Privacy Policy
Introduction
This Privacy Policy (the “Policy”) explains how CorePay (the “Service”) collects, uses, discloses, and protects personal data when you visit or use our websites, documentation pages, APIs, payment-link gateway, embed generator, and webhook/signing infrastructure (collectively, the “Platform”).
CorePay provides payment links, static embeds, and APIs that redirect payers to third-party payment providers and (where enabled) deliver signed webhook notifications to merchants. CorePay is an orchestration platform and a technical integration layer and does not itself process or execute payments.
Data Controller
CorePay is designed to operate without collecting personal data such as names, email addresses, government IDs, or payment card details.
What Personal Data We Collect
We collect only what is necessary to operate the Service, secure it, and support integrations.
Data you provide to us (primarily Merchants/Providers)
- Webhook configuration data: webhook URL (stored only temporarily and, for once-off payments, deleted after 7 days; recurring payments are excepted), and where provided, technical configuration parameters required for delivery (e.g., environment flags, retry preferences where supported).
- Payment-link parameters: receiver identifiers, selected provider identifier, currency/asset, amount, and other fields you submit to generate a link or embed (note: these fields may include identifiers you choose to provide).
- Support communications: messages, email address, and any information you include when contacting support.
Data we collect automatically (users, payers, merchants)
- Technical logs: We do not collect technical logs, but we may in the future collect: IP address, user agent, device/browser metadata, request timestamps, referrer URL (where provided by your browser), error logs, and basic security logs (e.g., rate-limit events).
- Operational identifiers: Payment ID, provider identifier, request/response metadata needed for troubleshooting and abuse prevention.
Data received from Providers (server-to-server reporting)
To support reconciliation and webhook delivery, Providers may send CorePay payment-status data linked to a Payment ID. Depending on the integration, this may include:
- payment status (e.g., created/paid/failed), amount, currency/asset, timestamp;
- sender/receiver identifiers as provided by the Provider;
- transaction reference(s) or hash(es), where applicable;
- any additional fields the Provider includes that are required for the integration.
CorePay does not receive or store your full payment card number, CVV, online banking credentials, or private keys. Payment credentials are provided directly to the Provider or payment rail used to complete the transaction.
Definitions
- “Personal Data” means information that identifies or can reasonably be linked to an individual.
- “Merchant” means a person/entity using CorePay to generate payment links/embeds or receive webhooks.
- “Payer” means a person who follows a CorePay link/embed to complete payment with a third-party provider.
- “Provider” means a third-party payment provider/exchange/integration used for payment flows.
- “Payment ID” means the identifier assigned to a payment flow for reconciliation and (where enabled) webhook delivery.
Legal Bases for Processing
Where applicable data protection laws require a legal basis (e.g., GDPR, CPA, CCPA), we process personal data on one or more of the following bases:
- Performance of a contract: to provide the Service, generate links/embeds, deliver webhooks, and support integrations.
- Legitimate interests: to operate, secure, and improve the Service, prevent abuse, and maintain service integrity.
- Legal obligations: to comply with applicable laws, lawful requests, and enforcement obligations.
- Consent: where required (e.g., certain cookies/marketing). You may withdraw consent at any time without affecting processing already performed.
International Transfers
CorePay may process and store data in jurisdictions where we or our service providers operate. Where required by law, we implement appropriate safeguards for international transfers (such as standard contractual clauses or equivalent measures).
Data Security
We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, secure key management for webhook signing, monitoring, and least-privilege access. No system is completely secure; you are responsible for securing your own systems, including any webhook endpoints you operate.
Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, including to operate the Service, resolve disputes, enforce agreements, and comply with legal obligations. Typical retention categories include:
- Operational logs and security events: retained for a limited period for security and troubleshooting.
- Payment ID and webhook delivery records: retained as needed for reconciliation, dispute handling, and system integrity.
- Support communications: retained as needed to resolve issues and maintain records.
Where feasible, we delete or anonymise data after the relevant retention period (7 days).
Changes to This Policy
We may update this Policy from time to time. We will post the updated version on the Platform and update the “Last updated” date. Continued use of the Service after changes take effect indicates acceptance.
Contact
Privacy questions or requests: [email protected] or at https://corepay.money/support.
Last Updated: June 3, 2026