Privacy Policy
Effective June 21, 2026
This page is maintained by payHME to describe what data we collect, why, and what we don't. payHME is non-custodial — we don't see customer funds or keys, and we work hard to collect as little personal data as we can while still running a reliable gateway.
1. What we collect about merchants
- Account info: email, name, and authentication data (Google OAuth or password hash). Required to sign you in.
- Store configuration: store name, website, currency, webhook URLs, xpubs or receiving addresses you provide.
- Billing data: plan, usage counters (invoice count, volume), and on-chain TXC top-up deposit addresses.
- Operational logs: request metadata for debugging, rate-limiting, and abuse prevention.
2. What we collect about your customers
Very little. The hosted checkout (the /i/<invoice> page) does not require customers to sign up, log in, or provide identity. We store the invoice's receiving address, fiat and crypto amounts, status, and the on-chain transaction hash once it appears. We do not collect customer names, emails, IP-based tracking, or wallet identity beyond what is already public on the blockchain.
3. What we never see
- Customer wallet balances.
- Customer private keys, seed phrases, or mnemonics.
- Merchant wallet private keys. We derive receiving addresses from the public xpub you provide. Funds always settle to you, not to us.
4. Cookies & analytics
We use only the cookies necessary to keep you signed in. We do not run third-party advertising trackers. If we add product analytics later, we will disclose them here.
5. Third-party services
To deliver the gateway we rely on a small set of subprocessors:
- Lovable Cloud — hosting, database, and authentication infrastructure.
- Alchemy — read-only blockchain RPC for Ethereum, Base, Tron, and Solana.
- CoinMarketCap — fiat/crypto exchange rates.
- Public block explorers — for BTC and TXC transaction confirmation.
- Telegram (optional) — only if you opt in to payment notifications.
6. How long we keep data
Account and store data is kept while your account is active. You may delete your account at any time, which removes your stores, invoices, and personal data within 30 days, subject to legal retention requirements. On-chain transactions themselves are public and permanent — we cannot remove those.
7. Your rights
You may request access to, correction of, or deletion of your personal data by emailing hello@honest.money. If you are in the EU/UK, you have rights under the GDPR / UK GDPR including the right to object and to lodge a complaint with your local supervisory authority.
8. Security
Connections are encrypted in transit (HTTPS). Row-level security isolates merchant data so one merchant cannot read another's. Webhook secrets are hashed at rest. As with any internet service, we cannot guarantee absolute security; please use a strong unique password and enable two-factor authentication on your email account.
9. Children
payHME is for businesses and adults. We do not knowingly collect data from anyone under 18.
10. Changes
We will post changes to this policy here, update the effective date, and announce material changes in-product or by email.
11. Contact
Privacy questions: hello@honest.money.
payHME is part of the Honest Money Ecosystem.