1. Introduction

InvisiPay, Inc. ("InvisiPay", "we", "our", or "us") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and what rights you have in relation to it.

This Policy applies to all products and services offered by InvisiPay, including the InvisiPay website, mobile application, U-Card, Privacy Pay, OTC Exchange, and Invisible Connect API (collectively, the "Services"). By using the Services, you consent to the practices described in this Policy.

We may update this Policy from time to time. If we make material changes, we will notify you by posting the revised Policy on our website or by email. Continued use of the Services after such notice constitutes your acceptance of the updated Policy.

2. Data Controller

InvisiPay, Inc. is the data controller responsible for your personal data collected through the Services. Our contact details are set out in Section 13.

3. Data We Collect

A. Identity & KYC Data

For Services that require identity verification (U-Card, OTC Exchange), we collect:

• Full legal name and date of birth
• Government-issued identification document type and number
• Nationality and country of residence
• Residential address
• Profile photograph or selfie (for liveness checks)
• Source of funds and purpose of account

B. Contact & Account Data

• Email address and phone number
• Account login credentials (stored in hashed form)
• Communication preferences

C. Financial & Transaction Data

• Blockchain wallet addresses you connect or register
• U-Card transaction records (merchant name, amount, date, location)
• OTC Exchange order history
• Privacy Pay (ZK shielded) transactions: Payment amounts and counterparty details are cryptographically hidden and are NOT accessible to InvisiPay. We only record on-chain commitment hashes and nullifiers as part of protocol operation.

D. Technical & Usage Data

• IP address and approximate geolocation
• Device type, operating system, and browser
• App usage analytics (pages visited, features used, session duration)
• Error logs and crash reports

4. How We Use Your Data

We use your personal data for the following purposes:

• Service delivery: Creating and managing your account, processing transactions, issuing and managing your U-Card.
• KYC/AML compliance: Verifying your identity, screening against sanctions lists, monitoring for suspicious activity, and reporting to relevant authorities as required by law.
• Security: Detecting and preventing fraud, unauthorised access, and other malicious activity.
• Product improvement: Analysing usage patterns to improve and develop our Services.
• Communications: Sending transaction confirmations, security alerts, product updates, and (with your consent) marketing communications.
• Legal obligations: Complying with applicable laws, regulations, court orders, and requests from regulatory authorities.

5. Data Sharing & Disclosure

We do not sell your personal data. We may share it with:

• Identity verification providers: Third-party KYC/AML service providers to verify your identity and screen for sanctions.
• Card network partners: Visa, Mastercard, and the issuing bank or e-money institution for U-Card processing.
• Payment processors: Banks and payment processors facilitating OTC Exchange transactions.
• Infrastructure providers: Cloud hosting, database, and security service providers (bound by data processing agreements).
• Analytics providers: Aggregated, anonymised analytics services to understand product usage.
• Regulatory authorities: Government agencies, law enforcement, and financial regulators where required by law.
• Professional advisers: Legal, accounting, and auditing firms under professional secrecy obligations.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

6. International Transfers

InvisiPay operates globally. Your personal data may be transferred to and processed in countries outside your home jurisdiction. Where such transfers occur to countries not deemed to provide an adequate level of data protection, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the relevant data protection authority.

7. Data Retention

We retain your personal data for as long as necessary to provide the Services and fulfil the purposes described in this Policy, and to comply with our legal obligations (typically 5–7 years post-account closure for AML/financial record-keeping requirements). When data is no longer required, we securely delete or anonymise it.

8. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

• TLS/SSL encryption for all data in transit
• AES-256 encryption for sensitive data at rest
• Two-factor authentication for account access
• Access controls on a strict need-to-know basis
• Regular security audits and penetration testing
• Incident response procedures

While we take all reasonable steps to protect your data, no security system is impenetrable. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

9. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your data, subject to legal retention obligations.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at contact@invisipay.fi with the subject line "DATA REQUEST". We will respond within 15 business days.

10. Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies to recognise returning visitors, understand how the site is used, and improve the user experience. We use the following types of cookies:

• Strictly necessary: Required for the website to function (session management, security). Cannot be disabled.
• Analytics: Collect aggregated, anonymised data about how visitors use the site (e.g., pages visited, time on site).
• Preference: Remember your language and display settings.

On your first visit, a cookie consent banner allows you to accept, reject, or customise non-essential cookies. You can also manage cookies through your browser settings.

11. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly. If you believe we have inadvertently collected such data, please contact us at contact@invisipay.fi.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated Policy on our website and, where changes are material, notify you by email or in-app notification. The date at the top of this page indicates when the Policy was last revised.

13. Contact & Data Protection Officer

For privacy-related questions, requests, or complaints, please contact our Data Protection Officer:

InvisiPay, Inc. — Privacy Team
Email: contact@invisipay.fi
Subject line: "PRIVACY ENQUIRY"

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.