Paybis Privacy Policy

Last Updated: July 1, 2026

SIA "Paybis Europe", registration number: 40203730951, a company incorporated in Latvia, with its registered address at Brivibas street 171, Riga, Latvia, LV-1012, and Paybis USA LTD, file number: 5967173, a company incorporated in the United States, with its registered address at 321 South Boston Avenue, Tulsa, Oklahoma, 74103 (collectively referred to as "Paybis", "we", "us", or "our") are committed to protecting and respecting Your privacy.

This Privacy Policy governs our collection, processing, and use of Your Personal Data when You access our website (Paybis.com), use the Paybis mobile application, or use any of our services.

1. Data Controllers and Contact Information

The specific Paybis entity responsible as the Data Controller for Your Personal Data depends on Your country of residence:

  • SIA "Paybis Europe", registration number: 40203730951, a company incorporated in Latvia, with its registered address at Brivibas street 171, Riga, Latvia, LV-1012: For customers residing in the European Economic Area (EEA) and International Jurisdictions (hereby defined as any country or territory globally, excluding the United States of America and the member states of the European Economic Area (EEA)).
  • Paybis USA LTD, file number: 5967173, a company incorporated in the United States, with its registered address at 321 South Boston Avenue, Tulsa, Oklahoma, 74103: For customers residing in the United States of America (US).

Data Protection Officer (DPO)

We have appointed a Data Protection Officer who handles all matters related to data privacy and protection. If You have any questions, concerns, or requests regarding this Privacy Policy or Your data rights, You can contact our DPO directly at: dpo@paybis.com.

2. Sources of Information

We collect information about You from several sources including, but not limited to:

  • Your paybis.com profile;
  • Your social network profiles (e.g., Facebook, Google) if used for registration or authentication;
  • Cryptocurrency blockchains (e.g., Bitcoin, Litecoin, Ethereum, BitcoinCash blockchains);
  • Your card-issuing bank and major credit card networks (e.g., Visa, Mastercard);
  • Our trusted third-party service providers, including authorized payment processors;
  • Publicly accessible sources, such as commercial registers, sanctions lists, and media.

3. Categories of Personal Data We Collect

We collect and process various categories of Personal Data depending on how You interact with our platform. These categories include:

  • Identity Data: Full name, date of birth, gender, nationality, signature, profile photograph, and corporate authorized individual details (including ID type, number, and issuing authority).
  • Contact Data: Residential address, email address, telephone number, and alternative contact channels.
  • Verification & Compliance Data (KYC): Government-issued photographic identification (e.g., passport, national ID card, or driver’s license), screenshots or videos from video/auto-authentication processes, proof of address documentation (e.g., utility bills or bank statements), proof of political exposure status (PEP), and details, suitability declarations, or supporting documentation regarding Your source of wealth/funds (such as contracts of sale or business analysis records).
  • Biometric Information: Facial-geometry data extracted from Your photographic ID and from "selfie" images or videos in order to execute automated identity verification and liveness checks.
  • Financial & Transaction Data: Bank account numbers, tokenised card details and the last four digits of Your card, crypto-asset wallet addresses, public blockchain transaction data (including private cryptographic keys for hosted custody solutions, deposit/withdrawal addresses, and transaction timestamps), transaction history, and trading volumes.
  • Tax Data: Taxpayer identification number(s), country of tax residence, and related information we are required to collect for tax-reporting purposes—including, for US customers and partners, information provided on IRS Forms W-9 or W-8 (such as Your tax classification and foreign-status certification).
  • Investment Knowledge & Experience Data: Information derived from financial appropriateness tests, including Your investment goals, risk tolerance, specific assets or markets of interest, preferred investment strategies, educational background, occupational or previous professional experience, and familiarity with specific digital assets or financial instruments.
  • Technical & Usage Data: IP address, geolocation details, device type, operating system, browser model/type, cookie data, statistical patterns regarding how You navigate our platform, unique device identification numbers, frequency and time of access, mouse movements, scroll pattern timing, crash reports, performance data, and network captcha identifiers.
  • Communications & Support Data: Interactive chat transcripts, customer support ticket submissions, data obtained through call-back functions, details provided voluntarily during research initiatives or discussion boards, and recordings of telephone conversations or electronic communications related to query resolution or transaction execution.
  • Marketing & Research Data: Consumer behavioral insights, localized preferences (e.g., language and region), survey entries, user satisfaction feedback, market research datasets, target group tracking vectors, media interactions (such as "likes," direct messages, or comments on social media platforms), and audio, video, or photographic footage captured during public corporate events or fairs.
  • Corporate & Institutional Data: For business accounts and corporate onboarding, we collect commercial register reports, business onboarding questionnaires, entity types, ultimate beneficial ownership (UBO) structures, VAT or corporate registration numbers, financial statement data, shareholder allocations, and records of recent, past, or planned commercial activities.
  • Promotional & Incentive Data: Proof of VIP status or eligibility configurations gathered to facilitate enrollment in cross-platform incentive programs, trading rewards, or affiliate initiatives.

