Privacy policy

Introduction

PayRadar, Inc. ("PayRadar," "we," "us," or "our") operates the PayRadar.ai platform, an AI-powered revenue intelligence service that connects to third-party tools and data sources on behalf of our customers. This Privacy Policy explains how we collect, use, store, share, and protect information when you visit our website at payradar.ai (the "Website"), use our platform and services (the "Service"), or otherwise interact with us.

We take data privacy seriously — especially because our Service involves processing data from multiple third-party platforms including payment processors, analytics tools, advertising platforms, commerce platforms, and CRM systems. This policy is designed to give you clear, specific information about how we handle each type of data.

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

We collect information in three broad categories: information you provide directly, information collected automatically, and information ingested from third-party tools you connect to the Service.

1.1 Information You Provide Directly

When you create an account, request a demo, contact us, or otherwise interact with the Service, you may provide:

Account information — your name, email address, company name, job title, phone number, and billing information.

Communication information — any messages, feedback, support requests, or other content you send to us.

Payment information — if you subscribe to a paid plan, we collect billing details such as credit card number, expiration date, and billing address. Payment processing is handled by our third-party payment processor; we do not store full credit card numbers on our servers.

Form submissions — information you provide through forms on our Website, such as demo request forms, including your role, company size, monthly revenue, and the tools you currently use.

1.2 Information Collected Automatically

When you visit our Website or use the Service, we automatically collect:

Usage data — pages viewed, features used, actions taken within the Service, time spent, and interaction patterns.

Device and browser data — IP address, browser type and version, operating system, device type, screen resolution, and language preferences.

Cookies and similar technologies — we use cookies, pixels, and similar tracking technologies to operate the Website, remember your preferences, and analyze usage patterns. See Section 8 (Cookies) for details.

Log data — server logs that record requests made to our systems, including timestamps, URLs, referring pages, and error information.

1.3 Information Ingested From Connected Third-Party Tools

This is the category most specific to PayRadar. When you connect third-party tools to the Service, we ingest data from those tools on your behalf to provide revenue intelligence and analytics. The types of data we ingest depend on which tools you connect.

From advertising platforms (Google Ads, Facebook/Meta Ads) — campaign data, ad spend, impressions, clicks, cost per click, cost per acquisition, conversion events, audience segment identifiers, and campaign performance metrics. We do not access or store the content of your ads, creative assets, or audience targeting criteria beyond segment-level identifiers.

From analytics and behavior tools (Google Analytics, PostHog, Google Tag Manager, Mida) — session data, page views, event data, funnel metrics, conversion events, A/B test variant assignments and results, user behavior metrics (bounce rate, time on page, scroll depth), and traffic source attribution. We do not access session recordings, heatmaps, or video content from these tools. We may access aggregated behavioral metrics derived from such recordings (such as funnel completion rates) where available through the tool's API.

From commerce and subscription platforms (Shopify, Sticky.io) — order data, transaction amounts, product information, cart and checkout events, subscription status, rebill events, subscription lifecycle data, customer identifiers (internal IDs only — not names or emails unless required for matching), and refund and cancellation data.

From payment processors (NMI, Stripe, Authorize.net, Adyen, Braintree, Square) — transaction data including amounts, dates, authorization responses, decline codes, settlement data, chargeback and dispute data, refund data, BIN-level card information (first 6-8 digits, card brand, card type, issuing bank, country of issuance), and merchant identifiers. We do not store full card numbers (PANs), CVV/CVC codes, or cardholder names.

From CRM platforms (HubSpot) — contact records (name, email, company, lifecycle stage), deal data, engagement metrics, and customer segmentation data. We access only the fields necessary to correlate customer lifecycle data with payment and acquisition data.

From data warehouses (Google BigQuery) — query results from SQL queries you configure or approve. We execute queries against your data warehouse on your behalf; the scope of data accessed depends on the queries and permissions you configure.

From notification and communication tools (Slack) — we send messages to Slack channels you designate. We do not read or access your Slack message history, files, or channels beyond the delivery of our notifications.

2. How We Use Information

We use the information we collect for the following purposes:

To provide and operate the Service — processing and analyzing your connected data to generate revenue intelligence insights, dashboards, alerts, reports, and AI-powered recommendations.

To power AI features — using your connected data to answer natural-language queries, generate cross-tool insights, produce daily digests, detect anomalies, predict trends, and provide proactive recommendations. See Section 5 (AI and Machine Learning) for details on how AI processes your data.

To manage your account — creating and maintaining your account, processing subscriptions, communicating about your account, and providing customer support.

To improve the Service — analyzing aggregate usage patterns to improve features, fix bugs, optimize performance, and develop new capabilities. We use aggregated, de-identified data for this purpose, not your raw connected data.

To communicate with you — sending service-related notifications, responding to inquiries, providing support, and sending marketing communications where you have opted in.

To ensure security and prevent fraud — monitoring for suspicious activity, enforcing our Terms of Use, and protecting the rights and safety of our users and third parties.

