Privacy Policy
Last updated April 11, 2026
Last Updated: February 2, 2026
1. Introduction
SolvaPay Inc. ("SolvaPay," "we," "us," or "our") is committed to protecting the privacy and personal data of all individuals who use our platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use the SolvaPay website at solvapay.com, our APIs, dashboards, hosted checkout pages, pay via a SolvaPay account or otherwise use our related services (collectively, the "Service").
SolvaPay Inc. is incorporated in Delaware, USA. SolvaPay AB, our Swedish subsidiary, operates the service infrastructure and holds contracts with hosting and IT service providers. For the purposes of this Privacy Policy, SolvaPay Inc. is the data controller of personal data collected through the Service (except where SolvaPay processes data on behalf of Providers as a data processor — see Section 5 below).
This Privacy Policy applies to all users of the Service, including Providers (developers and businesses who integrate with SolvaPay) and End-Users (individuals who purchase products or services from Providers through SolvaPay-hosted checkout).
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Data Controller and Contact Information
Data Controller: SolvaPay Inc.
Address: Grev Turegatan 10B, 114 46 Stockholm, Sweden
Data Protection Officer: dpo@solvapay.com
For any questions or concerns regarding this Privacy Policy or our data practices, please contact our Data Protection Officer at dpo@solvapay.com.
3. Personal Data We Collect
3.1 Data Collected from Providers
When you register and use the Service as a Provider, we may collect:
- Account information: name, email address, business name, business address, phone number, and other registration details.
- Identity and verification data: information required for identity verification and know-your-customer (KYC) processes as mandated by our Payment Service Provider(s), which may include government-issued identification, tax identification numbers, and business registration documents.
- Financial information: bank account details for payouts (processed and stored by our Payment Service Provider), transaction history, payout records, and fee statements.
- Technical data: IP address, browser type, device information, operating system, and access timestamps.
- Usage data: interactions with the dashboard, API call logs, AI token consumption metrics, entitlement and usage limit checks, configuration settings, and feature utilization.
- Public profile data: name, description, service capabilities, and other information you choose to publish on the Registry.
- Communications: correspondence with our support team and any feedback you provide.
3.2 Data Collected from End-Users
We may collect:
- Account information: if you set up an account with us, we will process personal data such as your name and email address. We may also process this data to process the transaction and provide receipts.
- Transaction information: purchase details, product or plan selected, transaction amount, currency, and timestamp.
- Payment information: payment card details are collected and processed directly by our Payment Service Provider(s). SolvaPay does not directly access, process, or store raw payment card numbers.
- Technical data: IP address, browser type, device information, and access timestamps.
- Communications: If you contact us directly (e.g., via our contact forms), we may receive additional information about you, such as your name, email address, phone number, the contents of a message or attachments that you may send to us, and other information you choose to provide.
3.3 Data Collected via Third-Party Login Providers
You may register for or log in to the Service using third-party authentication providers, including Google and GitHub ("Third-Party Login Providers"). When you choose to authenticate via a Third-Party Login Provider, we may receive the following information from your third-party account, depending on the provider and your account settings:
- From Google: name, email address, profile picture, and Google account identifier.
- From GitHub: username, email address, profile picture, and GitHub account identifier.
We use this information solely to create and manage your SolvaPay Account and to authenticate your identity. We do not access your third-party account credentials (such as passwords), and we do not post to or modify your third-party accounts.
You may control the information shared with SolvaPay by adjusting the privacy settings on your Third-Party Login Provider account. Disconnecting a Third-Party Login Provider from your SolvaPay Account will not automatically delete personal data already collected; you may request deletion in accordance with Section 11 and our Data Deletion Policy.
Your use of Third-Party Login Providers is subject to those providers' own terms of service and privacy policies.
3.4 Data Collected Automatically
When you visit solvapay.com or use the Service, we automatically collect certain data through cookies and similar technologies, as described in our Cookie Policy:
- Log data: IP address, browser type and version, pages visited, time and date of visit, time spent on pages, referring URL.
- Device data: We receive information about the device and software you use to access our Services, including IP address, device identifiers, web browser type and version, device type, operating system and version, screen resolution, and language preferences.
- Analytics data: We automatically receive information about your interactions with our Services, like the pages or other content you view, referrer information (the website you visited before coming to our Services), the dates and times of your visits, and other usage patterns and interactions. See our Cookie Policy for details and opt-out options. When we send you emails, we may use embedded pixels or other technologies to track information about your receipt and interaction with our emails, such as whether and when you open them, whether you access any links included in our emails, how long you read our emails, whether you forward our emails and to whom, your Location Information (described here), and your Device Information (described here).