Providing certain categories of Personal Data is a prerequisite to entering into and maintaining a contractual relationship with Paybis. Specifically:

  • Identity and Contact Data are required to create and maintain Your Paybis account. Without this data, we are unable to provide You with access to our platform.
  • Verification & Compliance (KYC) Data and Biometric Information are required by applicable law (including AML, CASP/MiCA, and financial regulatory obligations). We are legally prohibited from providing Services to unverified users. Failure to provide this information will prevent us from onboarding You or continuing to provide Services.
  • Financial & Transaction Data is necessary to process Your cryptocurrency transactions. Without it, individual transactions cannot be completed.

Where processing is based on Your consent (e.g., biometric verification or direct marketing), providing such data is voluntary. You may withdraw consent at any time, though this may affect certain features of the platform.

4. Collection and Storage of Payment Information

4.1. Payment Processing and Storage. In the provision of Services to You, we use secure, PCI-compliant third-party payment processors to handle financial transactions. We do not directly capture, process, or store Your complete Primary Account Number or CVV code on our own servers. When You choose to save a payment method to Your account for future purchases, our payment processor provides us with a secure, encrypted token and the last four digits of Your bank card.

4.2. Purposes of Processing. We strictly use Your tokenized payment information for the following purposes:

  • Transaction Fulfillment: To process payments for the services or purchases You initiate (Legal basis: Performance of a Contract).
  • User Convenience: To eliminate the need for You to manually re-enter Your billing details for future transactions, based on Your choice to save this information (Legal basis: Consent or Legitimate Interest).
  • Fraud Prevention: To cross-reference stored card details within our internal fraud screening databases. This is a vital security measure to ensure Your payment methods are not fraudulently applied to or utilized by unauthorized accounts (Legal basis: Legitimate Interest).

4.3. Information Received from Third Parties (Account Updater Services). To ensure Your saved payment methods remain current and ready for use, our third-party payment processors participate in "Account Updater" services provided by major credit card networks (such as Visa and Mastercard). If the physical bank card You have saved on file expires, is reported lost, or is replaced, Your card-issuing bank may automatically and securely transmit Your updated card details to our payment processor.

We process this automatically updated information solely to maintain the validity of Your billing profile and prevent failed transactions on future purchases. All payment data is handled in accordance with strict industry standards, including the Payment Card Industry Data Security Standard (PCI DSS).

4.4. Your Control Over Payment Data. Because the Account Updater service is managed directly by Your bank and the card networks, You may also contact Your card-issuing bank directly if You wish to opt out of their updater service entirely.

5. Marketing Communication

We may send You marketing communications about our products, services, and promotions. This section explains how we manage Your marketing preferences, the legal bases we rely on, and how You may exercise Your right to opt out at any time.

