Privacy Policy

1. Introduction

At HandyPay, we are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, store, and protect your data when you use our mobile payment application and services.

2. Information We Collect

We collect information you provide directly, such as your name, email address, phone number, and business information during account registration. We also collect authentication data through Apple Sign-In, including your user ID and profile information.

3. Payment Information

Payment data is processed securely through Stripe and is not stored on our servers. We do not have access to your full credit card numbers, bank account details, or payment credentials. Stripe handles all payment processing in compliance with PCI DSS standards.

4. Transaction Data

We collect transaction information including amounts, timestamps, and merchant details for your payment history and receipts. This data helps us provide transaction records and improve our services.

5. Device and Usage Information

We collect information about your device, including device type, operating system, app version, and usage patterns. This helps us optimize the app performance and provide technical support.

6. How We Use Your Information

• Process payments and manage your account
• Provide customer support and technical assistance
• Send transaction notifications and receipts
• Improve our app and develop new features
• Comply with legal and regulatory requirements
• Prevent fraud and ensure platform security

7. Information Sharing

We do not sell or rent your personal information to third parties. We may share information with:

• Stripe for payment processing
• Financial institutions for payout processing
• Law enforcement when required by law
• Service providers who assist our operations

8. Data Security

We implement industry-standard security measures including encryption, secure servers, and regular security audits. Your payment information is protected by Stripe's advanced security systems. We use secure connections (HTTPS) for all data transmission.

9. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations. Transaction records are typically retained for 7 years as required by Jamaican financial regulations. You can request deletion of your account data at any time.

10. Your Rights

• Access your personal information
• Correct inaccurate information
• Request deletion of your data
• Object to processing of your information
• Request data portability

11. Cookies and Tracking

Our mobile app may use cookies and similar technologies to improve user experience and analyze app usage. You can manage cookie preferences through your device settings.

12. International Data Transfers

Your data may be transferred to and processed in countries other than Jamaica, including the United States for Stripe's services. We ensure appropriate safeguards are in place for such transfers.

13. Children's Privacy

Our services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes via the app or email. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.

15. Information We Collect - Detailed Categories

Personal Identification Information: We collect personal information that you provide directly to us, including:

• Full name and any aliases
• Email address
• Phone number
• Date of birth (for age verification)
• Government-issued identification numbers (for verification purposes)
• Photographs (from identification documents)
• Physical address and mailing address

Business Information: If you are a merchant, we collect:

• Business name and legal entity name
• Business registration number
• Tax identification number
• Business address and contact information
• Business type and industry
• Bank account information for payouts
• Business licenses and permits

Authentication Information: We collect authentication data through various methods:

• Apple Sign-In credentials (user ID, email, name)
• Account passwords (stored in encrypted form)
• Two-factor authentication codes
• Biometric data (if you enable biometric authentication on your device)
• Device identifiers for authentication

Financial Information: While we do not store full payment card numbers, we may collect:

• Payment method type (credit card, debit card, etc.)
• Last four digits of payment cards (for display purposes)
• Card expiration dates (processed securely by Stripe)
• Bank account information for payouts
• Transaction history and payment patterns

16. How We Collect Information

Information You Provide: We collect information that you voluntarily provide when you:

• Create an account or register for our Services
• Complete merchant onboarding forms
• Submit verification documents
• Contact our customer support
• Participate in surveys or provide feedback
• Subscribe to our newsletters or marketing communications
• Use features that require additional information

Automatically Collected Information: We automatically collect certain information when you use our Services:

• Device information (model, operating system, unique device identifiers)
• IP address and approximate location
• Browser type and version (for web access)
• App version and installation information
• Usage data and interaction patterns
• Crash reports and error logs
• Network information and connection type

Information from Third Parties: We may receive information about you from third parties, including:

• Stripe (payment processing and verification data)
• Identity verification services
• Credit bureaus or financial institutions (for risk assessment)
• Government databases (for compliance verification)
• Social media platforms (if you connect your accounts)
• Business partners and service providers

17. Payment Information - Detailed

Payment Processing: All payment transactions are processed securely through Stripe Connect, a PCI DSS Level 1 certified payment processor. We do not store, process, or have access to your full credit card numbers, debit card numbers, or complete bank account details.

