Privacy Policy

2.1 Account Information

When you create a LuniPay account, we collect information such as:

• Full name and email address
• Business name and business registration details
• Physical business address
• Phone number
• Tax identification number or VAT registration
• Bank account information (for payouts)
• Profile picture or business logo (uploaded through Uploadthing)

2.2 Payment and Financial Information

When you use LuniPay to process payments, we collect financial transaction data. Importantly:

• LuniPay does not store credit card numbers or sensitive payment card data. All payment processing is handled securely by Stripe, our PCI-DSS compliant payment processor.
• We collect payment metadata including transaction amounts, currencies, payment methods used (card brand, funding type, last 4 digits where available), transaction timestamps, authorization status, settlement status, and payment status.
• We maintain records of balances, transfers, reversals, reserves, payouts to your bank account, payout destinations, payout amounts, processing fees, and FX conversions.
• We store invoice, payment link, subscription, installment, and checkout data including line items, amounts, payment history, receipts, customer communications, and hosted payment page activity.
• We collect Stripe Connect account information, including account identifiers, verification requirements, capability status, onboarding status, external account status, fraud signals, refund records, dispute records, and chargeback evidence.

2.3 Transaction and Invoice Data

We collect and store all invoice, payment link, recurring billing template, and installment plan data you create, including:

• Invoice descriptions, quantities, and pricing
• Dates (due dates, payment dates, payout dates)
• Payment statuses (draft, sent, viewed, paid, overdue, partially paid)
• Dispute and chargeback information
• Reminder history and engagement metrics

2.4 Customer Data (Your Customers)

When you add customers to LuniPay or send them invoices, we collect information about your customers, including:

• Customer name and email address
• Customer phone number
• Business/company information (for B2B invoices)
• Shipping/billing addresses (if provided)
• Information they enter when paying an invoice or accessing the customer portal

Important: For customer information that you enter to manage your own customer relationship, you are generally the data controller and LuniPay acts as a processor. LuniPay may also act as an independent controller where we use customer or payment information for payment operations, fraud prevention, security, disputes, compliance, support, reporting, or legal protection. You are responsible for obtaining necessary consents from your customers and complying with applicable data protection laws.

2.5 Usage and Analytics Data

We automatically collect information about how you use our Service:

• Device information (device type, operating system, browser type, browser version)
• IP address and geolocation data
• Pages visited, features used, and time spent on each page
• Clickstream data and navigation patterns
• Performance metrics (page load times, errors encountered)
• Search queries and filters you apply

This data is collected through analytics and monitoring tools including Vercel Analytics, PostHog, and error monitoring via Sentry.

2.6 Authentication Data

We collect authentication information to verify your identity:

• For Google OAuth: we receive your Google account profile information including name and email from Google
• For email/password authentication: we store a cryptographically hashed version of your password (we do not store your password in plain text)
• Session tokens and authentication cookies to maintain your login state
• For customer portal access: magic link tokens and session data

2.7 Mobile, Wallet, Notification, and Developer Data

When you use LuniPay mobile, wallet, notification, or developer features, we may collect additional operational data, including:

• Device platform, app version, notification permission status, Expo push tokens, browser push subscriptions, and related delivery records
• Apple Wallet pass identifiers, Apple device library identifiers, Apple push tokens, pass update status, and pass download or registration activity
• Tap to Pay readiness status, supported-device checks, setup state, terms acceptance status, acceptance timestamps, and information needed to diagnose reader or checkout failures
• Developer API keys metadata, API request logs, webhook endpoint settings, webhook delivery attempts, response codes, retry history, and event payload metadata

2.8 Communications

We collect information when you communicate with us:

• Contact form submissions (name, email, subject, message)
• Customer support inquiries and replies
• Email addresses you provide for notifications and invoices
• Feedback and bug reports you submit

4.1 Service Providers and Processors

We share information with third-party service providers who help us operate our Service:

• Stripe: For payment processing, invoicing, Connect account management, financial data, payouts, refunds, disputes, verification, and compliance
• Neon: For secure cloud database hosting of operational account, payment, invoice, customer, ledger, and reporting data
• SendGrid: For sending transactional and marketing emails
• Vercel: For hosting, server infrastructure, analytics, and performance monitoring
• Sentry: For error tracking and application monitoring
• PostHog: For product analytics, feature usage, session diagnostics, and account-level product insights
• Uploadthing: For secure file storage (logos, invoice PDFs, documents)
• Upstash: For Redis caching, rate limiting, and session management
• Trigger.dev: For scheduled jobs, background processing, notification delivery, webhook retries, and other operational workflows
• Expo, Apple, Google, and browser push providers: For mobile push notifications, web push notifications, wallet passes, and device-level platform services
• NextAuth.js: For authentication infrastructure and session management

All service providers are contractually obligated to use your information only as necessary to provide their services and to maintain the confidentiality and security of your data.

4.2 Your Customers

When you send an invoice or payment link to a customer, they will receive your business name, contact information, invoice or payment details, and any other information you choose to include. They may access the customer portal using a magic link, where they can view their payment history and manage their payment methods.

4.3 Team Members

If you invite team members to manage your LuniPay account, they may have access to your customer data, invoices, and financial information based on their assigned role and permissions.

4.4 Legal Requirements and Enforcement

We may disclose your information when required by law or when we believe in good faith that such disclosure is necessary to:

• Comply with legal process (subpoena, warrant, court order)
• Enforce our Terms of Service and other agreements
• Respond to government or law enforcement requests
• Protect the safety, rights, and property of LuniPay, our users, or the public
• Prevent fraud, security incidents, or other illegal activities
• Investigate customer complaints, suspected scams, refund requests, chargebacks, payout reviews, or merchant compliance concerns with Stripe, card networks, banks, affected customers, or other parties involved in the transaction

7.1 General Rights

Subject to applicable law, you have the following rights:

• Access: You have the right to access your personal information by logging into your LuniPay account or contacting us.
• Correction: You can update, correct, or modify your account information through your account settings.
• Deletion: You have the right to request deletion of your account and associated personal data, subject to applicable legal requirements.
• Data Portability: You can request a copy of your data in a structured, machine-readable format.
• Marketing Opt-Out: You can opt out of receiving marketing emails by clicking the unsubscribe link in any email or by contacting us.

7.2 Jamaica Data Protection Rights

If Jamaica's Data Protection Act applies to your information, you may have rights to be informed about how your personal data is processed, access personal data held about you, request correction of inaccurate data, object to certain processing, prevent processing likely to cause damage or distress, and complain to Jamaica's Office of the Information Commissioner.

We will handle Jamaican data protection requests in line with applicable law and may need to verify your identity before responding.

7.3 EU and UK Data Protection Rights (GDPR)

If you are located in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Restrict Processing: You can request that we limit how we use your data.
• Right to Object: You can object to our processing of your personal data for legitimate interests.
• Right to Withdraw Consent: You can withdraw consent you've provided at any time.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority.

Our legal basis for processing your data includes performance of a contract with you, compliance with legal obligations, and our legitimate interests (fraud prevention, security, service improvement).

7.4 California Privacy Rights (CPRA/CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to Know: You can request to know what personal information we collect and how we use it.
• Right to Delete: You can request deletion of personal information we hold about you (with certain exceptions).
• Right to Opt-Out: You can opt out of the "sale" or "sharing" of your personal information (as defined by CCPA).
• Right to Correct: You can request correction of inaccurate personal information.
• Right to Limit Use: You can limit our use of your sensitive personal information where applicable.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

LuniPay does not sell personal information for money and does not knowingly sell or share personal information of children under 16. We also do not use sensitive personal information for purposes that require a right to limit under California law unless we provide the required notice and choice.

To exercise these rights, contact us at support@lunipay.io.

8.1 Types of Cookies We Use

• Essential Cookies: Required for authentication, session management, and basic functionality. These cannot be disabled.
• Analytics Cookies: Used to understand how users interact with our Service. These are used by Vercel Analytics and PostHog to track page views, product usage, user flows, and performance metrics.
• Performance Cookies: Used to monitor application performance and errors (Sentry).

8.2 Third-Party Tracking

LuniPay does not use third-party advertising networks or tracking pixels for retargeting or behavioral advertising. We do not allow advertisers to track you across websites. We do use product analytics tools, including PostHog, to understand and improve how the Service is used.