Privacy Policy
Last updated: January 30, 2025 | Effective: January 30, 2025
1. Introduction and Scope
Sovgate, Inc. ("Sovgate," "we," "our," or "us") is committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our payment processing services, websites, mobile applications, APIs, and related services (collectively, the "Services").
This Privacy Policy applies to all users of our Services, including:
- Merchants: Businesses that integrate our payment solutions ("Business Users")
- End Customers: Individuals who make transactions through our platform
- Representatives: Authorized persons acting on behalf of Business Users
- Visitors: Individuals accessing our websites or services
By using our Services, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree with our practices, please do not use our Services.
Contact Information: For privacy-related questions or to exercise your rights, contact our Data Protection Officer at [email protected] or use the contact details provided in Section 13.
2. Information We Collect
2.1 Information You Provide Directly
We collect personal information that you voluntarily provide when registering for an account, using our Services, or communicating with us:
Account and Registration Information
- Full name, email address, phone number
- Business name, type, and registration details
- Postal address and jurisdiction of incorporation
- Account credentials and security preferences
- Tax identification numbers and business licenses
Financial and Payment Information
- Bank account details and routing information
- Payment card information (encrypted and tokenized)
- Transaction amounts, currency, and descriptions
- Financial statements and business performance data
- Credit reports and financial risk assessments
Identity Verification and Compliance
- Government-issued identification documents
- Social Security Numbers or equivalent identifiers
- Date of birth and proof of address
- Beneficial ownership information
- Enhanced due diligence documentation
Transaction and Usage Data
- Purchase details and merchant information
- Refund requests and chargeback records
- Customer support communications
- Service preferences and customizations
- Integration and API usage patterns
2.2 Information Collected Automatically
When you access or use our Services, we automatically collect certain technical and usage information:
Device and Technical Information
- IP addresses and geolocation data
- Device identifiers, browser type, and operating system
- Screen resolution and device capabilities
- Network connection type and service provider
- Time zone and language preferences
Usage and Interaction Data
- Pages visited, time spent, and navigation patterns
- Search queries and feature usage
- Error logs and performance metrics
- API calls and integration activities
- Customer support interactions and chat logs
Cookies and Tracking Technologies
- Essential cookies for service functionality
- Analytics cookies for service improvement
- Preference cookies for user experience
- Security cookies for fraud prevention
- Web beacons and similar tracking technologies
2.3 Information from Third Parties
We may receive information about you from third-party sources to provide our Services and ensure compliance:
- Financial Partners: Banks, card networks, payment processors, and acquiring banks
- Identity Verification Services: Credit bureaus, identity verification providers, and KYC vendors
- Public and Government Sources: Regulatory databases, sanctions lists, and business registries
- Business Partners: Technology integrators, referral partners, and marketplace platforms
- Data Enhancement Services: Contact information verification and business intelligence providers
3. Legal Basis and Purposes for Processing
We process your personal information based on the following legal grounds under applicable data protection laws, including GDPR Article 6:
3.1 Contract Performance (GDPR Art. 6(1)(b))
Processing necessary to perform our contract with you or take pre-contractual steps:
- Account creation, management, and authentication
- Payment processing and transaction settlement
- Providing customer support and technical assistance
- Delivering requested services and features
- Managing subscriptions and billing
- Communicating about service-related matters
3.2 Legal Compliance (GDPR Art. 6(1)(c))
Processing necessary to comply with legal obligations:
- Know Your Customer (KYC) and identity verification
- Anti-Money Laundering (AML) and sanctions screening
- PCI DSS and payment card industry compliance
- Tax reporting and regulatory filings
- Data breach notification requirements
- Court orders and law enforcement requests
3.3 Legitimate Interests (GDPR Art. 6(1)(f))
Processing necessary for our legitimate business interests, balanced against your rights:
- Fraud detection and prevention
- Risk assessment and underwriting
- Service improvement and product development
- Network and information security
- Analytics and performance monitoring
- Business development and marketing (B2B)
- Mergers, acquisitions, and corporate transactions
3.4 Consent (GDPR Art. 6(1)(a))
Processing based on your explicit consent, which you may withdraw at any time:
- Marketing communications and newsletters
- Non-essential cookies and analytics
- Product updates and promotional materials
- Market research and surveys
- Beta testing and early access programs
3.5 Vital Interests (GDPR Art. 6(1)(d))
Processing necessary to protect vital interests (rarely applicable):
- Emergency situations requiring immediate action
- Prevention of harm to individuals or public safety
4. How We Share Your Information
We may share your personal information in the following circumstances, always with appropriate safeguards:
4.1 Service Providers and Processors
We share information with trusted third parties who provide services on our behalf:
- Payment Networks: Visa, Mastercard, American Express for transaction processing
- Financial Institutions: Acquiring banks, issuing banks, and settlement providers
- Cloud Infrastructure: AWS, Google Cloud for hosting and data storage
- Identity Verification: Jumio, Onfido for KYC and compliance screening
- Communication Services: SendGrid, Twilio for email and SMS delivery
- Analytics and Monitoring: New Relic, Datadog for performance monitoring
- Customer Support: Zendesk, Intercom for help desk services
A complete list of our data processors is available in our Subprocessor List.
