Privacy Policy

Last updated: March 5, 2026

At IPS Payments US, Inc. ("IPS," "Inyo," "we," "us," "our"), we are committed to protecting your personal information and respecting your privacy. This Privacy Policy applies to: (i) anyone interacting with IPS via the IPS website or through other portals to which you may have access (each, the "Site"); (ii) anyone using our developer environment, tools, API, integration or data processing services ("Services"); and (iii) individuals whose personal information is processed by us on behalf of our business customers (financial institutions, merchants, and other entities) in our capacity as a data processor. All such persons interacting with IPS or whose data we process are referred to as "User," "you," or "your." Where we process personal information on behalf of our business customers, those customers remain the data controllers and are responsible for providing appropriate notices to their end users.

If you are a financial institution and we are providing data processing services for you, then you remain the data controller and we act as a data processor on your behalf. This Privacy Policy describes how we handle personal information in our capacity as a data processor, as well as any personal information we collect and control directly in connection with our business operations. Where we process data on your behalf, our processing is governed by our data processing agreement with you.

Please read this Privacy Policy carefully before using our Site or Services. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you access or use our Site and Services. By accessing or using the Site, creating an account, submitting information to us (whether through the Site, in communications with us, or by other means), or otherwise interacting with our Services, you acknowledge that you have read and understood this Privacy Policy.

BACKGROUND

The Services are provided by IPS. During your registration on the Site, you may open an account through which you access Services (the "Account"). An Account includes a unique login to the Site, or other platform provided by IPS through which you may access the Services. Certain Services do not require you to create an Account with us, so we do not provide an account for all customers.

Services are provided pursuant to IPS terms of use that are separate from this Privacy Policy and are posted at the Site (the "Agreement"). Your rights and obligations and those of IPS with respect to your transactions are detailed in the Agreement and not in this Privacy Policy.

INFORMATION WE COLLECT AND PROCESS

We collect personal information directly from you when you express an interest in obtaining information about us or the Services, when you interact with the Site, or when you contact us. The personal information that we collect depends on the context of your interactions with us and the Site, the choices you make, and the Services you use. The personal information we collect may include but is not limited to the following:

Source	Category	Description
1. Information provided by User	Basic Information for the performance of the contract	User's name, Address, email address, phone number, tax number, financial information.
	Required by Law or in the context of KYC obligations	Date and place of birth
	Voluntarily provided by User	Transaction information including cardholder numbers or truncated or tokenized cardholder numbers, cardholder names, transaction amounts, merchant account identification (MID) information, card authorizations, settlement records, chargeback records, AFT (pull), OCT (push) payment transaction records. Note: When processing payment card data on behalf of our business customers, we maintain PCI DSS compliance and process such data in accordance with payment card industry security standards.
2. Information Collected Automatically	App, browser, and device information	Information about the device, operating system, and browser used; Other device characteristics or identifiers (e.g. plugins, the network you connect to); IP address
	Product usage information	Activity information: Information about what you view or click on while visiting our Site and how you use our Services. Diagnostic and Troubleshooting Information: Information about how our Services are performing when you use them, i.e. service-related diagnostic and performance information, including timestamps, crash data, Site performance logs, and error messages or reports.
3. Information we obtain from Affiliates and third parties	Provider Group of Companies ("Affiliates")	We may obtain information about you, such as Basic User Information, Transaction Information and Product Usage Information, from our Affiliates as a normal part of conducting business.
	Public Database Information	We may obtain information about you from public databases, such as the U.S. Department of the Treasury Office of Foreign Asset Control, United Nations Sanctions List, US ITA Consolidated Screening List, and the SEC EDGAR, including your name, address, email address, phone number, gender, national ID number and nationality/country of residence, date of birth, job role, public employment profile, listing on any sanctions lists maintained by public authorities, and other data as necessary.
	Blockchain Data	We may analyze public blockchain data, including timestamps of transactions or events, transaction IDs, digital signatures, transaction amounts, and wallet addresses.
	Information from our Marketing and Advertising Partners	We may receive information such as your name and contact information from our marketing partners, including in some instances what marketing content you viewed or the actions you take on Site.
	Information from Analytics Providers	We may receive information about your Site usage, interactions, age group, and survey responses (including prior to account creation, in some cases).
	Retail Merchant Information	If you use your account to conduct a transaction with a third-party merchant, bank or processor, they may provide us with data about you, such as your name and contact details, and your transaction with that counterparty.
	Research and In-App Survey Information	We use third-party service providers to conduct surveys to better understand our Users' experience and improve our Services. The information we receive from our research partners is pseudonymous.

