PayKeeper, Inc.

PRIVACY POLICY

 

Effective Date: March 18, 2026
Last Updated: March 18, 2026

Introduction

PayKeeper, Inc. (“PayKeeper,” “we,” “us,” or “our”) is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy (“Policy”) explains how we collect, use, protect, share, and retain personal data in connection with our websites, applications, and services.

This Policy applies to:

  • Our websites, including paykeeper.com, app.paykeeper.com, and admin.paykeeper.com
  • The PayKeeper application and all features, functionalities, and services accessible through it
  • All communications you send to or receive from us
  • Personal data we receive from third parties in connection with providing our services

We refer to our websites, applications, and services collectively as the “Platform.”

PayKeeper, Inc. is the data controller for personal data processed under this Policy.

If you have questions about this Policy or our privacy practices, contact us at:

PayKeeper, Inc.
893 Baxter Drive
South Jordan, Utah 84095
United States of America

Email: [email protected]

Subject line: Privacy Inquiry

By using our Platform, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use our Platform.

1.  Personal Data We Collect

When we refer to “Personal Data” in this Policy, we mean information that identifies, relates to, describes, or is reasonably capable of being associated with a specific person, whether directly or in combination with other information.

1.1  Identity and Contact Information

We collect information that identifies you or your business, including:

  • Full legal name, business name, and authorized representatives
  • Email address, telephone number, and mailing or physical address
  • Government-issued identification numbers (e.g., passport, driver’s license, EIN, SSN for sole proprietors)
  • Date of birth (for KYC verification purposes)
  • IP address and online identifiers
  • Beneficial ownership information required under the Bank Secrecy Act and Corporate Transparency Act

1.2  Financial and Transaction Information

To provide escrow, payment processing, and related services, we collect:

  • Bank account numbers, routing numbers, and account ownership information
  • Digital wallet addresses (including cryptocurrency and stablecoin wallet addresses)
  • Payment card information (processed exclusively through PCI-DSS certified third-party processors; we do not store card details)
  • Transaction history, amounts, dates, counterparties, and conditions
  • Stablecoin transaction data, including on-chain addresses and transaction identifiers
  • Income, expenses, and financial statements provided for underwriting or fund control purposes

1.3  Business and KYB / KYC Verification Data

For all clients, we collect information to fulfill our legal obligations under applicable anti-money laundering (AML) and Know Your Customer / Know Your Business (KYC/KYB) regulations:

  • Business registration documents, articles of incorporation, and operating agreements
  • Ultimate Beneficial Owner (UBO) information, including identity documents
  • Sanctions screening data, including results from OFAC, UN, EU, and applicable watchlists
  • Source of funds documentation
  • Politically Exposed Person (PEP) screening results
  • Ongoing transaction monitoring data

1.4  Platform Account Information

When you create and use a PayKeeper account, we collect:

  • Username, password (hashed and encrypted), and security credentials
  • Account activity, login history, and access logs
  • User preferences, notification settings, and platform configuration

1.5  Communications Data

When you communicate with us or through our Platform, we may collect:

  • Emails, in-platform messages, chat logs, and voicemails
  • Support tickets, feedback, and correspondence
  • Records of consent and opt-in/opt-out choices

1.6  Usage and Technical Information

When you access our Platform, we automatically collect certain technical information:

  • Device type, operating system, browser type, and language preferences
  • IP address and approximate geographic location (country/city level)
  • Pages visited, features used, session duration, and clickstream data
  • Referral sources, search terms, and navigation paths
  • Cookies and similar tracking technology data (see Section 5)

1.7  Third-Party Sourced Data

We may receive personal data from third parties, including:

  • Identity verification and KYC/KYB service providers
  • Credit reporting agencies and fraud detection services
  • Banking partners and payment networks
  • Other users of the Platform who invite or refer you
  • Publicly available sources, including business registries and government records

2.  How We Collect Personal Data

2.1  Directly From You

We collect personal data directly from you when you:

  • Register for an account or request information about our services
  • Complete KYB/KYC onboarding verification
  • Create or fund an escrow account or initiate a payment
  • Submit documentation for milestone verification or fund releases
  • Communicate with us by email, phone, chat, or through the Platform
  • Complete surveys, forms, or provide feedback

2.2  Automatically When You Use Our Platform

Our systems automatically collect usage and technical data when you access the Platform. See Section 5 (Cookies and Tracking Technologies) for details.

