Privacy Policy
Last updated: March 2026
1. Information We Collect
We collect information you provide when creating an account (email address), registering agents (agent name, framework, purpose), and conducting transactions (amounts, currencies, merchant details). We also collect API usage data, authentication events, and audit log entries for security and compliance purposes.
2. How We Use Information
We use your information to provide and maintain the Service, process transactions, issue virtual cards and IBANs, manage credit lines, authenticate requests, detect and prevent fraud, comply with financial regulations, and improve our platform. We do not use your data for advertising.
3. Data Encryption
Card data (PAN, CVV) is encrypted at rest using AES-256-GCM with a random initialization vector per field. Card data is decrypted only on your explicit request. Session tokens are signed with HS256 and stored locally with restricted file permissions (mode 0600). All data in transit is encrypted via TLS 1.3.
4. Agent Data
Each registered agent receives scoped credentials that are isolated from other agents. One compromised agent cannot access another agent's cards, IBANs, or funds. Agent registration data (name, framework, purpose) is stored to maintain the KYA identity chain. Agent-generated transaction data is attributed and auditable.
5. Data Retention
Account data is retained for the lifetime of your account. Transaction records and audit logs are retained for a minimum of 7 years as required by financial regulations. Upon account termination, personal data is deleted within 30 days, except where retention is required by law.
6. Third Parties
We share data with banking partners and the Mastercard network as necessary to process transactions and issue cards. We do not sell your personal data to third parties. We may share anonymized, aggregated data for analytical purposes. We use industry-standard subprocessors for infrastructure (hosting, monitoring).
7. Your Rights
You have the right to access, correct, and delete your personal data. You can export your transaction history and audit logs as CSV or JSON at any time. To exercise these rights, contact us at privacy@aipay.sh. We will respond to requests within 30 days.
8. Cookies & Analytics
We use essential cookies for authentication and session management. We do not use third-party advertising cookies. We may use privacy-respecting analytics to understand platform usage patterns. You can disable non-essential cookies in your browser settings.
9. International Transfers
Your data may be processed in the United Kingdom and European Economic Area. We ensure appropriate safeguards are in place for any international data transfers, including Standard Contractual Clauses where required by GDPR.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at privacy@aipay.sh. For security-related concerns, see our Security page or contact security@aipay.sh.