Legal Basis and How You Receive Marketing Communications

We will only send You direct marketing communications where we have a valid legal basis to do so:

  • Consent: Where You have provided Your express consent following a clear opt-in action (e.g., subscribing to our newsletter or opting in during account registration). We use a confirmed opt-in process to validate that the email address provided belongs to You.
  • Legitimate Interests: Where You are an existing customer and we market similar products and services to those You have used. We will only do so subject to Your right to object at any time and to the extent permitted by applicable law.

What Our Marketing Communications May Include

Our marketing communications may include:

  • Product updates, new feature announcements, and service notifications;
  • Promotional offers, referral programmes, and incentives;
  • Market insights, educational content, and crypto-related news relevant to our services;
  • Surveys and invitations to participate in research or user feedback initiatives.

How to Opt Out

You may withdraw Your consent or object to receiving marketing communications at any time, free of charge and without providing a reason, by:

  • Using the unsubscribe link included in every marketing email;
  • Adjusting Your notification preferences within Your Paybis account settings; or
  • Contacting our Data Protection Officer at dpo@paybis.com.

Please note that opting out of marketing communications will not affect the delivery of transactional or service-related communications that are necessary for the performance of Your contract with us (e.g., transaction confirmations, security alerts, or account notifications).

6. Legal Bases for Processing

Under applicable data protection laws (such as the GDPR for EEA residents), we must establish a valid legal basis for processing Your Personal Data. The table below maps out our purposes against their corresponding legal bases:

Purpose of Processing | Category of Personal Data Involved | Legal Basis for Processing
Creating, operating, and maintaining Your user profile on Paybis. | Identity Data, Contact Data, Technical & Usage Data, Corporate & Institutional Data, Promotional & Incentive Data | Performance of a contract with You (Art. 6(1)(b) GDPR).
Facilitating purchases, sales, and swaps of cryptocurrencies, as well as wallet services. | Identity Data, Financial & Transaction Data, Corporate & Institutional Data | Performance of a contract with You (Art. 6(1)(b) GDPR).
Verifying Your identity, monitoring accounts for suspicious activity, and performing mandatory screening against sanctions lists. | Identity Data, Verification & Compliance Data (KYC), Biometric Information, Financial & Transaction Data, Tax Data, Investment Knowledge & Experience Data, Corporate & Institutional Data | Compliance with our legal obligations under applicable AML/CFT law (Art. 6(1)(c) GDPR).
Authenticating that You are the genuine holder of the identity document presented (biometric facial matching / liveness). | Biometric Information | Substantial public interest under EU and Latvian AML law (Art. 9(2)(g) GDPR), supported by Your explicit consent (Art. 9(2)(a) GDPR).
Transmitting originator and beneficiary information to counterparty crypto-asset and payment service providers when You send or receive transfers. | Identity Data, Financial & Transaction Data, Corporate & Institutional Data | Compliance with a legal obligation under Regulation (EU) 2023/1113 (Art. 6(1)(c) GDPR).
Reporting Your account and transaction information to tax authorities under the EU crypto-asset tax-reporting rules (DAC8) and equivalent obligations. | Identity Data, Tax Data, Financial & Transaction Data, Corporate & Institutional Data | Compliance with a legal obligation under Council Directive (EU) 2023/2226 (DAC8) as transposed in Latvia (Art. 6(1)(c) GDPR).
Responding to Your queries, handling ticket submissions, and resolving transaction disputes. | Identity Data, Contact Data, Financial & Transaction Data, Communications & Support Data | Performance of a contract (Art. 6(1)(b)) and our legitimate interest in providing effective support (Art. 6(1)(f) GDPR).
Detecting, preventing and investigating fraud, money laundering and abuse of the platform (including blocked VPN/proxy use). | Identity Data, Verification & Compliance Data (KYC), Financial & Transaction Data, Technical & Usage Data, Communications & Support Data | Compliance with legal obligations (Art. 6(1)(c)) and our legitimate interests in protecting the platform and users (Art. 6(1)(f) GDPR).
Maintaining the security, stability and continuity of our systems and improving and optimising our services (UI/UX, analytics). | Technical & Usage Data | Our legitimate interest in a secure, reliable and well-functioning platform (Art. 6(1)(f) GDPR); consent for non-essential cookies.
Sending updates, newsletters, and promotional offers regarding products You may enjoy. | Contact Data, Technical & Usage Data, Marketing & Research Data, Promotional & Incentive Data | Your consent (Art. 6(1)(a)); for existing customers, our legitimate interest in marketing similar products subject to Your right to object (Art. 6(1)(f) GDPR).
Operating, defending or transferring our business (corporate transactions, audits, insurance, legal claims). | Potentially all categories (Identity, Contact, Verification/KYC, Biometric, Financial/Transaction, Tax, Investment Knowledge, Technical/Usage, Communications/Support, Marketing/Research, Corporate/Institutional, Promotional/Incentive Data) | Our legitimate interests and, where applicable, compliance with legal obligations (Art. 6(1)(f) and 6(1)(c) GDPR).

