Privacy policy
Last updated: April 21, 2026. This Privacy Policy describes how GetPayment ("GetPayment," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use our websites, applications, and services (collectively, the "Service"). It should be read together with our Terms of service.
Scope & data controller
This policy applies to personal information we process in connection with the Service. The data controller (or business, for U.S. state privacy laws) is the GetPayment entity operating the Service and identified in our legal notices or contact section once published.
If you interact with us only as an employee of a GetPayment customer, your employer may control certain business contact data; we process it as a processor or service provider on their instructions where applicable.
Information we collect
Depending on how you use the Service, we may collect:
Account & profile
- Name, email address, password hash, company name, and preferences.
- Verification details when required for security or payments (for example, phone number, government ID metadata processed by identity or payment partners).
Invoice & business activity
- Invoice metadata and content you enter (descriptions, amounts, client names, due dates).
- Hosted invoice views and analytics events we surface in the product (for example, link opens or views where enabled for your plan).
Payment and payout information
- Subscription billing details processed by our payment processor (card brand and last four digits, billing address, subscription status). Full card numbers are handled by the processor, not stored by us as plain text on our servers.
- Payout and bank-connected account tokens, verification status, and settlement references as exposed by Stripe or similar providers.
- Chargeback and dispute identifiers and outcomes as reported by payment networks (may include payer bank or issuer categories at a summary level).
- Payout and withdrawal requests you initiate (amounts, timestamps, status, failure or return codes, destination bank metadata such as last four digits of an account or masked identifiers, and internal references used for reconciliation).
- Where currency conversion occurs in the payment or payout chain, we or our processors may process original and settled amounts, implied exchange rates or fee components at summary level, and rail identifiers needed for audit and support.
Technical & usage data
- Device and browser type, IP address, approximate location derived from IP, timestamps, pages or screens viewed, and referring URLs.
- Diagnostic logs, error reports, and security signals (failed logins, rate limits, fraud scores where used).
Communications
- Support requests, feedback, and email correspondence content.
How we collect information
- Directly from you when you register, complete forms, upload content, or contact us.
- Automatically through cookies, pixels, server logs, and similar technologies when you use the Service.
- From payment partners regarding transaction status, disputes, payouts, and compliance outcomes.
- From integrated services you connect when we offer integrations in the future; we will describe them at connection time.
How we use information
We use personal information to:
- Provide, operate, maintain, and improve the Service.
- Authenticate users, personalize dashboards, enforce plan limits (such as daily invoice caps), and calculate platform fees.
- Process subscriptions and communicate transactional messages (receipts, security alerts, legal notices).
- Detect, prevent, and investigate fraud, abuse, chargeback risk, and security incidents.
- Operate withdrawals and payouts (including validating requests, displaying history, reconciling FX or fee components reported by processors, and coordinating support when transfers fail or return).
- Comply with legal obligations and respond to lawful requests from authorities.
- Enforce our Terms of service, investigate suspected illegal or fraudulent payment activity, mitigate financial and regulatory risk, and protect the integrity of the Service, payers, and partners, including supporting account restrictions or locks where appropriate.
- Analyze usage in aggregate or de-identified form to improve product design and reliability.
- Send optional product updates or marketing where permitted; you may opt out of marketing as provided in those messages or your settings.
Legal bases (EEA, UK, Switzerland). Where GDPR or similar laws apply, we rely on contract (providing the Service), legitimate interests (security, analytics, product improvement balanced against your rights), legal obligation, and in some cases consent (for example, non-essential cookies or marketing where required).
Payments, payouts, refunds, disputes & enforcement
Payment card and bank-account data for your customers and for GetPayment subscriptions is processed by certified third-party processors. We receive limited tokens and transaction metadata needed to display status in the Service.
Refunds. Refund eligibility for your own customers is governed by your policies and processor tools; we may record refund events for billing and reconciliation.
