Privacy

1. Introduction

FloPay provides payment-orchestration infrastructure for human-led and agent-led commerce. This policy describes what information we collect when you visit our websites or use our products, how we use it, and the choices and rights you have over it.

Where we process information on behalf of a business customer, that customer is the controller of any end-user personal information they submit to the Services, and their own privacy notice governs that data. This policy then describes FloPay’s role as a processor acting on the customer’s instructions.

2. Scope

This policy applies to:

• flopay.com and our developer and demo subdomains, including docs.flopay.com, api.flopay.com, and demo.flopay.com.
• The FloPay platform, SDKs, APIs, dashboards, the Agent Vault, the MCP Server, and any other product surfaces (together, the “Services”).

Specific product features may be governed by additional notices, schedules, or order forms. In the event of a conflict, the more specific document controls for the matter it covers.

3. Information We Collect

We collect information in the following ways:

• Information you provide directly. Account, billing, and contact details; business and identity-verification information; communications you send us; and any other information you choose to share when using the Services.
• Information generated as you use the Services. API request metadata, device and browser data, IP address, approximate location, and log data created by your interactions with the Services.
• Payment-instrument data. When you transact through the Services, we and our payment-gateway partners process payment-instrument data strictly to authorize, settle, prevent fraud against, and record the Transaction.
• Cookies and similar technologies. As described in our Cookie Policy.

4. How We Use Information

We use the information we collect to:

• Provide, secure, and operate the Services.
• Route, reconcile, and report on Transactions.
• Verify identity, screen for sanctions, and prevent fraud and abuse.
• Communicate with you about your account and Service updates.
• Comply with legal, tax, and regulatory obligations.
• Analyze and improve the Services and develop new features.

We do not sell personal information.

5. Legal Bases (EEA/UK)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR (and equivalent UK/Swiss law):

• Performance of a contract with you, to provide and bill the Services.
• Our legitimate interests in operating, securing, improving, and marketing the Services, balanced against your rights and interests.
• Your consent, where required (for example, for certain cookies and marketing communications). You may withdraw consent at any time without affecting prior lawful processing.
• Compliance with legal obligations, including anti-money-laundering, tax, and accounting requirements.

6. How We Share Information

We share personal information with:

• Service providers and sub-processors who help us run the Services — including hosting, payment-gateway partners, fraud and risk providers, analytics, and communications.
• Parties to a Transaction, where you direct us to do so (for example, a merchant or a payment-gateway partner involved in settling a payment).
• Authorities and regulators, where required by law, legal process, or to protect our or others’ rights, safety, and property.
• Parties to a corporate transaction, such as a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.

We require sub-processors to meet appropriate confidentiality and security obligations and to process personal information only on documented instructions.

7. International Transfers

FloPay is based in the United States and may transfer personal information across borders to operate the Services. For transfers from the EEA, UK, or Switzerland to countries that do not provide an equivalent level of protection, we use appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum where relevant), supplemented by technical and organizational measures.

8. Retention

We keep personal information for as long as needed to provide the Services, comply with our legal, accounting, and tax obligations, resolve disputes, and enforce our agreements.

When personal information is no longer needed, we delete it or anonymize it so that it can no longer be associated with you.

9. Security

We use administrative, technical, and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction — including encryption in transit, access controls, and continuous monitoring. No system is perfectly secure, and we cannot guarantee absolute security.

You are responsible for keeping your account credentials and API keys confidential and for promptly notifying us of any suspected compromise.

10. Your Rights

EEA, UK, and Swiss users

You may request to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete personal information, where applicable.
• Receive your information in a portable format.
• Restrict or object to certain processing.
• Withdraw consent, where processing is based on consent.
• Lodge a complaint with your supervisory authority.

California residents (CCPA/CPRA)

You have the right to:

• Know what personal information we collect, use, disclose, and share.
• Request deletion or correction of personal information.
• Opt out of any sale or sharing of personal information — we do not sell personal information.
• Limit the use of sensitive personal information.
• Not be discriminated against for exercising your rights.

To exercise any right, contact us using the details in Section 13. We will verify your request before acting on it and will respond within the timeframes required by applicable law.

11. Children

The Services are not directed to children under 16 (under 13 in the United States), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us using the details in Section 13 and we will delete it.

12. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the “Effective” date above and, for material changes, give prominent notice on the Services — for example, by an in-product notification or email to the address associated with your account. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

13. Contact

Questions, requests, or complaints about this policy or our handling of personal information can be sent to hello@flopay.com