7. Recipients of Personal Data

We do not sell Your Personal Data. We only share Your Personal Data with selected third parties who are contractually bound to safeguard Your data to a standard no less protective than this policy:

  • Affiliates and Group Entities: Sharing between SIA "Paybis Europe", Paybis USA LTD, Paybis Poland Sp.z o.o. and other corporate affiliates for service provision and intra-group operations.
  • Identity Verification and Screening Providers: Third parties that perform KYC checks, biometric matching, sanctions/PEP screening and background checks.
  • Payment Infrastructure Providers: Acquiring banks, card issuers, card networks and payment processors that clear and settle fiat funds.
  • Counterparty crypto-asset and payment service providers: When You send or receive transfers, we share the originator (sender) and beneficiary (recipient) information that we are legally required to transmit under the "Travel Rule" with the crypto-asset or payment service provider on the other side of the transaction.
  • Blockchain Networks: Public transaction data (such as wallet addresses and transaction amounts) are natively published to the public ledger when initiating crypto transfers.
  • Professional advisers and corporate counterparties: auditors, legal and tax advisers, insurers, and parties to a corporate transaction (e.g. merger, reorganisation or financing).
  • Authorities: Financial Intelligence Units, tax authorities, regulators, courts and law-enforcement bodies, where required by law or to detect and prevent financial crime. This includes mandatory reporting of Your account and transaction information to tax authorities under the EU crypto-asset tax-reporting rules (DAC8, Council Directive (EU) 2023/2226).

8. International Transfers of Personal Data

As a globally operating platform, Paybis may transfer Your Personal Data to countries outside the European Economic Area (EEA), including to countries that may not provide a level of data protection equivalent to that in Your home jurisdiction.

Where such transfers occur, we ensure they are protected by appropriate safeguards, which may include one or more of the following mechanisms:

  • Adequacy Decision: The transfer is to a country that the European Commission has determined provides an adequate level of data protection.
  • Standard Contractual Clauses (SCCs): We rely on the Standard Contractual Clauses approved by the European Commission (as updated in 2021), which contractually obligate the recipient to protect Your Personal Data to EEA standards.
  • Binding Corporate Rules (BCRs): Where transfers are made to Paybis group entities, we may rely on approved BCRs.

9. Data Retention

We retain Your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting mandates.

  • Standard Compliance Retention: In accordance with statutory record-keeping and Anti-Money Laundering (AML) obligations, Paybis is legally required to retain all relevant customer data, verification records, and transaction histories for at least five (5) years after the account is formally closed or the business relationship is terminated. This period may be extended where a competent authority so requires.
  • Account and contract data: retained for the duration of Your relationship with us and for the period needed to resolve disputes and enforce our agreements.
  • Tax records: retained for the period required by applicable tax law and the DAC8 reporting framework.
  • Marketing data: retained until You withdraw consent or object, after which we suppress Your details to honour Your preference.

