Privacy Policy.

PYMSTR Privacy Policy

Effective Date: February 25, 2026

1. About Our Services

PYMSTR provides non-custodial checkout and invoicing software for stablecoin payments. PYMSTR is a software provider only. All stablecoin transfers occur directly between users' self-custodial wallets on public blockchain networks. PYMSTR does not process, route, hold, or intermediate any funds. This means:

• We never hold, control, or have custody of any funds — all payments transfer directly from the customer's wallet to the merchant's wallet on-chain
• We are a software provider, not a money transmitter, financial institution, or Virtual Asset Service Provider (VASP)
• We do not perform KYC (Know Your Customer), KYB (Know Your Business), or AML (Anti-Money Laundering) verification on any user
• Our data collection practices are minimal by design — we collect only the information necessary to provide the software
• Stablecoin transfers occur on public blockchain networks (Ethereum, Base, Polygon, Arbitrum, BNB Chain)
• Supported stablecoins include USDT and USDC

Our Services are used by both merchants (who use our software to generate checkout pages and invoices) and customers (who use our software to view invoices and initiate payments). This Privacy Policy applies to both categories of users.

2. Legal Basis and Regulatory Framework

2.1 Data Protection Laws

We process personal data in accordance with:

• DIFC Data Protection Law — DIFC Law No. 5 of 2020 (as amended), as our primary data protection framework
• EU General Data Protection Regulation (GDPR) — where applicable to individuals in the European Economic Area
• UK GDPR — where applicable to individuals in the United Kingdom
• California Consumer Privacy Act (CCPA) — where applicable to California residents
• Other applicable data protection laws in jurisdictions where our users are located

2.2 Controller

For the purposes of applicable data protection laws:

• PYMSTR acts as the Controller of merchant account data collected directly through the Services. This includes first name, last name, and business legal name provided during registration, as well as contact name and contact email address provided by the merchant during profile setup. An email address may also be received from third-party authentication providers (such as Web3Auth) as part of the login process but is not independently verified by PYMSTR.
• PYMSTR also acts as the Controller of limited customer personal data received from third-party authentication providers (such as Web3Auth) during social login. This data is limited to the customer's email address and display name, and is used solely to associate the authentication identity with the customer's wallet. PYMSTR does not independently collect, verify, or solicit additional personal data from customers. For customers who connect their own external Web3 wallets (MetaMask, WalletConnect, Coinbase Wallet), PYMSTR holds no personal data beyond publicly available blockchain addresses.
• Merchants are independently responsible for complying with applicable data protection laws in respect of any personal data they collect from their own customers.

2.3 Legal Bases for Processing

We process personal data on the following legal bases:

• Contract performance — Providing the checkout software, maintaining accounts, providing the Services
• Legitimate interests — Security, service improvement, analytics; storing customer email and display name received from Web3Auth to maintain the link between the customer's authentication identity and their wallet
• Legal obligation — Responding to lawful requests, maintaining records as required by law
• Consent — Marketing communications (where required)

3. Information We Collect

3.1 Merchant Information

When merchants register for and use the Services, we collect:

• Required account data — First name, last name, business legal name — provided directly by the merchant during registration
• Authentication data — Email address — automatically received from third-party authentication providers (such as Web3Auth) during login; not independently verified by PYMSTR
• Contact data — Contact name, contact email address, contact phone number — provided directly by the merchant during merchant profile setup
• Auto-generated data — Settlement wallet address — created at account registration
• Transactional data — Payment amounts, stablecoins used, blockchain networks, fees, transaction hashes, timestamps — publicly recorded on blockchain networks
• Merchant-configured data — API keys, webhook endpoints, enforced payment settings, payment splitting configurations, accepted stablecoins and chains
• Usage data — Dashboard access, API calls, feature usage

During merchant upgrade (optional), merchants provide additional business profile information including business legal name, business address, business type, website URL, contact name, and contact email address.

