Privacy Policy
Plain-English summary
PayMullet processes two kinds of data: cardholder data (the card numbers your customers present) and merchant data (information about your business). Cardholder data never lingers on your systems or ours in readable form — it's tokenized the moment it enters our environment and stored in a PCI-audited vault separated by hardware key boundaries. Merchant data (your contact info, bank account for settlement, transaction records) is retained to meet the card brand, IRS, and FinCEN record-keeping rules that apply to acquirers. This policy explains exactly who we share that data with, how long we keep it, and what rights you have.
Scope and parties
This Privacy Policy applies to PayMullet ("PayMullet," "we," "us") and the services made available at paymullet.com, the Merchant Dashboard, the PayMullet API, hosted payment pages, mobile SDKs, and certified terminals. Our role under data-protection law depends on the data type:
- Cardholder Data (CHD) and Sensitive Authentication Data (SAD): We act as a payments processor and, as permitted by the card brand rules, as an independent or joint controller together with the acquiring Sponsor Bank.
- Merchant information: We act as controller for the business-relationship data you provide in the Merchant Application, Dashboard, and support channels.
- End-customer personal data provided to you by your cardholders: You (the Merchant) are controller; PayMullet is processor only to the extent strictly necessary to execute the transaction, detect fraud, and meet retention obligations.
A signed Data Processing Addendum (available in the Dashboard under Legal → Agreements) governs processor-role activity for merchants with EEA, UK, or Swiss customers.
What we collect
Cardholder data (from transactions)
When a cardholder presents a card to you, PayMullet or our P2PE terminal vendor receives:
- Primary Account Number (PAN), encrypted at the read head or entered into a PCI-hosted field
- Expiration date and, for card-not-present, CVV2/CVC2 (used once, never stored)
- Track data or EMV cryptograms (destroyed immediately post-authorization)
- Transaction amount, currency, and merchant descriptor
- Device fingerprint, IP address, AVS/ZIP for CNP fraud scoring
We replace the PAN with a network token or PayMullet token before anything is written to durable storage. The original PAN lives only inside a PCI DSS Level 1 vault keyed with hardware security modules; it is never returned to your systems.
Merchant data (from you)
- Underwriting: Legal name, EIN, beneficial owners (per FinCEN CDD), SSNs for sole proprietors, business address, government-issued ID for principals, website URL, processing history statements
- Settlement: Depository account and routing number (funded via secure Plaid verification or micro-deposit)
- Account: Email, phone, dashboard login credentials, API keys, webhook endpoints
- Operational: Support tickets, chat transcripts, call recordings, audit logs of dashboard actions
Website visitor data
On paymullet.com we collect standard log data (IP, user-agent, referrer) and, with consent where required, analytics cookies. Details are in Cookies and tracking.
How we use data
We use the data above to:
- Authorize, clear, and settle card transactions, and route ACH and push-to-card disbursements
- Run underwriting, re-underwriting, and ongoing transaction monitoring required by the Sponsor Bank and card brands
- Detect and prevent fraud, account takeover, and card-testing attacks (includes ML-based velocity, device, and geo models)
- Investigate and respond to chargebacks, retrieval requests, and pre-arbitration cases
- Meet Bank Secrecy Act, OFAC screening, IRS 1099-K, and state reporting obligations
- Provide customer support and improve the Services
- Send operational notices (required), and marketing messages (where you have not opted out)
Legal bases (GDPR/UK GDPR)
Where EU/UK data protection law applies, we rely on the following bases: performance of a contract (to process your transactions), legal obligation (AML, tax, card brand mandates), legitimate interests (fraud prevention, system security, product development), and consent (for non-essential cookies and marketing to prospects). We conduct documented legitimate-interest balancing tests before relying on that basis.
Who we share data with
- Sponsor Bank / Acquirer: PayMullet is sponsored into the card networks by an FDIC-insured member bank. The Sponsor Bank receives merchant underwriting data, transaction summaries, reserve positions, and any MATCH-list triggering events, as required by card brand rules.
- Card networks (Visa, Mastercard, Discover, American Express): Each transaction is transmitted to the relevant network for authorization and settlement. Networks run their own fraud services (Visa Advanced Authorization, Mastercard Decision Intelligence) on transaction metadata.
- Issuing banks: The cardholder's bank receives the authorization request and, during a dispute, receives the compelling evidence package you upload in the Dashboard.
- Processor and P2PE vendors: Certified PCI-P2PE terminal vendors (TR-31 key-injected) and backend processor partners execute portions of the transaction path under written contracts requiring PCI DSS Level 1 compliance and SOC 2 Type II attestation.
- Fraud and identity providers: Sift, Socure, Plaid, and Persona receive scoped subsets of merchant and transaction data for KYC/KYB, bank account verification, and fraud scoring.
