Effective Date: December 31, 2025
PayNext Inc. (“PayNext,” “we,” “us,” or “our”) values your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you access or use the PayNext modern payments platform, APIs, dashboards, SDKs, websites, and related services (collectively, the “Services”).
By using PayNext, you agree to the collection and use of your information as described below. This Privacy Policy forms part of PayNext’s Terms of Service.
Privacy at a Glance
| What we collect | Business contact info, account credentials, transaction data, device/browser info for fraud prevention |
| Why we collect it | To provide payment services, prevent fraud, comply with laws, and improve our platform |
| Who we share with | Payment processors you select (Stripe, Braintree, PayPal, Unlimit), service providers, and authorities when legally required |
| What we don’t do | Sell your data, use it for advertising, or share it for behavioral profiling |
| Your rights | Access, correct, delete, port your data, and opt out of certain processing |
| How to contact us | [email protected] |
1. Who We Are
| Company | PayNext Inc. |
| Registered Address | 8 The Green, Suite R, Dover, Delaware 19901, United States |
| Privacy and Legal | [email protected] |
| Support | [email protected] |
2. Who This Policy Applies To
This Privacy Policy applies to different categories of individuals:
| Category | Description | Our Role |
|---|---|---|
| Business Users | Companies and individuals who use PayNext to process payments (our direct customers) | Data Controller |
| Representatives | Employees, officers, and agents of Business Users who access the PayNext Dashboard | Data Controller |
| End Customers | Individuals whose personal data is processed through PayNext on behalf of Business Users (your customers) | Data Processor / Service Provider |
| Visitors | Individuals who visit our website or interact with our marketing | Data Controller |
2.1 PayNext as Controller
PayNext acts as a data controller when processing personal information of Business Users, Representatives, and Visitors for:
- Account administration and customer relationship management
- Billing, invoicing, and payment collection
- Platform security and fraud prevention
- Customer support and communications
- Legal and regulatory compliance
- Improving and developing the Services
2.2 PayNext as Processor (Service Provider)
PayNext acts as a data processor (under GDPR) or service provider (under CCPA/CPRA) when processing personal data of End Customers on behalf of Business Users. In those cases:
- Processing is governed by PayNext’s Data Processing Agreement (DPA)
- Business Users remain the data controller (or “business” under CCPA) and are responsible for providing required notices and obtaining lawful bases from their End Customers
- PayNext processes End Customer data only in accordance with Business User instructions
- End Customers should direct privacy requests to the Business User (the company from whom they made a purchase), not to PayNext
3. Information We Collect
Data Minimization. We collect only the personal information necessary to provide the Services, comply with legal obligations, and protect against fraud. We do not collect personal information that is excessive or unrelated to these purposes.
A. Information You Provide
We collect information you provide directly, including:
- Name, email address, job title, and business contact details
- Account credentials and authentication data
- Billing and payment information
- Company name and business information
- Communications with PayNext (support tickets, emails, feedback)
B. Information Collected Automatically
When you use the Services, we automatically collect:
- IP address, device type, browser type, and operating system
- Browser user agent string and language preferences
- Log data, telemetry, timestamps, and usage metrics
- Security and authentication data
- Referring URLs and pages visited
- IP address and derived geolocation (country, city, state/region, postal code)
- Geographic coordinates (latitude/longitude)
- Timezone
- Browser user agent and language preferences
C. Customer Data
Customers may submit or transmit data through the Services, including transaction metadata, payment references, and end-user information. PayNext processes Customer Data only in accordance with customer instructions and the applicable DPA.
4. How We Use Information
4.1 We use personal information for the following purposes:
- Providing, operating, and maintaining the Services
- Authenticating users and preventing unauthorized access
- Processing billing and managing customer accounts
- Responding to inquiries and providing customer support
- Monitoring performance, uptime, and service reliability
- Detecting and preventing fraud, abuse, and security incidents
- Complying with legal obligations and enforcing our agreements
- Analyzing aggregated, de-identified usage patterns to improve platform performance, reliability, and feature development
4.2 We do not use personal information for advertising, behavioral profiling, cross-context tracking, or selling to third parties.
