Skip to content
Payzium.

Payzium position document, informed by internal AI legal research (vault: sources/us-legal-review-responses-AI-DRAFT-2026-07-04.md), NOT counsel-cleared; published and adopted under founder authority per project instructions posture of 2026-07-05; instrument binds only upon founder execution.

Version 1.0, effective date on execution, owner Payzium Corp.

Privacy Policy - United States

Issuer: Payzium Corp, a Delaware corporation ("Payzium," "we," "us," "our").

This Privacy Policy explains how Payzium collects, uses, discloses, retains, and protects personal information from United States merchants and website visitors, and the choices and rights available to them. This Policy is drafted to a multi-state United States privacy standard, taking California's California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the "CCPA") as the drafting anchor, even where Payzium is below applicable statutory thresholds. Payzium notes that the CCPA's former exemptions for employment-related and business-to-business personal information expired on December 31, 2022, and this Policy is written accordingly.

1. Scope

This Policy applies to personal information Payzium collects from and about United States residents and businesses through payzium.com, the pages that link to this Policy, the Payzium application and boarding-referral flow, and Payzium's communications with website visitors, applicants, merchants, and business contacts.

This Policy does not apply to:

  • personal information collected directly by the payment processor and its sponsoring member bank identified in the merchant's application and merchant processing agreement (together, the "Processor") in its own capacity as a controller; that information is handled under the Processor's own privacy notice and its merchant processing agreement with the merchant;
  • personal information Payzium receives about a resident of a jurisdiction outside the United States, which is handled under a separate policy applicable to that jurisdiction.

2. Categories of personal information we collect

Payzium collects the following categories of personal information. This inventory mirrors the data inventory in Payzium's written information security program at docs/security/wisp-v1.md and its supporting data-inventory artifact.

2.1 Identifiers and contact information

Business contact name and title; email address; telephone number; business legal name; business trade name; business address, city, state, and postal code; business industry; business tax identification number; owner and principal identifying information collected at the application stage.

2.2 Government identification and financial-account information

Government-issued photo identification image (front and back); Social Security Number where the Processor's underwriting requires it or where identity cannot otherwise be verified; date of birth where required for the same purposes; voided check image or equivalent banking-detail record; the last four digits of the merchant's bank account number stored in plaintext; the full bank account number stored encrypted at the application layer.

Social Security Numbers are handled outside the web-form path. The web application does not render a Social Security Number input field; where the Processor requires a Social Security Number, it is captured through the secure offline path documented in Payzium's written information security program.

2.3 Merchant application content

The merchant's most recent processing statements uploaded during the application; ownership and corporate documents (for example, articles of incorporation); attestations and authorizations submitted in the application; consent records for the application-stage consent set.

2.4 Commercial information

Applied-for services, program eligibility, program participation, communications history, and support-case history.

2.5 Device, connection, and usage information

Internet Protocol (IP) address, browser type and version, operating system, device type, screen size, language preferences, dates and times of interactions with the Services, pages viewed, links clicked, scroll depth, form interactions, referring URL, and the landing page on which the visitor first arrived.

2.6 Attribution information

Query-string parameters present in URLs used to reach us, including UTM parameters and click identifiers from advertising platforms; a first-touch attribution record written to the visitor's browser storage on first arrival, which expires after ninety (90) days.

2.7 Sensory information

Voicemails, call recordings where lawfully recorded and disclosed, and images or documents the merchant chooses to submit.

2.8 Inferences

Analytical outputs, benchmark comparisons, and pricing-model outputs derived from the categories above.

3. Sources

We collect the categories above from:

  • You, when you submit information through the application, contact us, request a callback, sign up for the waitlist, respond to communications, or otherwise interact with the Services.
  • Your devices and browsers, automatically, when you access the Services.
  • Third parties, including phone-validation providers, business-information data providers, referral sources or partners who submit information on your authorized behalf, and advertising platforms that provide click-level or aggregated attribution data.

