Privacy Policy
Effective date: 2026-04-19 · Last updated: 2026-04-19
This Privacy Policy describes how PayBoltHub ("we", "us") collects, uses and shares personal data when you use our website, dashboard, APIs and related services (the "Service"). It is intended to be transparent and to meet the standards of the GDPR, the UK GDPR, the California CPRA and similar comprehensive privacy frameworks.
1. Controller
The data controller for your personal data is PayBoltHub, contactable at privacy@paybolthub.com. If we appoint a data protection representative or DPO, their contact details will be posted on this page.
2. What we collect and why
| Category | Examples | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account | Email, hashed password, role, account creation date | Authenticate you, operate the Service | Performance of contract |
| Merchant profile | Business name, API keys, webhook URL & secret, fee tier | Provide merchant functionality | Performance of contract |
| Payment data | TRON addresses, transaction hashes, amounts, timestamps | Route payments, reconcile balances, produce statements | Performance of contract; legal obligation |
| KYC data (when required) | Identity documents, business registration documents, UBO data | Comply with AML/KYC obligations; fraud prevention | Legal obligation; legitimate interests |
| Technical data | IP address, user-agent, device identifiers, server logs, rate-limit counters | Security, rate-limiting, abuse prevention, debugging | Legitimate interests |
| Communications | Emails to support, account notifications | Respond to you, keep a record | Performance of contract; legitimate interests |
| Analytics (if enabled) | Anonymised page-view counts via Google Analytics 4 with IP anonymisation | Improve the website | Consent |
3. How we use your data
- Providing the Service — routing USDT payments, calculating fees, dispatching signed webhooks.
- Compliance — sanctions screening, AML monitoring, transaction reporting obligations.
- Security — detecting fraud, abuse, credential stuffing and unauthorised access.
- Communication — account, security and service notifications; product updates only with your consent.
- Product improvement — aggregate and anonymised usage analytics, crash reporting.
4. Sharing
We share personal data only with:
- Service providers acting under written data-processing agreements — cloud hosting (DigitalOcean, AMS3 region), email delivery (e.g. Unisender), AML / sanctions screening providers, monitoring and logging tooling.
- Public blockchains. Data that you submit to the TRON network (e.g. recipient addresses, amounts) is public by design and cannot be removed.
- Authorities when we are lawfully required to do so.
- Successors in a merger, acquisition or reorganisation, subject to the recipient honouring this Policy.
We do not sell or rent your personal data.
5. International transfers
Personal data may be processed in countries outside your jurisdiction, including the European Union and the United States. Where we transfer personal data out of the EEA / UK, we rely on Standard Contractual Clauses and, where applicable, supplementary measures.
6. Retention
- Account and transaction data: retained for the life of the account, and up to five (5) years thereafter to comply with financial-record-keeping obligations.
- KYC documents: retained for the minimum period required by applicable AML law, typically five (5) years after account closure.
- Server logs: retained for ninety (90) days, except where retention is extended for security investigation.
- Support correspondence: retained for two (2) years after the last interaction.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Request correction or deletion, subject to legal-retention obligations.
- Object to or restrict certain processing.
- Receive your personal data in a portable format.
- Withdraw consent where processing is based on consent (this does not affect prior processing).
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email privacy@paybolthub.com. We respond within 30 days.
8. Security
We encrypt data in transit with TLS 1.2+. Passwords are hashed with bcrypt. Linked TRON private keys are stored encrypted at rest with AES-256-GCM. Outgoing webhooks are signed with per-merchant HMAC-SHA256 to let you verify authenticity. Access to production systems is restricted and logged. Despite these measures, no security system is impenetrable — we cannot guarantee absolute security.
9. Cookies
We use strictly necessary cookies for authentication and session management. With your consent we may set analytics cookies (Google Analytics 4 with IP anonymisation) to measure aggregate site usage. You can control cookies through your browser or through our cookie banner when you first visit the site.
10. Children
The Service is not directed to children under 18. We do not knowingly collect personal data from children.
11. Automated decision-making
We use automated screening to score transactions for AML and fraud risk. A high score may lead to a transaction being held for manual review, but no solely automated decision with legal or significant effect is made without human review.
12. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be communicated via email and dashboard notice.
13. Contact
Privacy questions and requests: privacy@paybolthub.com.