Privacy Policy.

QairoPay, Inc., a Delaware corporation ("QairoPay," "we," "us"), respects your privacy. This Privacy Policy describes how we handle personal data we collect when you visit our websites, use our platform, or otherwise interact with us directly. It does not describe how we handle personal data that flows through our platform on behalf of our business customers — see Section 1 for that distinction.

1. Which role we play

1.1 As controller. We act as a "controller" (under the GDPR and UK GDPR) and "business" (under the California Consumer Privacy Act, as amended by the CPRA) for personal data we collect directly from individuals interacting with us, including:

• employees, administrators, and billing contacts of QairoPay business customers ("Tenants");
• visitors to qairopay.com and other QairoPay-operated sites;
• prospects who request demos, contact sales, or subscribe to our communications;
• applicants for employment;
• individuals exercising data-subject rights with respect to QairoPay.

This Privacy Policy describes that processing.

1.2 As processor / service provider. We act as a "processor" and "service provider" for personal data that Tenants submit to or generate through the platform about their own end users — pass holders, cardholders, scanner events, KYC outcomes, etc. The Tenant is the controller of that data; QairoPay processes it only on the Tenant's documented instructions under a Data Processing Addendum.

If you are an end user of a QairoPay-powered pass or card program and want to exercise rights regarding your data, please contact the business that issued your pass or card. We will refer requests to that business unless directed otherwise. Our handling of that data is governed by the Tenant's Privacy Policy and our DPA, not this Privacy Policy.

2. What personal data we collect

Account and contact data

Name, work email, work phone (optional), job title, employer, country, and the role you hold in your QairoPay workspace. Collected when you create an account, accept an invitation, or are added by an administrator at your employer.

Authentication and access data

Hashed passwords (we never see the plaintext), enrolled multi-factor methods (TOTP, WebAuthn registration metadata), session cookies, recovery codes, and IP addresses used to log in. Used to authenticate you, enforce session policy, and detect anomalous access.

Billing data

Card payments are processed by Stripe. QairoPay receives the card brand, last-4, expiration, and a Stripe customer/payment-method token. We do not store the primary account number, CVC, or full magnetic-stripe data. We also receive invoice line items, payment receipts, and tax-related metadata (billing address, VAT/EIN where provided).

Communications

The contents of support tickets, sales emails, scheduled-meeting metadata, and product feedback you submit. Voice or video calls are recorded only with affirmative consent obtained at the start of the call; recordings are stored for the period stated at consent and used to improve the conversation that produced them.

Usage and technical data

Server logs (request paths, response codes, latencies), client telemetry (page views, button clicks, screen sizes), device metadata (browser, OS, language), IP address, referrer URL, and a per-session identifier. Used to operate, secure, debug, and improve the platform.

Marketing data

Newsletter and gated-content opt-ins, marketing-email open and click events, web-form submissions, advertising attribution parameters (e.g., UTM tags), and engagement with our sales communications. Only collected with consent where required.

Recruiting data

Information submitted by candidates for QairoPay employment — résumé, work history, interview notes, references. Governed by a separate Candidate Privacy Notice (available on request) and retained per Section 8.

Beneficial-owner KYB data

To onboard a Tenant business, we collect entity-formation documents and, under our anti-money-laundering program, identity information about the Tenant's beneficial owners and controllers (name, date of birth, residential address, government-ID type and number, verification result). Where the data subject is a beneficial owner of a Tenant, QairoPay is the controller for the KYB processing.

Sensitive personal information (limited)

The only categories of sensitive personal information defined under U.S. state laws that we knowingly process about individuals in our controller capacity are: account credentials, government-issued ID information (collected for beneficial-owner KYB), and limited financial-account information (Stripe payment-method tokens). We do not use this information to infer characteristics about a data subject.

3. Where we get the data

• From you — when you create an account, sign an order form, complete a form, attend a meeting, or contact us.
• Automatically — when you use our products or browse our websites, via the cookies, SDKs, and logs described in Section 5.
• From your employer — if a Tenant administrator adds you to a workspace.
• From service providers and public sources — for example, business-data enrichment providers, sanctions-screening lists, registries that publish beneficial-owner information, and identity-verification partners (Persona) for KYB.

4. How we use personal data

We use personal data to:

• Provide the Services. Authenticate users, run the platform, surface dashboards, deliver support, and process payments.
• Secure the Services. Detect and respond to fraud, abuse, intrusions, and acceptable-use violations; investigate incidents; maintain audit logs.
• Bill for the Services. Generate invoices, collect payment, handle disputes, and meet tax-record-keeping obligations.
• Communicate. Send service-related notices, security alerts, billing notices, and, with consent where required, marketing communications you can unsubscribe from at any time.
• Comply with law. Run KYB and sanctions screening, file regulatory reports, respond to lawful requests, and enforce our Terms.
• Improve the Services. Analyze aggregated usage to identify rough edges, prioritize work, and measure performance. We do not use customer data to train AI models offered to other customers.

