1. Introduction & Scope
Lumiria LLC, doing business as securepayAPI (“securepayAPI”, “we”, “us”, or “our”) cares about your privacy. This Privacy Policy explains what Personal Data we collect, how we use it, who we share it with, and the choices and rights available to you.
This Policy applies to our website at securepayapi.com, the securepayAPI dashboard, our APIs, and any related services we make available (collectively, the “Services”). When you use the Services, we process Personal Data in two distinct capacities:
- As a controller, when you sign up as a merchant (“Merchant”), interact with our Site, or represent a Merchant. We decide why and how your Personal Data is processed.
- As a processor, when we process payment and identity data of your end customers (“Customers”) on your behalf to provide the Services. In that case, the Merchant is the controller and Customers should consult the Merchant's privacy notice and contact the Merchant to exercise their rights. Where required, we will assist the Merchant in responding.
2. Personal Data We Collect
The categories below summarise the Personal Data we typically collect. The exact data depends on which Services you use and how you interact with us.
2.1 Merchants and Representatives
When you create an account, complete onboarding, or administer a Merchant account, we may collect:
- Identity — full name, date of birth, country of residence, government-issued identification (passport, driver's license, national ID), photographs and selfies submitted for verification, and biometric verification results;
- Contact — email address, phone number, residential or business address;
- Authentication — passwords (stored as salted hashes), session tokens, two-factor authentication tokens, and audit logs of sign-ins;
- Business — registered business name, EIN or other tax identifier, registration documents, beneficial-ownership and control-person information, principal place of business, website, and product description;
- Financial — settlement bank account details (verified through Plaid or by submitting account information directly), tax forms, and processing-volume estimates;
- Communications — messages you send to support, survey responses, and event-attendance data;
- Device & usage — IP address, device identifiers, browser and operating-system data, and dashboard activity logs.
2.2 Customers (your end users)
When you process a Transaction through us, we may receive about your Customer:
- Payment instrument — card brand, last four digits, expiration date, billing ZIP/postal code, network token, and (in transit) primary account number and card-verification value, which we do not store on our systems beyond what is permitted by PCI DSS;
- Transaction details — amount, currency, time, merchant of record, and a description you provide;
- Identity verification artefacts — only if you have enabled identity-verification flows for your Customers (handled via Sumsub as described in Section 5);
- Risk signals — IP address, device fingerprint, browser data, and behavioural signals used for fraud detection.
For data covered by this Section 2.2, we typically act as a processor on the Merchant's behalf.
2.3 Visitors
When you browse our website or fill out a form, we may collect device and usage data (IP, browser, pages viewed, referring URL, marketing campaign identifiers) and the contents of any form you submit (such as a contact request).
3. Sources of Personal Data
We collect Personal Data from the following sources:
- Directly from you — through the dashboard, API, support channels, sales conversations, and contact forms;
- From your devices — through cookies, server logs, and similar technologies;
- From the Merchant — if you are a Customer, we receive Personal Data about you from the Merchant when you transact with them;
- From identity- and business-verification vendors — including Sumsub, which performs KYC and KYB checks (document authenticity, face-match, business-registry lookups, sanctions and PEP screening) and returns verification results (see Section 5);
- From bank-data providers — including Plaid, which verifies bank-account ownership and returns limited account metadata (see Section 5);
- From card networks, acquirers, and sponsor banks — including Visa, Mastercard, American Express, Discover, JCB, and UnionPay, who return authorization, settlement, and dispute data;
- From public registries and screening providers — including business registries, sanctions and politically-exposed-person (PEP) lists, adverse-media databases, and credit reference agencies, in each case for risk and compliance purposes.
4. How We Use Personal Data
We process Personal Data for the following purposes:
- Provide the Services — create and operate your account, authenticate you, process payments and payouts, generate reports, and respond to your support requests;
- Onboarding and verification — perform KYC, KYB, and underwriting checks required by law, the Network Rules, and our banking partners;
- Fraud prevention and security — detect, investigate, and prevent fraudulent or unauthorized Transactions, account takeovers, abusive use, and security incidents;
- Compliance — comply with anti-money-laundering, counter-terrorist-financing, sanctions, tax, and other legal obligations, and respond to lawful requests from regulators and courts;
- Communications — send you transactional notices, security alerts, service announcements, and (with your consent or as otherwise permitted by law) marketing messages;
- Improve the Services — analyse aggregate usage, debug issues, and develop new features;
- Protect rights and safety — enforce our Terms, protect our users, partners, and the public, and assert or defend legal claims.