2.3  From Third Parties

We receive personal data from third-party service providers and partners, including identity verification vendors, banking partners, and fraud detection services, as necessary to provide our services and comply with legal obligations. We may combine information from these sources with information we hold about you.

3.  How We Use Personal Data

3.1  Service Delivery

We use personal data to provide, operate, and improve our Platform and services, including:

  • Creating and managing escrow accounts and payment workflows
  • Processing and executing fund disbursements and payment transactions
  • Verifying identity and business credentials (KYC/KYB) for onboarding
  • Conducting milestone verifications, document reviews, and AI-assisted fund control checks
  • Managing stablecoin transactions and on-chain compliance screening
  • Processing foreign exchange transactions through our banking partners
  • Supporting customer service, technical support, and dispute resolution

3.2  Legal and Regulatory Compliance

We are legally required to use personal data for:

  • Anti-money laundering (AML) program obligations under the Bank Secrecy Act
  • Know Your Customer (KYC) and Know Your Business (KYB) verification
  • Sanctions screening under OFAC, UN Security Council, and applicable international sanctions programs
  • Filing Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) with FinCEN
  • Complying with state escrow licensing obligations, including Utah escrow law
  • Responding to lawful requests from government authorities, law enforcement, and courts
  • Beneficial ownership reporting under the Corporate Transparency Act
  • Complying with stablecoin regulations under the GENIUS Act and applicable law
  • Meeting record-keeping obligations under the Bank Secrecy Act and applicable law

3.3  Security and Fraud Prevention

We use personal data to:

  • Detect, prevent, and investigate fraud, unauthorized access, and financial crime
  • Conduct identity theft detection under our Identity Theft Prevention Program (ITPP)
  • Monitor transactions for suspicious activity and apply risk-based controls
  • Conduct on-chain analytics for stablecoin and virtual asset transactions
  • Maintain the security and integrity of our systems and client accounts

3.4  Communications and Account Management

We use personal data to:

  • Send transactional communications (account alerts, escrow deposit confirmations, payment notifications, milestone updates)
  • Provide onboarding assistance and platform guidance
  • Respond to inquiries and support requests
  • Send service-related announcements and regulatory notices

3.5  Business Operations and Improvement

We use personal data for legitimate business purposes, including:

  • Analyzing platform usage to improve features and user experience
  • Conducting internal research, testing, and quality assurance
  • Managing business relationships and vendor obligations
  • Conducting audits, risk assessments, and compliance reviews

3.6  Marketing Communications

With your consent (where required), we may use your contact information to send you:

  • Information about new products, features, and services
  • Industry news, compliance updates, and educational content

You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected]. Opting out of marketing does not affect transactional or legally required communications.

3.7  Stablecoin Transaction Data — Special Rules

In connection with our stablecoin payment services, we observe the following additional rules:

  • We do not use stablecoin transaction data for targeted advertising purposes.
  • We do not sell or share stablecoin transaction data with non-affiliated third parties without your explicit consent, except as required by law or as strictly necessary to provide contracted services.
  • These restrictions apply in accordance with the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act, Pub. L. No. 119-___, 2025) and applicable regulations.

4.  How We Share Personal Data

We do not sell personal data. We share personal data only in the circumstances described below.

4.1  Service Providers and Sub-Processors

We share personal data with third-party service providers who process data on our behalf to help us deliver the Platform. These providers are contractually required to protect personal data, use it only as directed, and comply with applicable privacy and security law. We maintain Data Processing Agreements (DPAs) with all sub-processors.

