Privacy Policy
Last updated: 2026-05-04
This Privacy Policy describes how AI Payment Guard ("we") handles personal data. We are the controller of personal data we collect from prospects and our own users. We are a processor of personal data submitted via the Service by our customers.
1. Data we collect
Account data
Email address, name (optional), hashed password, 2FA secret (encrypted), recovery code hashes, IP address and user-agent at sign-in.
Operational data submitted by your agents
Payment intents (amount, currency, beneficiary, category, memo, agent identifier), approval decisions, audit events, webhook delivery metadata. This data is processed on your behalf — you are the controller.
Telemetry
Server logs of API requests (IP, path, status, latency) used for security and reliability. We do not run third-party trackers on the marketing website beyond minimal analytics.
2. How we use it
- To operate, secure and improve the Service;
- To authenticate users and prevent abuse;
- To send transactional emails (sign-in, password resets, approval notifications);
- To meet legal and contractual obligations;
- To respond to support requests.
We do not sell personal data and we do not use your operational data to train models.
3. Legal bases (GDPR)
- Performance of a contract: providing the Service to you;
- Legitimate interests: security, abuse prevention, product improvement;
- Legal obligation: tax, accounting, financial regulations;
- Consent: where required (e.g. optional cookies).
4. Data retention
- Account data: while your account exists, plus 30 days after deletion.
- Audit events: per the retention window disclosed in your plan (7 days, 12 months, or up to 10 years on Enterprise).
- Server logs: 90 days.
- Backups: rolling 30-day window.
5. Sharing
We share personal data only with:
- Sub-processors (cloud hosting, transactional email, error tracking) listed in the DPA;
- Authorities, when legally compelled and after notifying you where lawful;
- An acquirer or successor entity in case of merger or acquisition.
6. International transfers
Personal data is hosted within the European Economic Area. If a sub-processor processes data outside the EEA, we rely on Standard Contractual Clauses or an equivalent transfer mechanism.
7. Your rights
Subject to applicable law, you may request access, rectification, deletion, restriction or portability of your personal data, and object to certain processing. To exercise these rights, contact privacy@payment-guard.example. You can also lodge a complaint with your local data protection authority (in France: CNIL).
8. Security
We employ industry-standard safeguards: encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, append-only audit logging, periodic backups, and least-privilege principles. See our Security page for details.
9. Cookies
We use a small number of strictly necessary cookies (authentication session, CSRF protection). We do not set advertising or cross-site tracking cookies.
10. Changes
We will post material changes to this Policy on this page and notify customers by email.