What Stripe Collects: When you make or receive payments, Stripe collects and processes:

• Full payment card numbers (encrypted and tokenized)
• Card verification values (CVV)
• Card expiration dates
• Billing addresses
• Bank account numbers and routing information
• Payment authentication data

What We See: We only receive and store:

• Last four digits of payment cards (for display and identification)
• Card brand (Visa, Mastercard, etc.)
• Payment method type
• Transaction amounts and status
• Payment tokens (non-sensitive identifiers)

PCI DSS Compliance: We comply with Payment Card Industry Data Security Standard (PCI DSS) requirements through our use of Stripe's secure infrastructure. We do not handle, store, or transmit cardholder data directly.

18. Transaction Data - Comprehensive

Transaction Records: We collect and store comprehensive transaction information, including:

• Transaction amounts (in both JMD and USD when applicable)
• Transaction dates and timestamps
• Transaction status (completed, pending, failed, refunded)
• Merchant and customer information (as applicable)
• Transaction descriptions and notes
• Payment method used
• Transaction fees and charges
• Currency exchange rates (if applicable)
• QR code identifiers
• Payment link identifiers
• Receipt and invoice data

Transaction Metadata: We also collect metadata associated with transactions:

• Device information used for the transaction
• IP addresses (for fraud prevention)
• Geographic location (approximate, based on IP)
• Transaction patterns and frequency
• Refund and chargeback history

19. Device and Usage Information - Detailed

Device Information: We collect detailed information about the devices you use to access our Services:

• Device manufacturer and model
• Operating system name and version
• Device unique identifiers (UDID, IMEI, Android ID)
• Mobile carrier information
• Screen resolution and display settings
• Battery level and charging status
• Available storage space
• Language and region settings

Usage Analytics: We collect information about how you use our Services:

• Features accessed and frequency of use
• Time spent in the app
• Navigation patterns and user flows
• Search queries and filters used
• Error messages encountered
• Performance metrics and load times
• App crashes and technical issues

Location Information: With your permission, we may collect:

• Precise location (GPS coordinates) when you enable location services
• Approximate location (based on IP address or network information)
• Location history (if you use location-based features)

You can disable location services through your device settings, though this may limit certain features.

20. How We Use Your Information - Comprehensive

Service Provision: We use your information to:

• Create and manage your account
• Process payments and transactions
• Facilitate payouts to your bank account
• Generate QR codes and payment links
• Provide transaction history and receipts
• Enable multi-currency transactions
• Support customer tracking features
• Manage team and business accounts

Verification and Compliance: We use your information to:

• Verify your identity and eligibility
• Complete Know Your Customer (KYC) checks
• Comply with anti-money laundering (AML) regulations
• Meet regulatory reporting requirements
• Conduct risk assessments
• Prevent fraud and financial crimes

Communication: We use your contact information to:

• Send transaction notifications and receipts
• Provide customer support
• Send important account updates and security alerts
• Respond to your inquiries and requests
• Send marketing communications (with your consent)
• Notify you of policy changes

Service Improvement: We use aggregated and anonymized data to:

• Analyze usage patterns and trends
• Improve app performance and functionality
• Develop new features and services
• Conduct research and analytics
• Optimize user experience
• Fix bugs and technical issues

Security and Fraud Prevention: We use your information to:

• Detect and prevent fraudulent transactions
• Monitor for suspicious activity
• Protect against security threats
• Investigate potential violations
• Enforce our Terms of Service
• Maintain platform security

21. Legal Basis for Processing

We process your personal information based on the following legal grounds:

Contract Performance: We process your information to perform our contract with you, including processing payments, managing your account, and providing our Services.

