Andypay

Privacy Policy

Last updated: 2026

Provisional document — to be reviewed by a lawyer / DPO before going live.

1. Data controller

Andypay LLC, registered address to be completed. Data Protection Officer: [email protected].

2. Data collected

  • Identity: last name, first name, email, password (hashed).
  • KYC: via a licensed partner — Andypay does not store the identity documents themselves.
  • Payment: card data is tokenised — no card data is stored by Andypay.
  • Transaction & risk: amounts, references, device and fraud-engine signals.
  • Browsing: technical logs and session cookies.

3. Purposes

Service delivery, branded checkout and payment processing, fraud scoring, settlement and payouts, billing, AML/KYC compliance, customer support and product improvement.

4. Legal basis

Performance of the contract (Art. 6.1.b GDPR), legal obligation (Art. 6.1.c GDPR) and legitimate interest (Art. 6.1.f GDPR), in particular for fraud prevention.

5. Retention period

  • Active accounts: duration of the contractual relationship
  • KYC data: 5 years after closure (AML obligation)
  • Transaction and fraud-engine data: 5 years
  • Technical logs: 12 months
  • Billing data: 10 years (accounting obligation)

6. Subprocessors

  • Licensed payment partner (European Union) — payment processing and KYC
  • Cloud host (European Union) — application and data hosting
  • Transactional email service — with Standard Contractual Clauses
  • PCI tokenisation service — with Standard Contractual Clauses

7. Your rights

Access, rectification, erasure, portability, objection and restriction. Contact [email protected] or the CNIL (cnil.fr) in case of a dispute.

8. Security

TLS 1.3 encryption in transit, AES-256 at rest. Hashed passwords. No card data or identity document stored on our servers. Card data is tokenised by a PCI-DSS certified partner.

© 2026 Andypay LLC. All rights reserved.