All personal information that you provide to us must be true, complete, and accurate, and you must promptly notify us of any changes to such personal information.

We may collect personal information otherwise with your consent or as permitted or required by law.

Purposes of the collection and processing

We process personal data for the following purposes, based on one or more applicable legal grounds. In certain cases, we process personal data on behalf of our business customers in our capacity as a data processor. In such cases, personal data relates to the users or customers of our business customers, and we process that data strictly in accordance with their instructions and our contractual obligations. Where required, we enter into data processing agreements with our business customers governing the transfer and processing of such personal data.

The following are the purposes for which we collect and process personal information:

Provide Services. User information is collected for account creation and identity verification. It may also be used for Services related to payment processing, transaction facilitation, fraud detection and prevention, and for technical support, issue resolution, and ensuring the safety and quality of the services. When processing data on behalf of our business customers (financial institutions and merchants), we process such data solely to provide the contracted data processing services and in accordance with their documented instructions.
Ensure Functionality. To ensure the proper functioning of the Site, as well as the provision of ordered Services, the information mentioned in Section 2 may be processed. This data processing is based on IPS's legitimate interest in providing a well-functioning Site and Services.
Communicate with You. We utilize the information to address your inquiries, fulfill your requests, and send crucial notifications. This encompasses activities such as sending periodic emails concerning company updates, policy changes, product/service enhancements, or press releases.
Marketing. We may use information about our direct business contacts and Account holders to market our services. This includes, for example, sending you email communications about products, offerings, events and webinars or customized offers or materials. We do not use personal information that we process on behalf of our business customers (as a data processor) for our own marketing purposes without explicit consent or as otherwise permitted by our agreement with the customer.
Improve Services. We use the information we have about you to improve our services. This includes, for example, identifying usage trends, developing data analysis, determining the effectiveness of our promotional campaigns, evaluating our business performance, researching, demonstrating, developing and improving our products and services, and ensuring quality control.
Comply with Laws. We use the information we have about you to comply with applicable laws, regulations, and contractual obligations. This includes, for example, conducting compliance and/or security checks, audits, or assessments, enforcing our contracts and agreements with our customers, or complying with applicable law enforcement obligations.
Protect assets. We use the information we have about you to protect our rights and interests, ensure the security of our assets, systems and networks, prevent, detect and investigate fraud, unlawful or criminal activities in relation to our services, and enforce our terms and conditions.
Other Purposes that require your consent. We may share or disclose your personal information for additional purposes and only with your prior consent when such consent is required by applicable law. We may also process your information to respond to your inquiries, customer service requests, or job applications.
De-identified or Aggregate Information. We may use the information we have about you to create de-identified or aggregate information, such as de-identified demographic or location information, information about devices used to access our services, or other relevant analyses.

OFFERS, PROMOTIONS AND OPTING OUT

We may use your personal information and information about your use of the Services for marketing and solicitation purposes. This may include sending you offers, promotions or information about additional products and services that may be of interest to you.

You may "opt out" or withdraw consent to the use and/or disclosure of your personal information for the purposes described in this section at any time by checking the appropriate box on an online or offline form, if available, or by contacting us as described in "Contact Us" below.

DELETION OF ACCOUNT

Upon your request for deletion of your Account or the personal information that we hold about you as a controller, we will process the request and delete your Account along with all your records and personal information, subject to any legal obligation to retain certain information. For personal information we process on behalf of our business customers, deletion requests should be directed to the applicable customer (the data controller), and we will cooperate with their instructions regarding deletion. In accordance with Federal and State regulations, including payment card industry requirements and financial services recordkeeping obligations, we will retain transaction records in archive for the period necessary to adhere to our record keeping obligations (typically at least five years for payment transaction records). We will only utilize the archive for limited purposes such as to fulfill our regulatory obligations, comply with audit requirements, or respond to requests from regulatory bodies having jurisdiction over our activities or those of our customers.

ELECTRONIC COMMUNICATION

Some of the Services are made available using online forms on the Site. Personal information you provide on online forms or by other electronic means will be collected used and disclosed as described generally in this Privacy Policy.