Legal Obligation: We process your information to comply with legal obligations, including:

• Financial regulations and reporting requirements
• Anti-money laundering laws
• Tax reporting obligations
• Court orders and legal processes
• Regulatory investigations

Legitimate Interests: We process your information for our legitimate business interests, including:

• Fraud prevention and security
• Service improvement and development
• Marketing and business development (with appropriate safeguards)
• Risk management
• Legal defense

Consent: We process certain information based on your explicit consent, such as:

• Marketing communications
• Location tracking
• Biometric authentication
• Optional data sharing

You may withdraw your consent at any time, though this may limit certain features.

22. Information Sharing - Detailed

We Do Not Sell Your Data: We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

Payment Processors: We share payment information with Stripe and other payment processors to facilitate transactions. These processors are contractually obligated to protect your data and comply with PCI DSS standards.

Financial Institutions: We share information with banks and financial institutions to:

• Process payouts to your bank account
• Verify bank account information
• Comply with banking regulations
• Facilitate Western Union transfers

Service Providers: We share information with service providers who assist our operations, including:

• Cloud hosting providers
• Customer support platforms
• Email and SMS service providers
• Analytics and monitoring services
• Identity verification services
• Fraud detection services
• Legal and accounting services

All service providers are contractually required to protect your information and use it only for specified purposes.

Legal and Regulatory: We may disclose your information when required by law or to:

• Comply with court orders, subpoenas, or legal processes
• Respond to government or regulatory requests
• Enforce our Terms of Service
• Protect our rights, property, or safety
• Investigate potential violations
• Prevent fraud or illegal activities

Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

With Your Consent: We may share your information with third parties when you explicitly consent to such sharing.

23. Data Security - Comprehensive Measures

Encryption: We use industry-standard encryption to protect your data:

• Transport Layer Security (TLS) 1.2+ for data in transit
• Advanced Encryption Standard (AES-256) for data at rest
• Encrypted database connections
• Encrypted backups

Access Controls: We implement strict access controls:

• Role-based access controls (RBAC)
• Multi-factor authentication for administrative access
• Regular access reviews and audits
• Principle of least privilege
• Secure credential management

Infrastructure Security: Our infrastructure is secured through:

• Secure cloud hosting with industry-leading providers
• Firewalls and network segmentation
• Intrusion detection and prevention systems
• Regular security updates and patches
• DDoS protection
• Secure configuration management

Security Monitoring: We continuously monitor for security threats:

• 24/7 security operations center
• Automated threat detection
• Security event logging and analysis
• Incident response procedures
• Regular security assessments

Employee Training: Our employees receive regular security training and are bound by strict confidentiality agreements.

Third-Party Security: We require all third-party service providers to maintain appropriate security measures and undergo security assessments.

Data Breach Response: In the event of a data breach, we will:

• Investigate and contain the breach immediately
• Notify affected users and relevant authorities as required by law
• Provide guidance on protective measures
• Take steps to prevent future breaches

24. Data Retention - Detailed Policies

Retention Periods: We retain your personal information for different periods depending on the type of data and legal requirements:

Account Information: We retain your account information for as long as your account is active, plus an additional period as required by law (typically 7 years for financial records).

Transaction Records: Transaction records are retained for 7 years from the date of the transaction, as required by Jamaican financial regulations and tax laws.

Verification Documents: Identity verification documents are retained for the duration of your account plus 7 years for compliance purposes.

Marketing Data: Marketing preferences and consent records are retained until you withdraw consent or close your account.

Support Communications: Customer support communications are retained for 3 years after the last interaction.

Analytics Data: Aggregated and anonymized analytics data may be retained indefinitely for research and improvement purposes.

Deletion: Upon account closure or deletion request, we will delete your personal information within 30 days, except where retention is required by law. Some data may be retained in anonymized form for analytics.

Backup Retention: Deleted data may persist in backups for up to 90 days before permanent deletion.