- Location Information: When you use our Services, we may receive your location information. For example, we may infer your general location information by using your IP address.
4. How We Use Your Personal Data
We use the personal data we collect for the following purposes:
Purpose
Legal Basis (GDPR Art. 6)
Providing, maintaining, and improving the Service
Performance of contract (Art. 6(1)(b))
Processing transactions and facilitating payments
Performance of contract (Art. 6(1)(b))
Provider onboarding, identity verification, and KYC
Legal obligation (Art. 6(1)(c)); Legitimate interest (Art. 6(1)(f))
Communicating with you about your Account, transactions, and service updates
Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f))
Detecting, preventing, and investigating fraud, security incidents, and abuse
Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c))
Complying with legal and regulatory obligations, including bookkeeping and tax requirements
Legal obligation (Art. 6(1)(c))
Analyzing usage patterns and improving the Service (via analytics)
Legitimate interest (Art. 6(1)(f)); Consent (Art. 6(1)(a)) for non-essential cookies
Operating the Registry and discovery features
Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f))
Enforcing our Terms of Service and Acceptable Use Policy
Legitimate interest (Art. 6(1)(f))
Responding to legal requests and preventing harm
Legal obligation (Art. 6(1)(c)); Legitimate interest (Art. 6(1)(f))
Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may contact us at dpo@solvapay.com to request information about these assessments.
5. SolvaPay as Data Processor
When SolvaPay processes personal data on behalf of a Provider , SolvaPay acts as a data processor and the Provider acts as the data controller. For example, when an End-User makes a purchase from a Provider, certain transaction data (such as name, email, and purchase details) is shared with the Provider to fulfill the transaction.
This processing relationship is governed by our Data Processing Agreement.
In such cases, the Provider is responsible for ensuring that there is a valid legal basis for the processing of End-User data, and for providing appropriate privacy notices to their End-Users. We are not responsible for the privacy or data security practices of Providers, which may differ from those explained in this Privacy Policy
6. How We Share Your Personal Data
We do not sell your personal data. We share personal data only in the following circumstances:
6.1 Payment Service Providers
We share transaction and identity data with our Payment Service Provider(s) to process payments, facilitate payouts, and comply with financial regulations. Our Payment Service Providers are listed on our Sub-Processors page.
6.2 Infrastructure Providers
We use cloud infrastructure and database providers to host and operate the Service. Personal data is stored on servers managed by our infrastructure provider(s), including Google Cloud Platform and MongoDB Atlas, as listed on our Sub-Processors page.
6.3 Analytics Providers
We use the following analytics providers to analyze usage patterns and improve the Service:
- Google Analytics collects data through cookies to provide website usage analytics as described in our Cookie Policy. You may opt out of Google Analytics tracking. You can learn more about Google’s practices by visiting https://www.google.com/policies/privacy/partners/.
- Contentsquare collects behavioral data (such as mouse movements, clicks, scrolls, and page navigation) through cookies and scripts to help us understand how users interact with solvapay.com, hosted checkout pages, and the provider dashboard. Personal information fields are masked by default. Contentsquare uses cookies with your consent, as described in our Cookie Policy. You may opt out of Contentsquare tracking via the Cookie Policy.
6.5 Legal and Compliance Disclosures
We may access, preserve, and disclose your information if we believe doing so is required or appropriate to: (a) comply with law enforcement requests and legal process, such as a court order or subpoena; (b) respond to your requests; or (c) protect your, our, or others’ rights, property, or safety. For the avoidance of doubt, the disclosure of your information may occur if you post any objectionable content on or through the Services.
6.6 Business Transfers
We may transfer your information to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets. The use of your information following any of these events will be governed by the provisions of this Privacy Policy in effect at the time the applicable information was collected
6.7 Aggregated and De-Identified Data
We may create aggregated, de-identified, or anonymized data from the personal data we collect by removing information that makes the data personally identifiable. We may use and share such aggregated or de-identified data for lawful business purposes, including analytics, benchmarking, service improvement, and industry reporting. This data will not be shared in a manner that could reasonably be used to identify you.
6.8 With Your Consent
We may share your personal data with third parties when you have given us consent to do so.
7. International Data Transfers
SolvaPay Inc. is a US-incorporated company, and SolvaPay AB operates from Sweden. Personal data is primarily stored in the European Union (EU) on Google Cloud infrastructure.
Where personal data is transferred outside the European Economic Area (EEA), including to the United States, we ensure that appropriate safeguards are in place in accordance with GDPR Article 46, including:
- Standard Contractual Clauses (SCCs): We use the EU Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers to SolvaPay Inc. and other recipients outside the EEA where no adequacy decision exists.
- Adequacy decisions: Where the European Commission has determined that a third country provides an adequate level of data protection.
