Privacy Policy
Last updated June 5, 2026
Introduction
We at Pagayo ("Pagayo", "we", or "us") are committed to protecting your privacy and keeping secure any information you share with us. This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use Pagayo's platform, APIs, and related tools, including at www.pagayo.com and all related software made available by Pagayo to build, manage, and operate your online and in-person sales ("Service").
This policy also describes the data protection rights available to you under applicable law, including the EU General Data Protection Regulation (GDPR). Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have been informed of and consent to our practices regarding your personal data.
This Privacy Policy does not apply where Pagayo acts solely as a data processor on behalf of a business customer (a "Tenant") — for example, when your employer has provisioned a Pagayo account for your business. In that case, our use of the data is governed by the agreement between Pagayo and that business.
1. Personal data we collect
A. Personal data you provide to us directly
We collect personal data when you create an account, use our Service, or contact us. This includes:
- Account information. When you sign up for Pagayo, we collect identifiers such as your name, email address, and business details.
- Payment information. If you subscribe to a paid plan, we collect payment details. Payment transactions are processed by our payment providers (Stripe and Mollie); Pagayo does not store full card numbers.
- Business and transaction data. To operate the platform, we process the orders, products, customers, and other business data that you and your team enter into Pagayo. This data belongs to you (the Tenant) and is stored in your dedicated database environment.
- Communications. If you contact us via email or through the platform, we collect your name, contact information, and the contents of any messages you send.
B. Personal data we receive from your use of the Service
When you use the Service, we also receive certain technical data automatically:
- Device and browser information. Your device or browser sends us information about how you access and use the Service, including device type, browser version, operating system, and network information.
- Log information. We collect server logs that include your IP address, browser type, error logs, and information about how you interact with the Service.
- Usage data. We collect information about your use of the Service — such as the pages you view, features you use, and actions you take — to understand how the platform performs and where it can be improved.
- Cookies and similar technologies. We use cookies and similar technologies to operate and improve the Service. See the section on your rights and choices below for more information.
- Location information. For security purposes — for example, to detect unusual login activity — we may derive a general geographic location from your IP address.
C. Data we do not collect
Pagayo does not knowingly collect sensitive personal data such as biometric data, health information, or data about racial or ethnic origin. We do not knowingly collect data from children under the age of 16. If we learn that a user is under 16, we will delete the relevant data and account.
2. How we use personal data
We use personal data for the following purposes:
- To provide and maintain the Service, including core platform functionality.
- To create, manage, and administer your account, including facilitating payments and responding to support requests.
- To improve and develop the Service, including debugging, identifying issues, and building new features.
- To communicate with you, including sending service updates, security alerts, and billing notifications.
- To prevent, detect, and investigate fraud, abuse, and security incidents.
- To comply with our legal obligations and protect the rights, safety, and property of users, Pagayo, or third parties.
- To enforce our Terms of Service and other applicable agreements.
We do not use your business or transaction data (the data you enter into Pagayo as part of your store or operations) to train machine learning models, nor do we permit third parties to do so.
Where required by law, in particular under GDPR, we rely on one or more of the following legal bases to process your personal data: performance of a contract, compliance with a legal obligation, our legitimate interests (where these do not override your interests or rights), or your consent.
4. Retention
We retain your personal data only for as long as necessary to operate the Service and to support legitimate business needs such as legal compliance, safety, and dispute resolution. The appropriate retention period depends on the type of data, the purpose for which it was collected, its sensitivity, and applicable legal requirements.
When you delete your account, we will delete or anonymise your personal data within a reasonable timeframe, unless we are required by law to retain it longer.
5. Security
Pagayo is built on Cloudflare's global edge network. We apply technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, alteration, or destruction. These measures include encryption in transit (TLS), isolated per-tenant database environments, and access controls.
No method of transmission over the internet is completely secure. You should use caution when deciding what information to share with the Service. If you believe your account has been compromised, contact us immediately at privacy@pagayo.com.
6. Your rights and choices
Depending on where you live and the laws that apply, you may have certain rights regarding your personal data. Under the GDPR (which applies to users in the European Economic Area and the United Kingdom), these rights include:
- Right of access. You can request a copy of the personal data we hold about you.
- Right to rectification. You can ask us to correct inaccurate or incomplete personal data.
- Right to erasure. You can ask us to delete your personal data, subject to certain exceptions (for example, where we are required to retain data by law).
- Right to data portability. You can request your personal data in a structured, machine-readable format.
- Right to object. You can object to certain types of processing, including processing based on our legitimate interests.
- Right to restriction. You can ask us to restrict processing in limited circumstances, such as while a correction request is pending.
- Right to withdraw consent. Where processing is based on your consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint. You have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
To exercise any of these rights, please contact us at privacy@pagayo.com. We may ask you to verify your identity before processing your request. We will respond within the timeframe required by applicable law (generally 30 days under GDPR).
Cookies
We use essential cookies to operate the Service (for example, to keep you signed in). We do not use third-party tracking cookies or advertising cookies. You can control cookie preferences through your browser settings; note that disabling essential cookies may affect the functionality of the Service.
7. Privacy policy changes
We may update this Privacy Policy from time to time. When we do, we will publish an updated version and a new effective date at the top of this page. For material changes, we will notify you by email or through a notice in the Service.
Your continued use of the Service after any change constitutes your acceptance of the updated policy.
8. Contacting us
If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please contact us:
Pagayo
Email: privacy@pagayo.com
If you are located in the EEA or the UK and believe we have not adequately addressed your concerns, you have the right to contact your local data protection authority.