In addition, when you visit or use the Site, we collect information about the domain and host from which you access the Internet; your computer's Internet address; the browser and operating system software you use; the date and time you access this Site and the Internet address of the Site from which you linked to this Site when you visit us. We use this information to diagnose, administer and optimize this Site and web-related services. When registering or creating an Account with us, we collect your password, login name and other information we may request to identify you, maintain security of this Site and verify and control access to your Account or online profile. If you make inquiries through the e-mail links, forms or other contact methods provided on this Site, these inquiries are forwarded to the relevant office or department and are used to respond to your inquiry and maintain a record of correspondence.

COOKIES

We use Internet technologies like cookies and web beacons to facilitate the services we provide on our Site and your use of this Site, including:

To assist us in providing services to you;
To allow you to navigate the Site during your visit without having to re-enter your password;
To store your preferences and other information and to track activity on our Site;
To better understand the effectiveness of our promotional campaigns;
To determine whether you came to our Site from a banner ad or an affiliate Site;
To deliver Information specific to your interests on additional Sites; and
To determine whether you've acted on our promotional messages.

A "cookie" is a text file placed on your computer's hard drive by a web server, which allows for personalization of certain aspects of your visit to that Site. "Web beacons" are transparent electronic images placed in the web code that collect non-personal information while visiting a Site. Cookies and web beacons can usually be disabled by changing your browser preferences. Your browser usually has documentation on how to disable cookies and web beacons. Note that disabling cookies may limit the performance of the Site. If cookies are disabled, certain features of our Site may not function properly, and you may not be able to register or use your Account.

CHILDREN'S PRIVACY

Our Services are intended for business use and are not directed to children under the age of 13. We do not knowingly collect personal information directly from children under 13.

In many cases, we process personal information on behalf of business customers or Users as a service provider, and therefore we act as a data processor, including through our APIs and integration tools. Our customers are responsible for determining whether their end users are permitted to use their products and services, providing appropriate notices, and obtaining any legally required consents or authorizations from end users.

If we become aware that personal information of a child under 13 has been provided to us other than through a customer-controlled integration, or that we have otherwise collected such information in a manner that is subject to legal restrictions, we will take reasonable steps to delete it promptly, unless we are required to retain it for legal or security purposes. If you believe that a child under 13 has provided personal information to us, please contact us using the contact information listed below.

EXTERNAL SITES

This Site may be linked to or from third party websites. These links are provided as a convenience only, and IPS is not responsible for the content or privacy practices of sites that are linked to or from this Site. You are advised to review the privacy policies of any third-party websites you visit as IPS is not responsible for such third-party services.

Consent to the collection, use and disclosure of personal information may be given in various ways. Consent can be express (for example, orally, electronically or on a form you may sign describing the intended uses and disclosures of personal information) or implied (for example, when you provide information necessary for a service you have requested). You may provide your consent in some circumstances where notice has been provided to you about our intentions with respect to your personal information and you have not withdrawn your consent for an identified purpose. This could be done, for example, by using an "opt out" option provided, if any. Consent may be given by your authorized representative (such as a legal guardian or a person having a power of attorney).

Generally, by providing us with your information including personal and bank account related information, you are indicating your consent to our collection, use and disclosure of such information for the purposes described in this Privacy Policy. Such verification will be completed by IPS using the services of its third-party service providers.

You may withdraw your consent to our collection, use and disclosure of personal information at any time, subject to contractual and legal restrictions and reasonable notice. Note that if you withdraw your consent to certain uses of your personal information, we may no longer be able to provide all or some of our products or Services. Note also that where we have provided or are providing Services to you, your consent will be valid for so long as necessary to fulfill the Services and for the purposes described in this Privacy Policy or as otherwise described at the time of collection, and you may not be permitted to withdraw consent to certain necessary uses and disclosures (for example, but not limited to, maintaining reasonable business and transaction records, disclosures to the United States and foreign government entities as required to comply with laws, and reporting on credit information after credit has been granted, if applicable).

We may also be required or permitted under applicable law to collect, use or disclose personal information without your consent, for example to comply with a court order, to comply with local or federal regulations or a legally permitted inquiry by a government agency, or to collect a debt owed to us.

CONFIDENTIALITY AND SECURITY

We have put in place appropriate technical and organizational security measures designed to protect your personal information from being accidentally lost, misused, accessed, altered, or disclosed in an unauthorized way. As a payment processor handling sensitive financial data, we maintain compliance with PCI DSS (Payment Card Industry Data Security Standards) and implement industry-standard security controls including encryption of data in transit and at rest, network segmentation, intrusion detection systems, regular security assessments, and employee security training. We limit access to your personal information to only those employees, agents, contractors, and other third parties who have a legitimate business need to know. All such personnel are bound by confidentiality obligations and process personal information only on our instructions and in accordance with this Privacy Policy and applicable data protection laws. We conduct regular security audits and maintain incident response procedures to address any potential data breaches.