For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
You may request a copy of the safeguards we use for international data transfers by contacting dpo@solvapay.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.
Data Category
Retention Period
Basis
Transaction records and financial data
7 years from the date of the transaction
Legal obligation (Swedish Bokföringslagen; US tax and accounting requirements)
Account data (Providers)
Duration of the account relationship, plus 7 years following account closure
Legal obligation (bookkeeping); Legitimate interest (dispute resolution)
End-User contact and transaction data
7 years from the date of the transaction
Legal obligation (bookkeeping); Performance of contract
Identity verification and KYC data
Duration of the account relationship, plus the period required by applicable anti-money laundering legislation
Legal obligation
Technical and log data
12 months from collection
Legitimate interest (security, fraud prevention, debugging)
Analytics data
26 months (Google Analytics default, or as configured)
Consent; Legitimate interest
Communications and support records
3 years from the date of the last communication
Legitimate interest (service improvement, dispute resolution)
When personal data is no longer required, it is securely deleted or anonymized.
9. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest.
- Access controls and authentication mechanisms.
- Regular security assessments and monitoring.
- Employee access limited to those who require it for their role.
- Incident response procedures for data breaches.
While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and will notify affected individuals without undue delay, in accordance with applicable law.
10. Your Rights
10.1 Rights Under GDPR (EU/EEA)
If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15) — You have the right to request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — You have the right to request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — You have the right to request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21) — You have the right to object to processing based on legitimate interests, including profiling. You also have the right to object to processing for direct marketing purposes at any time.
- Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
10.2 Rights Under UK GDPR
If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. You have a right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe the Processing of your Personal Data does not comply with applicable data protection laws.
We would, however, appreciate the chance to deal with your concerns before you approach a supervisory authority, so please contact us in the first instance.
10.4 Rights Under PIPEDA (Canada)
If you are a Canadian resident, you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Right to access — You have the right to request access to the personal information we hold about you.
- Right to correction — You have the right to challenge the accuracy and completeness of your personal information and have it amended as appropriate.
- Right to withdraw consent — You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice.
- Right to complain — You have the right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
SolvaPay collects, uses, and discloses personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and with the knowledge and consent of the individual (except where permitted or required by law).
11. Exercising Your Rights
To exercise any of your rights described in Section 10, please contact us at:
Email: dpo@solvapay.com
Please include sufficient information to identify yourself and specify the right(s) you wish to exercise. We will respond to verified requests within the timeframes required by applicable law:
- GDPR / UK GDPR: within one (1) month (extendable by two additional months for complex requests).
- CCPA/CPRA: within forty-five (45) days (extendable by an additional forty-five days with notice).
- PIPEDA: within thirty (30) days.
We may request additional information to verify your identity before processing your request. We will not charge a fee for processing your request unless permitted by applicable law (e.g., manifestly unfounded or excessive requests under GDPR).
For specific information about requesting deletion of your personal data, including what data may be subject to legal retention obligations, please see our Data Deletion Policy.
Marketing Communications. You can unsubscribe from our promotional emails via the link provided in the emails. Even if you opt out of receiving promotional email messages from us, you will continue to receive administrative messages from us.
12. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data as soon as reasonably practicable.
If you believe that a child under 16 has provided personal data to us, please contact us at dpo@solvapay.com.
13. Payment Card Security
SolvaPay does not directly access, process, or store raw payment card numbers. All payment card information is collected and processed by our Payment Service Provider(s), which maintain Payment Card Industry Data Security Standard (PCI DSS) compliance. For details on the security practices of our Payment Service Provider(s), please refer to their respective privacy policies, linked on our Sub-Processors page.
14. Third-Party Links
The Service may contain links to third-party websites or services. This Privacy Policy does not apply to third-party websites or services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party website or service that you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will post the updated Privacy Policy on this page and update the "Last Updated" date.
For material changes that significantly affect how we process your personal data, we will provide notice through the Service or by email prior to the change becoming effective. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.
16. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact:
SolvaPay Inc.
Registered Agent: 8 The Green Ste R, Dover, DE 19901, USA
Business Address: Grev Turegatan 10B, 114 46 Stockholm, Sweden
SolvaPay AB (Org. Nr. 559378-3672)
Grev Turegatan 10B, 114 46 Stockholm, Sweden
Data Protection Officer: dpo@solvapay.com
General inquiries: contact@solvapay.com
If you are in the EU/EEA and wish to contact a supervisory authority, you may find the relevant authority at edpb.europa.eu. If you are in the UK, you may contact the ICO at ico.org.uk. If you are in Canada, you may contact the Office of the Privacy Commissioner at priv.gc.ca.