Legal

Privacy Policy

Effective date: 11 April 2026Questions: privacy@paymonei.com

Important Notice

Paymonei is a software orchestration platform that provides billing and payment workflow tools. We do not hold, transmit, or have custody of financial funds at any time. All financial transaction execution and settlement is performed exclusively by our licensed third-party financial institution partners. This means the data described in this policy relates to software access, analytics, and workflow state — not to the custody of money.

1. Introduction & Scope

This Privacy Policy describes how Omniasky Technology Pte Ltd, a company registered in Singapore that holds the proprietary technology and intellectual property of the Paymonei platform (“Omniasky”, “we”, “our”, or “us”), collects, uses, and protects personal data when you access or use the Paymonei platform and any associated websites, APIs, dashboards, or hosted services (collectively, the “Services”).

Technology development and platform management services are delivered by our affiliated entity, PT Evora Vera Teknologi, a limited liability company incorporated in Indonesia, acting as our authorized technology partner.

Neither Omniasky Technology Pte Ltd nor PT Evora Vera Teknologi is a bank, payment institution, money services business, or virtual asset service provider. We are software companies. Financial execution services are provided by our regulated, licensed partners on a separate contractual basis.

This Policy applies to:

  • Merchants: Businesses and authorised representatives of businesses who create a Paymonei account to access our billing and workflow software. Paymonei is a business-to-business software platform and is not intended for use by private individuals acting in a personal capacity.
  • Transaction Participants: Individuals who complete a payment via a merchant’s hosted checkout link or payment page powered by Paymonei software. Data relating to these individuals is processed on behalf of the merchant.
  • Visitors: Anyone browsing paymonei.com or our subdomains.

By using the Services, you confirm that you have read and understood this Policy. If you are accessing the Services on behalf of an organisation, you represent and warrant that you have authority to accept this Policy on that entity’s behalf.

2. Information We Collect

2.1 From Merchants (Our B2B Subscribers)

When a business registers, configures, or operates a Paymonei account, we collect:

  • Account credentials: Name, business email address, password hash.
  • Business profile data: Legal entity name, business registration number, registration country, registered address, nature of business, and industry type — used to configure your billing software and determine applicable features.
  • Authorized representative details: Full name, role or title, and contact information of the individual registering or administering the account on behalf of the business.
  • Director and beneficial owner information: Names and roles of company directors provided during account onboarding, used for platform access verification purposes as described in Section 2.2 below.
  • API integration data: API keys, webhook URLs, and integration event logs so that your systems can connect to our software engine.
  • Dashboard usage analytics: Feature interactions, session duration, and click paths — used to improve the software product.
  • Support communications: Any information you voluntarily share when contacting our support team.

2.2 Business Verification Data

To protect the integrity of our software platform and prevent misuse, we conduct identity verification on authorized representatives and directors of merchant businesses prior to enabling platform access.

As part of this process, we share the identification information you provide with our third-party verification partners:

  • Identity verification providers — for identity verification of directors and authorized representatives.

These providers perform identity document verification and biometric liveness checks on our behalf under their own data processing terms. Biometric processing (facial comparison, liveness detection) is executed on the verification partner’s infrastructure. We retain the submitted identity information and verification records — including verification reference identifiers and, where required to satisfy regulatory audit trail obligations, copies of submitted identity documents — for the duration of the merchant relationship and for a minimum of five (5) years thereafter, in order to respond to requests from regulatory authorities, banking partners, or licensed financial execution partners.

Paymonei operates technology-layer risk controls — including transaction velocity monitoring, device and IP risk scoring, and suspicious activity pattern detection — to protect the integrity of our software platform. These controls work in concert with the regulated Anti-Money Laundering (AML), Counter-Terrorism Financing (CFT), sanctions screening, and statutory transaction monitoring obligations fulfilled by our licensed financial execution partners under their respective regulatory frameworks.

2.3 From Transaction Participants

When a transaction participant accesses a Paymonei-hosted checkout link or payment page generated by a merchant, we collect the minimum data needed to render and track the software workflow:

  • Contact metadata: Name, email address, and shipping address — used to generate invoice records and confirmation emails on behalf of the merchant.
  • Device and network context: IP address, browser type, operating system, referrer URL — forwarded (encrypted) to our licensed execution partners for fraud-scoring purposes.
  • Session token: An encrypted, temporary identifier used solely to maintain checkout session state. It contains no financial credentials.

All payment instrument data is collected and processed entirely within the secure, regulated environments of our licensed financial execution partners. Paymonei’s software initiates and monitors payment workflow state only. We do not receive, process, or retain any payment instrument credential at any point in the transaction flow. Our partners’ payment collection environments are independently certified, regulated, and audited under their respective financial licences.