To comply with legal obligations — responding to lawful requests from governmental authorities and complying with applicable laws and regulations.

3. How We Store and Protect Information

3.1 Data Storage

Your data is stored on cloud infrastructure provided by reputable third-party hosting providers. Our primary data infrastructure includes:

Application data and user accounts — stored in Supabase (hosted on AWS infrastructure) with encryption at rest.

Analytics and time-series data — stored in ClickHouse Cloud with encryption at rest. This is where ingested data from your connected tools is stored and queried.

Cached and temporary data — stored in Redis with appropriate TTLs (time-to-live) to ensure temporary data is automatically purged.

All data is stored in data centers located in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. See Section 10 (International Data Transfers) for more information.

3.2 Security Measures

We implement industry-standard security measures to protect your data, including:

Encryption in transit — all data transmitted between your browser and our servers, between our servers and third-party APIs, and between internal services is encrypted using TLS 1.2 or higher.

Encryption at rest — all stored data is encrypted at rest using AES-256 encryption.

Access controls — we implement role-based access controls, multi-factor authentication for internal systems, and the principle of least privilege for all system access.

API security — connections to third-party tools use OAuth 2.0 or API key authentication with encrypted credential storage. We never store third-party credentials in plaintext.

Infrastructure security — our cloud infrastructure is configured with network isolation, firewall rules, intrusion detection, and regular security patching.

Monitoring and logging — we maintain security logs and monitor for unauthorized access attempts and anomalous activity.

Incident response — we maintain an incident response plan and will notify affected customers within 72 hours of discovering a data breach that affects their data.

3.3 Payment Card Industry (PCI) Compliance

Although we ingest transaction data from payment processors, we do not store, process, or transmit full payment card numbers (PANs), CVV/CVC codes, or magnetic stripe data. The BIN-level data we store (first 6-8 digits) is not considered cardholder data under PCI DSS. Our payment processing for subscription billing is handled by PCI-compliant third-party processors.

4. Data Ownership and Your Data Rights

4.1 You Own Your Data

The data you provide and the data ingested from your connected third-party tools remains your data. We do not claim ownership of your data. We process your data solely to provide the Service to you, as described in this Privacy Policy and our Terms of Use.

4.2 Data Portability

You may request an export of your data at any time by contacting us at privacy@payradar.ai. We will provide your data in a commonly used, machine-readable format (such as CSV or JSON) within 30 days of your request.

4.3 Data Deletion

You may request deletion of your data at any time. Upon receiving a deletion request:

Connected tool data — data ingested from your third-party tools will be permanently deleted from our systems within 30 days.

Account data — your account information will be deleted within 30 days, except where we are required by law to retain certain records (such as billing records for tax compliance).

Backups — data may persist in encrypted backups for up to 90 days after deletion from active systems, after which it will be permanently purged.

Aggregated data — de-identified, aggregated data that cannot be traced back to you or your business may be retained for analytics and product improvement purposes.

You can also disconnect individual third-party tools at any time through your account settings. When you disconnect a tool, we stop ingesting new data from that tool. Previously ingested data from that tool will be retained unless you specifically request its deletion.

4.4 Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Right to access — request a copy of the personal information we hold about you.

Right to rectification — request correction of inaccurate personal information.

Right to erasure — request deletion of your personal information.

Right to restriction — request that we limit our processing of your personal information.

Right to data portability — request your personal information in a structured, commonly used format.

Right to object — object to our processing of your personal information for certain purposes.

Right to withdraw consent — where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, contact us at privacy@payradar.ai. We will respond within 30 days (or within the timeframe required by applicable law).

5. AI and Machine Learning

Our Service uses artificial intelligence and machine learning to analyze your data and provide insights. This section explains how AI processes your data and the safeguards we have in place.

5.1 How AI Processes Your Data

When you ask Radar AI a question or when the system generates proactive insights, your connected data is processed as follows:

Data stays in our infrastructure. Your raw data is stored in our ClickHouse database and queried by our application. When AI generates insights, it works with query results from your data — the data does not leave our infrastructure for AI processing unless specifically described below.

Third-party AI model usage. We use third-party large language model (LLM) providers to power natural language understanding and response generation. When processing your queries, we send structured, aggregated data summaries to the LLM — not your raw transaction records. For example, the LLM might receive "approval rate by card brand for the last 7 days" as a table of aggregate numbers, not individual transaction records.

No training on your data. We do not use your data to train AI models — whether our own or third-party models. Your data is used exclusively for inference (generating responses and insights) and is not retained by our LLM providers for training purposes. We maintain contractual agreements with our LLM providers that prohibit them from using customer data for model training.

Data minimization. We minimize the data sent to AI models. We do not send personally identifiable information (PII), full card numbers, or customer names to LLM providers. The data sent consists of aggregated metrics, trend data, and statistical summaries.