Chargebacks. Dispute records may include dispute reason codes, amounts, timelines, and outcomes shared by the processor. We use this data for risk scoring, reporting to you in the product, and compliance with network rules.
Payout, FX & withdrawal records
When you withdraw funds or receive payouts through a connected processor account, we process the personal and financial identifiers needed to display status, prevent fraud, and meet bookkeeping obligations. That can include your legal identity and tax details held by the processor, payout rail metadata, and logs of API or dashboard actions related to withdrawals.
Currency conversion. If settlement, chargebacks, refunds, or bank payouts involve more than one currency, processors and banks generate conversion records (for example, debited amount, credited amount, timestamp, and fee breakdowns at the level the processor exposes to us). We process this information to reconcile balances, explain fees in support tickets, and investigate discrepancies. Fee allocation for disputes and FX is described in our Terms of service (chargebacks) and Terms of service (withdrawals and conversion).
Negative balances & recovery. Where a processor reports a negative Connect balance, clawback, or offset linked to disputes, returns, or corrections, we may process account identifiers, amounts, and timestamps associated with those events to enforce our agreements and coordinate with the processor, consistent with the enforcement section of our Terms of service.
Lawful use, investigations & account restrictions
We do not tolerate use of the Service to facilitate illegal activity or fraudulent payments. When we reasonably believe such conduct has occurred or may occur, we may process related personal information to investigate, mitigate harm, enforce our agreements, and comply with Payment Rules and applicable law, including temporarily or permanently restricting access to your account (for example, an account lock that prevents use of the platform), withholding or delaying payouts pending review, and sharing relevant information with payment processors, financial institutions, professional advisers, or governmental or regulatory authorities where required or permitted.
The categories of data involved may include account identifiers, invoice and transaction metadata, device and security logs, verification outcomes, and communications you send to us. Retention for enforcement and regulatory purposes is described in Retention. For contractual terms governing prohibited conduct and remedies, see our Terms of service.
International transfers
We may process or store information in countries other than your own, including the United States. Where required, we rely on Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms.
Retention
We retain personal information for as long as your account is active or as needed to provide the Service, comply with legal obligations (tax, AML, bookkeeping), resolve disputes, and enforce our agreements. Retention periods vary by data category; invoice and transaction records may be kept longer where required for accounting or processor obligations.
Financial and dispute records. Payment, payout, chargeback, refund, and currency-conversion logs may be retained for extended periods, often several years, where required by tax authorities, payment network rules, anti-money laundering obligations, or litigation holds, even after you close your account. Some records exist primarily on processor systems under their retention schedules; we retain references and copies sufficient for legal defense, audits, and regulatory inquiries.
Deletion limits. Where retention is mandated by law or contract, we may decline deletion requests until the retention period expires, or we may delete your copy while a processor retains authoritative records under its own policy.
Security
We implement administrative, technical, and organizational measures designed to protect personal information, including encryption in transit (HTTPS), access controls, least-privilege principles, and vendor security reviews where appropriate. No method of transmission or storage is completely secure; we encourage strong passwords and MFA where offered.
Your privacy rights
Depending on where you live, you may have the right to access, correct, delete, or export personal information; object to or restrict certain processing; withdraw consent where processing is consent-based; and lodge a complaint with a supervisory authority.
United States (state privacy laws). Residents of certain states may have additional rights (for example, California's Right to Know, Delete, Correct, and Opt Out of sale/sharing of personal information). We do not “sell” personal information in the traditional sense; we may use cookies for analytics as described in our cookie practices when implemented.
To exercise rights, contact us using the details below. We may verify your request and respond within timelines required by law.
Children
The Service is not directed to children under 16 (or the age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy with a new "Last updated" date and, where changes are material, provide additional notice (such as an email or prominent in-product notice) as required by law.
Contact
For privacy requests, questions about this policy, or to exercise your rights, contact us at the email address or contact form published on this website when available. Include sufficient detail for us to evaluate your request and verify your identity where appropriate.