10. Your Data Privacy Rights

The rights available to you depend on your place of residence and the laws that apply to the processing of your Personal Data.

10.1. Rights for customers in the EEA and International Jurisdictions

Where SIA "Paybis Europe" is the Data Controller, you have the following rights:

  • Right to Access. You have the right to obtain confirmation as to whether we are processing your Personal Data, request a copy of it, and receive detailed information about how we process it.
  • Right to Rectification. You have the right to request that we correct any inaccurate Personal Data and complete any incomplete information we hold about you.
  • Erasure ("right to be forgotten"). You can ask us to delete your Personal Data at any time. We will honor this request unless an overriding exception applies. We cannot delete your data if we still need it to provide active services to you, if we have an alternative legal basis or overriding legitimate interest to keep it, or—most importantly—if we are legally required to retain it to comply with applicable regulatory obligations. In the absence of these exceptions, we will process your deletion request promptly.
  • Right to Restrict Processing. You have the right to request that we restrict the processing of your Personal Data if You believe the data we have is inaccurate, and we need time to verify it; or our processing was unlawful, but you want us to restrict the data's use instead of erasing it; or we no longer need your data, but you need us to hold onto it for a legal claim or defense.
  • Right to Object. You may ask us to stop using your Personal Data if we are doing so based on our "legitimate interests". Unless we can demonstrate a legally overriding necessity to continue—or we need the information for a legal dispute—we will halt the processing. Furthermore, you can permanently opt out of all direct marketing communications at any moment.
  • Right to Data Portability. If we process your data via automated systems based on your consent or a contract, you are entitled to request a digital, machine-readable export of that data.
  • Right regarding Automated Decision-Making. Paybis ensures that you are not subjected to significant or legally binding decisions made entirely by algorithms or profiling systems. If any automated processing is utilized, you always retain the right to demand a human review, present your perspective, and formally contest the algorithm's outcome.
  • Right to Withdraw Consent. Whenever you have given us permission to use your data (e.g., for marketing or biometrics), you are free to revoke that permission at any point. We will immediately cease using your data for that specific purpose, though this revocation will not retroactively invalidate any lawful processing that occurred before you changed your mind.
  • Right to Lodge a Complaint. You have the right to lodge a complaint with a competent data protection supervisory authority, in particular in the EEA Member State of your habitual residence, or the place of the alleged infringement. In Latvia, this is the Data State Inspectorate (Datu valsts inspekcija).

10.2. Rights for US residents

Where Paybis USA LTD is the Data Controller, and depending on the US state in which you reside and subject to the exemptions and limits in applicable law, you have the following rights:

  • Right to Know and Access. You may request confirmation of whether we process your Personal Data and obtain access to it, including the categories and specific pieces of Personal Data collected, the categories of sources, the business or commercial purposes for collecting or disclosing it, and the categories of third parties to whom we disclose it or with whom we share it.
  • Right to Correct. You may request that we correct inaccurate Personal Data we hold about you.
  • Right to Delete. You may request that we delete the Personal Data we have collected from you, subject to legal exceptions (including our regulatory record-keeping obligations).
  • Right to Data Portability. You may obtain a copy of your Personal Data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit it to another entity.
  • Right to Opt Out. You may opt out of the "sale" or "sharing" of Personal Data, of targeted advertising (cross-context behavioural advertising), and of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. You may exercise these rights through a recognised opt-out preference signal, such as the Global Privacy Control, which we treat as a valid request where required by law.
  • Right to Limit Use of Sensitive Personal Data. You may request that we limit the use and disclosure of your sensitive Personal Data (such as government-issued identifiers, account log-in credentials, precise geolocation, or biometric data) to the purposes permitted under applicable law. In certain states, we will process sensitive Personal Data only with your consent.
  • Right to Non-Discrimination. We will not discriminate or retaliate against you for exercising any of your privacy rights.
  • Right to Appeal and to Use an Authorised Agent. You may appeal a refusal of your request, and you may use an authorised agent to submit requests on your behalf, subject to verification of your identity and, where applicable, the agent's authority.