5.2 Automated Decision-Making

Our Service provides AI-generated recommendations (such as "shift ad budget from Audience A to Audience B" or "revert A/B test variant"). These recommendations are informational only. We do not take automated actions that affect your business operations, ad spend, billing, or payment processing without your explicit confirmation. All recommendations require human review and action.

6. How We Share Information

We do not sell your personal information or your connected data. We share information only in the following circumstances:

6.1 Service Providers

We share information with third-party service providers who help us operate the Service, including:

Cloud infrastructure providers — for hosting and data storage.

Payment processors — for processing subscription billing (they receive only the billing information necessary to process your payment).

AI model providers — for powering natural language features (they receive only aggregated, de-identified data summaries as described in Section 5).

Email and communication providers — for sending service notifications and marketing communications.

Analytics providers — for understanding Website usage patterns (using aggregated, anonymized data).

All service providers are bound by contractual obligations to protect your information and use it only for the purposes we specify.

6.2 With Your Consent

We may share information with third parties when you explicitly direct us to do so — for example, if you enable an integration that sends PayRadar insights to a third-party tool like Slack.

6.3 Legal Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request. We will notify you of such requests unless prohibited by law from doing so.

6.4 Business Transfers

If PayRadar is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

6.5 Aggregated and De-Identified Data

We may share aggregated, de-identified data that cannot reasonably be used to identify you or your business. For example, we may publish industry benchmark reports based on aggregated payment performance data across our customer base. Such data will never contain information attributable to any individual customer.

7. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.

Account data — retained for the duration of your account and for up to 12 months after account closure (to facilitate reactivation and for legal compliance).

Connected tool data — retained for the duration specified by your subscription plan (30 days for Free plans, 12 months for Pro plans, custom for Enterprise/ISO plans). Data older than your plan's retention window is automatically deleted.

Billing records — retained for up to 7 years after the relevant transaction for tax and legal compliance.

Usage logs — retained for up to 24 months for security, debugging, and product improvement.

Communication records — retained for up to 36 months.

You may request early deletion at any time as described in Section 4.3.

8. Cookies and Tracking Technologies

8.1 Cookies We Use

Essential cookies — required for the Website and Service to function. These include session cookies, authentication cookies, and security cookies. You cannot opt out of essential cookies.

Analytics cookies — used to understand how visitors interact with our Website. We use Vercel Analytics and may use additional analytics tools. These cookies collect aggregated, anonymized data about page views, navigation paths, and session duration.

Marketing cookies — used to measure the effectiveness of our advertising and to deliver relevant content. These are only set if you have opted in to marketing cookies.

8.2 Managing Cookies

You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking essential cookies may prevent the Service from functioning properly.

8.3 Do Not Track

We respect Do Not Track (DNT) signals sent by your browser. When we detect a DNT signal, we disable non-essential tracking on our Website.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to know — you may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.

Right to delete — you may request deletion of your personal information, subject to certain exceptions.

Right to opt out of sale or sharing — we do not sell personal information or share it for cross-context behavioral advertising. There is no need to opt out because we do not engage in these practices.

Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.

Right to correct — you may request correction of inaccurate personal information.

Right to limit use of sensitive personal information — if we collect sensitive personal information, you may limit its use to what is necessary to provide the Service.

To exercise these rights, contact us at privacy@payradar.ai or by using the contact information in Section 13.

10. International Data Transfers

Our Service is operated in the United States. If you are accessing the Service from the European Economic Area (EEA), United Kingdom (UK), Switzerland, or other jurisdictions with data transfer restrictions, your data will be transferred to the United States.

For transfers from the EEA, UK, and Switzerland, we rely on:

Standard Contractual Clauses (SCCs) — we use European Commission-approved Standard Contractual Clauses to provide appropriate safeguards for data transferred outside the EEA.

Data Processing Agreements — we maintain Data Processing Agreements with our sub-processors that include appropriate data protection commitments.

If you require a Data Processing Agreement (DPA) for your use of the Service, please contact us at privacy@payradar.ai.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the rights described in Section 4.4.

Legal basis for processing. We process your data on the following legal bases:

Contract performance — processing necessary to provide the Service under our agreement with you (Article 6(1)(b)).

Legitimate interests — processing necessary for our legitimate interests, such as improving the Service and ensuring security, where those interests are not overridden by your rights (Article 6(1)(f)).

Consent — where you have given specific consent, such as for marketing communications (Article 6(1)(a)).

Legal obligation — processing required to comply with applicable laws (Article 6(1)(c)).

Data Protection Officer. For inquiries related to GDPR compliance, contact us at privacy@payradar.ai.

Supervisory authority. You have the right to lodge a complaint with your local data protection supervisory authority.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@payradar.ai.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your information, contact us at:

PayRadar, Inc. Email: privacy@payradar.ai Website: https://payradar.ai

For data protection inquiries, please include "Privacy Request" in the subject line of your email. We will respond within 30 days.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will notify you by email (using the address associated with your account) and by posting a notice on our Website at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this page indicates when the policy was last revised.