We engage service providers in the following categories:

  • Communications — email delivery, SMS notifications, and transactional messaging
  • Analytics — website and platform usage analytics and performance monitoring
  • Identity Verification — KYC/KYB identity verification, sanctions screening, and PEP screening
  • Banking and Payments — escrow trust account banking, payment processing, and foreign exchange settlement (including JPMorgan Chase Bank, N.A., Continental Bank, and Zions Bank)
  • Blockchain Analytics — on-chain transaction screening and VASP compliance for stablecoin services
  • Cloud Infrastructure — application hosting and data storage, operated by ISO 27001 and SOC 2 Type 2 certified providers
  • Account Linking — bank account verification and financial data connectivity
  • Customer Relationship Management — business relationship and account management

A current list of our sub-processors is available upon written request. Contact [email protected] with the subject line: Sub-Processor List Request.

4.2  Legal Obligations and Government Requests

We may disclose personal data when required by law, legal process, or government authority, including:

  • In response to a court order, subpoena, or lawful request from a regulatory authority
  • To file Suspicious Activity Reports (SARs) or Currency Transaction Reports (CTRs) with FinCEN
  • To comply with OFAC sanctions reporting obligations
  • To comply with state escrow regulatory requirements, including examination and audit requests
  • To comply with any other applicable legal obligation

We will notify you of such disclosures to the extent permitted by law.

4.3  Business Transfers

If PayKeeper undergoes a merger, acquisition, reorganization, or sale of all or substantially all of its assets, personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Platform before your personal data is transferred and becomes subject to a different privacy policy.

4.4  With Your Consent

We may share personal data with third parties in other circumstances with your explicit prior consent.

4.5  Aggregated and De-Identified Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you. We do not attempt to re-identify such data.

4.6  We Do Not Sell Personal Data

PayKeeper does not sell, rent, or trade personal data to third parties for their own marketing or commercial purposes.

5.  Cookies and Tracking Technologies

5.1  What We Use

We use cookies and similar tracking technologies on our Platform, including:

Type | Technology | Purpose
Strictly Necessary | Session cookies, security tokens | Essential to Platform operation — login, session management, security
Analytics | Google Analytics | Understand how users interact with our Platform; improve features
Marketing / Advertising | LinkedIn Insight Tag | Track conversions, analyze ad effectiveness, retargeting
Functional | Preference cookies | Remember your settings and language preferences

5.2  LinkedIn Insight Tag

Our website uses the LinkedIn Insight Tag, operated by LinkedIn Ireland Unlimited Company. This tag collects data about your visits to our website for analytics and advertising purposes, including tracking conversions from LinkedIn ads. LinkedIn may use this data in accordance with its own privacy policy, available at linkedin.com/legal/privacy-policy. To opt out of LinkedIn tracking, visit linkedin.com/psettings/guest-controls/retargeting-opt-out.

5.3  Google Analytics

We use Google Analytics, provided by Google LLC, to understand how our Platform is used. Google Analytics may transmit data to Google servers in the United States. You may opt out by installing the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout. Google’s privacy policy is available at policies.google.com/privacy.

5.4  Managing Cookies

You can manage or disable cookies through your browser settings. Most browsers allow you to:

  • View and delete cookies stored on your device
  • Block all or specific cookies from being set
  • Receive a warning before a cookie is placed

Note: disabling strictly necessary cookies may prevent certain Platform features from functioning. For more information about cookies, visit allaboutcookies.org.

5.5  EU/UK Cookie Consent

If you are located in the European Economic Area (EEA) or the United Kingdom, we will request your consent before placing non-essential cookies on your device. You may withdraw or modify your consent at any time through our cookie preference center.

5.6  Do Not Track

Our Platform does not currently respond to browser “Do Not Track” signals. We will continue to evaluate this as industry standards and legal requirements develop.