4. Purposes for which we use personal information

We use personal information for the following purposes:

  • Provide the Services. Review and prepare your application; refer approved applications to the Processor; confirm the baseline for the Payzium Savings Guarantee (United States); provide and support the Services.
  • Communicate with you. Confirm submissions, respond to questions, follow up, send service updates, and administer Payzium programs.
  • Verify and authenticate. Validate the contact information you provide (including telephone-number validation), confirm authorization, and reduce duplicate or fraudulent submissions.
  • Improve our Services. Analyze aggregate usage patterns and conversion behavior in order to improve the website, the pricing tools, and the customer experience.
  • Marketing and outreach. Where permitted by applicable law, send you commercial communications about Payzium services that we believe will be relevant to your business.
  • Comply with law and protect rights. Comply with applicable legal obligations (tax, accounting, anti-fraud, anti-money-laundering, sanctions screening); respond to lawful requests; exercise or defend legal claims.
  • Administer partner and referral relationships. Where a partner or referral source is involved, share submission status and outcome information with that source to administer the relationship.

5. Categories of recipients

We disclose personal information to the following categories of recipients. We do not name the specific parties in this Policy at the categories of "processor" or "sponsoring member bank" because those parties are identified in the merchant's application and merchant processing agreement, and the merchant is directed to those documents for the operative disclosure.

  • The payment processor and its sponsoring member bank identified in your merchant application and merchant processing agreement, for the purposes of underwriting, boarding, and operating the merchant account.
  • Underwriting partners and identity-verification providers, for the purpose of verifying the applicant and completing the merchant application.
  • An electronic-signature provider, for the purpose of executing merchant application documents and program instruments.
  • Service providers, for the categorical purposes of hosting the Services and storing application data; running the submission database; delivering transactional email; validating phone numbers; providing website analytics; supporting attribution measurement for paid campaigns; and providing automated parsing and analysis of statement and application data. These service providers process personal information on our behalf and under written contract.
  • Professional advisors and, in connection with corporate transactions, our auditors, lawyers, accountants, and insurers, under duties of confidentiality; and, in connection with a merger, acquisition, financing, reorganization, sale of assets, or insolvency, personal information may be transferred as part of that transaction, subject to confidentiality protections and applicable law.
  • Referral sources and partners who submit an application on your authorized behalf, limited to submission status and high-level outcome information necessary to administer the relationship.
  • Government authorities and other parties, when we believe in good faith that disclosure is necessary to comply with applicable law or legal process, to enforce our terms, to protect our rights, property, or safety, or the rights, property, or safety of others, or to investigate fraud or security incidents.

6. No sale or sharing for cross-context behavioral advertising

Payzium does not sell personal information for monetary consideration. Payzium does not share personal information for cross-context behavioral advertising within the meaning of the CCPA or comparable state laws. Where you arrive at the Services from a paid advertising campaign, we may receive click-level or aggregated attribution data from the originating platform, and we may pass conversion events back to that platform, only where you have provided any consent required by applicable law.

7. Retention

Payzium retains personal information under the consolidated retention schedule stated in Payzium's written information security program at docs/security/data-retention-and-disposal.md. This Policy does not create a separate United States retention regime; it points to the same schedule that applies across Payzium's data flows. The current schedule, at a summary level, is:

  • Draft applications (no submission): thirty (30) days of inactivity, after which the application record and any uploaded files are destroyed.
  • Submitted applications on which no decision is made: ninety (90) days of inactivity, after which the record and any uploaded files are destroyed.
  • Applications declined by Payzium or the Processor's underwriting: three hundred sixty-five (365) days from the decision date, after which the record is anonymized to a minimal decision record and any uploaded files are deleted.
  • Onboarded merchants: duration of the engagement and up to seven (7) years after the last interaction, to comply with tax, accounting, anti-money-laundering, and dispute-resolution obligations.
  • Callback and CRM contact records: while the person remains a customer, prospect, or partner, and up to thirty-six (36) months after the last interaction unless a longer period is required by law or by an active engagement.
  • Server and security logs: up to twelve (12) months.
  • Communications: while necessary to support the relationship and to demonstrate compliance, generally up to seven (7) years.
  • Records to evidence consent and rights requests: as required by applicable law to evidence Payzium's compliance.

Where a longer or shorter period is required by applicable law or by an active regulatory, contractual, or dispute-related obligation, that period controls.

8. Cookies, analytics, and similar technologies

Payzium currently uses website analytics on the Services through Vercel Analytics, gated behind the visitor's cookie-consent choice on the Services. Analytics does not fire unless and until the visitor accepts analytics cookies through the on-page consent mechanism.