5. Legal Bases for Processing
5.1 Where required by applicable law (including GDPR), we process personal information based on the following legal bases:
| Contract Performance | Processing necessary to provide the Services, manage your account, and fulfill our contractual obligations. |
| Legitimate Interests | Processing necessary for our legitimate business interests, specifically: (a) maintaining platform availability and performance; (b) detecting, preventing, and responding to security incidents and fraud; (c) sending transactional communications and responding to support requests; and (d) enforcing our Terms of Service. We conduct balancing tests to ensure these interests do not override your fundamental rights and freedoms. |
| Legal Obligations | Processing necessary to comply with applicable laws, regulations, court orders, or legal process. |
| Consent | Where you have provided consent for specific processing activities. You may withdraw consent at any time by contacting us. |
6. Cookies and Tracking Technologies
6.1 PayNext uses only essential cookies and similar technologies necessary for:
- Authentication and session management
- Security and fraud prevention
- Load balancing and platform functionality
- Remembering user preferences
6.2 We do not use advertising cookies, third-party tracking pixels, or cross-site tracking for marketing purposes.
6.3 Blocking essential cookies may impact the functionality of the Services. You can manage cookie preferences through your browser settings.
7. Sharing and Disclosure
7.1 No Sale of Personal Information. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
7.2 We may disclose personal information to the following categories of recipients:
| Service Providers | Vendors that support the Services (hosting, infrastructure, monitoring, authentication, analytics). Subject to contractual confidentiality and security obligations. |
| Payment Processors | Payment processors you select and connect through PayNext (including Stripe, Braintree, PayPal, and Unlimit). We transmit transaction data, customer information, and device fingerprint data as necessary to process payments. You maintain a direct contractual relationship with your chosen processors, and their privacy practices are governed by their own privacy policies. |
| Professional Advisors | Legal counsel, accountants, auditors, and consultants as necessary for business operations. |
| Authorities | Government agencies, regulators, or law enforcement only: (a) in response to valid legal process (subpoena, court order, or government request); (b) to comply with applicable law or regulation; or (c) where necessary to prevent imminent harm to individuals or protect against fraud or illegal activity. We evaluate each request and object to overbroad or improper requests where appropriate. |
| Corporate Transactions | In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality obligations. |
7.3 All disclosures are limited, purpose-bound, and subject to contractual confidentiality and security requirements.
8. Subprocessors
8.1 We engage third-party subprocessors to assist in providing the Services. Key subprocessors include:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | United States |
| Braintree (PayPal) | Payment processing | United States |
| PayPal | Payment processing | United States |
| Unlimit | Payment processing | European Union |
| Svix | Webhook delivery | United States |
8.2 We notify customers of changes to subprocessors in accordance with our Data Processing Agreement. Customers may subscribe to subprocessor change notifications.
8.3 All subprocessors are subject to contractual obligations regarding data protection, confidentiality, and security.
8.4 Limitation of Liability for Third-Party Services. PayNext is not responsible for the privacy practices, security measures, or data breaches of third-party payment processors that you select and configure. Your use of payment processors (Stripe, Braintree, PayPal, Unlimit, or others) is governed by your direct agreements with those providers. We recommend reviewing each processor’s privacy policy before integration.
9. Payment and PCI-Related Data
9.1 PayNext may integrate with third-party services for:
- Network tokenization
- 3D Secure (3DS) authentication
- Encryption and decryption of PCI DSS-compliant data
- Fraud detection and prevention
9.2 While PayNext does not operate as a payment processor, PayNext may technically access or decrypt certain payment-related data where required for:
- Reconciliation and reporting
- Dispute resolution and chargebacks
- Fraud investigation
- Legal or regulatory compliance
9.3 Such access is strictly controlled, logged, limited to authorized personnel, and subject to PCI DSS requirements.
10. Data Retention
10.1 We retain personal information only as long as necessary for the purposes described in this Privacy Policy, or as required by law. Retention periods vary based on the type of information and purpose:
| Account Information | Duration of customer relationship plus 7 years (legal/tax requirements) |
| Transaction Records | 7 years from transaction date (financial regulations) |
| Support Communications | 3 years after resolution |
| Security and Access Logs | 1 year (unless required longer for investigation) |
| Marketing Preferences | Until consent is withdrawn or account is closed |
| Customer Data | Per customer instructions and DPA; deleted within 30 days of termination unless otherwise agreed |
10.2 Data may be retained beyond the periods above only where specifically required by: (a) applicable tax, financial, or anti-money laundering regulations; (b) active litigation, regulatory investigation, or legal hold; or (c) valid law enforcement requests. In such cases, retention is limited to the minimum period necessary to satisfy the legal requirement, after which data is deleted or anonymized.
11. Data Security
11.1 PayNext implements and maintains commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, acquisition, destruction, use, modification, or disclosure. These safeguards are appropriate to the nature of the personal information and the risks presented by our processing activities.
11.2 Our security program includes:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls, role-based permissions, and multi-factor authentication
- Regular security assessments, penetration testing, and vulnerability scanning
- Incident detection, monitoring, and response procedures
- Employee security training and background checks
- SOC 2 Type II certification and PCI DSS compliance
11.3 No Guarantee of Security. While we use commercially reasonable efforts to protect personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot and do not guarantee the absolute security of your information. You acknowledge that you provide personal information at your own risk.
11.4 Your Security Responsibilities. You are responsible for maintaining the confidentiality of your account credentials, API keys, and access tokens. Notify us immediately at [email protected] if you believe your credentials have been compromised.
11.5 Breach Notification. In the event of a security breach involving your personal information, we will notify you and relevant authorities as required by applicable law. For breaches affecting End Customer data, we will notify the relevant Business User, who is responsible for notifying affected individuals.
12. International Data Transfers
12.1 PayNext operates globally and may process personal information in the United States and other jurisdictions where our service providers operate.
12.2 For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures as appropriate to ensure adequate protection
12.3 You may request a copy of applicable transfer mechanisms by contacting [email protected].
13. Your Privacy Rights
13.1 Depending on your location, you may have the following rights regarding your personal information:
| Access | Request access to personal information we hold about you. |
| Correction | Request correction of inaccurate or incomplete information. |
| Deletion | Request deletion of your personal information, subject to legal retention requirements. |
| Portability | Receive your personal information in a structured, machine-readable format (JSON or CSV). |
| Objection | Object to processing based on legitimate interests. |
| Restriction | Request restriction of processing in certain circumstances. |
| Withdraw Consent | Withdraw consent where processing is based on consent. |
13.2 To exercise your rights, contact us at [email protected]. We will:
- Acknowledge your request within 10 business days
- Respond to access and portability requests within 30 days (GDPR) or 45 days (CCPA)
- Process deletion requests within 30 days of verification
- Notify you if we need additional time (extensions up to 45 additional days for CCPA, 60 days for GDPR)
13.3 If PayNext processes your data on behalf of a customer (as a processor), you may need to direct your request to that customer as the data controller.
13.4 We do not discriminate against individuals who exercise their privacy rights.
14. Additional Rights for EEA/UK Residents
14.1 If you are located in the European Economic Area or United Kingdom, you have the following additional rights under GDPR/UK GDPR:
14.2 Right to Lodge a Complaint. You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law. You may contact:
- Your local data protection authority in your country of residence
- The lead supervisory authority where PayNext is established
14.3 Automated Decision-Making. PayNext does not use automated decision-making (including profiling) that produces legal effects or similarly significant effects on individuals without human involvement.