6.  Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, maintain our business relationships, and comply with our legal obligations. The following minimum retention periods apply:

Data Category | Minimum Retention Period | Legal Basis
KYC/KYB identity verification records | 5 years after end of business relationship | Bank Secrecy Act (31 U.S.C. §5318)
Transaction records and escrow account records | 5 years after transaction date | Bank Secrecy Act; Utah Escrow Law
Suspicious Activity Report (SAR) records | 5 years from filing date | Bank Secrecy Act (31 CFR §1010.430)
Currency Transaction Report (CTR) records | 5 years from filing date | Bank Secrecy Act
AML program and ITPP documentation | 5 years | Bank Secrecy Act; FTC Red Flags Rule
Stablecoin transaction records | 5 years | BSA; GENIUS Act; applicable law
Account records (active accounts) | Duration of relationship plus 5 years | BSA; contractual obligation
Contracts and escrow agreements | 7 years after expiration | Legal / contractual obligation
Marketing and communications data | Until opt-out or 3 years from last interaction | Consent / legitimate interests
Website usage / analytics data | Up to 26 months | Legitimate interests (Google Analytics default)
CCTV / physical security data (if any) | 30 days | Legitimate interests

After applicable retention periods expire, personal data is securely deleted or anonymized using industry-standard methods. Note that erasure requests under GDPR or CCPA may not override mandatory AML retention obligations under the Bank Secrecy Act and applicable law.

7.  Data Security

We implement technical, organizational, and administrative safeguards designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. These measures include:

7.1  Technical Controls

  • Encryption in transit: TLS 1.2 or higher for all data transmitted to and from our Platform
  • Encryption at rest: AES-256 (AES-GCM) for all stored data
  • Multi-factor authentication required for Platform access
  • Role-based access controls limiting data access to authorized personnel only
  • Automated security monitoring and threat detection tools
  • Bank account transactions require dual signing authority with full audit logs
  • Hardware Security Module (HSM) key storage for stablecoin wallet operations

7.2  Organizational Controls

  • SOC 2 Type II certified — independently audited security controls
  • ISO 27001 certified application hosting and data center partners
  • PCI DSS compliant payment processing (cards processed by certified third parties; we never store card details)
  • Mandatory background checks for all employees with access to personal data
  • Security and privacy training required for all employees
  • Non-disclosure agreements required of all employees
  • Third-party vendor due diligence program with contractual data protection requirements

7.3  Incident Response

We maintain an incident response program. In the event of a data breach that may affect your rights and freedoms, we will notify affected individuals and applicable regulatory authorities as required by law.

Despite these measures, no security system is perfect. We cannot guarantee the absolute security of your personal data. You are responsible for maintaining the confidentiality of your account credentials.

8.  Your Privacy Rights — United States

8.1  California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know

You have the right to request that we disclose the categories and specific pieces of personal data we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.

Right to Delete

You have the right to request deletion of personal data we have collected from you, subject to certain exceptions (including our legal obligations to retain data under AML and other laws).

Right to Correct

You have the right to request that we correct inaccurate personal data we maintain about you.

Right to Opt Out of Sale or Sharing

PayKeeper does not sell personal data and does not share personal data for cross-context behavioral advertising. If this practice changes, we will update this Policy and provide a “Do Not Sell or Share My Personal Information” link.

Right to Limit Use of Sensitive Personal Information

We use sensitive personal information (such as government ID numbers and financial account data) only as necessary to provide our services and comply with legal obligations. You may request that we limit our use of sensitive personal information beyond what is necessary.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights.

How to Submit a Request

To exercise your California privacy rights, contact us at:

We will respond to verified requests within 45 days (with a possible 45-day extension with notice). We will verify your identity before processing your request to protect against unauthorized access.

We have entered into Data Processing Agreements (DPAs) with our partners to comply with CCPA, CPRA, and other applicable data privacy laws.

8.2  Other U.S. State Privacy Laws

Residents of other U.S. states with enacted privacy legislation (including Virginia, Colorado, Connecticut, Texas, and others) may have similar privacy rights. We extend equivalent rights to all U.S. residents, including the right to access, correct, and delete personal data, subject to applicable exceptions. Contact us at [email protected] to make a request.

9.  Information for EU and UK Users (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, this section provides additional information required by the General Data Protection Regulation (GDPR) and UK GDPR.

9.1  Data Controller

PayKeeper, Inc. is the data controller for personal data processed under this Policy.

