Privacy Policy

Effective Date: March 20, 2026
Version: 1.0
Entity: Convrt Payments LLC

Section 01

Introduction

Who We Are

Convrt Payments LLC ("Convrt," "we," "us," or "our") is a payment gateway and SaaS platform provider. This Privacy Policy explains how we collect, use, share, retain, and protect personal information in connection with our payment gateway services, website, and related products.

1108 Kane Concourse, Suite 306
Bay Harbor Islands, FL 33154 · United States

Privacy inquiries: privacy@convrtpayments.com
Data Protection Officer: dpo@convrtpayments.com

Scope

This Policy applies to:

  1. Merchants who register for and use Convrt's payment processing services
  2. End Users/Customers whose payment information is processed through our platform when purchasing from Merchants
  3. Website Visitors who access www.convrtpayments.com
  4. Business Contacts including prospective customers, partners, and service providers

Regulatory Framework

Convrt complies with applicable data protection and privacy laws, including:

  1. General Data Protection Regulation (GDPR) – EU Regulation 2016/679, applicable to personal data of EU/EEA residents
  2. UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 – applicable to UK residents
  3. California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – Cal. Civ. Code §§ 1798.100 et seq., applicable to California residents
  4. Florida Information Protection Act (FIPA) – Fla. Stat. § 501.171, governing data breach notification
  5. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1
  6. Other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA)
  7. Applicable privacy laws in jurisdictions where we process data

Controller and Processor Roles

Under data protection law, Convrt acts in different capacities depending on the data:

  1. Data Controller for Merchant account data, business relationship data, and fraud/risk analytics
  2. Data Processor when processing End User payment data on behalf of Merchants to complete transactions
  3. Joint Controller in certain fraud prevention and compliance screening activities

Where Convrt acts as a Processor for Merchants, we offer a Data Processing Addendum (DPA) with Standard Contractual Clauses (SCCs) for cross-border transfers. Contact dpo@convrtpayments.com to request a DPA.

Section 02

Information We Collect

Merchant Account Information

Business Identity Data

  1. Business legal name, DBA names, business type (corporation, LLC, sole proprietor, etc.)
  2. Tax identification numbers (EIN, VAT number, or equivalent)
  3. Business registration documents and licenses
  4. Business address, phone number, email, website URL
  5. Industry classification and description of goods/services

Beneficial Owner and Representative Information

  1. Names, titles, and ownership percentages of beneficial owners (individuals owning 25% or more)
  2. Government-issued identification (passport, driver's license, national ID)
  3. Date of birth and nationality
  4. Residential address and contact information
  5. Authorized signatory information for account management

Financial Information

  1. Bank account details (account number, routing number, IBAN, SWIFT/BIC)
  2. Bank statements and proof of account ownership
  3. Credit reports and financial background checks
  4. Processing volume projections and historical transaction data

Transaction and Payment Data

Payment Instrument Information

  1. Cardholder name as it appears on card
  2. Card brand (Visa, Mastercard, Amex, Discover, etc.)
  3. Truncated card number (first 6 and last 4 digits) – the full PAN is replaced by a token and is not stored in unencrypted form
  4. Card expiration date
  5. Billing address (street, city, state/province, postal code, country)
  6. Payment tokens and encrypted payment credentials for recurring billing
  7. Digital wallet identifiers (Apple Pay, Google Pay tokens)

Security Note: Convrt uses industry-standard tokenization. Full Primary Account Numbers (PANs) are replaced by tokens and are not retained in unencrypted form after authorization. Sensitive authentication data is never stored after authorization: Card Verification Values (CVV/CVC/CID), full magnetic stripe (track) data, and PINs or PIN blocks.
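The masking and no-storage rules in the Security Note above, shown as an added example in Python. This is illustrative code written for this page, not Convrt's tokenization service or any code from the policy. It goes slightly beyond the note: it scans free text such as application logs for PAN-like digit runs, uses a Luhn check to filter out ordinary numbers (order IDs, timestamps), truncates genuine PANs to first 6 and last 4, and strips sensitive authentication data fields from a record before it is persisted. The regex, the field names and the sample log line are constructed for the example; the card numbers are the widely published network test numbers, not real cards.

```python
import re
from typing import Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; production PAN-discovery tools are more elaborate.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (assumed, hypothetical) that carry sensitive authentication data,
# which PCI DSS Requirement 3 forbids storing after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by card networks; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, mask the rest: the format the policy describes."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN candidate in free text with its truncated form.

    Returns (scrubbed_text, number_of_pans_masked). Non-Luhn digit runs are left alone.
    """
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if luhn_valid(digits):
            count += 1
            return truncate_pan(digits)
        return raw

    return _PAN_CANDIDATE.sub(repl, text), count


def scrub_record(record: dict) -> dict:
    """Return a copy of a payment record that is safe to persist or log.

    Sensitive authentication data fields are dropped outright; PAN fields are truncated.
    """
    out = {}
    for key, value in record.items():
        lowered = key.lower()
        if lowered in SENSITIVE_AUTH_FIELDS:
            continue                      # never persisted after authorization
        if lowered in ("pan", "card_number") and isinstance(value, str):
            out[key] = truncate_pan(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample log line: an order id, a test PAN and a CVV that should never be here.
    line = "order=123456789012 card=4111111111111111 cvv=123 ts=2026-03-20"
    print(scrub_text(line))
    print(scrub_record({"pan": "4111111111111111", "cvv": "123", "exp": "12/28"}))
```

The text scrubber is only a detective backstop: a three-digit CVV in free text cannot be told apart from any other number after the fact, so the control that actually keeps sensitive authentication data out of storage is `scrub_record` (or its equivalent) applied at the point of capture, before anything is logged or persisted.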

Device and Technical Data

  1. IP address (both IPv4 and IPv6)
  2. Device type, model, and operating system
  3. Browser type, version, and language settings
  4. Geolocation data (country, city, approximate location derived from IP)
  5. Device fingerprints and fraud detection signals

Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar technologies. Cookie categories and their purposes:

You can manage cookie preferences through our cookie consent banner or browser settings. Blocking strictly necessary cookies may limit functionality.

Fraud Prevention and Risk Data

To detect and prevent fraud, we collect and analyze:

  1. Transaction velocity patterns (frequency, amount, timing)
  2. Behavioral biometrics (typing patterns, mouse movements, touchscreen interactions where implemented)
  3. Email and phone verification data (validation scores, reachability)
  4. Cross-reference data from fraud databases and watchlists
  5. Chargeback history and dispute records
  6. Sanctions screening results (OFAC SDN, EU Consolidated List, UN lists)
  7. Adverse media and risk intelligence from third-party providers
  8. Device reputation scores and threat intelligence

Section 03

How We Use Personal Information

Legal Bases for Processing (GDPR/UK GDPR)

Under GDPR, we process personal data based on the following lawful bases:

  1. Performance of Contract (Art. 6(1)(b)) – to provide payment services, process transactions, and fulfill our obligations to Merchants
  2. Legal Obligation (Art. 6(1)(c)) – to comply with AML/KYC laws, tax reporting, court orders, and regulatory requirements
  3. Legitimate Interests (Art. 6(1)(f)) – for fraud prevention, risk management, service improvement, and business operations
  4. Consent (Art. 6(1)(a)) – for marketing communications, optional cookies, and other processing requiring explicit consent

Purposes of Processing

We use personal information to authorize, process, and settle payment transactions; tokenize payment credentials for secure storage and recurring billing; route transactions to appropriate Acquirers and Card Networks; manage refunds, voids, and chargebacks; facilitate Settlement to Merchant bank accounts; verify business identity and conduct KYC/AML checks; detect and prevent fraud using machine learning models; comply with AML/CFT laws; assess merchant risk profiles and chargeback exposure; improve platform performance; and deliver marketing communications (with consent where required).

Opt-Out: You may unsubscribe from marketing emails at any time using the "unsubscribe" link or by contacting privacy@convrtpayments.com.

Section 04

How We Share Personal Information

Payment Ecosystem Participants

  1. Acquiring Banks and Payment Processors – to authorize, clear, and settle transactions
  2. Card Networks (Visa, Mastercard, Amex, Discover) – for transaction routing, network rules compliance, and chargeback management
  3. Issuing Banks – for authorization requests and transaction disputes
  4. Payment Method Providers (Apple Pay, Google Pay, PayPal, etc.) – to process alternative payment methods
  5. ACH Networks and Banking Partners – for direct debit and bank transfer processing

Service Providers and Subprocessors

  1. Cloud Infrastructure (AWS, Google Cloud, Microsoft Azure) – hosting, storage, computing
  2. Identity Verification and KYC (Jumio, Onfido, Trulioo) – document verification, biometric authentication
  3. Fraud Prevention and Risk (Sift, Forter, Kount) – fraud scoring, device intelligence, behavioral analytics
  4. Sanctions and Compliance Screening (Dow Jones, Refinitiv World-Check) – watchlist monitoring, PEP screening
  5. Customer Support Tools (Zendesk, Intercom) – ticketing, live chat, help desk
  6. Analytics and Monitoring (Google Analytics, Datadog, Sentry) – website analytics, performance monitoring
  7. Marketing and CRM (HubSpot, Mailchimp, Salesforce) – email marketing, customer relationship management
  8. Legal and Professional Advisors – attorneys, accountants, auditors, consultants

All service providers are bound by confidentiality obligations and data processing agreements consistent with GDPR Article 28 and CCPA requirements. A complete list of subprocessors is available upon request by contacting dpo@convrtpayments.com.

No Sale of Personal Information (CCPA)

We Do Not Sell Your Data. Convrt does NOT sell personal information as defined under the CCPA/CPRA. We do not exchange personal data for monetary or other valuable consideration. Convrt also does not share personal information for cross-context behavioral advertising without explicit consent, as required by CPRA.

Section 05

International Data Transfers

Cross-Border Data Flows

Convrt is based in the United States. Personal data collected from individuals in the European Economic Area (EEA), United Kingdom, Switzerland, and other jurisdictions is transferred to and processed in the United States and other countries where our service providers operate. These countries may not provide the same level of data protection as your home jurisdiction.

Transfer Mechanisms and Safeguards

For transfers of personal data from the EEA/UK to the US and other non-adequate countries, Convrt implements the following safeguards:

  1. Standard Contractual Clauses (SCCs) – We use the European Commission's Standard Contractual Clauses (Commission Implementing Decision 2021/914). Merchants subject to GDPR may request execution of SCCs by contacting dpo@convrtpayments.com
  2. UK International Data Transfer Agreement (IDTA) – For transfers from the UK, we use the ICO International Data Transfer Agreement or Addendum to SCCs
  3. Supplementary Technical Measures – Encryption of data in transit (TLS 1.2+) and at rest (AES-256), tokenization of payment card data, access controls, data minimization, and regular security audits (PCI DSS Level 1, SOC 2 Type II)
  4. Adequacy Decisions – Where available, we rely on European Commission adequacy decisions for transfers to adequately protected countries

Section 06

Data Retention

Retention Periods

  1. Transaction Data: Seven (7) years from transaction date – to comply with IRS, tax authority, and financial record-keeping requirements, and meet PCI DSS and Card Network audit requirements
  2. Merchant Account Data: Duration of business relationship plus seven (7) years – for contract enforcement, audit, tax compliance, and fraud prevention
  3. KYC/AML Records: Five (5) years after relationship termination – as required by the US Bank Secrecy Act, FinCEN regulations, and comparable international AML laws
  4. Security Logs and Audit Trails: Minimum one (1) year, up to seven (7) years – depending on legal and regulatory requirements
  5. Marketing and Communications Data: Until consent is withdrawn or opt-out is requested, then deleted within 30 days
  6. Website Usage Data and Cookies: Up to two (2) years for analytics cookies; session cookies deleted when browser closes

Deletion and Anonymization

After retention periods expire, we securely delete or anonymize personal data using industry-standard methods including secure deletion from active systems and backups, anonymization through aggregation and removal of identifiers, and physical destruction of hardware at end of life. Retention periods may be extended if data is subject to legal holds, ongoing litigation, regulatory investigation, or dispute resolution.

Section 07

Data Security

Technical Safeguards

  1. Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest
  2. Tokenization: Payment card data tokenized using PCI-compliant tokenization services
  3. Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), network segmentation, DDoS protection
  4. Access Controls: Role-based access control (RBAC), principle of least privilege, multi-factor authentication (MFA)
  5. Vulnerability Management: Regular security assessments, penetration testing, quarterly ASV scans, patch management
  6. Monitoring and Logging: 24/7 security monitoring, SIEM, audit logging, anomaly detection
  7. Endpoint Security: Anti-malware, endpoint detection and response (EDR), device encryption
  8. Secure Development: Secure coding practices, code reviews, security testing in CI/CD pipelines

Certifications and Audits

  1. PCI DSS Level 1 Service Provider – annual QSA audit
  2. SOC 2 Type II – annual audit of security, availability, and confidentiality controls
  3. ISO/IEC 27001 (target certification) – information security management system
  4. Quarterly ASV Scans – by PCI-approved scanning vendors

Audit reports and certifications are available to Merchants under NDA upon request.

Data Breach Notification

In the event of a data breach involving personal data, Convrt will investigate and contain the breach promptly and notify affected individuals, Merchants, and supervisory authorities as required by applicable law. For GDPR-reportable breaches where Convrt is the controller, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33) and affected individuals without undue delay where the breach is likely to result in a high risk to them (Art. 34); where Convrt is a processor, we will notify the affected Merchant (the controller) without undue delay so that it can meet its own obligations. Under FIPA (Fla. Stat. § 501.171), affected Florida residents are notified no later than 30 days after the breach is determined. We will cooperate with regulatory investigations and forensic analysis.

Section 08

Your Rights & Choices

Rights Under GDPR and UK GDPR

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:

Right of Access
Request confirmation of whether we process your personal data and obtain a copy of that data (Art. 15).
Right to Rectification
Request correction of inaccurate or incomplete personal data (Art. 16).
Right to Erasure
Request deletion of your personal data when no longer necessary or where processing was unlawful (Art. 17).
Right to Restriction
Request that we limit processing of your data while accuracy is verified or processing is unlawful (Art. 18).
Right to Portability
Request your data in a structured, machine-readable format (JSON, CSV) for transfer to another controller (Art. 20).
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes at any time (Art. 21).
Automated Decision-Making
Right not to be subject to decisions based solely on automated processing that produce legal effects (Art. 22).
Withdraw Consent
Where processing is based on consent, you may withdraw at any time without affecting prior lawful processing.

You also have the right to lodge a complaint with your national supervisory authority. EU Data Protection Authorities: edpb.europa.eu | UK ICO: ico.org.uk

Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA and CPRA:

  1. Right to Know – Request disclosure of categories and specific pieces of personal information collected, sources, business purposes, and third parties with whom we share it
  2. Right to Delete – Request deletion of personal information we collected from you, subject to legal exceptions
  3. Right to Correct – Request correction of inaccurate personal information
  4. Right to Opt-Out – Opt out of the sale or sharing of personal information (we do not sell personal information)
  5. Right to Limit Use of Sensitive Personal Information – Limit the use and disclosure of sensitive personal information to necessary service provision
  6. Right to Non-Discrimination – We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@convrtpayments.com. We will respond within 45 days (extendable by an additional 45 days with notice). We may request verification of your identity before processing your request.

How to Exercise Your Rights

Submit requests to: privacy@convrtpayments.com
Data Protection Officer: dpo@convrtpayments.com
Response time: one month (GDPR, extendable by two further months for complex or numerous requests) / 45 days (CCPA, extendable by a further 45 days); we will notify you of any extension

Section 09

Children's Privacy

The Services are intended for business use by adults. We do not knowingly collect, solicit, or process personal information from individuals under the age of 18 ("children"). Our Services are directed at businesses and their authorized representatives.

If we become aware that we have inadvertently collected personal information from a child under 18, we will take prompt steps to delete that information. If you believe we may have collected information from a child, please contact us at privacy@convrtpayments.com.

Section 10

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  1. Post the revised Policy on our website with an updated "Effective Date"
  2. Notify registered Merchants by email to the Account contact email address
  3. Provide advance notice of at least 30 days for material changes affecting how we use personal data, except where immediate changes are required by law
  4. Obtain renewed consent where required by applicable law

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Policy. We recommend reviewing this Policy periodically.

Prior versions of this Privacy Policy are available upon request by contacting privacy@convrtpayments.com.

Section 11

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Convrt Payments LLC — Privacy Team
1108 Kane Concourse, Suite 306
Bay Harbor Islands, FL 33154 · United States

General Privacy: privacy@convrtpayments.com
Data Protection Officer: dpo@convrtpayments.com
Security Issues: security@convrtpayments.com

For EU/EEA residents, if you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.