4.2 Legal and Regulatory Authorities
We may disclose information when required by law or to protect our rights:
- Government agencies and regulatory authorities (FinCEN, OFAC, etc.)
- Law enforcement agencies pursuant to valid legal process
- Courts and judicial proceedings
- Tax authorities for reporting and compliance obligations
- Supervisory authorities for data protection matters
4.3 Business Transfers
Information may be transferred in connection with corporate transactions:
- Mergers, acquisitions, or sales of assets
- Corporate reorganization or restructuring
- Bankruptcy or insolvency proceedings
- Due diligence processes (with appropriate confidentiality protections)
4.4 With Your Consent or Direction
We may share information when you explicitly consent or direct us to do so:
- Integration with third-party services you choose
- Sharing with your authorized representatives
- Marketing partnerships you opt into
- Public testimonials or case studies (with permission)
4.5 Aggregated and Anonymized Data
We may share aggregated, anonymized, or statistical data that cannot reasonably be used to identify you, including industry benchmarks, payment trends, and market research insights.
5. Data Security and Protection
We implement industry-leading security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
Technical Safeguards
- Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
- Access Controls: Multi-factor authentication and role-based permissions
- Network Security: Firewalls, intrusion detection, and DDoS protection
- Data Tokenization: Payment data tokenization and secure key management
- Vulnerability Management: Regular security assessments and penetration testing
- Monitoring: 24/7 security monitoring and automated threat detection
Organizational Safeguards
- Employee Training: Regular security awareness and privacy training
- Background Checks: Comprehensive screening for personnel with data access
- Incident Response: Established procedures for detecting and responding to breaches
- Business Continuity: Disaster recovery plans and data backup procedures
- Vendor Management: Security assessments of all third-party providers
- Regular Audits: Internal and external security compliance audits
Compliance Certifications
Our security practices comply with or exceed the following standards:
Level 1
Type II
Certified
Compliant
Data Breach Notification: In the unlikely event of a data breach affecting your personal information, we will notify you and relevant authorities within 72 hours as required by applicable law, including details about the breach and steps we are taking to address it.
6. International Data Transfers
As a global payment platform, we may transfer your personal information across international borders to provide our Services. We ensure appropriate safeguards are in place for all international transfers:
6.1 Transfer Mechanisms
- Adequacy Decisions: Transfers to countries with adequate data protection as recognized by the European Commission or other relevant authorities
- Standard Contractual Clauses (SCCs): EU Standard Contractual Clauses approved by the European Commission for international transfers
- Binding Corporate Rules: Internal policies ensuring consistent data protection across our global operations
- Certification Programs: Participation in recognized international data protection frameworks
- Approved Codes of Conduct: Adherence to industry-specific privacy codes approved by supervisory authorities
6.2 Processing Locations
Your data may be processed in the following regions:
United States
Primary data centers in Virginia, California, and Oregon
European Union
Data centers in Ireland, Germany, and Netherlands
Asia Pacific
Processing facilities in Singapore and Tokyo
6.3 Data Localization
Where required by applicable law, we maintain local data processing and storage capabilities. For EU customers, we provide data processing within the European Economic Area (EEA) upon request. Contact our Data Protection Officer for specific data localization requirements.
