
Privacy Policy

Last updated: February 23, 2026

1. Introduction

PebblePay ("we", "our", or "us") is committed to protecting the privacy of our Sellers and Buyers. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our Platform.

As a Merchant of Record, we process transaction data on behalf of Sellers and are the data controller for buyer payment information.

2. Information We Collect

From Sellers:

  • Account information: email address, Telegram handle (optional).
  • Application data: monthly revenue, store URL, product descriptions, payout cryptocurrency wallet address, and geographic sales distribution.
  • Transaction data: sales history, payout records, and fee calculations.
  • Support data: ticket content and communications.

From Buyers:

  • Payment information: card details (processed securely via PCI-compliant payment processors; we do not store full card numbers).
  • Transaction data: purchase history, product details, amounts, and billing country.
  • Device and usage data: IP address, browser type, and referring pages.

Automatically Collected:

  • Log data: IP addresses, browser information, pages visited, timestamps.
  • Cookies: essential session cookies for authentication and preferences. We do not use third-party advertising cookies.

3. How We Use Your Information

  • To process transactions and payouts as Merchant of Record.
  • To collect and remit applicable taxes (sales tax, VAT, GST).
  • To verify Seller identity and eligibility during the application process.
  • To detect and prevent fraud, chargebacks, and unauthorized transactions.
  • To provide customer support and manage disputes.
  • To comply with legal obligations (e.g., financial regulations, tax reporting).
  • To send transactional notifications (payout confirmations, status updates).
  • To improve our Platform and services.

4. Data Sharing

We do not sell personal data. We share data only in the following circumstances:

  • Payment processors: to process card payments and crypto payouts securely.
  • Tax authorities: to comply with sales tax, VAT, and GST reporting obligations.
  • Fraud prevention services: to detect and prevent fraudulent activity.
  • Legal requirements: when compelled by law, regulation, or legal process.
  • Sellers: buyers receive a receipt showing the product name and PebblePay as the Merchant of Record. Sellers can view aggregated, non-identifying analytics about their sales.

5. Data Retention

We retain personal data for as long as your account is active, plus the periods required by applicable law. As a UK-based company, we are required to comply with the UK Companies Act 2006 and HMRC requirements for record keeping.

Accounting and Transaction Records (6 Years Minimum):

Under UK law, we are required to retain accounting records for a minimum of 6 years from the end of the financial year they relate to. This includes:

  • Sales records and transaction history
  • Invoices and receipts
  • Transaction amounts and fee calculations
  • Payout calculations and records
  • Seller balance history
  • Refund records
  • Chargeback and dispute records

Other Data Retention Periods:

  • Account information: Duration of account plus 6 years after closure.
  • Support ticket data: 3 years after resolution.
  • Tax records: 6 years minimum as required by HMRC.
  • KYC/Identity verification data: 5 years after business relationship ends (per AML regulations).
  • Security logs: 1 year minimum for audit purposes.

You may request deletion of your account and personal data at any time. However, we are legally required to retain certain financial and transaction records as outlined above, even after account deletion. Data that is not subject to legal retention requirements will be deleted or anonymized upon request.

6. Data Security and PCI DSS Compliance

PebblePay maintains rigorous security controls in accordance with the Payment Card Industry Data Security Standard (PCI DSS) and industry best practices:

Payment Card Data Protection:

  • No Storage of Sensitive Authentication Data: We never store full card numbers (PAN), CVV/CVC codes, PIN data, or magnetic stripe data.
  • Tokenization: All payment card data is immediately tokenized by our PCI DSS Level 1 certified payment processors.
  • Point-to-Point Encryption (P2PE): Card data is encrypted from the point of capture through processing.
  • Secure Iframes: Payment forms are served via secure, isolated iframes directly from our payment processor, ensuring card data never touches PebblePay servers.

Technical Security Measures:

  • Encryption in transit using TLS 1.2/1.3 with strong cipher suites.
  • Encryption at rest for all stored personal data using AES-256.
  • Secure password hashing using bcrypt with appropriate cost factors.
  • Role-based access controls with principle of least privilege.
  • Multi-factor authentication required for administrative access.
  • Regular penetration testing and vulnerability assessments.
  • 24/7 security monitoring and intrusion detection systems.
  • Secure development lifecycle with code review and security testing.

Compliance Validation:

  • Our payment processors undergo annual PCI DSS Level 1 audits by Qualified Security Assessors (QSAs).
  • Regular internal security assessments and compliance reviews.
  • Incident response procedures with defined escalation paths.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (right to erasure).
  • Object to or restrict processing of your data.
  • Receive your data in a structured format (data portability).
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, contact our support team.

8. International Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure that appropriate safeguards are in place for international transfers, including standard contractual clauses where required by GDPR.

9. Cookies

We use strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies. No cookie consent banner is required as we only use essential cookies necessary for the Platform to function.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or Platform notification. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy-related inquiries, contact our support team.

© 2026 PebblePay. All rights reserved.