Privacy Policy
PayPapi ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable EU data protection law.
1. Who We Are (Data Controller)
PayPapi is the data controller for personal data processed through the paypapi.io platform and related services.
- Company: PayPapi
- Contact: support@paypapi.io
- Data Protection Officer (DPO): support@paypapi.io
2. Data We Collect
2.1 Data you provide directly
- Account data: full name, email address, and password when you register
- Billing data: billing address, payment method details (processed by Stripe; we do not store card numbers)
- Subscription data: subscription names, costs, renewal dates, vendor information, and usage notes you enter
- Support communications: messages and attachments sent to our support team
- Business profile data: company name, VAT number, team member emails (Business plans)
2.2 Data we collect automatically
- Device and usage data: IP address, browser type, operating system, referring URLs
- Platform analytics: pages visited, features used, session duration, clicks and interactions
- Cookies and similar technologies: as described in our Cookie Policy
- Security logs: failed login attempts, unusual access patterns
2.3 Data from third parties
- OAuth / SSO: If you sign up via Google or another OAuth provider, we receive your name and email from that provider
- Enrichment data: publicly available firmographic data to enrich business accounts (e.g. company size, industry)
3. Anonymous Usage Data (Opt-in)
With your explicit consent, PayPapi may collect anonymous, aggregated usage data. This includes your total monthly and annual subscription spend (a single number) and the number of subscriptions per category (Streaming, Software, Cloud, Music, Other). We never collect the name of any specific service, individual subscription amounts, or any information that could identify you.
This is entirely optional, enabled only if you choose to participate in onboarding or Settings, and can be disabled at any time. This data is used solely for product improvement and is never sold to third parties.
4. Why We Process Your Data (Legal Bases)
We rely on the following GDPR legal bases for processing your personal data:
- Provide and operate the Service. Data used: account, subscription, billing. Legal basis: Art. 6(1)(b) contract performance.
- Process payments and prevent fraud. Data used: billing data, security logs. Legal basis: Art. 6(1)(b) and 6(1)(f) legitimate interest.
- Improve the platform (analytics). Data used: usage data, cookies. Legal basis: Art. 6(1)(f) legitimate interest.
- Send transactional emails (renewal alerts, invoices). Data used: email, subscription data. Legal basis: Art. 6(1)(b) contract performance.
- Send marketing communications. Data used: email, usage behaviour. Legal basis: Art. 6(1)(a) consent.
5. How Long We Keep Your Data
We retain personal data only as long as necessary for the purposes described in this policy:
- Account and subscription data: for the duration of your account plus 30 days after deletion (then permanently erased)
- Billing and invoice data: retained for 7 years to comply with EU financial and tax regulations
- Usage and analytics data: rolling 90-day window, then automatically purged
- Support communications: retained for 3 years for legal defence purposes
- Security logs: retained for 12 months for security investigation purposes
6. Who We Share Your Data With
We do not sell your personal data. We share data only with the following categories of recipients:
5.1 Service providers (data processors)
- Stripe (Ireland/US): payment processing
- AWS / Google Cloud (EU regions): cloud infrastructure and hosting
- Mixpanel / PostHog: product analytics
- Intercom: customer support chat
- SendGrid / Mailchimp: transactional and marketing email
All processors are bound by Data Processing Agreements and may only process your data on our documented instructions.
5.2 Legal and regulatory disclosure
We may disclose personal data to law enforcement, courts, or regulators where required by applicable EU or member state law, or to protect the rights, safety, or property of PayPapi or its users.
5.3 Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to equivalent data protection obligations.
7. International Data Transfers
We primarily process data within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g. to US-based service providers), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- adequacy decisions where applicable
You may request a copy of the relevant transfer mechanisms by contacting support@paypapi.io.
8. Your Rights Under GDPR
- Right of access (Art. 15): obtain a copy of the personal data we hold about you
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data where no longer necessary
- Right to restriction (Art. 18): restrict processing in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent (Art. 7(3)): withdraw consent for consent-based processing at any time
- Right to lodge a complaint: lodge a complaint with your national data protection authority
A list of EU supervisory authorities is available at edpb.europa.eu. We will not discriminate against you for exercising any of these rights.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- role-based access controls and least-privilege principles
- regular security assessments and penetration testing
- multi-factor authentication for internal systems
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected users without undue delay.
10. Children's Privacy
The PayPapi Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at support@paypapi.io and we will delete it promptly.
11. Cookies
We use cookies and similar tracking technologies as described in our Cookie Policy. You can manage your cookie preferences at any time via the cookie settings panel on our website.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect. The "Last updated" date at the top of this document indicates the most recent revision.
13. Contact and Complaints
For any privacy-related queries or to exercise your rights, contact our Data Protection Officer:
- Email: support@paypapi.io
If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. In Romania, this is the ANSPDCP (dataprotection.ro).