Unfortunately, the transmission of information via the internet is not completely secure. Although we implement industry-standard encryption protocols and will do our best to protect your personal information, we cannot guarantee absolute security of data transmitted over public networks; any such transmission is at your own risk. We strongly recommend that you use secure, private networks when transmitting sensitive information to our Site or Services. Once we have received your information, we implement strict procedures and security features in accordance with PCI DSS and other applicable security standards to prevent unauthorized access. In the event of a data breach that affects personal information, we will notify affected individuals and relevant authorities as required by applicable law and our contractual obligations to our business customers.

Our record retention policies dictate that we maintain information about you, including your opt-out choices, for a fixed time. If you do not perform another transaction during the fixed time, your Information, as well as your opt-out choice will be removed. If you perform another transaction or otherwise provide us with personal information thereafter, you will be afforded another opportunity to opt-out.

HOW LONG DO WE KEEP YOUR INFORMATION?

We will retain your personal information for at least five (5) years from the date of the last transaction or interaction, as required by payment card industry rules, anti-money laundering regulations, and other financial services legal requirements. Where we process data on behalf of our business customers, retention periods are determined by our contractual obligations to those customers and applicable legal requirements, which may require retention for seven (7) years or longer for certain payment transaction records, tax records, and compliance documentation.

When we have no ongoing legitimate business need to process or store your personal information, and at least five (5) years have passed since you last used our Services or provided us with information, we will either delete or anonymize such information. If this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

ACCESS AND CORRECTION

We may establish and maintain a file of your personal information for the purposes described in this Privacy Policy, which will be accessible at the location listed in the Contact Us section below. If you wish to request access or correction of your personal information that we control directly, you may write to the mailing address provided below, with attention to the Privacy Officer. If we process your personal information on behalf of one of our business customers (such as a financial institution or merchant), please direct your access or correction request to that customer, as they are the data controller. We will cooperate with our customers to facilitate such requests as required by our contractual obligations and applicable law. Your right to access or correct your personal information is subject to applicable legal restrictions, including the GDPR and CCPA where applicable, as well as verification requirements to protect against fraudulent requests. To protect your privacy and security, we may require additional information to verify your identity when requesting access or correction, which may include government-issued identification, account credentials, or other authenticating information. As a financial services provider, we share your personal information for our everyday business purposes, such as to process your transactions, maintain your Account(s), respond to court orders and legal investigations, comply with payment card network rules, conduct fraud prevention activities, and fulfill our obligations to our business customers. Federal law gives consumers the right to limit some but not all sharing. You may not limit sharing of information necessary for transaction processing, fraud prevention, legal compliance, or fulfillment of our contractual obligations to financial institutions and merchants. Certain states may have additional rights.

Consumer Requests, Appeals, and Complaints (U.S.)

You have the right to submit a request to exercise your rights under the applicable privacy law of your residency (such as access, deletion, correction, or opt-out, as available). Where available by applicable law, we will provide a process for you to appeal our decision if we decline to act on your request.

If your appeal is denied (or if you otherwise believe we have violated applicable state privacy law), you may have the right to submit a complaint to the appropriate government agency in your state, which is typically your State Attorney General's Office or a designated consumer protection or privacy regulator. For example, certain state privacy laws expressly require that, when an appeal is denied, we provide an online mechanism or other method for you to contact the relevant authority to file a complaint (e.g., Virginia, Connecticut, Colorado, Texas, Oregon, Delaware, New Jersey, Iowa, Tennessee, Indiana, Montana).

To help you identify the correct agency for your state, you may use the National Association of Attorneys General's "Consumer File a Complaint" directory to locate your State Attorney General's consumer complaint resources.

In California, you may also submit certain privacy complaints to the California Privacy Protection Agency (CPPA).

CHANGES

We reserve the right to modify this Privacy Policy from time to time, with such modifications being effective upon their posting on the Site or as otherwise required by law. You can get updated versions of this Privacy Policy by calling us at the telephone number listed below or by visiting the Site. We urge you to review this Privacy Policy frequently to obtain the current version. Your continued use of the services or provision of personal information following any changes to this Privacy Policy constitutes your acceptance of any such changes.