5. Identity, Business & Bank Verification (Sumsub & Plaid)
5.1 Sumsub (Identity & Business Verification)
We use Sum and Substance Ltd. (Sumsub), a third-party verification provider, to perform both individual identity checks (KYC) and business checks (KYB) during onboarding and on a periodic basis thereafter. When you submit identification documents, selfies, or business records, your data is uploaded directly to Sumsub through embedded flows or API calls and processed on Sumsub's infrastructure.
For individual (KYC) verification, Sumsub performs document authenticity checks, face-match comparisons, liveness checks, and screening against sanctions, politically-exposed-person (PEP), and adverse-media lists. We receive a verification outcome (approved, declined, or further review needed), a reference identifier, and summary attributes (such as document type, document country, and extracted name and date of birth) that we use to satisfy our KYC obligations.
For business (KYB) verification, Sumsub validates business registration documents, looks up entity records in public business and corporate registries, identifies and verifies beneficial owners and control persons, and screens the business and its principals against sanctions, PEP, and adverse-media lists. We receive a verification outcome, an entity-reference identifier, and structured attributes (such as legal name, registration number, jurisdiction of formation, registered address, and beneficial-owner identities) that we use to satisfy our KYB obligations.
We retrieve the underlying documents, images, videos, biometric templates, and registry artefacts from Sumsub on demand only when we have a legitimate need to do so (for example, a compliance review, investigation, or response to a regulatory request).
Sumsub processes your Personal Data as a controller for fraud-prevention purposes and as our processor for the KYC and KYB verification it performs on our behalf. Sumsub's privacy practices are described at sumsub.com/privacy-notice.
5.2 Plaid (Bank Account Verification)
We use Plaid Inc. (Plaid) to verify ownership of the bank account you nominate for settlement and, where you choose, to confirm balances or recent activity. When you connect a bank account, you are taken to a Plaid-hosted flow where you authenticate with your financial institution. Your banking credentials are submitted directly to Plaid; securepayAPI does not see, transmit, or store your bank-login credentials.
From Plaid we receive a connection token and the limited account metadata necessary for the Services (for example: institution name, account type, account holder name, masked account and routing numbers, and verification status). When we need additional account data — such as balance or recent transactions for risk review — we retrieve it via the Plaid API on demand and only when permitted by your authorization. We do not maintain an independent store of full bank-transaction history.
Plaid's use of your data is described in its end-user privacy policy at plaid.com/legal.
5.3 Other Verification Sources
For business and ownership verification we may also query public business registries, secretary-of-state databases, sanctions lists (OFAC, UN, EU, UK), and adverse-media providers. These checks are performed at onboarding and may be repeated periodically for ongoing compliance.
6. How We Share Personal Data
We share Personal Data only with the following categories of recipients and only for the purposes described in this Policy:
- Service providers and sub-processors — cloud-infrastructure and database providers, transactional-email providers, customer-support tooling, and analytics providers, in each case bound by written agreements requiring confidentiality and adequate security;
- Identity- and bank-verification vendors — Sumsub and Plaid, as described in Section 5;
- Acquirers, sponsor banks, and Card Networks — to authorise, clear, and settle Transactions, and to handle disputes;
- Affiliates — entities under common ownership with Lumiria LLC, for the purposes described in this Policy;
- Merchants — when you are a Customer, we share necessary Transaction data with the Merchant whose goods or services you purchased;
- Government and regulatory authorities — courts, law-enforcement agencies, financial regulators, and tax authorities when required by law, court order, or to protect against fraud and abuse;
- Professional advisers — auditors, lawyers, accountants, and consultants under duties of confidentiality;
- Acquirers of our business — in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our assets, with notice to you where required by law.
We do not sell Personal Data, and we do not share Personal Data for cross-context behavioral advertising, including for purposes of the California Consumer Privacy Act, the Colorado Privacy Act, or comparable laws.
7. Where We Process Personal Data
securepayAPI is a North Carolina limited liability company, and the Services are operated from and primarily directed to merchants and customers in the United States. Our primary processing infrastructure is located in the United States.
Some of our Sub-processors operate or store data in other countries (for example, Sumsub and Plaid). Where we transfer Personal Data outside your country of residence, we rely on appropriate safeguards required under applicable law. A current list of Sub-processors and the safeguards in place is available on request to privacy@securepayapi.com.
8. Data Retention
We retain Personal Data for as long as we need it to provide the Services and to comply with our legal and contractual obligations.
- Account and Merchant records — for the life of your account and, after closure, for the period required by financial-services and AML record-keeping laws (typically five to seven years in the United States);
- Transaction records — for the period required by the Network Rules, banking-partner agreements, and applicable law (typically five to seven years);
- KYC and identity-verification artefacts — held by Sumsub or other vendors as described in Section 5; we retrieve them on demand, and retention there is governed by our and the vendor's policies and applicable law;
- Communications and support tickets — typically up to three years after the last interaction;
- Marketing data and consent records — until you withdraw consent or object, plus a reasonable period to maintain evidence of opt-out;
- Server logs and security telemetry — typically up to thirteen months;
- De-identified or aggregated data — indefinitely, for analytics and product improvement.
