đŸĸ
Section 01

Who We Are

Thentic Pay ("we", "us", "our") operates the payment infrastructure available at thentic.tech. We provide blockchain-based payment processing tools that allow merchants to accept cryptocurrency payments from their customers.

For the purposes of the EU General Data Protection Regulation (GDPR), we act as the data controller for the personal data of merchants who register accounts with us. For payment transaction data processed on behalf of merchants, we act as a data processor.

ℹ️
VAT ID: DE 352847823 — Contact: eb@thentic.tech
📋
Section 02

Data We Collect

Merchant Registration Data

When you register as a merchant, we collect:

  • Full name and email address
  • A generated Merchant ID (alphanumeric, 28 characters)
  • Account creation timestamp

Payment & Transaction Data

When payment requests are created or completed, we record:

  • Payment amount (in USD and in the selected cryptocurrency token)
  • Blockchain network and token used
  • Recipient wallet address (provided by the merchant)
  • Payer wallet address (obtained at transaction completion)
  • Transaction status, type, and timestamp
  • On-chain transaction hash
  • Custom parameters provided by merchants (e.g. order IDs, customer references)
  • Webhook URLs registered for notifications
  • Subscription type and status (for recurring payments)

Technical & Usage Data

  • IP address (used for rate limiting — up to 15 payment creation requests per minute)
  • Timezone offset (used to display correct local timestamps)
  • Browser and device information via analytics (see Cookies section)

Sanctions Screening Data

All wallet addresses submitted as payment recipients are screened against sanctions lists. See Section 6 for details.

⚙️
Section 03

How We Use Your Data

  • Service delivery: Creating and tracking payment requests, processing transactions on blockchain networks, and notifying merchants via webhooks.
  • Account management: Sending your Merchant ID by email and enabling access to the merchant dashboard.
  • Legal compliance: Screening wallet addresses against sanctions lists to comply with applicable AML and counter-terrorism financing (CTF) regulations.
  • Rate limiting: Using IP addresses to enforce request limits and protect our infrastructure from abuse.
  • Analytics: Understanding aggregate usage patterns to improve the service (via Google Analytics — see Cookies).
  • Communication: Sending transactional emails related to your account. We do not send marketing emails without your consent.
🔗
Section 05

Data Sharing & Third Parties

We do not sell your personal data. We share data only as necessary to operate the service:

  • Resend (email delivery): Your name and email address are transmitted to Resend to deliver your Merchant ID confirmation email.
  • Scorechain (sanctions screening): Recipient wallet addresses are submitted to Scorechain's API to check against international sanctions lists. No personal account data is shared — only the wallet address.
  • Google Analytics: Anonymized usage data may be shared for aggregate analytics. See Cookies section.
  • Blockchain networks: Transaction data is inherently public on the blockchains we support. Sending a payment broadcasts the transaction to the relevant network.
  • Merchant webhooks: If a merchant registers a webhook URL, we send payment status notifications (including transaction details) to that URL.
  • Legal authorities: We may disclose data if required by law, court order, or regulatory authority.
🛡️
Section 06

Sanctions Screening

To comply with international sanctions regulations, every recipient wallet address submitted through our platform is screened using two methods:

  • A local Specially Designated Nationals (SDN) list maintained by our system
  • The Scorechain API, which checks against multiple international sanctions databases

If a wallet address matches a sanctions entry, the transaction is blocked and a record is kept for compliance purposes. This processing is based on our legal obligation under applicable AML/CTF regulations.

ℹ️
Wallet addresses submitted for screening are not linked to your personal identity in our system — they are screened as pseudonymous on-chain identifiers.
🗂️
Section 07

Data Retention

  • Merchant account data: Name and email retained for the duration of your account and up to 3 years after deletion, to comply with legal obligations.
  • Transaction records: Retained for a minimum of 5 years to satisfy financial record-keeping requirements.
  • IP addresses: Used for rate limiting only — held transiently and not stored long-term.
  • Webhook & custom parameter data: Retained for the lifetime of the associated transaction record.

You may request deletion of your personal account data at any time (subject to legal retention obligations) by contacting us.

✋
Section 08

Your Rights (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Restriction: Request that we limit how we process your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent (e.g. analytics cookies), you may withdraw at any time.

To exercise any of these rights, contact us at eb@thentic.tech. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

đŸĒ
Section 09

Cookies & Analytics

We use Google Analytics (GA4) to understand how visitors use our website. This may set cookies and collect anonymized usage data including page views, session duration, and general location (country level).

We do not use advertising cookies or tracking cookies for retargeting. The analytics data we collect is aggregate and not used to identify individual users.

You can opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on or by adjusting your browser's cookie settings.

🔐
Section 10

Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • HTTPS encryption for all data in transit
  • Rate limiting on all API endpoints to prevent abuse
  • Dual-method sanctions screening before any transaction is processed
  • Access controls limiting who can access production systems and data

No method of transmission or storage is 100% secure. If you become aware of any security vulnerability or incident, please contact us immediately at eb@thentic.tech.

🌍
Section 11

International Data Transfers

Some of our service providers (including Resend and Scorechain) may process data outside the European Economic Area. Where this occurs, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or the recipient country's adequacy decision.

Blockchain transactions are by nature global and public — transaction data broadcast to a blockchain network is accessible worldwide.

📝
Section 12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this document.

We encourage you to review this policy periodically. Continued use of Thentic Pay after changes are posted constitutes your acceptance of the updated policy.

✉️
Section 13

Contact Us

Data Privacy Enquiries

For any questions about this Privacy Policy, to exercise your data rights, or to report a concern, please reach out to us directly:

Email: eb@thentic.tech
VAT ID: DE 352847823
Website: thentic.tech