3.2 Customer Information

PYMSTR collects minimal data from customers. The data collected depends on how the customer authenticates:

Social login customers (Google, Email, Phone, Apple):

When a customer authenticates via social login, a user record is created in PYMSTR's systems. PYMSTR receives the customer's email address and display name from the third-party authentication provider (Web3Auth) as part of the login process.

• Authentication data — Email address and display name — received from the third-party authentication provider (Web3Auth) during social login; not independently collected or verified by PYMSTR
• Wallet addresses — Embedded wallet addresses created during the authentication process — this data is publicly available on blockchain networks
• Transaction data — Payment amounts, stablecoins used, blockchain networks, transaction hashes, timestamps, merchant identifiers — this data is publicly recorded on blockchain networks

This authentication data is stored to associate the customer's authentication identity with their wallet. PYMSTR does not use customer email addresses or display names for marketing, profiling, or any purpose other than wallet association and account identification. PYMSTR does not share this data with merchants or other third parties.

External wallet customers (MetaMask, WalletConnect, Coinbase Wallet):

When a customer connects their own Web3 wallet, PYMSTR receives only the customer's public wallet address. No personal data is collected or stored.

• Wallet addresses — Connected Web3 wallet addresses used for payments — this data is publicly available on blockchain networks
• Transaction data — Payment amounts, stablecoins used, blockchain networks, transaction hashes, timestamps, merchant identifiers — this data is publicly recorded on blockchain networks

PYMSTR does not perform KYC or AML checks on customers. PYMSTR does not independently collect, verify, or solicit personal data from customers beyond what is automatically received from authentication providers during social login.

3.3 Technical Information

We automatically collect the following technical information when merchants access the merchant Dashboard:

• IP addresses
• Browser type and version
• Device information (operating system, device type)
• Access times and dates
• Pages viewed and features used
• Referring URLs

We do not use this data for advertising, profiling, or cross-site tracking. For customers using the checkout widget, standard server logs are collected for security and operational purposes but are not linked to any personal identity.

3.4 Compliance Screening

PYMSTR does not perform KYC, KYB, or AML verification. PYMSTR is not a Virtual Asset Service Provider (VASP). We are a software provider only.

We may screen wallet addresses against publicly available sanctions lists and risk databases. This screening uses only public blockchain addresses — no personal data is collected or processed for this purpose. We do not use identity verification services, credit reference agencies, or fraud prevention agencies.

We reserve the right to collect additional verification data in the future if required by Applicable Law.

4. How We Use Information

We use collected information to:

• Provide Services — Provide checkout software, generate invoices, operate merchant dashboards, enable payment splitting configuration
• Facilitate Wallet Creation — Direct customers to third-party authentication and wallet providers (such as Web3Auth) for self-custodial wallet creation via social login
• Associate Authentication Identity — Store email address and display name received from Web3Auth for social login customers to maintain the link between the customer's authentication identity and their wallet
• Send Notifications — Transaction confirmations, service updates, and security alerts to merchants
• Improve Services — Analyse usage patterns, fix bugs, develop new features
• Ensure Security — Prevent abuse, protect against unauthorised access
• Comply with Law — Meet legal obligations, respond to lawful requests from courts and regulatory authorities
• Communicate — Respond to inquiries, provide support
• Enforce Agreements — Enforce our Merchant Agreement, Customer Agreement, and this Privacy Policy

PYMSTR does not use information for identity verification, credit checks, or KYC/AML purposes. We do not share information with credit reference agencies or fraud prevention agencies.

5. Information Sharing

We may share information in the following circumstances:

5.1 Service Providers

We work with third-party service providers who assist in operating our Services:

• Embedded Wallet Providers — Facilitate creation of self-custodial wallets for customers (e.g., Web3Auth). These providers handle authentication independently under their own privacy policies. PYMSTR receives limited data (email address and display name) transmitted by these providers during social login, used solely for wallet association.
• Blockchain Networks — Process transactions on Ethereum, Base, Polygon, Arbitrum, and BNB Chain
• Cloud Infrastructure — Host and operate our Services
• Analytics — Understand service usage and performance

PYMSTR does not share customer personal data received from authentication providers with any third party.

