This policy describes how ZettaPay (the “protocol”, “we”, “us”) handles information when you integrate our payment APIs, use our merchant dashboard, or pay an invoice generated through our infrastructure. We process the minimum data required to operate a Solana USDC payment protocol — nothing more.
1. Wallet-less by design
ZettaPay never requests a wallet connection. We do not custody funds. We do not hold private keys. Every transaction settles directly from payer to merchant on Solana. Our role is limited to:
- Generating Solana Pay URIs and QR codes from public information.
- Observing the public Solana ledger to detect confirmed transfers.
- Dispatching signed webhooks to merchant endpoints on confirmation.
2. What we collect
2.1 Merchant data
- Public wallet address — supplied by you at signup; appears on-chain.
- Merchant handle — a short slug you choose (e.g. @my-store).
- Contact email — for magic-link authentication and operational notices.
- Webhook URL — required to be served over TLS.
- API key fingerprint — we store a hashed prefix to enable rotation; full keys are never persisted in cleartext.
2.2 Transaction metadata
- Invoice identifiers, amounts (USDC), timestamps, and Solana transaction signatures — all of which are already public on-chain.
- Optional metadata fields you attach to invoices (e.g. order IDs). Treat this surface as semi-public.
2.3 Operational data
- Request logs (IP, user agent, endpoint, status) retained for 30 days for abuse detection and rate limiting.
- Error traces via Sentry (scrubbed of headers, tokens, and request bodies).
- Dashboard analytics sessions tied to your merchant handle, not personal identifiers.
3. What we do not collect
- Private keys, seed phrases, or signed transaction blobs from any wallet.
- Cardholder data, bank account numbers, or routing information — we do not process fiat directly.
- KYC documents. Identity verification, when required, is performed by our fiat onramp partner (MoonPay) under their own privacy policy.
- Behavioral tracking cookies or third-party advertising pixels.
4. How we use information
- To route payments, generate QR codes, and confirm settlements on Solana.
- To authenticate merchant API calls and dashboard sessions.
- To send transactional notifications (webhook deliveries, daily digests, security alerts).
- To enforce rate limits, detect abuse, and comply with applicable law.
We do not sell or rent your data, and we do not share it for marketing purposes.
5. Sub-processors
We rely on a short list of infrastructure providers, each bound by data-processing agreements:
- Vercel — hosting and edge compute.
- Supabase — managed Postgres, row-level security.
- Sentry — error monitoring (scrubbed payloads).
- MoonPay — fiat onramp (operates under its own privacy policy and KYC obligations).
- Helius / Triton / public Solana RPC — read-only access to public ledger state.
6. Data retention
- Transaction records: retained for 7 years for accounting and audit traceability.
- Webhook delivery logs: 90 days.
- Request logs and rate-limit counters: 30 days.
- Sentry traces: 90 days.
You may request deletion of your merchant account by emailing the address below. On-chain records cannot be deleted — that is the nature of public blockchains.
7. Your rights
Subject to local law, you may request access to, correction of, or deletion of personal data we hold about you. Contact privacy@zettapay.dev and we will respond within 30 days. EU and UK residents have additional rights under the GDPR/UK GDPR, including the right to lodge a complaint with a supervisory authority.
8. Security
- TLS 1.2+ enforced on every endpoint.
- Webhooks signed with HMAC-SHA256 and replay-protected with idempotency keys.
- Database row-level security; service-role keys never reach the client bundle.
- Continuous static analysis on Rust on-chain code; bug bounty active prior to mainnet expansion.
9. International transfers
Our infrastructure is global. By using ZettaPay you consent to processing of operational data in jurisdictions where our sub-processors operate. Where applicable, transfers from the EEA/UK rely on Standard Contractual Clauses.
10. Children
ZettaPay is not directed to individuals under 18. We do not knowingly collect data from minors.
11. Changes
We will publish material changes here with a revised “effective date”. Continued use of the protocol after a change constitutes acceptance of the revised policy.
12. Contact
Privacy questions: privacy@zettapay.dev
General support: /contact