Privacy Policy
This policy explains what personal data we handle when you use the Naturpay checkout, SDK and API, why we process it, and the choices and rights you have over it. We keep it plain and concrete.
Who we are
Naturpay is operated by NATURPAY LLC, with its registered office at 312 W 2nd St, Unit 3948, Casper, WY 82601, USA. In this policy, "Naturpay", "we", "us" and "our" refer to that entity, which acts as the data controller for the personal data described here.
When a merchant uses our checkout to take payments from their own customers, that merchant is the controller for the buyer relationship and Naturpay acts as a processor on their behalf. This policy covers the data we handle in our own right; merchant-specific handling is governed by our agreement with each merchant.
Data we collect
We collect only what we need to run the checkout, operate your account and keep the platform secure. The categories below describe what we gather across our website, dashboard and APIs.
- Account data — the name, work email, password hash, organization details and role of the people who sign up for and administer a Naturpay account.
- Transaction data — payment amounts, currency, status, network response codes, tokenized payment-method references and the metadata you attach to intents and payouts.
- Device data — IP address, browser and SDK version, operating system, time zone and similar technical signals used for fraud screening and debugging.
- Usage data — dashboard activity, API call logs, documentation visits and diagnostic events that tell us how the product is used and where it breaks.
Why we process it
We process personal data to provide and maintain the checkout, authenticate account access, route and settle payments, prevent fraud and abuse, meet our legal and regulatory obligations, and improve the reliability of the SDK and API.
Our legal bases are the performance of our contract with you, our legitimate interests in operating a secure and dependable service, compliance with applicable law, and, where required, your consent. Where we rely on legitimate interests, we balance them against your rights and you can object as described below.
Card data
Card details are captured by isolated fields served and hosted by Naturpay, then exchanged for a token before anything leaves the buyer's browser. Raw card numbers are not written to your servers and are not exposed through our standard API responses, which return only tokenized references and safe display details such as the last four digits and card brand.
We handle cardholder data in line with the Payment Card Industry Data Security Standard (PCI DSS) and apply network tokenization where it is supported. Because the sensitive fields run inside the Naturpay component rather than your own code, integrating the checkout keeps your PCI scope to the lightest self-assessment tier.
Sharing
We do not sell personal data. We share it only where it is necessary to run the service and under appropriate contractual safeguards.
- Card networks, acquiring banks and payment partners, to authorize, clear and settle transactions.
- Infrastructure and subprocessors such as cloud hosting, logging and fraud-screening providers that operate under data-processing terms.
- Authorities and regulators when we are legally required to respond, or to detect and prevent fraud and financial crime.
International transfers
Naturpay operates across multiple regions, so personal data may be processed in countries other than the one you are in. Where we transfer data outside the European Economic Area or the United Kingdom, we rely on recognized safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms, together with technical measures including encryption in transit and at rest.
Retention
We keep personal data only for as long as we need it for the purposes set out here, then delete or anonymize it. Account data is retained while your account is active and for a reasonable period afterwards. Transaction and settlement records are kept for the longer of the life of the account and the periods required by financial, tax and anti-fraud laws. Diagnostic logs are kept on a rolling, shorter window.
Your rights
If you are in the European Economic Area or the United Kingdom, you have rights under the GDPR over the personal data we hold about you.
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct data that is inaccurate or incomplete.
- Erasure — ask us to delete your data where there is no overriding legal reason to keep it.
- Restriction — ask us to limit how we process your data in certain circumstances.
- Portability — receive the data you gave us in a structured, machine-readable format.
- Objection — object to processing we carry out on the basis of legitimate interests.
You can exercise any of these rights using the contact details below, and you have the right to complain to your local data protection authority.
Security
We protect personal data with encryption in transit and at rest, network isolation for sensitive systems, least-privilege access controls, audit logging and continuous monitoring. Access to production data is restricted to the people who need it, and our handling of cardholder data is independently assessed against PCI DSS. No method of transmission or storage is ever perfectly secure, but we work continuously to reduce risk.
Contact
For any privacy question or to exercise your rights, email us at hello@natur-pay.com and we will respond within the timeframes required by law.