25. Your Rights - Comprehensive

Right to Access: You have the right to request access to your personal information. We will provide you with:

• A copy of your personal data
• Information about how we use your data
• Details about third parties with whom we share your data
• Information about data retention periods

Right to Rectification: You have the right to correct inaccurate or incomplete personal information. You can update most information through your account settings or by contacting us.

Right to Erasure: You have the right to request deletion of your personal information, subject to legal and regulatory retention requirements. We may not be able to delete certain information if:

• It is required for legal compliance
• It is necessary for contract performance
• It is needed for legal claims or defense
• It is part of an ongoing investigation

Right to Restrict Processing: You have the right to request that we limit how we use your personal information in certain circumstances, such as when you contest the accuracy of the data.

Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format. You can request export of your data at any time.

Right to Object: You have the right to object to processing of your personal information for:

• Direct marketing purposes
• Legitimate interests (where applicable)
• Automated decision-making

Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.

Right to Complain: You have the right to lodge a complaint with the relevant data protection authority if you believe we have violated your privacy rights.

Exercising Your Rights: To exercise any of these rights, please contact us at privacy@tryhandypay.com. We will respond to your request within 30 days.

26. Cookies and Tracking Technologies - Detailed

Types of Cookies: We use various types of cookies and similar technologies:

Essential Cookies: These are necessary for the Services to function and cannot be disabled:

• Authentication cookies
• Security cookies
• Session management cookies
• Load balancing cookies

Functional Cookies: These enhance functionality but are not essential:

• Preference cookies (language, region)
• Feature cookies (remembering settings)

Analytics Cookies: These help us understand how you use our Services:

• Usage analytics
• Performance monitoring
• Error tracking

Third-Party Cookies: Some third-party services we use may set their own cookies:

• Stripe (for payment processing)
• Analytics providers
• Customer support platforms

Managing Cookies: You can manage cookie preferences through:

• Your device settings (for mobile apps)
• Browser settings (for web access)
• Our app settings (where available)

Note that disabling certain cookies may limit functionality.

Do Not Track: Some browsers offer a "Do Not Track" feature. We do not currently respond to Do Not Track signals, but we respect your privacy choices through other mechanisms.

27. International Data Transfers - Detailed

Transfer Locations: Your data may be transferred to and processed in countries outside Jamaica, including:

• United States (for Stripe's payment processing)
• Other countries where our service providers operate

Safeguards: We ensure appropriate safeguards are in place for international transfers:

• Standard Contractual Clauses (SCCs) with service providers
• Data Processing Agreements (DPAs)
• Certification under recognized frameworks (where applicable)
• Due diligence on service providers
• Regular security assessments

Your Rights: When your data is transferred internationally, you retain all rights under this Privacy Policy and applicable data protection laws.

Legal Basis: International transfers are necessary for:

• Payment processing (Stripe operates globally)
• Cloud hosting and infrastructure
• Service provision and support
• Compliance with legal obligations

28. Children's Privacy - Detailed

Age Requirement: Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

Age Verification: During account registration, we verify that users are at least 18 years old. If we discover that we have collected information from a child under 18, we will:

• Immediately delete the information
• Close the account
• Refund any transactions (if applicable)
• Notify the child's parent or guardian (if possible)

Parental Rights: If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

Educational Use: Our Services are designed for business use and are not suitable for educational or personal use by minors.

29. Marketing Communications

Opt-In Consent: We only send marketing communications with your explicit consent. You can opt in when creating your account or through your account settings.

Types of Marketing: Marketing communications may include:

• Product updates and new features
• Promotional offers and discounts
• Educational content and tips
• Newsletters and company updates
• Event invitations

Opt-Out: You can opt out of marketing communications at any time by:

• Clicking the unsubscribe link in emails
• Updating your preferences in account settings
• Contacting us directly

Transactional Communications: You cannot opt out of transactional communications, which are necessary for service provision, including:

• Payment confirmations
• Account notifications
• Security alerts
• Important service updates
• Legal notices

Frequency: We limit marketing communications to avoid overwhelming you. You can adjust frequency preferences in your account settings.

