Privacy Policy (SOC-2 Informed)

For Review by Legal Counsel – Not Final
Last Updated: [Insert Date]
Effective Date: [Insert Date]

1. Introduction

This Privacy Policy describes how [Company Name] ("Company," "we," "our," or "us") collects, uses, discloses, and protects personal information in connection with our online payment platform, websites, mobile applications, APIs, and related services ("Services").

We are committed to maintaining the confidentiality, integrity, and availability of personal information, consistent with applicable privacy laws and SOC-2 Trust Services Criteria.

2. Information We Collect

2.1 Information You Provide

  • Name, email, phone
  • Account registration data
  • Payment information (tokenized)
  • Identity verification data
  • Support inquiries

2.2 Automatically Collected Data

  • IP address, device identifiers
  • Log data and usage metrics
  • Cookies and tracking information

2.3 Payment Data

  • Tokenized card or bank information
  • Transaction metadata
  • Fraud detection signals

We do not store full card numbers.

3. How We Use Your Information

  • Provide and maintain the Services
  • Process transactions
  • Verify identity and detect fraud
  • Improve user experience
  • Comply with law and financial regulations
  • Communicate service-related updates

4. Legal Basis (Where Required)

  • Contract performance
  • Legitimate interests
  • Legal obligations
  • Consent

5. How We Share Information

We may share information with:

  • Payment processors
  • Cloud and hosting providers
  • Analytics providers
  • Identity verification vendors
  • Legal or regulatory authorities

We do not sell personal information.

6. Data Retention

Data is retained:

  • As needed for the Services
  • As required for financial, audit, and compliance rules
  • According to structured retention schedules

Data is deleted or anonymized when no longer required.

7. Data Security (SOC-2 Aligned)

Controls include:

  • Encryption in transit and at rest
  • Role-based access controls
  • Secure software development lifecycle
  • Logging and monitoring
  • Vulnerability and penetration testing
  • Incident response procedures

8. User Rights

Depending on your jurisdiction, you may have the right to request:

  • Access
  • Correction
  • Deletion
  • Objection or restriction
  • Portability
  • Consent withdrawal

9. International Transfers

Where personal information is transferred across borders, it is protected by:

  • Standard contractual clauses
  • SOC-2 certified environments
  • Encryption and technical safeguards

10. Cookies

Cookies are used for security, authentication, analytics, and improving the platform. See our Cookie Policy for more details.

11. Children's Privacy

The Services are not intended for children under 13.

12. Changes to This Policy

We may update this Policy periodically and will provide notice of changes.

13. Contact

[Company Contact Email]
[Company Address]