Privacy Policy

How Payorth collects, uses, and protects your data.
Last updated February 26, 2026

Our commitment: Your financial data is sacred. Payorth is built on the principle that your business data belongs to you — we process it only to provide the services you've asked for, and we will never sell your personal information to third parties.

1. Information We Collect

Information you provide directly

Category         | Data Collected                                          | Purpose
Account          | Phone number, owner name, business name, country        | Account creation, authentication
Business profile | Address, logo, registration number, bank details        | Invoice generation, payment settlement
Identity         | BVN (Nigeria), company registration (CAC)               | KYC / regulatory compliance
Financial        | Invoices, payments, credit notes, bank statements       | Core service functionality
Contacts         | Your customers' names, phone numbers, emails            | Invoice delivery, payment reminders
Conversations    | WhatsApp messages exchanged with Payorth AI             | Command processing, service improvement

Information collected automatically

  • Device data — browser type, operating system, IP address (for rate limiting and fraud detection)
  • Usage data — pages visited, features used, session duration (for product improvement)
  • Transaction metadata — timestamps, payment provider responses, webhook delivery status

2. How We Use Your Information

We process your information under the following legal bases:

  • Contract performance — to provide the invoicing, payment collection, and accounts receivable services you signed up for
  • Legitimate interest — to improve our product, prevent fraud, and ensure platform security
  • Legal obligation — to comply with financial regulations, tax reporting, and law enforcement requests
  • Consent — for optional marketing communications (you can withdraw at any time)

Specifically, we use your data to:

  • Create and deliver invoices to your customers via WhatsApp
  • Schedule and send automated payment reminders on your behalf
  • Process payment transactions through our integrated payment providers
  • Generate financial analytics and reports (dashboard, DSO, collection rate)
  • Verify your identity and business registration for trust and compliance
  • Reconcile bank statements against invoices
  • Sync data with accounting platforms (Xero, QuickBooks, Sage, Zoho Books) when you connect them
  • Detect, investigate, and prevent fraudulent or unauthorized transactions
  • Provide customer support and respond to your inquiries

3. Who We Share Your Data With

We do not sell your personal information. We share data only with the following service providers, and only to the extent necessary:

Partner              | Data Shared                              | Why
Paystack             | Customer email, invoice amount, currency | Payment processing (Nigeria, Ghana)
Stripe               | Customer email, invoice amount, currency | Payment processing (United States)
M-Pesa               | Customer phone, amount                   | Mobile money payments (Kenya)
Yoco                 | Customer email, invoice amount           | Payment processing (South Africa)
Twilio / WhatsApp    | Message content, phone numbers           | WhatsApp message delivery
OpenAI / Anthropic   | Anonymized message text                  | Natural language processing for AI assistant
ID verification      | BVN, business registration               | KYC verification
Accounting platforms | Invoices, payments, contacts             | Sync (only when you explicitly connect)

We may also disclose information when required by law, regulation, court order, or governmental request, or to protect our rights, property, or the safety of our users.

4. How We Protect Your Data

  • Encryption in transit — all data transmitted over TLS 1.2+ with HSTS enforced
  • Encryption at rest — sensitive fields (bank details, BVN, OAuth tokens) encrypted with AES-256
  • Access control — all data scoped by organization ID; no cross-tenant access possible
  • Authentication — passwordless OTP-based login; sessions expire after 24 hours with 30-minute idle timeout
  • Audit logging — all financial actions logged with timestamps and actor identification
  • Masking — bank account numbers and BVN never displayed in full through our API or dashboard
  • Webhook security — all payment provider webhooks verified using HMAC signatures with constant-time comparison

For complete details, see our Security page.
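As an illustration of the webhook check listed above, here is an added example (not Payorth's code) of verifying a payment provider webhook with an HMAC signature and a constant-time comparison. It assumes a hypothetical provider that signs the raw request body with HMAC-SHA256 and sends the hex digest in a header; real providers differ in header name and hash function, and the secret and sample event below are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret: a placeholder, not a real credential.
WEBHOOK_SECRET = b"example-shared-secret-replace-me"


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, as the hypothetical provider sends it.

    Assumption: the provider signs the exact bytes of the request body.
    Header name and hash function vary by provider; adjust to match yours.
    """
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Return True only if the header matches the HMAC of the raw body.

    hmac.compare_digest takes the same time regardless of where the first
    mismatching byte is, so response timing does not reveal the expected
    digest one character at a time, which a plain '==' comparison would.
    """
    if not signature_header:
        return False
    expected = sign_payload(secret, raw_body).encode("ascii")
    # Hex digests are case-insensitive; the header is encoded to bytes so
    # non-ASCII input cannot make compare_digest raise TypeError on str.
    provided = signature_header.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, provided)


def handle_webhook(secret: bytes, raw_body: bytes, signature_header: Optional[str]) -> dict:
    """Verify first, parse second: the body is not trusted until the signature
    checks out, and the HMAC is computed over the raw bytes rather than a
    re-serialised JSON object (re-serialisation can change key order or
    whitespace and break the match)."""
    if not verify_webhook(secret, raw_body, signature_header):
        return {"status": 401, "reason": "invalid signature"}
    event = json.loads(raw_body)
    return {"status": 200, "event": event.get("event")}


if __name__ == "__main__":
    # Constructed sample event; the fields are illustrative only.
    body = b'{"event":"charge.success","data":{"reference":"inv_0001","amount":50000}}'
    good = sign_payload(WEBHOOK_SECRET, body)
    print(handle_webhook(WEBHOOK_SECRET, body, good))         # status 200
    print(handle_webhook(WEBHOOK_SECRET, body + b" ", good))  # status 401
```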

5. Data Retention

Data Type         | Retention Period              | Reason
Account data      | Duration of account + 30 days | Service provision and grace period
Financial records | 7 years after creation        | Tax and accounting regulations
Audit logs        | 3 years                       | Security and compliance
Conversations     | Duration of account           | Service functionality, dispute resolution
Usage / analytics | 24 months                     | Product improvement

When you delete your account, we remove your personal data within 30 days, except for financial records we are legally required to retain.

6. Your Rights

Depending on your location and applicable data protection law, you have the following rights:

  • Right to Access: Request a copy of all data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Delete your account and personal data
  • Right to Portability: Export your data in machine-readable format (CSV)
  • Right to Restrict: Limit how we process your data
  • Right to Object: Opt out of processing based on legitimate interest

To exercise any of these rights, contact us at privacy@payorth.com. We will respond within 30 days as required by applicable law.

7. Cookies & Tracking

Cookie        | Type       | Purpose
Session token | Essential  | Maintains your authenticated session
CSRF token    | Essential  | Prevents cross-site request forgery
Preferences   | Functional | Remembers dashboard settings

We do not use third-party advertising or tracking cookies. We do not participate in ad networks, retargeting, or behavioral profiling. We do not use Google Analytics or Facebook Pixel.

8. International Data Transfers

Payorth operates across five countries — Nigeria, South Africa, Kenya, Ghana, and the United States. Your data may be processed in any country where we or our service providers maintain infrastructure.

When we transfer data internationally, we ensure appropriate safeguards:

  • Standard contractual clauses (SCCs) with data processors
  • Encryption of data in transit and at rest
  • Data processing agreements with all third-party providers
  • Regular assessment of data protection adequacy in destination countries

9. Children's Privacy

Payorth is a business-to-business service designed for use by adults operating businesses. We do not knowingly collect information from anyone under the age of 18. If we discover that a child has provided us with personal information, we will promptly delete it. If you believe a child has provided us with data, please contact us at privacy@payorth.com.

10. Regulatory Compliance

Payorth is designed to comply with the data protection laws in each country where we operate:

  • Nigeria — Nigeria Data Protection Regulation (NDPR) and NDPA 2023. Registered and compliant with NITDA requirements.
  • South Africa — Protection of Personal Information Act (POPIA). We appoint an Information Officer and provide subject access request channels.
  • Kenya — Data Protection Act, 2019 (DPA). We comply with the ODPC requirements.
  • Ghana — Data Protection Act, 2012 (Act 843). We adhere to the Data Protection Commission guidelines.
  • European Union — General Data Protection Regulation (GDPR). Data protection by design and by default.
  • United States — Industry best practices and applicable state privacy laws including CCPA/CPRA where applicable.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send a notification via WhatsApp or the dashboard for significant changes
  • Give at least 30 days' notice before changes take effect

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have a complaint about how we handle your data, contact us at privacy@payorth.com.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g., NITDA in Nigeria, the Information Regulator in South Africa, or the ODPC in Kenya).