STATE SPECIFIC INFORMATION RIGHTS

California

This Privacy Notice for California Residents ("Notice") supplements the information contained in IPS's Privacy Policy and applies to all visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this Notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and any other applicable privacy laws. Any terms used but not defined herein shall have the meaning ascribed to them in these laws.

In this privacy notice, "Personal Information" has the same meaning as under CCPA, California Civil Code Section 1798.100 et seq.: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include information that has been de-identified or aggregated.

If there are any conflicts between this section and any other provision of this Privacy Policy and you are a California resident or a business contact whose information we process, the portion that is more protective of Personal Information shall control to the extent of such conflict. Where we process Personal Information on behalf of our clients as a data processor, our clients' instructions and our contractual obligations to them shall take precedence, subject to applicable law. If you have any questions about this section or whether any of the following rights apply to you, please contact us.

Scope

The personal information that we collect, use, and disclose will vary based on our relationship or interaction with the individual or entity. As a B2B data processor serving banks and merchants, we process personal information in two primary capacities: (1) as a data controller for our own business operations (e.g., employee data, vendor contacts, direct client contacts), and (2) as a data processor on behalf of our clients who determine the purposes and means of processing. When acting as a data processor, we process personal information according to our clients' instructions and applicable data processing agreements. Some personal information may be subject to more restrictive privacy laws, including financial services regulations and payment card industry standards.

How We Use Your Personal Information

When acting as a data controller, we may use or disclose personal information for one or more of the following purposes. When acting as a data processor for our clients, we process personal information solely in accordance with our clients' documented instructions and applicable data processing agreements:

To provide our payment processing and related services to our clients (banks and merchants) and fulfill our contractual obligations.
To maintain and support our Site.
To process transactions and payments on behalf of our clients, and to detect, prevent, and investigate fraud and other prohibited activities in accordance with applicable payment industry standards and regulations.
To improve our services and platform functionality for our business clients.
To comply with legal obligations, including financial services regulations, anti-money laundering requirements, and to respond to valid law enforcement requests and court orders.
For testing, research, analysis, and product development, using aggregated or de-identified data where possible to protect individual privacy.
For internal and external audits, security purposes, and compliance assessments, including PCI-DSS audits and financial services regulatory examinations.
Fraud prevention.

In the last 12 months, we may have shared your personal information with the following categories of third parties:

Service providers and subprocessors performing tasks on our behalf or on behalf of our clients, subject to appropriate data processing agreements and security requirements.
Affiliates and subsidiaries for internal business purposes, subject to the same data protection obligations as set forth in this policy and our client agreements.
Third-party service providers that our clients have contracted with to integrate our payment processing services with their systems, pursuant to our clients' instructions.
Government entities and law enforcement, as required by law or in response to valid requests by public authorities.
Marketing and analytics service providers for our own business development purposes, using only business contact information collected in our capacity as a data controller.

Sale of Personal Information

IPS does not sell personal information. As a B2B data processor, we do not sell, rent, or trade personal information processed on behalf of our clients. We share data only with subprocessors and service providers who are contractually obligated to maintain appropriate security measures and use the information solely for the purposes we specify or as directed by our clients. All subprocessors are required to comply with applicable data protection laws and industry standards, including PCI-DSS requirements.

Your Rights Under the CCPA

As a resident of California or any other jurisdiction where such rights are recognized by law, you may have the following rights. Please note that when we process personal information as a data processor on behalf of our clients (banks and merchants), requests regarding such data should be directed to the applicable client, as they are the data controller. We will cooperate with our clients to facilitate the exercise of data subject rights as required by our contractual obligations and applicable law:

Right to Know and Data Portability
Right to Delete and Correct
Right to Opt-Out
Right to Non-Discrimination

How to Exercise Your Rights

To exercise the rights described above, you or your authorized agent must send us a request that: (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Information, and (2) describes your request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a "Valid Request." We may not respond to requests that do not meet these criteria. We will only use Personal Information provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.

We will work to respond to your Valid Request within 45 days of receipt. In certain circumstances, we may require an additional 45 days to complete your request. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.

You may submit a Valid Request by emailing or contacting us at the contact information below. You may also authorize an agent (an "Authorized Agent") to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf. Please see our contact information below.

Non-Discrimination

IPS will not discriminate against you for exercising any of your rights under the CCPA.

CONTACT US

If you have any questions or concerns about how we collect, store, process or disclose information concerning you please contact us:

IPS Payments US, Inc. 49 Prospect St., Cambridge, MA, 02139 USA Email: [email protected]