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements:
Operational Data
- Active account data: Duration of relationship
- Transaction records: 7 years
- Payment card data: 30 days post-transaction
- Support communications: 3 years
Compliance Data
- KYC documents: 7 years post-closure
- AML screening: 7 years
- Audit logs: 3 years
- Legal holds: Until resolution
When data is no longer needed, we securely delete or anonymize it in accordance with our Data Retention Policy. Data subject to legal proceedings or investigations is retained until resolution.
8. Your Privacy Rights
Depending on your jurisdiction and applicable law, you may have the following rights regarding your personal information:
8.1 Universal Rights
Access and Transparency
- Request access to your personal data
- Obtain details about our processing activities
- Receive a copy of data in a portable format
Control and Correction
- Correct inaccurate or incomplete data
- Update your account information
- Manage communication preferences
Deletion and Restriction
- Request deletion of your personal data
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
Consent and Objection
- Withdraw consent for processing
- Opt-out of marketing communications
- Object to automated decision-making
8.2 GDPR Rights (EU/EEA Residents)
Under the General Data Protection Regulation, you have enhanced rights including:
- Right to lodge a complaint with supervisory authorities
- Right to data portability in machine-readable format
- Right to object to automated decision-making and profiling
- Right to appoint an authorized representative
- Right to compensation for damages caused by GDPR violations
8.3 US State Privacy Rights
Residents of certain US states have additional rights under local privacy laws:
California (CCPA/CPRA)
- Right to know what personal information is collected and how it's used
- Right to delete personal information
- Right to opt-out of sale or sharing of personal information
- Right to non-discrimination for exercising privacy rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA)
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt-out of targeted advertising and sales
- Right to opt-out of automated decision-making
8.4 Exercising Your Rights
To exercise your privacy rights:
- Submit a Request: Email [email protected] or use our privacy portal at privacy.sovgate.com
- Verify Your Identity: We may request additional information to verify your identity and protect against fraudulent requests
- Response Timeline: We will respond within 30 days (GDPR) or 45 days (US state laws), with possible extensions if needed
- No Discrimination: We will not discriminate against you for exercising your privacy rights
Authorized Representatives: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization and you may need to verify your identity directly.
10. Third-Party Services and Links
Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by Sovgate. We are not responsible for the privacy practices of these third parties.
Third-Party Integrations
When you choose to integrate with third-party services:
- We may share specific data required for the integration to function
- The third party's privacy policy will govern their use of your data
- You can revoke integration permissions through your account settings
- We recommend reviewing the privacy policies of all integrated services
Important: This Privacy Policy does not apply to third-party services. We encourage you to read the privacy policies of any third-party services you use in conjunction with our platform.
11. Children's Privacy
Our Services are not intended for children under the age of 16 (or the applicable age of digital consent in your jurisdiction, such as 13 in the United States under COPPA). We do not knowingly collect personal information from children under this age.
If We Learn of Child Data Collection
If we become aware that we have collected personal information from a child under the applicable age:
- We will take steps to delete such information promptly
- We will not use the information for any purpose
- We will not share the information with third parties
- We will notify the parent or guardian if required by law
If you believe we've collected information from a child under the applicable age, please contact us immediately at [email protected] so we can take appropriate action.
12. Privacy Policy Updates
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will provide notice as follows:
Notification Methods
- Update the "Last updated" date at the top of this policy
- Email notification to registered users
- Prominent notice on our website and dashboard
- In-app notifications for mobile users
Implementation Timeline
- Material changes: 30 days advance notice
- Administrative changes: Immediate effect
- Legal requirement changes: As required by law
- Emergency changes: Immediate with retroactive notice
Your continued use of our Services after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you may terminate your account before the effective date.
Archive Access: Previous versions of this Privacy Policy are available upon request. Contact [email protected] to access historical versions.
13. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below:
Data Controller
San Francisco, CA 94105
United States
Privacy Contacts
EU Representative
For GDPR-related inquiries from EU/EEA residents:
Supervisory Authority Complaints
You have the right to lodge a complaint with supervisory authorities:
EU/EEA Residents
Contact your local Data Protection Authority or the Irish Data Protection Commission (lead supervisory authority)
US Residents
Contact your state Attorney General's office or relevant privacy authority
Response Commitment: We will acknowledge receipt of your privacy inquiry within 2 business days and provide a substantive response within 30 days (or as required by applicable law). For urgent privacy matters, please mark your communication as "Urgent Privacy Matter."