Policy

No-log policy

Privacy claims are easy to make and hard to verify. Here is the exact list of fields our database holds, and the fields we deliberately discard at the edge. If a field isn't on the "stored" list, it doesn't exist in our systems.

What we store

  • Merchant account: Email, hashed password, approval status, billing plan.
  • API keys: Bcrypt hash of the key, label, scopes, created/last-used timestamp.
  • Invoices: Invoice ID, amount, currency, coin, status, expiry, on-chain txid once confirmed.
  • Webhook deliveries: Endpoint URL, response code, retry count. Payload kept 7 days for debugging, then purged.
  • Address rotations: Rotation timestamp and which key triggered it. No customer linkage.

What we don't store

  • Customer IP addresses (stripped at the edge proxy).
  • Customer email, name, shipping address, or any PII.
  • Browser fingerprints, cookies, or device identifiers from the checkout page.
  • Geolocation data of any kind.
  • Referrer headers on the hosted checkout.
  • Cross-invoice linkage — invoices are not joinable to customer profiles because no customer profile exists.

Retention

Invoices and on-chain references are kept for the lifetime of the merchant account (you need them for accounting). Webhook payload bodies are purged after 7 days. Application logs are line-buffered, scrubbed of identifiers, and rotated every 24 hours.

Subpoenas & data requests

We comply with valid legal requests from our jurisdiction. Because of the policy above, the data available to disclose is structurally limited to the "stored" list and is scoped to a specific merchant account, never a specific customer.