Privacy Policy

1. Who We Are

PayClaw LLC (“PayClaw,” “we,” “us,” “our”) provides a technology platform that enables AI agents to make authorized purchases on behalf of users using virtual payment cards. Virtual cards are issued by [BANK_NAME], Member FDIC, through our card issuing partner Lithic, Inc. PayClaw is a technology partner and program manager — not a bank, card issuer, or money transmitter.

This Privacy Policy explains how we collect, use, and protect your information when you use our website, dashboard, API, and MCP server (collectively, the “Service”). We collect only the information necessary to provide the Service.

2. Information We Collect

Account Information

When you create an account, we collect your email address and authentication credentials. If you sign in via GitHub or Google, we receive your name and email from those providers. For KYC verification, our card issuing partner Lithic, Inc. collects your name, address, date of birth, and government-issued identification as required by applicable law.

Transaction Data

We record purchase intents (merchant, estimated amount, description), transaction outcomes (actual amount, merchant name), and auto-audit results. This data powers your dashboard, our intent authorization engine, and our compliance obligations.

API Keys

We store a one-way cryptographic hash of your API keys. We cannot see or recover your raw API key after creation.

Usage Data

We collect standard server logs (IP address, request timestamps, user agent) for security monitoring, rate limiting, and abuse prevention.

3. Information We Do NOT Collect or Store

• Your real credit or debit card number. Payment processing is handled entirely by Stripe. We never see, transmit, or store your card details.
• Virtual card numbers (PANs). Virtual cards are issued and managed by Lithic, Inc. and [BANK_NAME]. Card credentials are delivered directly to your agent via the Lithic API and are not stored on PayClaw servers.
• Your password in plain text. Passwords are hashed by our authentication provider before storage.

4. How We Use Your Information

• To provide and operate the Service (account management, card issuance coordination, transaction processing)
• To enforce spending policies and authorization rules you configure
• To generate your transaction audit trail and dashboard
• To power automated intent authorization decisions (see Section 9)
• To detect and prevent fraud, abuse, and unauthorized access
• To comply with legal and regulatory obligations
• To send you critical account notifications (security alerts, transaction confirmations)

Legal Basis for Processing

We process your information on the following bases:

• Contractual necessity — to provide the Service you signed up for
• Legal obligation — to comply with financial record-keeping, KYC/AML, and tax requirements
• Legitimate interest — to prevent fraud, improve the Service, and maintain security
• Consent — where required by applicable law

5. Third-Party Services

We share data with the following partners, solely to operate the Service. Each partner operates under a data processing agreement with PayClaw.

When your agent completes a purchase, virtual card credentials are shared with the merchant to process the transaction. This is inherent to how card payments work and is not a “sale” of your data.

We do not sell your data to third parties. We do not share your data for cross-context behavioral advertising. We do not use your data for advertising.

6. Data Security

• All data is encrypted in transit (TLS) and at rest
• API keys are stored as irreversible cryptographic hashes
• Multi-factor authentication (MFA) is mandatory for all accounts
• Row-level security (RLS) ensures users can only access their own data
• Administrative access is logged and restricted
• Virtual card issuing infrastructure is PCI-DSS compliant (managed by Lithic, Inc.)

7. Data Retention

We retain your account data and transaction history for as long as your account is active. Transaction records and audit logs are retained for a minimum of 7 years to comply with financial record-keeping requirements.

You may request account deletion by contacting us. Upon deletion, we will remove your account data except where retention is required by law (including financial record-keeping obligations, ongoing investigations, or fraud prevention). Non-financial account data (such as notification preferences) is deleted promptly upon account closure.

8. Cookies and Similar Technologies

We use strictly necessary cookies to maintain your authenticated session. These cookies are required for the Service to function and cannot be disabled.

We do not use cookies for advertising or cross-site tracking. Our hosting provider (Vercel) may collect anonymous performance metrics. Our authentication provider (Supabase) uses session cookies for login state.

You can control cookies through your browser settings, but disabling session cookies will prevent you from using the Service.

9. Automated Decision-Making

PayClaw's intent authorization engine uses automated processing to evaluate purchase requests from your AI agents. This includes checking purchase intents against your configured spending limits, merchant whitelists, and per-intent caps. Transactions may be automatically approved or declined based on these rules.

Our post-purchase auto-audit system automatically flags transactions where the actual charge deviates from the declared intent by more than 20%.

You may request human review of any declined transaction or audit flag by contacting support@payclaw.io.

10. Data Breach Notification

In the event of a security breach involving your personal information, we will notify you in accordance with applicable law. Notification will include: the nature of the breach, the types of information involved, the steps we are taking to address it, and steps you can take to protect yourself.

We maintain a written security incident response plan and will cooperate with applicable regulators as required.

11. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data (subject to legal retention requirements)
• Export your transaction data
• Withdraw consent for optional data processing
• Request human review of automated decisions (see Section 9)

To exercise these rights, contact us using the methods listed in Section 14. We will respond to verifiable requests within 45 days.

12. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

• Right to Know. You may request the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete. You may request deletion of your personal information. We may retain information where permitted by law, including for: completing transactions, detecting fraud, complying with legal obligations, and exercising or defending legal claims.
• Right to Correct. You may request correction of inaccurate personal information we hold about you.
• Right to Opt Out of Sale/Sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at privacy@payclaw.io or write to us at the mailing address in Section 14. We will verify your identity before processing your request and respond within 45 days.

Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers: name, email address, IP address, API key hashes
• Financial information: transaction records, account balances (note: we do not collect or store payment card numbers)
• Commercial information: purchase intents, transaction history, merchant interactions
• Internet activity: server logs, request timestamps, user agent strings
• Personal information per Cal. Civ. Code §1798.80: name, address (collected by Lithic, Inc. for KYC)

13. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 13, we will promptly delete that information.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@payclaw.io.

14. Data Location

Your data is stored and processed in the United States. Our service providers (Supabase, Vercel, Stripe, Lithic) primarily process data in the United States. If any sub-processor processes data outside the US, they do so under appropriate data transfer safeguards.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on our website at least 30 days before changes take effect. Your continued use of the Service after changes constitutes acceptance.

16. Contact

For privacy questions, data requests, or concerns:

• Email: privacy@payclaw.io
• Mail: PayClaw LLC, [MAILING_ADDRESS]

For transaction disputes or unauthorized activity, contact support@payclaw.io.