Payzium also emits first-party operational events, referred to internally as "funnel-events," that capture personally identifiable information-free application-flow milestones for internal debugging, performance monitoring, and durable audit purposes. These first-party events do not use third-party cookies and are subject to the retention schedule at Section 7.

We do not place advertising cookies for retargeting before you have provided the consent required in your jurisdiction. Where a specific analytics or attribution technology is added or removed, we will update the vendor entries in our written information security program and, when material, this Policy.

9. GLBA and FCRA scope note

Personal information within the scope of the Gramm-Leach-Bliley Act (GLBA) and the FTC's Safeguards Rule at 16 CFR Part 314, and consumer reports and information within the scope of the Fair Credit Reporting Act (FCRA) at 15 U.S.C. § 1681 and following, is handled under those frameworks and Payzium's written information security program at docs/security/wisp-v1.md. Payzium does not itself pull consumer reports on merchants; when the Processor pulls a consumer report as part of underwriting, the Processor is the user of that report and the party with permissible purpose and adverse-action responsibilities under the FCRA, and Payzium's role is to collect and transmit the merchant's written authorization together with the application package. The consent set used at the application stage is set out at docs/legal/us/consent-strings-us-v1.md.

10. How we protect personal information

Payzium maintains administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction, under Payzium's written information security program at docs/security/wisp-v1.md. These include encryption in transit, encryption at rest for identified sensitive fields, access controls based on role and least privilege, infrastructure logging and monitoring, secure software development practices, service-provider due diligence, and incident response.

Breach notification. If Payzium learns of a security incident that requires notification under an applicable United States law, including but not limited to breach-notification laws in individual states and the FTC Safeguards Rule notification obligation for events involving at least 500 consumers, Payzium will notify the applicable regulator or authority and affected individuals in accordance with the timelines and content requirements of the applicable law.

11. Your privacy rights

Depending on your state of residence, applicable state privacy law may give you some or all of the following rights with respect to your personal information:

  • Access: the right to know the categories of personal information collected, the categories of sources, the purposes for use, the categories of recipients, and the specific pieces of personal information Payzium holds about you.
  • Deletion: the right to request that Payzium delete personal information collected from you, subject to statutory exceptions (for example, information Payzium needs to complete a transaction you requested, detect security incidents, comply with a legal obligation, or exercise legal rights).
  • Correction: the right to request that Payzium correct inaccurate personal information Payzium maintains about you.
  • Opt out of sale or of sharing for cross-context behavioral advertising: as described in Section 6, Payzium does not sell personal information and does not share personal information for cross-context behavioral advertising. Where an applicable state law considers a particular disclosure a "sale" or "sharing," you have the right to opt out.
  • Non-discrimination: the right not to be treated in a discriminatory manner because you exercise any of the rights above.
  • Sensitive personal information: where applicable, the right to limit our use and disclosure of "sensitive personal information" as defined by applicable state law, to those uses necessary to perform the services requested, to prevent, detect, and investigate security incidents, and to comply with law.
  • Authorized agent: where applicable state law allows, the right to designate an authorized agent to submit a request on your behalf, with verification requirements set out in the request instructions.

Rights request channel. To submit a rights request, email privacy@payzium.com with the subject line "Privacy rights request" and describe the request. You may also mail a written request to the contact address in Section 13. Payzium will verify the request as required by applicable state law and will respond within the statutory timeline. If Payzium denies a request, Payzium will state the reason and, where applicable state law provides for an appeal, will identify the appeal channel.

12. Children's privacy

The Services are intended for businesses and the individuals acting on their behalf in a professional capacity. Payzium does not knowingly collect personal information from children under the age of 18. If you believe a child has submitted personal information to us, please contact us using the details in Section 13 and we will delete the information.

13. How to contact us

Payzium Corp

Attention: Privacy

4498 Main St Ste 4 #5450

Amherst NY 14226

United States

Email: privacy@payzium.com

14. Changes to this Policy

Payzium may update this Policy from time to time. When we do, we will revise the version and effective date at the top. If the changes are material, we will provide additional notice (for example, by email to active users, by a banner on the Services, or as required by applicable law) before the changes take effect. Your continued use of the Services after the effective date of a revised version constitutes acceptance of the revised Policy.

15. Versioning

This is version 1.0 of the Payzium Privacy Policy (United States), effective on execution. Prior versions, if any, are superseded on the effective date of a later version.