2.4 Automatically Collected Technical Data

  • Server logs: Timestamped records of API requests, response codes, and event metadata for system reliability and debugging.
  • Performance metrics: Latency, uptime, and error rates collected by our infrastructure monitoring tools.

3. How We Use Your Information

We process personal data only for the following specific, lawful purposes:

PurposeLawful Basis
Registering and provisioning a merchant business account and enabling access to our softwarePerformance of contract (with merchant)
Verifying the identity of authorized business representatives during merchant onboardingLegitimate interest (platform integrity and fraud prevention)
Generating invoice PDFs and tracking billing workflow status on behalf of merchantsPerformance of contract (with merchant)
Powering the merchant’s analytics dashboard and reporting toolsLegitimate interest (product delivery)
Sending automated dunning, reminder, and receipt notifications on behalf of merchantsPerformance of contract
Operating technology-layer risk controls (velocity monitoring, device scoring, suspicious pattern detection) to protect platform integrityLegitimate interest (fraud prevention and platform security)
Forwarding device context (IP, user agent) to licensed execution partners for transaction fraud scoringLegitimate interest (fraud prevention)
Retaining identity verification records and merchant onboarding data for regulatory audit trail purposesLegal obligation / Legitimate interest (regulatory readiness)
Improving software features and fixing bugs through usage analyticsLegitimate interest (product improvement)
Communicating product updates, security notices, and support responsesPerformance of contract / Legitimate interest
Complying with a court order, regulatory demand, banking partner inquiry, or applicable lawLegal obligation
Establishing, exercising, or defending legal claimsLegitimate interest (legal protection)

We do not use personal data for automated decision-making that produces legal or similarly significant effects without human review.

3a. Public Blockchain Data

Where merchants activate blockchain-based settlement options through our platform, payment transactions are executed by our licensed financial execution partners on public blockchain networks. Paymonei does not initiate, sign, or broadcast blockchain transactions directly.

Transaction data recorded on-chain — including public wallet addresses and transaction amounts — is publicly accessible, immutable, and maintained by the relevant blockchain network. This data is outside our ability to modify, delete, or restrict. The right to erasure (where applicable under privacy law) cannot be applied to data recorded on a public blockchain, as this is an inherent characteristic of public blockchain protocols.

Paymonei does not operate or control any public blockchain network. On-chain data resulting from payment activity is governed by the terms and privacy practices of our licensed execution partners and the relevant blockchain protocol. If you have concerns about on-chain data, please refer to the privacy documentation of the relevant execution partner.

4. How We Share Information

We do not sell, rent, or trade personal data. We share data only with the following categories of recipients, for the purposes stated:

RecipientPurpose
Licensed Financial Execution Partners
Payment institutions, banks, and regulated financial service providers		To route payment workflow instructions and enable transaction execution under their own regulatory licences.
Identity Verification PartnersTo verify the identity of business representatives during merchant onboarding for platform access control purposes.
Fraud Prevention & Risk Signal ProvidersTo share device and network context signals (IP address, user agent, device fingerprint) for fraud scoring, threat intelligence, and platform abuse prevention.
Cloud Infrastructure & Technology ProvidersTo host, operate, and maintain our software infrastructure.
Analytics VendorsTo analyse platform usage, feature adoption, and software performance. We use only privacy-respecting analytics tools. IP addresses used for analytics are anonymised at collection.
Affiliated Group EntitiesTo deliver technology development and platform management services as our authorized technology partner, under an intra-group data sharing agreement.
Legal & Governmental AuthoritiesWhere required by a court order, subpoena, governmental inquiry, regulatory demand, or applicable law. We notify affected merchants where legally permitted.
Prospective Buyers or AcquirersIn the event of a merger, acquisition, or asset sale, data may be disclosed to advisers and transferred to new owners. Merchants will be notified before data becomes subject to a different privacy policy.

All third-party providers we engage are required to apply data protection standards consistent with this Policy and are bound by appropriate data processing agreements.

4.1 Licensed Financial Execution Partners

When a merchant or transaction participant initiates a payment workflow through our software, we transmit the minimum necessary data (session context, device metadata, and invoice reference) to our licensed third-party financial institution partners who are independently regulated to provide payment execution and settlement services. These partners process payment credentials and fund movement under their own regulatory licences and privacy frameworks.

Paymonei operates technology-layer risk monitoring that works in concert with our licensed partners’ regulated AML/CFT obligations, sanctions screening, and statutory transaction monitoring. Both layers collectively maintain platform security and compliance integrity.

We contractually require all such partners to apply data protection standards no less protective than those described in this Policy.

4.2 Identity Verification Partners

We share authorized representative and director identity information with verification providers during merchant onboarding, for platform access control purposes. We share only the required information to complete verification. We retain the verification outcome and reference identifier.

