What we collect — and don't.
Last updated 2026-05-16 · Version 1.0
What we collect.
- Merchant enrollment. Legal entity name, contact email, chosen tier, rail allowlist. Stored in our D1 database. We store only a SHA-256 hash of your API key; we cannot recover it.
- Payment intent payloads. Payer ID, payee ID, amount, currency, rail. Stored as the canonical envelope in R2 (WORM) and sealed into the public chain. We do not read free-text memo fields beyond the OFAC screen.
- Receipts. The signed receipt for each intent. Public on the WORM chain by design — that's what makes /verify work with no API key.
- OFAC screen results. Yes/no flag plus the match details where applicable. Required for our regulatory posture.
- Webhook subscriber list. URL + secret (hashed) + event types you've subscribed to.
- Request metadata. IP address (for rate limiting), user-agent. Used for abuse detection only.
- Hop-trace metadata. Each request's edge path through the flash_sync mesh. Used for routing diagnostics; surfaced in response headers, not persisted beyond the request lifecycle.
What we don't collect.
- No third-party analytics cookies. Cloudflare Web Analytics is cookieless and ships no personal data.
- No advertising trackers (no Meta Pixel, no Google Ads tag, no LinkedIn Insight).
- No data sales. We don't sell, rent, or barter your information with anyone, ever.
- No AI-training use of your payloads. See the machine-readable opt-out at /.well-known/tdm-policy (forthcoming).
Retention.
- Merchant records — kept while you are an active merchant and for 30 days after termination; then archived (cryptographic blinding) for the regulatory floor (currently 7 years for state MSB compliance; configurable to 10 for SEC 17a-4 alignment on enterprise tier).
- Intent + receipt envelopes — sealed in the WORM chain. Chain anchors and signed receipts cannot be deleted before regulatory retention expires. After retention, hot-storage mirrors are removed; chain anchors persist on Base L2.
- Webhook delivery logs — 30 days.
- Status-check history — 30 days per endpoint (see /api/status).
- Visual snapshots — daily captures kept indefinitely as part of the public record; see /snapshots.
Sub-processors.
Full list at /trust/regulatory. Material changes announced 30 days in advance via the changelog (forthcoming).
Your rights (GDPR / CCPA).
You may request access, correction, portability, or erasure of any data we hold about you by emailing privacy@epochpay.today. We respond within 30 days.
For records under regulatory retention, erasure happens via cryptographic blinding — we keep the hash (which is what makes the chain verifiable), redact the cleartext, and sever the link from the hash back to your identity. This is the GDPR-aligned approach for immutable-record systems.
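The two hash-based controls described on this page (storing only a SHA-256 hash of the API key, and blinding a retained record by keeping its chain hash while deleting the cleartext and the identity link) are illustrated below in an added, self-contained Python example. It is not EpochPay's code and makes assumptions the page does not state: the sealed hash is a salted commitment (SHA-256 over a random per-record salt and the envelope), the salt lives only in the hot store and is destroyed at blinding time, the chain is a simple hash-linked list of anchors, and the hot store is an in-memory dict standing in for D1/R2. The envelopes and merchant names are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# ---- API keys: the server keeps only sha256(key) and compares in constant time ----
def hash_api_key(api_key: str) -> str:
    """Hash stored at enrollment; the cleartext key is never persisted."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def authenticate(presented_key: str, stored_hash: str) -> bool:
    """Constant-time comparison of hash(presented) against the stored hash."""
    return hmac.compare_digest(hash_api_key(presented_key), stored_hash)


# ---- Hot-store record: cleartext, blinding salt, and identity link (all deletable) ----
@dataclass
class Record:
    salt: Optional[bytes]
    cleartext: Optional[bytes]
    identity: Optional[str]


def commitment(salt: bytes, cleartext: bytes) -> str:
    """Hash sealed into the chain: SHA-256 over salt || envelope.
    The random salt (assumed here) is what stops a low-entropy envelope
    from being recovered by guessing once the cleartext is gone."""
    return hashlib.sha256(salt + cleartext).hexdigest()


def anchor(prev_anchor: str, commit: str) -> str:
    """Chain link: each anchor commits to the previous anchor and this record."""
    return hashlib.sha256((prev_anchor + commit).encode()).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.hot: Dict[str, Record] = {}           # commitment -> hot-store record
        self.chain: List[Tuple[str, str]] = []     # (commitment, anchor), append-only

    def seal(self, cleartext: bytes, identity: str) -> str:
        salt = secrets.token_bytes(32)
        c = commitment(salt, cleartext)
        prev = self.chain[-1][1] if self.chain else "genesis"
        self.chain.append((c, anchor(prev, c)))
        self.hot[c] = Record(salt, cleartext, identity)
        return c

    def blind(self, commit: str) -> None:
        """Erasure under retention: chain entry stays, everything linkable goes."""
        rec = self.hot[commit]
        rec.salt = None
        rec.cleartext = None
        rec.identity = None

    def verify_chain(self) -> bool:
        """Integrity of the public chain; unaffected by blinding."""
        prev = "genesis"
        for c, a in self.chain:
            if anchor(prev, c) != a:
                return False
            prev = a
        return True

    def verify_record(self, commit: str) -> bool:
        """Re-derive the commitment; only possible while salt+cleartext exist."""
        rec = self.hot.get(commit)
        if rec is None or rec.salt is None or rec.cleartext is None:
            return False
        return commitment(rec.salt, rec.cleartext) == commit

    def identity_of(self, commit: str) -> Optional[str]:
        return self.hot[commit].identity


def is_guessable(commit: str, candidates: List[bytes]) -> bool:
    """Defender self-check: would an UNSALTED hash of any plausible envelope
    match this commitment? Should be False for a salted commitment."""
    return any(hashlib.sha256(c).hexdigest() == commit for c in candidates)


if __name__ == "__main__":
    ledger = Ledger()
    env = b'{"payer":"p1","payee":"m42","amount":100,"currency":"USD"}'  # constructed
    c = ledger.seal(env, "merchant-42")
    print("before blinding:", ledger.verify_record(c), ledger.identity_of(c))
    ledger.blind(c)
    print("after blinding:", ledger.verify_record(c), ledger.identity_of(c))
    print("chain still verifies:", ledger.verify_chain())
    print("guessable from envelope alone:", is_guessable(c, [env]))
```

The design point the example makes: blinding only severs the hash-to-identity link if the hash was never a plain digest of guessable data. With the salt destroyed, the retained commitment is verifiable as part of the chain but cannot be matched against a candidate envelope; an unsalted `sha256(envelope)` would be.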
If you believe we've mishandled your data, you may complain to a supervisory authority. For EU/EEA residents, that's the data protection authority in your country.
International transfers.
Data is stored in US-region Cloudflare facilities (IAD / ENAM). For EU/EEA merchants we apply standard contractual clauses (SCCs); see /dpa for the DPA. Per-region pinning available on enterprise tier on request.
Children.
EpochPay is not directed to children. We don't knowingly collect data from individuals under 18.
Contact.
Privacy questions: privacy@epochpay.today. Postal: EpochCore LLC, Huntersville NC USA.