Where these periods conflict, the longest period required by law applies.
9. Your Rights & Choices
Depending on the U.S. state in which you live, you may have some or all of the following rights regarding the Personal Data we hold about you. These rights derive from laws including the California Consumer Privacy Act (CCPA, as amended by the CPRA) and similar state laws in Colorado, Connecticut, Utah, and Virginia, and other state privacy laws as they come into force.
- Right to know — to confirm whether we Process your Personal Data and obtain a description of the categories collected, sources, purposes, and recipients;
- Right to access — to obtain a copy of the specific pieces of Personal Data we hold about you;
- Right to correct — to have inaccurate Personal Data corrected;
- Right to delete — to request deletion, subject to exceptions for legal, fraud-prevention, security, and other retention obligations;
- Right to portability — to receive certain Personal Data in a portable, machine-readable format;
- Right to opt out of sale or sharing — we do not sell Personal Data and we do not share Personal Data for cross-context behavioral advertising, but you may submit a request to confirm or change this status;
- Right to limit use of sensitive personal information — to limit our use of sensitive personal information to specified business purposes;
- Right to non-discrimination — we will not deny you Services, charge you a different price, or provide a different level of service for exercising your privacy rights;
- Right to appeal — where a state law provides for an appeal of our response, you may submit an appeal by replying to our response; if you are not satisfied with the result of the appeal, you may contact your state attorney general.
To exercise any of these rights, contact us at privacy@securepayapi.com. We may need to verify your identity before responding. An authorised agent may submit a request on your behalf with proof of authorisation as required by law. If you are a Customer of one of our Merchants, please direct your request to that Merchant first; we will support the Merchant in responding.
10. Security
We maintain administrative, technical, and physical safeguards designed to protect Personal Data against unauthorised access, disclosure, alteration, and destruction. These include encryption of data in transit (TLS) and at rest, access controls, network-level protections, regular reviews of our security practices, and contractual security commitments from our sub-processors.
securepayAPI maintains a PCI DSS programme appropriate to the scope of card-data processing we perform. We minimise our handling of full card numbers by relying on network tokenization and tokenized references provided by Card Networks and our acquiring partners.
You also play a critical role in security: keep your password and API keys confidential, use strong unique credentials, enable two-factor authentication, and, if you suspect any unauthorised use of your account, notify us immediately by emailing legal@securepayapi.com.
No system is perfectly secure. We cannot guarantee that Personal Data will never be subject to unauthorised access or use.
11. Cookies & Similar Technologies
We use cookies and similar technologies (such as local storage and pixel tags) to operate our Site and dashboard, remember your preferences, authenticate you, measure how the Services are used, and detect fraud.
Strictly-necessary cookies are required for the Services to function and cannot be turned off through our cookie controls. Analytics and functionality cookies are used only with your consent where required by applicable law. You can manage cookie preferences through your browser or, where presented, through the cookie banner on our Site.
We do not use cookies to deliver third-party cross-context behavioral advertising.
12. Children
The Services are intended for businesses and adults. We do not knowingly collect Personal Data from children under thirteen (13) years of age, and where applicable law sets a higher minimum age, we do not knowingly collect Personal Data below that age either. If you believe a child has provided us with Personal Data, please contact privacy@securepayapi.com and we will take appropriate steps to delete it.
13. Automated Decision-Making
We use automated systems to support certain decisions, including:
- KYC and identity outcomes — relying on Sumsub's automated checks (document authenticity, face-match, liveness) when deciding whether to onboard, request additional information, or decline an application;
- Fraud and risk scoring — applying rules and machine-learning models to score Transactions and accounts in real time, and to delay, decline, or hold suspicious activity.
A decision to decline onboarding or to suspend Services is reviewable by a human upon your request. To request human review, or to contest a decision that has a legal or similarly significant effect on you, contact us at privacy@securepayapi.com.
14. Changes to this Policy
We may update this Policy from time to time. When we make a material change, we will notify you by email, through the dashboard, or by posting an updated version on our Site at least thirty (30) days before the change takes effect, except where a shorter period is required by law or to address a security or legal risk. The “Last updated” date at the top of this Policy reflects the most recent version.
15. Contact
For privacy questions, requests, or complaints, please contact:
Lumiria LLC d/b/a securepayAPI
1451 Richardson Rd. Ste. 109 #127, Apex, NC 27523, USA
Privacy: privacy@securepayapi.com
Legal: legal@securepayapi.com
Phone: +1 844 680 0679
You may also contact your state attorney general's office if you have an unresolved concern about our privacy practices.