10.3. How to exercise your rights

You can exercise any of the rights above by contacting our Data Protection Officer at dpo@paybis.com. Where we have reasonable doubts about your identity, we may request additional information to verify it, which we use only for that purpose. If an authorised agent submits a request on your behalf, we may require proof of authorisation.

Exercising your rights is free of charge. Where a request is manifestly unfounded or excessive (in particular, because it is repetitive), we may charge a reasonable fee or decline to act; if we decline, we will explain why and tell you how to challenge that decision or lodge a complaint.

11. Automated Decision-Making and Profiling

We do not use Your Personal Data for automated decision-making or profiling as defined by Article 22 of the GDPR. At Paybis, You will not be subject to decisions based entirely on automated processing that significantly affect You or produce legal consequences.

12. Security of Your Personal Data

The security of Your Personal Data is fundamental to how we operate. We implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, and to protect Your Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised access or disclosure — safeguarding its confidentiality, integrity, availability and resilience.

These measures are documented in our internal information-security framework, are proportionate to the nature, scope and purposes of our processing, and are reviewed and updated regularly to reflect evolving risks and good industry practice. They include, among others:

  • The encryption of Personal Data, supported by managed cryptographic-key controls;
  • Strict access controls based on roles and a "need-to-know" principle, segregation of duties, and periodic reviews of access rights;
  • Comprehensive network and endpoint protection, including firewalls, intrusion detection and prevention, anti-malware, and secure system configurations;
  • Continuous monitoring and logging, maintaining audit trails that allow us to identify and investigate anomalies and security incidents;
  • Active vulnerability and patch management alongside regular security testing;
  • Reliable backup, recovery, and IT resilience measures, including business continuity and disaster recovery procedures that are tested periodically;
  • The use of pseudonymization, anonymization, and data minimization techniques;
  • Robust physical security measures for our premises, systems, and equipment.

Our staff are bound by confidentiality obligations and receive mandatory, recurring data-protection and security training, and any third parties that process Personal Data on our behalf are subject to due diligence and to written data-processing agreements requiring equivalent safeguards.

If a Personal Data breach occurs and is likely to result in a high risk to Your rights and freedoms, we will notify the competent supervisory authority and, where required by law, the affected individuals, without undue delay.

You also play an important role in keeping Your account secure. Please keep Your login credentials and authentication devices confidential, stay alert to phishing and fraudulent messages, and contact us immediately if You suspect any unauthorized access to Your account. No method of transmission or storage can be guaranteed to be completely secure, but we work continuously to protect Your Personal Data and to maintain and improve our safeguards.

13. Supervisory Authority

If You have any concerns about how we handle Your Personal Data, we encourage You to contact our Data Protection Officer at dpo@paybis.com so we can address the issue directly.

Regardless of whether You contact us first, You always have the right to lodge a complaint with a competent supervisory authority. In Latvia, this is the Data State Inspectorate (Datu valsts inspekcija), and in the US, this includes federal regulators such as the Federal Trade Commission or Your respective State Attorney General.

14. Changes to This Privacy Policy

We regularly review and update this Privacy Notice to ensure it accurately reflects our current data processing practices, technological changes, and legal obligations. Paybis is committed to providing clear, up-to-date information regarding Your privacy rights. If we make significant modifications to this policy, we will notify You. If required by applicable data protection laws, we will also ask for Your explicit consent.

15. How to Contact Us

If You have any questions or concerns regarding this Privacy Notice, or if You wish to exercise Your data protection rights, please contact our Data Protection Team at: dpo@paybis.com.