4.3 Cloud Infrastructure & Service Providers

We use the following categories of third-party providers to operate our software infrastructure:

  • Cloud hosting
  • Database: Managed database providers
  • Monitoring & observability: Logging and error tracking tools
  • Email delivery: Transactional email providers (for invoice dispatch)

All providers are bound by data processing agreements and, where applicable, standard contractual clauses.

4.4 Data Residency & Regional Storage

We apply regional data storage to ensure personal data is held in proximity to the users it relates to and in compliance with applicable local data localisation requirements. Cross-region data transfers occur only where technically necessary for system reliability and redundancy. All such transfers are encrypted in transit using TLS 1.2 or higher.

4.5 Intra-Group Processing

Our affiliated entities operate within the same group. Data is shared between them solely to deliver and support the Paymonei software product. Both entities apply the data protection standards described in this Policy and are bound by a formal intra-group data sharing agreement.

4.6 Legal Disclosure

We may disclose personal data to competent authorities, courts, or regulators where we are required to do so by applicable law, a valid legal order, or where we have a good-faith belief that disclosure is necessary to prevent harm. We will notify affected users where legally permitted to do so.

4.7 Business Transfers

In the event of a merger, acquisition, or sale of substantially all assets, personal data may be transferred as part of that transaction. We will inform users via notice on our website or by email before data is transferred and becomes subject to a different privacy policy.

5. Cookies & Tracking

We use the following categories of cookies and tracking technologies:

  • Strictly necessary cookies: Session authentication tokens and CSRF protection. These cannot be disabled without breaking core software functionality.
  • Performance cookies: Anonymous telemetry used to measure page load times and API reliability.
  • Analytics trackers: We may use privacy-respecting analytics tools to understand feature adoption. IP addresses used for analytics are anonymised at collection.

We do not use cross-site advertising trackers or interest-based profiling. You may manage cookie preferences via your browser settings. Disabling non-essential cookies will not affect your ability to use the core software.

6. Data Security & Retention

6.1 Security Measures

We apply industry-standard technical and organisational security controls to protect personal data from unauthorised access, disclosure, alteration, or destruction:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using AES-256.
  • Access to production systems is restricted by role-based access control and multi-factor authentication.
  • We conduct periodic security reviews and code audits.

Important: our security controls protect software data and instructions. The financial funds themselves are secured and insured by our licensed execution partners under their own regulatory requirements.

6.2 Retention Periods

Data CategoryRetention Period
Merchant account dataDuration of account + 5 years after closure
Director and business profile dataDuration of account + 5 years after closure (consistent with merchant account data for regulatory audit readiness)
Identity verification records (including submitted identity documents and verification outcomes)Minimum 5 years after the merchant relationship ends, to support regulatory authority requests, banking partner inquiries, or legal proceedings — as stated in Section 2.2
Invoice and billing records7 years (driven by corporate tax requirements)
Transaction participant session data90 days from checkout event
Server log data30–90 days
Support communications3 years from last contact

When retention periods expire, data is securely deleted or anonymised. We do not retain personal data for longer than necessary solely on the basis of potential future litigation.

7. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding personal data we hold about you:

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to correction: Request that inaccurate or incomplete data be corrected.
  • Right to deletion (“right to be forgotten”): Request deletion of your data, subject to our legal retention obligations. Note that data relating to transaction participants is held on behalf of the merchant — deletion requests for such data may require coordination with the relevant merchant.
  • Right to restrict processing: Request that we limit how we use your data in specific circumstances.
  • Right to data portability: Receive a structured, machine-readable copy of data you have provided to us.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

Singapore residents (PDPA): You may exercise access and correction rights in accordance with the Personal Data Protection Act 2012.

Indonesia residents (UU PDP): You may exercise rights in accordance with Law No. 27 of 2022 on Personal Data Protection.

EEA/UK residents (GDPR/UK GDPR): If you access our services from the EEA or UK, we process your data under GDPR/UK GDPR and you have all rights listed above plus the right to lodge a complaint with your national supervisory authority.

To exercise any of these rights, email privacy@paymonei.com. We will respond within 30 days. We may need to verify your identity before acting on a request.

8. Contact

For any questions, concerns, or requests relating to this Privacy Policy or our data practices, contact our privacy team:

Privacy Team

Paymonei

privacy@paymonei.com

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. Where changes are material, we will provide at least 14 days’ advance notice via email to registered merchants and via a prominent notice on our website prior to the revised Policy taking effect. The “Effective date” at the top of this page reflects the date of the most recent revision.

Your continued access to or use of the Services after the effective date of any revised Policy constitutes your acceptance of the updated terms. If you do not agree with a revised Policy, you must discontinue use of the Services before the effective date and notify us at privacy@paymonei.com.