5.2 Blockchain Networks

Transaction data is recorded on public blockchain networks. This data is publicly visible and includes wallet addresses and transaction details. This is inherent to blockchain technology and cannot be changed or deleted.

5.3 Merchants

When you make a Payment through our Services, the relevant Merchant will receive transaction data including the payment amount, stablecoin used, blockchain network, transaction hash, and your wallet address. This is all publicly available blockchain data. PYMSTR does not share customer email addresses or other personal data received from authentication providers with merchants. Merchants receive only publicly available blockchain transaction data and process it in accordance with their own privacy policies.

5.4 Legal Requirements

We may disclose information if required by law, legal process, or government request, including requests from the DIFC Commissioner of Data Protection, courts, or regulatory authorities. We may also disclose information if we believe disclosure is necessary to:

• Comply with applicable laws or regulations
• Protect the rights, property, or safety of PYMSTR, our users, or the public
• Detect, prevent, or address security or technical issues
• Respond to lawful requests regarding publicly available blockchain data

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred to the acquiring entity. We will notify affected users of any such transfer.

5.6 PYMSTR Group

We may share information with other entities within the PYMSTR Group where necessary for the operation of our Services, compliance with legal obligations, or legitimate business purposes.

5.7 With Consent

We may share information with your consent or at your direction.

6. Third-Party Services

6.1 Authentication Providers

We offer multiple login options:

For merchants:

When merchants authenticate using social login or email, they share information with both PYMSTR and the respective authentication provider according to the provider's privacy policy. PYMSTR receives the information necessary to create and maintain the merchant account.

For customers:

When customers authenticate via social login to create an embedded wallet, authentication is handled by the third-party provider (such as Web3Auth). As part of this process, PYMSTR receives the customer's email address and display name from the authentication provider, which PYMSTR stores to associate the authentication identity with the customer's wallet. PYMSTR does not use this data for marketing, profiling, or any purpose beyond wallet association, and does not share it with merchants or other third parties. Customers who connect their own external Web3 wallets share only their public wallet address with PYMSTR.

Social Login options:

• Google
• Email
• Phone (SMS)
• Apple

Web3 Wallets:

• MetaMask
• WalletConnect
• Coinbase Wallet

6.2 Embedded Wallet Providers

When customers use social login, an embedded self-custodial wallet is created through third-party wallet infrastructure providers (such as Web3Auth). These providers:

• Enable wallet creation without requiring prior crypto knowledge
• Operate according to their own privacy policies and terms of service
• Do not share wallet private keys with PYMSTR
• May collect and process personal data independently as controllers for their own purposes

We encourage you to review the privacy policies of the relevant embedded wallet provider.

6.3 Block Explorers

Transaction verification links may direct to public block explorers:

• etherscan.io (Ethereum)
• basescan.org (Base)
• polygonscan.com (Polygon)
• arbiscan.io (Arbitrum)
• bscscan.com (BNB Chain)

These are third-party services with their own privacy policies.

7. Data Retention

We retain information for as long as necessary to:

• Provide the Services
• Comply with legal obligations
• Resolve disputes
• Enforce agreements

Specific retention periods:

• Merchant account data — Duration of account plus 6 years after account closure (or as required by applicable law)
• Customer authentication data — Email address and display name received from social login — duration of wallet association. Customers may request deletion by contacting [email protected].
• Transaction data — 6 years from the date of the transaction (to comply with financial record-keeping requirements). Note: on-chain transaction data is permanently and publicly recorded on blockchain networks independent of PYMSTR.
• Wallet screening data — 6 years from the date of screening (or as required by applicable law)
• Technical/usage data — Up to 2 years from collection
• Marketing consent records — Duration of consent plus 3 years
• Blockchain data — Permanent — transaction data recorded on blockchain networks is publicly visible and cannot be deleted

For other data not listed above, retention periods depend on the type of information and legal requirements. You may request deletion of your merchant account data by contacting us, subject to our legal obligations to retain certain records.

