Privacy Policy

Last updated: March 16, 2026

1. Introduction

PayLoop LLC ("PayLoop," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our payment processing platform, checkout services, and administrative tools (collectively, the "Services").

By using our Services, you consent to the data practices described in this Privacy Policy. If you do not agree with these practices, please do not use our Services.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, and business details when you create a merchant account
  • Customer Information: First name, last name, email address, phone number, billing address (street, city, state, ZIP/postal code, country) provided during checkout
  • Payment Information: Credit/debit card number, expiration date, and CVV. Important: PayLoop does not store or have access to raw card data. All card information is securely tokenized and stored by our PCI DSS Level 1 certified vault provider, Basis Theory, Inc.
  • Transaction Information: Purchase amounts, items purchased, subscription details, refund requests, and billing history
  • Communication Data: Any messages or correspondence you send to us

2.2 Information Collected Automatically

  • Device Information: Browser type, operating system, screen resolution, and device identifiers
  • Usage Data: Pages visited, features used, click patterns, and time spent on the platform
  • Network Information: IP address, referring URL, and approximate geographic location derived from IP
  • Cookies and Similar Technologies: Session cookies for authentication and preferences. See Section 8 for details

2.3 Information from Third Parties

  • Payment Processors: Transaction status, authorization codes, and decline reasons from NMI and other gateway providers
  • 3D Secure Providers: Authentication results and risk assessments from 3DS verification services
  • E-commerce Platforms: Product and cart information from connected Shopify stores

3. How We Use Your Information

We use the collected information to:

  • Process Payments: Execute one-time and recurring transactions, manage subscriptions, and process refunds
  • Provide Services: Operate and maintain the platform, including checkout processing, subscription management, and merchant administration
  • Fraud Prevention: Detect and prevent fraudulent transactions using 3D Secure authentication, rate limiting, and behavioral analysis
  • Communication: Send transaction receipts, billing notifications, subscription updates, and respond to inquiries
  • Compliance: Meet legal obligations, including PCI DSS requirements, tax reporting, and responding to lawful requests
  • Improvement: Analyze usage patterns to improve the Services, fix bugs, and develop new features

4. How We Share Your Information

We share your information only with the following categories of third parties, and only as necessary:

Third Party | Purpose | Data Shared
Basis Theory, Inc. | Secure card data vault (PCI DSS Level 1) | Tokenized card data
NMI / Payment Processors | Payment authorization and settlement | Tokenized card references, amounts, customer name
3DS Providers (Paay) | Cardholder authentication | Card BIN, transaction amount, device data
Shopify | Product and cart synchronization | Product data, cart contents
Hosting Provider (Render) | Infrastructure and deployment | Application logs (no raw card data)

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

5. Data Retention

  • Transaction Records: Retained for seven (7) years to comply with financial recordkeeping requirements and chargeback dispute resolution
  • Customer Accounts: Retained for the duration of the customer relationship plus three (3) years after the last transaction
  • Payment Tokens: Retained in Basis Theory's vault until the associated subscription is cancelled and the retention period expires, or upon customer request
  • Server Logs: Automatically deleted after ninety (90) days
  • Cookies: Session cookies expire when the browser is closed. Authentication cookies expire after 24 hours

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • Card Vault: Raw card data is never stored on PayLoop servers. It is tokenized and stored in Basis Theory's PCI DSS Level 1 certified vault
  • Authentication: HMAC-signed session tokens with automatic expiration
  • Access Controls: Role-based access for merchant accounts with strict API permissions
  • Rate Limiting: Automated throttling to prevent brute force attacks and card testing
  • 3D Secure: Additional cardholder verification for transactions where supported

7. Your Rights

7.1 General Rights (All Users)

You have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data, subject to legal retention requirements
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing of your personal data in certain circumstances

7.2 European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. Our legal basis for processing your data includes: contractual necessity (to process payments), legitimate interest (fraud prevention), and consent (where applicable).

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us using the information below.

8. Cookies and Tracking

We use the following types of cookies:

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled
  • Functional Cookies: Remember your preferences such as theme selection (light/dark mode)

We do not use advertising or tracking cookies. We do not use third-party analytics services that track individual users across websites.

9. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers and service providers are located. If you are located outside the United States, you consent to the transfer of your information to the United States, where data protection laws may differ from those of your country.

10. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Services or via email to registered merchants. The "Last updated" date at the top reflects the most recent revision.

12. Contact Us

For privacy-related inquiries, data access requests, or complaints:

  • Email: privacy@mypayloop.co
  • Address: PayLoop LLC, 1209 Orange Street, Suite 600, Wilmington, DE 19801, United States

We will respond to all legitimate requests within thirty (30) days.