Privacy Policy
Payorth, Inc.
We take your privacy seriously. This policy explains what information we collect, why we collect it, and how you can control it. It covers all jurisdictions where Payorth operates.
The data controller responsible for your personal information is:
Payorth, Inc.
Registered in the State of Delaware, United States
Contact: privacy@payorth.com
For users in Nigeria, Payorth operates as a Data Controller under the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act 2023 (NDPA). For users in South Africa, Payorth is the Responsible Party under POPIA. For users in Kenya, Payorth is a registered Data Controller under the Kenya Data Protection Act 2019.
Information you provide directly:
- Phone number (used for account authentication via OTP)
- Business name, owner name, and country of operation
- Business address, logo, and registration details
- Bank account details (stored encrypted; never displayed in full)
- BVN or CAC registration number (Nigeria), or equivalent identity verification data
- Invoice data: customer names, phone numbers, amounts, and line items
- Contact details of your customers that you input into the platform
Information generated through your use of the Service:
- Invoice history, payment records, credit notes, and receipts
- WhatsApp message logs (content, delivery status, timestamps)
- Media files uploaded or received via WhatsApp (e.g., proof of payment)
- Audit logs of actions taken within your account
- Subscription and billing records
We process your information for the following purposes:
- Providing, maintaining, and improving the Service
- Processing and tracking invoices and payments
- Sending automated WhatsApp reminders and receipts to your customers on your behalf
- Verifying your identity and business registration (BVN, CAC, or equivalent)
- Fraud detection, risk management, and security monitoring
- Billing and subscription management
- Customer support and account communications
- Analytics to understand how the Service is used (aggregated, not sold)
- Compliance with applicable laws, regulations, and lawful government requests
We process your data only where we have a lawful basis to do so: performance of a contract with you, compliance with a legal obligation, your consent, or our legitimate interests (where not overridden by your rights).
We implement technical and organizational measures to protect your personal data against unauthorized access, loss, disclosure, or destruction:
- All data in transit is encrypted via TLS 1.2+ with HSTS preload
- Sensitive fields (bank details, BVN) are encrypted at rest using AES-256
- JWT-based authentication with 24-hour session expiry and 30-minute idle timeout
- All financial actions are audit-logged with actor, timestamp, and context
- Role-based access controls within organization accounts
No method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach that is likely to affect your rights, we will notify you and the relevant supervisory authority within the timeframes required by applicable law. See our Security page for full technical details.
We retain personal data for as long as your account is active or as necessary to provide the Service. Specific retention periods:
- Account data — retained while your account is active; deleted 30 days after a deletion request is confirmed
- Financial records (invoices, payments, receipts) — retained for a minimum of 7 years to comply with accounting and tax laws in Nigeria, South Africa, Kenya, and other operating jurisdictions
- WhatsApp message logs — retained for the duration of the associated invoice lifecycle, plus 90 days
- Audit logs — retained for 2 years from the date of the logged action
- Compliance records — a minimal compliance record is retained after account deletion to satisfy regulatory obligations (NDPA s.36, POPIA s.24, GDPR Art.17, Kenya DPA s.40, Ghana DPA Act 843)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your personal data (subject to legal retention obligations)
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — request that we restrict processing in certain circumstances
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing
You can exercise many of these rights directly through your account dashboard. For all other requests, contact us at privacy@payorth.com. We will respond within the timeframe required by applicable law (30 days under NDPR and GDPR; 21 days under POPIA; 21 days under Kenya DPA).
You also have the right to lodge a complaint with your local data protection authority (e.g., NITDA in Nigeria; Information Regulator in South Africa; Office of the Data Protection Commissioner in Kenya).
We may send you service-related communications (account alerts, billing notices, security notifications) which are necessary to provide the Service and cannot be opted out of while your account is active.
We may also send you product updates, tips, and promotional communications. You may unsubscribe from marketing emails at any time by clicking "Unsubscribe" in any marketing email or by contacting us at privacy@payorth.com. Opting out of marketing does not affect service communications.
Payorth uses the Meta WhatsApp Business Platform API to send and receive messages on your behalf. By using WhatsApp features in the Service, you acknowledge:
Data processed via WhatsApp:
- Phone numbers of your customers (provided by you)
- Message content: invoice text, reminders, receipts, and customer replies
- Media files: proof-of-payment images received from customers
- Delivery metadata: sent, delivered, read, and failure timestamps
Consent & Opt-In:
By creating an invoice or adding a customer contact, you confirm that you have obtained that customer's consent to receive WhatsApp messages for invoicing and payment purposes, as required by applicable law and Meta's policies. Customers may opt out by replying "STOP" or by contacting you directly.
Third-Party Sharing:
Message content is transmitted through Meta's infrastructure as required for delivery. Message content may be processed by our AI providers solely for intent classification, with personal identifiers minimized. We do not share WhatsApp message data with advertisers or any other third parties.
The Service is intended for use by businesses, not by individuals under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@payorth.com and we will take prompt steps to delete it.
Payorth uses large language model AI to process your natural-language instructions and generate invoices, reminders, and classifications. This constitutes automated processing of your data, but does not constitute automated decision-making that produces legal or similarly significant effects on you as defined under GDPR Art. 22 or equivalent provisions.
All AI-generated financial actions are subject to a deterministic validation layer and require your confirmation before execution. You retain full human oversight of all financial outputs.
When you use the Service, our servers automatically collect certain technical information, including:
- IP address and approximate location (country/region)
- Browser type and version, operating system
- Pages visited, features used, and time spent in the Service
- Error logs and performance data
- API request metadata (endpoint, response time, status code)
This data is used for security monitoring, debugging, and service improvement. It is retained for a maximum of 90 days in operational logs and is not sold.
Payorth operates across Nigeria, South Africa, Kenya, Ghana, Cameroon, India, and the United States. Your data may be processed in any country where we or our service providers operate infrastructure, including the United States and within the European Economic Area.
Where we transfer personal data from a jurisdiction with data protection laws to a country with a different level of protection, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs), adequacy decisions, or the specific derogations permitted under applicable law (e.g., NDPR Article 2.11, POPIA Chapter 9, GDPR Chapter V).
Nigeria (NDPA 2023 / NDPR):
Nigerian data subjects have rights of access, correction, deletion, and objection. Complaints may be directed to the Nigeria Data Protection Commission (NDPC).
South Africa (POPIA):
South African data subjects have rights of access, correction, deletion, and objection. Complaints may be directed to the Information Regulator of South Africa.
Kenya (Data Protection Act 2019):
Kenyan data subjects have rights of access, rectification, erasure, and objection. Complaints may be directed to the Office of the Data Protection Commissioner (ODPC).
European Union / EEA (GDPR):
EU/EEA data subjects have the full suite of rights under GDPR Articles 15–22, including the right to erasure ("right to be forgotten") and the right to data portability. Complaints may be directed to your local Supervisory Authority.
The Service may contain links to third-party websites or integrations (e.g., Xero, QuickBooks, Stripe). This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of any third party and encourage you to review their privacy policies before sharing your data with them.
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where required by law, seeking your fresh consent or providing advance notice via email or in-app notification. Your continued use of the Service after the effective date of any revised Policy constitutes acceptance of the changes.
For all privacy-related inquiries, data subject access requests, or complaints:
Privacy: privacy@payorth.com
Security: security@payorth.com