Privacy

Privacy Policy

How Cryptrum Pay collects, uses, stores and protects information about merchants, end customers and visitors. Last updated July 2026.

1. Who we are

Cryptrum Pay (“we”, “us”) operates a non-custodial cryptocurrency payment gateway. This policy describes what data we process, why, and the choices you have.

2. Data we collect

From merchants: account identifiers (name, business name, email, phone, country, billing address), KYC documents you upload, authentication data (hashed password, 2FA secret), wallet metadata (encrypted seed, derived addresses, transaction IDs), usage data (API timestamps, IP, device) and CPT billing records.

From customers paying through a merchant's checkout: optional email or order ID (if the merchant collects it), on-chain data (addresses, tx hash, amount, network) and browser data used for fraud signals, deleted after 90 days.

From visitors: standard server logs retained 30 days, plus cookies / local storage.

3. Why we process it

  • Provide the service — create accounts, run scanners, deliver webhooks, send receipts.
  • Verify identity (KYC) and meet regulatory obligations.
  • Detect and prevent fraud — IP allowlists, rate limits, anomaly detection.
  • Bill you — track CPT consumption, send invoices, run autopay.
  • Service communications — verification, password reset, security alerts.

4. How long we keep data

  • KYC documents: 5 years after account closure (regulatory requirement).
  • Transaction history: 7 years for financial-records compliance.
  • API logs: 90 days hot, 1 year archived. Webhook payloads: 30 days.
  • Server access logs: 30 days.

5. Who we share with

We do not sell personal data. We share narrowly with sub-processors that run our infrastructure (cloud hosting, email delivery, SMS OTP), KYC verification partners when required for review, law enforcement when compelled by valid legal process, and auditors under written confidentiality. A current sub-processor list is available from [email protected].

6. Your rights

Request access, correction, export or deletion of your personal data by emailing [email protected] — we respond within 30 days. KYC and financial records under mandatory retention cannot be deleted before the regulatory period expires; we will tell you which records fall under that rule.

7. Security

Secret material — HD wallet seeds, API keys, OAuth tokens — is encrypted at rest with AES-256-GCM. All traffic uses TLS 1.2+. Every privileged action is recorded in an immutable audit log. See our Security page for details.

8. International transfers & children

Our infrastructure is hosted across multiple regions with GDPR safeguards (Standard Contractual Clauses where applicable). The service is not intended for individuals under 18.

9. Updates

We email all active merchants when this policy materially changes. The version date above is the source of truth.

Start accepting crypto today.

Create an account, mint a key, and watch your first payment land in under a minute. 1,000,000 free CPT included — no card needed.

Start your journey Book demo