30. Automated Decision-Making and Profiling

Automated Processing: We use automated systems for certain processes, including:

• Fraud detection and prevention
• Risk assessment
• Transaction approval or decline
• Account verification

Your Rights: You have the right to:

• Request human review of automated decisions
• Express your point of view
• Challenge automated decisions
• Understand the logic behind automated processing

Profiling: We may create profiles based on your usage patterns to:

• Personalize your experience
• Detect fraud
• Assess risk
• Improve our Services

You can object to profiling for marketing purposes at any time.

31. Third-Party Links and Services

External Links: Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

Integrated Services: Our Services integrate with third-party services, including:

• Stripe (payment processing)
• Apple Sign-In (authentication)
• Cloud hosting providers
• Analytics services
• Customer support platforms

Data Sharing: When you use integrated services, your data may be shared with those third parties in accordance with their privacy policies and our agreements with them.

Your Control: You can control some third-party integrations through your account settings. Disabling certain integrations may limit functionality.

32. Data Breach Notification

Our Commitment: We take data breaches seriously and have procedures in place to detect, respond to, and prevent breaches.

Notification Process: In the event of a data breach that may affect your personal information, we will:

• Investigate and contain the breach immediately
• Assess the risk and scope of the breach
• Notify affected users without undue delay (typically within 72 hours)
• Notify relevant authorities as required by law
• Provide information about the breach and steps taken
• Offer guidance on protective measures

Notification Methods: We will notify you of breaches through:

• Email to your registered address
• In-app notifications
• Public announcements (for significant breaches)

Information Provided: Breach notifications will include:

• Description of the breach
• Types of data affected
• Potential consequences
• Steps we are taking
• Recommended actions for you
• Contact information for questions

33. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to Know: You have the right to know what personal information we collect, use, disclose, and sell.

Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.

Right to Opt-Out: You have the right to opt out of the sale of your personal information. We do not sell personal information.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Verification: We may need to verify your identity before processing certain requests.

To exercise your California privacy rights, please contact us at privacy@tryhandypay.com.

34. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

Data Controller: HandyPay is the data controller for your personal information.

Lawful Basis: We process your data based on contract performance, legal obligation, legitimate interests, and consent as described in Section 21.

Data Protection Officer: For GDPR-related inquiries, you can contact our Data Protection Officer at privacy@tryhandypay.com.

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights.

Cross-Border Transfers: We use Standard Contractual Clauses and other appropriate safeguards for transfers outside the EEA as described in Section 27.

35. Changes to This Policy

Policy Updates: We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes: We will notify you of material changes by:

• Posting a notice in the app
• Sending an email to your registered address
• Updating the "Last Updated" date at the top of this Policy
• Providing prominent notice for significant changes

Material Changes: Material changes include:

• Changes to how we collect or use your information
• Changes to your rights
• Changes to data sharing practices
• Changes to security measures

Effective Date: Changes will take effect 30 days after notification, unless a shorter period is required by law or for security reasons.

Continued Use: Your continued use of our Services after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using our Services and may close your account.

Review: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

36. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@tryhandypay.com or support@tryhandypay.com
• Address: HandyPay, Jamaica
• Data Protection Officer: privacy@tryhandypay.com

Response Time: We aim to respond to privacy inquiries within 30 days. For urgent matters, please indicate "URGENT" in your subject line.

Verification: For security purposes, we may need to verify your identity before processing certain requests.

37. Acknowledgment

By using HandyPay's Services, you acknowledge that:

• You have read and understood this Privacy Policy
• You consent to our collection, use, and sharing of your information as described
• You understand your rights and how to exercise them
• You will review this Policy periodically for updates
• Your continued use constitutes acceptance of any modifications

Last Updated: May 23, 2025
Version: 2.0

This Privacy Policy is effective as of the Last Updated date above. By using HandyPay's Services, you acknowledge that you have read, understood, and agree to this Privacy Policy.