Lawful bases (GDPR / UK GDPR). Where these laws apply, we rely on the following bases:

• Performance of a contract — to provide the Services to you or your employer.
• Legitimate interests — to secure the platform, prevent fraud, communicate about our products to existing business contacts, and improve the Services. We balance these interests against your rights and freedoms.
• Legal obligation — to comply with AML, tax, accounting, and other applicable laws.
• Consent — for non-essential cookies, marketing to individuals where the law requires opt-in, and recording calls. You can withdraw consent at any time.

5. Cookies and similar technologies

We and a limited number of service providers use cookies, web beacons, local storage, and similar technologies on our websites and dashboards. Cookies fall into the following categories:

• Essential — session, authentication, CSRF, load-balancing, and security cookies. Cannot be disabled without breaking the site.
• Analytics — first-party product analytics that measure feature usage on the dashboard, and privacy-respecting web analytics on marketing pages. Only set where consent is not required, or after consent is given.
• Marketing — limited attribution and remarketing tags on marketing pages. Set only with consent and not used to target ads to children.

You can review and change preferences via the cookie banner on the website, your browser settings, or, where supported, an opt-out preference signal (see Section 13). [VERIFY: link to a cookie-preferences modal once the consent banner is implemented.]

6. Who we share personal data with

Sub-processors

We use a small set of sub-processors under written agreements that bind them to standards consistent with this Privacy Policy. The current list is maintained at qairopay.com/subprocessors and includes, as of the date of this policy, Google Cloud Platform (hosting and KMS), Stripe (billing), Persona (KYC/KYB), Bridge by Stripe (USDC on-ramp), Postmark (transactional email), Datadog (observability), and the customer support and CRM platforms QairoPay operates. We provide advance notice of material changes to that list as described in our DPA.

Card program partners

The QairoPay Spend Card is issued by a sponsor bank (the "Issuing Bank") under a card-network license. Personal data necessary to issue cards, authorize transactions, and meet bank-secrecy-act obligations is shared with the Issuing Bank, the issuer-processor, and the relevant card network.

Professional advisors

Our auditors, lawyers, accountants, and insurers, where reasonably necessary and bound by duties of confidence.

Corporate transactions

In a merger, acquisition, reorganization, or sale of all or substantially all of QairoPay's assets, personal data may transfer to the acquirer or successor entity, subject to confidentiality and standard transactional protections.

Government and legal requests

We disclose personal data to government authorities only where required by valid legal process, where a person's life or safety is at risk, or where applicable law specifically authorizes the disclosure. We require valid process, narrow the scope of the disclosure where possible, and notify affected individuals or the Tenant unless legally prohibited.

No sale; no cross-context behavioral advertising

We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as those terms are defined under the CCPA. We have not sold or shared personal data in the preceding 12 months.

7. International data transfers

QairoPay's production infrastructure is hosted in the United States. Personal data we process may be transferred to, stored in, and processed in the United States and in other countries where our sub-processors operate. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that does not have an adequacy decision, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary technical and organizational measures (including the encryption controls described on our Security page). [VERIFY: confirm current EU-US Data Privacy Framework certification status before publication; if certified, list here.]

8. Retention

Indicative retention windows for the data categories in Section 2:

• Account data — duration of the relationship plus 30 days, after which it is deleted or anonymized, subject to legal holds.
• Authentication data — sessions for the configured TTL; recovery codes until used or rotated; MFA enrollment for the duration of the account.
• Billing records — seven years to satisfy U.S. tax record-keeping rules.
• Support tickets and communications — 24 months after the matter closes.
• Audit logs — 12 months in hot storage and a further 6 years in encrypted archive, as required by financial-services record-keeping rules.
• Marketing data — until you unsubscribe or 24 months since your last engagement, whichever is shorter.
• Recruiting data — 12 months after a hiring decision unless you consent to longer retention for future roles.
• Beneficial-owner KYB data — five years after the account is closed, as required by the Bank Secrecy Act.
• Server logs — 30 days, except security-investigation artifacts retained for the life of the investigation.

Where required by law or a legal hold, we may retain data longer. After retention windows close, data is deleted or irreversibly anonymized.

9. Security

We implement technical and organizational measures appropriate to the risk of processing, including AES-GCM-256 encryption at rest with envelope encryption, TLS 1.3 in transit, role-based access control with just-in-time grants, hardware-key MFA for production access, and append-only audit logging. See the Security page for the full posture.

No security measure is perfect. If you believe your account has been compromised, contact [email protected].

10. Children's privacy

QairoPay's services are intended for businesses and the adult professionals who work for them. We do not knowingly collect personal data from individuals under the age of 16 in our controller capacity. If you believe a child has provided personal data to QairoPay, contact [email protected] and we will delete it.