14.4 Legal Bases Summary. Our processing activities and corresponding legal bases are described in Section 5.
15. California Privacy Rights (CCPA/CPRA)
15.1 If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
| Right to Know | Request disclosure of: categories of personal information collected; categories of sources; business purposes for collection; categories of third parties with whom we share; and specific pieces of personal information collected. |
| Right to Delete | Request deletion of personal information we collected, subject to exceptions. |
| Right to Correct | Request correction of inaccurate personal information. |
| Right to Opt-Out | Opt out of the sale or sharing of personal information for cross-context behavioral advertising. Note: We do not sell or share personal information. |
| Right to Limit | Limit use of sensitive personal information to purposes permitted by law. |
| Non-Discrimination | Not be discriminated against for exercising your privacy rights. |
15.2 Categories of Personal Information. In the preceding 12 months, we collected the following categories:
- Identifiers (name, email, IP address, account ID)
- Commercial information (transaction records, billing history)
- Internet/network activity (logs, usage data, device information)
- Professional/employment information (job title, company)
- Geolocation data (precise location including city, state, postal code, and coordinates derived from IP address)
15.3 Sources. We collect personal information from: you directly; your use of the Services; our customers (for Customer Data); and service providers.
15.4 Business Purposes. We use personal information for the purposes described in Section 4.
15.5 Disclosure for Business Purposes. We disclose personal information to the categories of recipients described in Section 7.
15.6 No Sale or Sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
15.7 Sensitive Personal Information. We do not collect sensitive personal information as defined by CPRA, except as necessary to provide the Services.
15.8 Exercising Your Rights. To exercise your California privacy rights, contact us at [email protected] or submit a request through our website. We will verify your identity before processing your request.
15.9 You may designate an authorized agent to make requests on your behalf. Agents must provide written authorization signed by you, and we may require you to verify your identity directly.
15.10 Verification Procedures
To protect your privacy, we verify your identity before processing access, deletion, or correction requests. Verification may include:
- Matching information you provide against data we already have
- Requiring you to log into your account
- For sensitive requests, additional verification steps such as signed declarations
15.11 Appeal Process
If we deny your privacy request, you may appeal by contacting [email protected] with “Privacy Appeal” in the subject line. We will respond to appeals within 60 days.
15.12 Do Not Track Disclosure
California law requires disclosure of how we respond to “Do Not Track” browser signals. PayNext does not currently respond to Do Not Track signals because there is no industry-standard interpretation. However, we do not engage in cross-site tracking or targeted advertising, so our practices are consistent with Do Not Track principles.
15.13 California Shine the Light
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. PayNext does not share personal information with third parties for their direct marketing purposes.
15.14 Financial Incentive Programs
PayNext does not offer financial incentive programs (such as loyalty programs or discounts) that require the collection of personal information. If we introduce such programs in the future, we will update this policy with the required disclosures.
16. Children’s Privacy
16.1 The Services are intended for business use and are not directed to individuals under 16 years of age (or the applicable age of consent in your jurisdiction).
16.2 We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at [email protected].
16.3 If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.
17. Changes to This Policy
17.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
17.2 Notice of Changes. We will provide notice of changes as follows:
| Change Type | Notice Method | Timing |
|---|---|---|
| Material changes (new data uses, new sharing categories, reduced rights) | Email to your registered address AND prominent notice on our website and Dashboard | At least 30 days before the change takes effect |
| Non-material changes (clarifications, formatting, typos) | Update to this Policy with revised “Last Updated” date | Effective immediately upon posting |
17.3 What Constitutes a Material Change. A change is “material” if it:
- Introduces new categories of personal information we collect
- Adds new purposes for which we use personal information
- Expands the categories of third parties with whom we share data
- Reduces or limits your privacy rights
- Changes how we respond to Do Not Track signals
- Modifies data retention periods to be longer
17.4 Your Choices. For material changes:
- You will receive email notice at least 30 days in advance
- If you do not agree to the changes, you may close your account before the effective date
- For changes that require consent under applicable law, we will obtain your affirmative consent before the change takes effect
- Continued use of the Services after the effective date of a material change constitutes your acceptance, except where consent is required
17.5 We encourage you to review this Privacy Policy periodically. The “Effective Date” at the top of this Policy indicates when it was last updated.
18. Contact Us
18.1 For questions about this Privacy Policy or our privacy practices:
| Privacy and Legal | [email protected] |
| General Support | [email protected] |
| Mailing Address | PayNext Inc., 8 The Green, Suite R, Dover, DE 19901, USA |
18.2 We aim to respond to all inquiries within 30 days, or sooner where required by applicable law.