8. Data Security

We implement appropriate technical and organisational measures to protect information, including:

• Encryption of data in transit (TLS) and at rest
• Access controls and authentication requirements
• Regular security assessments
• Secure API authentication (SHA256 HMAC signatures)
• Role-based access controls for internal systems
• Incident response procedures

However, no system is completely secure. We cannot guarantee absolute security of your information.

9. International Data Transfers

We operate globally and may transfer information to countries outside the DIFC, the UAE, the EEA, or your country of residence. International data transfers apply primarily to merchant account data and limited customer authentication data (email address and display name) received from Web3Auth during social login.

When transferring personal data internationally, we implement appropriate safeguards in accordance with the DIFC Data Protection Law and other applicable data protection laws, which may include:

• Standard contractual clauses approved by the relevant supervisory authority
• Transfer to jurisdictions that have been recognised as providing an adequate level of data protection
• Other appropriate safeguards as required by applicable law

10. Your Rights and Choices

The rights described in this section apply to merchants in respect of their merchant account data. These rights also apply to customers whose personal data (email address and display name) PYMSTR holds as a result of social login. Customers may exercise their rights by contacting [email protected]. Customers who have questions about personal data held separately by third-party authentication providers (such as Web3Auth) should also contact those providers directly under their respective privacy policies.

10.1 General Rights

Depending on your jurisdiction and applicable law, you may have the right to:

• Access information we hold about you
• Correct inaccurate information
• Delete your account and associated data (excluding blockchain records and data we are legally required to retain)
• Object to certain processing activities
• Restrict processing in certain circumstances
• Data portability — receive your data in a structured, commonly used format
• Withdraw consent where processing is based on consent

10.2 DIFC Residents

If you are located in the DIFC, you have rights under the DIFC Data Protection Law, DIFC Law No. 5 of 2020, including the rights listed in clause 10.1 above. To exercise these rights or to lodge a complaint, you may contact the DIFC Commissioner of Data Protection.

10.3 European Economic Area and UK Residents

If you are located in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR), including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision-making

You also have the right to lodge a complaint with your local supervisory authority.

10.4 California Residents

California residents have rights under the California Consumer Privacy Act (CCPA), including:

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale of personal information
• Right to non-discrimination

We do not sell personal information as defined under the CCPA.

10.5 Exercising Your Rights

To exercise any of the rights described above, contact us at [email protected]. We will respond to your request within the timeframe required by applicable law (typically within 30 days). We may need to verify your identity before processing your request.

10.6 Communication Preferences

To opt out of marketing communications, email us at [email protected] or use the unsubscribe link in any marketing email.

11. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

• Strictly Necessary — Maintain session state, authenticate users, enable core functionality (Session / persistent)
• Functional — Remember preferences, settings (Up to 1 year)
• Analytics — Understand service usage, performance monitoring (Up to 2 years)

We do not use advertising or tracking cookies.

You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or set preferences for certain websites. Disabling strictly necessary cookies may affect the functionality of the Services.

12. Children's Privacy

The Services are not directed to individuals under 18. We do not knowingly collect information from children. If you believe we have collected information from a child, contact us immediately at [email protected] and we will take steps to delete such information.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Posting the updated policy on our website
• Updating the "Effective Date"
• Sending notice to registered users when required by law

Your continued use of the Services after changes constitutes acceptance of the updated policy. If you do not agree with any changes, you should discontinue use of the Services.

14. Contact Us

For questions about this Privacy Policy, to exercise your rights, or to lodge a complaint, contact us:

For complaints regarding our handling of your personal data, you may also contact the DIFC Commissioner of Data Protection.

Last Updated: February 25, 2026