11. Your rights

Subject to applicable law, you may have the following rights with respect to personal data we hold about you as controller:

• Access — request a copy of the personal data we hold about you.
• Rectification / correction — request correction of inaccurate or incomplete data.
• Erasure / deletion — request deletion of your personal data, subject to legal-retention exceptions.
• Restriction — request that we restrict processing in certain circumstances.
• Portability — receive your personal data in a structured, commonly used, machine-readable format.
• Objection — object to processing based on legitimate interests or for direct-marketing purposes.
• Withdraw consent — withdraw consent at any time where processing is based on consent.
• Opt-out — opt out of any sale or sharing for cross-context behavioral advertising (we do neither, but the right exists).
• Non-discrimination — we will not retaliate or charge a different price for exercising any of these rights.

How to exercise. Email [email protected] with a description of your request. We may need to verify your identity using information already on file; we won't ask for sensitive data we don't need. We aim to respond within 30 days for GDPR requests and within 45 days for CCPA requests, with one extension where the law permits.

Authorized agents. California residents may use an authorized agent to submit requests; we will ask for written authorization and may verify directly with the consumer.

Appeals. If you are dissatisfied with our response, you may appeal by replying to our response email; an appeal will be reviewed by a different team member. You may also lodge a complaint with your local supervisory authority — in the EEA, your national Data Protection Authority; in the UK, the Information Commissioner's Office; in California, the California Privacy Protection Agency.

End-user requests. If you are an end user of a Tenant's QairoPay-powered program, please direct your request to the Tenant. We will refer Tenant end-user requests to the relevant Tenant unless the Tenant has directed us in writing to handle them directly.

12. California disclosures

Notice at collection. The categories of personal information described in Section 2 are collected directly from California residents and used for the purposes in Section 4. Specifically, we collect: identifiers (name, email, IP); commercial information (purchase history, billing metadata); internet-or-other-network activity information (usage logs, page views, click events); geolocation information (coarse, derived from IP); professional or employment-related information; and the categories of sensitive personal information listed in Section 2.

Retention. See Section 8.

Sale and sharing. We do not sell personal information and do not share personal information for cross-context behavioral advertising. Accordingly, we do not provide a "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of; we honor opt-out preference signals (such as Global Privacy Control) as a confirmation of this default.

Sensitive personal information. We do not use sensitive personal information to infer characteristics about a California resident, and we use it only for the purposes specified by the CCPA's regulations (security, fraud prevention, providing the Services).

Shine the Light. California Civil Code § 1798.83 allows California residents to request a list of categories of personal information disclosed to third parties for direct-marketing purposes during the preceding calendar year. We do not disclose personal information to third parties for their direct-marketing purposes.

13. Other US state laws

Residents of U.S. states that have enacted comprehensive privacy legislation (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Iowa, Delaware, Indiana, Montana, New Hampshire, New Jersey, and Tennessee) have rights substantially similar to those described in Section 11. We honor the Global Privacy Control opt-out preference signal where supported by applicable law. Appeals procedures are described in Section 11.

14. EEA, UK, and Switzerland disclosures

Controller identity. QairoPay, Inc. is the controller. [VERIFY: registered office address in Delaware.]

Data Protection Officer. [VERIFY: name and contact for the DPO, where the GDPR appointment threshold is met. Email [email protected] reaches the role.]

EU representative. [VERIFY: identity of QairoPay's appointed representative in the EU under GDPR Article 27, with mailing address. Required for processing of data subjects in the EU absent an EU establishment.]

UK representative. [VERIFY: identity of QairoPay's appointed representative in the UK under UK GDPR Article 27, with mailing address.]

Lawful bases are in Section 4; transfers in Section 7; rights and complaints in Section 11.

15. Automated decision-making

We do not engage in solely automated decision-making producing legal or similarly significant effects on data subjects within the meaning of GDPR Article 22. Identity-verification outcomes provided by Persona (and any sanctions-screening alerts) are reviewed by a human analyst before they result in account suspension or denial of service.

16. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to administrators on the dashboard and by email at least 30 days before they take effect, or sooner where required by law. The "Last updated" date at the top of this policy will always reflect the current version. Prior versions are archived and available on request.

17. Contact

QairoPay, Inc., a Delaware corporation. Address: [VERIFY: registered office in Delaware]. For privacy questions, data-subject requests, or complaints, contact [email protected]. EU and UK data-subject inquiries may also be sent to our appointed representatives at the addresses listed in Section 14.

Legal disclaimer. This Privacy Policy is a starting draft prepared with AI assistance and is not legal advice. QairoPay's counsel must review, customize, and finalize this policy — including the DPO designation, EU/UK representative appointments, registered office address, and the current sub-processor list — before publication. Items marked [VERIFY] require human confirmation.