Privacy Policy

We collect information in several ways depending on how you interact with PayFence. The types of information we collect include:

Account Information. When you create a PayFence account, we collect your name, email address, and authentication credentials. If you sign up using a third-party authentication provider (such as Google or GitHub), we receive your profile information from that provider.

Billing Information. When you subscribe to a paid plan or connect your Stripe account, we collect billing-related information such as your Stripe account ID, subscription status, and transaction history. Full payment card details are collected and processed directly by Stripe and are never stored on PayFence servers.

API and Site Configuration. We collect information about the APIs and endpoints you register with PayFence, including site names, origin URLs, slugs, endpoint paths, plan configurations, pricing, and quota settings.

Usage Data. We automatically collect information about how you and your End Customers interact with the Service, including request metadata (HTTP method, URL path, headers, IP addresses, timestamps, response status codes), decision outcomes (allow or deny), token usage counts, and quota consumption. We do not collect or store request or response bodies.

Device and Browser Information. When you access the PayFence dashboard, we collect standard technical information such as your browser type and version, operating system, device type, screen resolution, language preference, and referring URL.

Communications. If you contact us via email, support forms, or other channels, we collect the content of those communications along with any associated metadata.

We use the information we collect for the following purposes:

• Providing the Service. To operate, maintain, and deliver the core PayFence platform, including processing API requests, enforcing access policies, managing quotas, and generating usage analytics.
• Billing and Payments. To process subscriptions, calculate platform fees, generate invoices, and manage your billing relationship through Stripe.
• Communication. To send you service-related notifications, respond to your inquiries, and provide customer support. With your consent, we may also send you product updates and marketing communications.
• Improvement and Analytics. To analyze usage patterns, diagnose technical issues, improve the Service, and develop new features. We use aggregated and anonymized data for these purposes whenever possible.
• Security and Fraud Prevention. To detect, investigate, and prevent fraudulent activity, unauthorized access, and other security threats to the Service and our users.
• Legal Compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

We do not sell your personal information to third parties. We share information only in the following circumstances:

• Service Providers. We share information with trusted third-party service providers who assist us in operating the Service, such as payment processors, hosting providers, and analytics services. These providers are contractually obligated to use your information only as necessary to provide services to us.
• Between Users and End Customers. When an End Customer subscribes to a Plan, the User who created that Plan may receive information about the End Customer's usage, including request counts and quota consumption. End Customers may see the name and branding of the User whose API they are accessing.
• Legal Requirements. We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
• Business Transfers. In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
• With Your Consent. We may share your information with third parties when you have given us explicit consent to do so.

PayFence integrates with the following third-party services. Each service has its own privacy policy governing its use of your data:

Stripe. We use Stripe for payment processing, subscription management, and Connect account onboarding. When you connect your Stripe account or make payments through PayFence, your payment information is processed directly by Stripe. Stripe may collect and process your personal information in accordance with the Stripe Privacy Policy.

PostHog. We use PostHog for product analytics to understand how users interact with the PayFence dashboard. PostHog collects anonymized usage data, including page views, feature usage, and session information. We configure PostHog to respect Do Not Track preferences and to minimize the collection of personally identifiable information. You can learn more about PostHog's data practices in the PostHog Privacy Policy.

We are not responsible for the privacy practices of these third-party services. We encourage you to review their respective privacy policies.

We implement commercially reasonable technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher for all connections to and from PayFence services.
• Encryption of sensitive data at rest using AES-256 encryption in our data stores.
• Access controls and authentication mechanisms to restrict access to personal data to authorized personnel only.
• Regular security assessments, vulnerability scans, and code reviews to identify and address potential security issues.
• Infrastructure hosted on AWS with industry-standard security certifications and compliance frameworks.

While we strive to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk.

We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

• Account Data: Retained for the lifetime of your account and for up to 30 days following account deletion.
• Request Logs: Request metadata and decision logs are retained for 90 days by default. Users on certain plans may configure custom retention periods.
• Billing Records: Transaction and billing records are retained for a minimum of 7 years to comply with tax and financial reporting obligations.
• Analytics Data: Aggregated and anonymized analytics data may be retained indefinitely for product improvement purposes.

When data is no longer needed, we securely delete or anonymize it. You may request earlier deletion of your data, subject to our legal and operational requirements.

Depending on your location and applicable law, you may have the following rights regarding your personal information:

• Access. You have the right to request a copy of the personal information we hold about you.
• Correction. You have the right to request that we correct inaccurate or incomplete personal information.
• Deletion. You have the right to request that we delete your personal information, subject to certain exceptions such as legal obligations or legitimate business needs.
• Portability. You have the right to request your personal information in a structured, commonly used, machine-readable format.
• Objection and Restriction. You have the right to object to or request restriction of certain processing of your personal information.
• Withdrawal of Consent. Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us at privacy@payfence.io. We will respond to your request within 30 days, or within the timeframe required by applicable law. We may ask you to verify your identity before processing your request.

If you are a resident of the European Economic Area (EEA), the United Kingdom, or California, you may have additional rights under the GDPR, UK GDPR, or CCPA respectively. We are committed to honoring these rights in accordance with applicable law.

PayFence uses cookies and similar tracking technologies on our website and dashboard. The types of cookies we use include:

• Essential Cookies. Required for the Service to function properly. These cookies handle authentication, session management, and security. They cannot be disabled without affecting core functionality.
• Analytics Cookies. Used to understand how visitors interact with our website and dashboard. We use PostHog for product analytics, which sets cookies to track sessions and feature usage. These cookies help us improve the Service.
• Preference Cookies. Used to remember your settings and preferences, such as language, theme, and dashboard layout choices.

We do not use third-party advertising cookies or cross-site tracking technologies. You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, though doing so may affect the functionality of the Service.

We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable non-essential analytics tracking for that session.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@payfence.io. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and notify you through the Service or by email.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you disagree with any changes, you should stop using the Service and contact us to delete your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@payfence.io
• General Support: support@payfence.io
• Website: payfence.io

For data protection inquiries from the European Economic Area, you may also contact your local Data Protection Authority if you believe we have not adequately addressed your concerns.