Privacy Policy

Last updated: 19 April 2026

We collect the minimum data needed to run a payment router and nothing more. We do not sell data. We do not advertise. We do not profile you. This document explains exactly what hits our database and where it goes.

What we store.

On the merchant side (you, if you are integrating Peptide-Pay):

·Merchant email address (for dashboard login and notifications)
·Business name or brand name you provide
·Polygon wallet address(es) receiving payouts
·Transaction metadata: session ID, amount, currency, status, timestamp, on-chain TX hash
·API key hashes and webhook endpoint URLs
·IP address and user agent of dashboard logins (90 days, for security)

On the customer side (the person paying by card on your store):

·Customer email, only if you explicitly pass it to our API
·The metadata you attach to the session (e.g. your internal order ID)
·The resulting on-chain payout TX hash

What we don't store.

Card data

PAN, CVV, expiry, cardholder name. We literally never touch it. The card form is hosted by Moonpay; we only receive a pass/fail status.

KYC data

Customer name, address, DOB, ID scans. Moonpay handles KYC on the buyer. We receive none of it.

Bank details

We have no bank rails. No IBAN, no routing number, no SSN. Settlement happens on Polygon only.

Cross-site tracking

No Facebook pixel. No Google Analytics. No ad retargeting. The widget does not drop a tracking cookie on your customer.

Third parties.

Peptide-Pay relies on a small set of vendors. Each receives only the data it needs.

Vendor	Purpose	Data shared
Moonpay	Fiat on-ramp, card processing, KYC	Amount, currency, customer email, merchant wallet
PayGate.to	Wallet splitter smart contract	Merchant wallet, fee recipient, amount
Upstash	Database (Redis)	All merchant and session records
Resend	Transactional email	Merchant email, session status

Data retention.

We keep transaction records for 7 years. That is the shortest common retention window for tax and anti-money-laundering compliance across the jurisdictions we and our merchants operate in. Non-transaction records (login logs, API key metadata) are retained for 90 days and then purged.

Your GDPR rights.

If you are in the EU, you have the right to access, correct, delete, export, or restrict processing of your personal data. Email privacy@peptide-pay.com and we will respond within 30 days. We can delete your merchant record on request; transaction records required for tax compliance cannot be deleted until their statutory retention window expires, but we will anonymize everything that is not legally required to retain.

Legal basis for processing: performance of the contract you entered into by using the Service (Article 6(1)(b) GDPR) and legitimate interest in fraud prevention (Article 6(1)(f) GDPR).

International transfers.

Our infrastructure is hosted in the EU (Frankfurt). Upstash and Resend are GDPR-compliant. Moonpay and PayGate have their own privacy policies — we recommend reading them if you care about the full chain.

Contact.

Privacy questions: privacy@peptide-pay.com. General support: support@peptide-pay.com.