- Regulators and law enforcement: We respond to valid subpoenas, court orders, IRS information requests, SAR-adjacent FinCEN filings, and OFAC matches. We narrow production to what is legally required and, where allowed, notify you.
- Professional advisors: Auditors, external counsel, and tax preparers under duty of confidentiality.
- Corporate transactions: In a merger, acquisition, financing, or bankruptcy, data may transfer to the acquirer subject to this Policy.
We do not sell cardholder data or merchant data, and we do not share it for cross-context behavioral advertising.
Retention
We retain data only as long as we need it, with card brand and tax record-keeping as a floor.
- Authorization data (SAD): Destroyed post-authorization, never stored. Full track data, CVV, and PIN blocks must not be retained after authorization under PCI DSS 3.2.
- Transaction records: 7 years after the transaction date (IRS §6001; card brand dispute windows).
- Chargeback case files: 7 years after case close.
- Underwriting records: 5 years after the account closes (BSA).
- Beneficial ownership records: 5 years after account closure (FinCEN CDD rule).
- OFAC and SAR supporting records: 5 years after filing.
- 1099-K: 4 years (IRS §6721).
- Support tickets and call recordings: 24 months.
- Marketing email logs: Until opt-out plus 90 days for unsubscribe suppression.
- Web analytics: Raw logs 90 days; aggregated statistics retained indefinitely.
Cardholder data and PCI scope
If you use only our hosted fields, iframes, P2PE terminals, or Terminal SDK, your systems are descoped from PCI DSS to SAQ A or SAQ P2PE-HW — you never touch CHD in cleartext. If you relay cleartext PAN through your own servers (custom API integration using /charges with a raw card), you are in full PCI DSS scope (typically SAQ D-Merchant), and you agree to maintain an Attestation of Compliance.
We will not accept integrations that store track data, CVV, or PIN blocks under any circumstance. Attempting to do so is a material breach of the Merchant Agreement.
International transfers
PayMullet processes in the United States. For data originating in the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses (Module 1 or Module 4 as applicable), the UK International Data Transfer Addendum, and the Swiss FADP addendum, supplemented by encryption-in-transit (TLS 1.3) and at-rest (AES-256) controls. A transfer-impact assessment is available on request for enterprise accounts.
Your rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to processing based on legitimate interests. Where PayMullet is processor (for your customers' data), direct those requests to the merchant first; we will support the merchant's response.
- California (CCPA/CPRA): We do not sell or share personal information for cross-context behavioral advertising. You may request access, deletion, correction, and portability.
- EU/UK (GDPR): Access, rectification, erasure, restriction, portability, objection; lodge complaints with your supervisory authority.
- Other US states (VA, CO, CT, UT, TX, OR, DE, MT, IA, TN, etc.): We honor state-specific rights as required by each statute.
To exercise rights, email privacy@paymullet.com. We respond within the statutory window (typically 45 days CPRA, 30 days GDPR). We authenticate requesters using information already on file — we will not create new data to verify you.
GLBA and commercial data
PayMullet is a non-bank financial institution that provides financial services to businesses. Because our customers are businesses — not consumers — the Gramm-Leach-Bliley Act consumer notice and opt-out provisions generally do not apply to the merchant relationship. We nonetheless apply the GLBA Safeguards Rule's administrative, technical, and physical controls to any nonpublic personal information we encounter (e.g., sole-proprietor SSN).
Cookies and tracking
On paymullet.com and the Dashboard, we use:
- Strictly necessary cookies for session, CSRF, and theme preference (no consent required)
- Analytics via first-party proxy (PostHog, self-hosted) — active only after consent in regions that require it
- Fraud signals — device fingerprinting on the Dashboard login page (legitimate interest: security)
We honor the Global Privacy Control (GPC) signal for California residents. We do not use third-party advertising cookies.
Security
See the full Security page. Highlights: PCI DSS Level 1 (Service Provider), SOC 2 Type II, TLS 1.3, AES-256-GCM at rest, HSM-backed key hierarchy, MFA-required dashboard access, role-based access control with least privilege, continuous logging to an append-only SIEM.
Children
PayMullet's services are offered to businesses. We do not knowingly collect personal information from children under 13 (or 16 in applicable jurisdictions). If you believe a child's data has entered our systems through a merchant, contact us and we will investigate.
Changes to this policy
Material changes will be posted in the Dashboard and emailed at least 30 days before they take effect. The "Version" and "Effective" date above will update. Prior versions are archived and linked from the change log.
Contact the Privacy team
Email privacy@paymullet.com. For postal mail: PayMullet, Attn: Data Protection Officer, 568 Broadway, Suite 702, New York, NY 10012. EU representative under Article 27 GDPR available in the Dashboard under Legal → Representatives.