9.2  Lawful Basis for Processing

We process your personal data on the following legal bases:

Processing Activity | Legal Basis (GDPR Article 6) | Details
KYC/KYB identity verification | Art. 6(1)(c) Legal obligation | AML Directives, Bank Secrecy Act, FinCEN rules
Escrow and payment services | Art. 6(1)(b) Contract performance | Required to provide the services you have requested
Sanctions and OFAC screening | Art. 6(1)(c) Legal obligation | OFAC regulations, EU sanctions law, UN sanctions
Fraud detection and security | Art. 6(1)(f) Legitimate interests | Protecting clients and the integrity of financial transactions
Platform analytics and improvement | Art. 6(1)(f) Legitimate interests | Understanding usage to improve our services
Marketing communications | Art. 6(1)(a) Consent | Only where you have provided explicit opt-in consent
Responding to legal requests | Art. 6(1)(c) Legal obligation | Court orders, regulatory requests, SAR/CTR filing

9.3  Your Rights Under GDPR / UK GDPR

You have the following rights regarding your personal data. We will respond to requests within 30 days (extendable by up to two further months for complex requests, with notice).

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure — ‘Right to Be Forgotten’ (Article 17)

You have the right to request that we delete your personal data. This right is subject to important limitations: we are legally required to retain AML/KYC records for a minimum of five years under the Bank Secrecy Act and equivalent laws, and these retention obligations override erasure requests for that data. We will inform you if an erasure request cannot be fulfilled due to legal obligations.

Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances (for example, while an accuracy dispute is being resolved).

Right to Data Portability (Article 20)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making (Article 22)

We use automated systems to support fund control decisions (AI-assisted verification). These systems do not make final decisions that produce legal effects — all fund releases require satisfaction of contractual conditions and human oversight. You may request human review of any automated determination by contacting [email protected].

How to Exercise Your Rights

Submit a request to [email protected] with subject line: “GDPR Data Rights Request.” Include your full name, the nature of your request, and sufficient information to verify your identity. We do not charge a fee for requests unless they are manifestly unfounded or excessive.

9.4  International Data Transfers

PayKeeper, Inc. is based in the United States. If you are located in the EEA or UK, your personal data is transferred to and processed in the United States.

These transfers are made pursuant to Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers of personal data from the United Kingdom, we rely on the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable. Copies of the applicable SCCs are available upon written request to [email protected].

For transfers to our sub-processors, we ensure appropriate safeguards are in place through Data Processing Agreements incorporating approved transfer mechanisms.

9.5  Right to Lodge a Complaint

If you believe we have processed your personal data in violation of applicable law, you have the right to lodge a complaint with your local data protection supervisory authority.

  • EU users: Contact the national Data Protection Authority (DPA) in your country of residence. A list of EU DPAs is available at edpb.europa.eu.
  • UK users: Contact the Information Commissioner’s Office (ICO) at ico.org.uk or by telephone at 0303 123 1113.

We encourage you to contact us first at [email protected] — we will make every effort to resolve your concern before you need to escalate to a supervisory authority.

10.  Children’s Privacy

Our Platform is designed for business use and is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If we discover that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we have received personal data from a minor, please contact us at [email protected].

11.  Third-Party Links and Services

Our Platform may contain links to third-party websites or services that are not operated by PayKeeper. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through links on our Platform. We are not responsible for the privacy practices or content of third-party websites.

12.  Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this Policy
  • Post the revised Policy on our website at paykeeper.com/privacy
  • Notify you by email or a prominent notice on our Platform where the changes materially affect your rights

Your continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree with a revised Policy, please discontinue your use of the Platform.

13.  Contact Us

For questions, concerns, or to exercise your privacy rights, contact PayKeeper’s Compliance team:

Email | [email protected]
Subject Line | Privacy Inquiry — [Your Name / Company]
Response Time | Within 30 days for GDPR requests; within 45 days for CCPA requests
GDPR Rights Requests | Subject line: GDPR Data Rights Request
CCPA Rights Requests | Subject line: California Privacy Rights Request
Security Incidents | Subject line: Security Incident Report
Registered Address | PayKeeper, Inc. 893 Baxter Drive, South Jordan, Utah 84095