$ kleepay legal --privacy
Privacy Policy
This Privacy Policy explains how KleePay Limited (“KleePay”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards personal data when you access kleepay.ai, create an account, or use our programmable payment infrastructure and related services (collectively, the “Services”).
Contents
01 Scope & data controller
KleePay Limited, a company organised in the Hong Kong Special Administrative Region of the People's Republic of China (“Hong Kong”), is the data controller responsible for personal data processed in connection with the Services. Our processing is subject to the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”), and, where applicable to you, the EU/UK General Data Protection Regulation (“GDPR”) and other comparable data-protection laws.
This Policy applies to applicants, account holders, authorised users, and visitors who interact with the Services, and it should be read together with our Terms of Use. Where the Services are offered to a business customer, that customer may act as a controller in its own right and this Policy describes our processing as their service provider and processor.
02 Personal data we collect
Information you provide
- Account & identity data: name, email address, business details, and information collected to satisfy identity verification, know-your-customer (KYC), and anti-money-laundering (AML) obligations.
- Waitlist & contact data: the email address and any message you submit when joining the waitlist or contacting us.
- Payment configuration: programmable card rules you define, such as spend limits, merchant scope, time-to-live, and authorization settings.
Information collected automatically
- Transaction & activity data: records of card issuance, authorisations, payment intents, policy checks, and settlement events generated by your agents and the Services.
- Device & technical data: IP address, browser and device type, operating system, and timestamps, collected through cookies and similar technologies.
- Usage data: pages viewed, features used, and diagnostic logs used to operate and secure the Services.
Information from third parties
We may receive data from identity-verification providers, card networks and issuing partners, fraud-prevention services, and analytics providers, which we combine with data we hold to deliver and protect the Services.
03 How we use personal data
- To provide, operate, and maintain the Services, including issuing programmable cards and authorising agent transactions;
- To verify identity and comply with KYC, AML, sanctions, and other legal and regulatory obligations;
- To detect, investigate, and prevent fraud, abuse, and security incidents;
- To communicate with you about your account, waitlist status, service changes, and support requests;
- To analyse and improve the performance, reliability, and design of the Services; and
- To establish, exercise, or defend legal claims, and to enforce our agreements.
04 Legal bases for processing
Where data-protection law (such as the EU/UK GDPR) applies, we rely on one or more of the following legal bases:
- Performance of a contract: to deliver the Services you or your organisation request;
- Legal obligation: to meet financial-services, tax, and record-keeping requirements;
- Legitimate interests: to secure, improve, and market the Services in a manner that is not overridden by your rights; and
- Consent: where required, for example for certain cookies or marketing communications, which you may withdraw at any time.
05 How we share personal data
We do not sell personal data. We disclose personal data only as described below:
- Service providers: cloud hosting, identity verification, card issuing and processing, and analytics partners who act on our instructions under appropriate contractual safeguards;
- Card networks & financial partners: as necessary to issue cards and settle transactions;
- Legal & regulatory recipients: authorities, regulators, or courts where disclosure is required by law or to protect our rights, users, or the public; and
- Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections.
5.1 Named sub-processors
The principal third-party processors we currently rely on to deliver the Services are listed below. We may add, replace, or remove sub-processors from time to time; material changes will be reflected in this Policy.
- RedotPay — card issuance, authorisation, and settlement on the Visa network. RedotPay independently collects and processes data required to issue and operate the card (see RedotPay Privacy Policy).
- Cactus — on-chain custody, deposits, and withdrawals; receives blockchain transaction data and wallet identifiers necessary to settle funding flows.
- Sumsub — identity verification (KYC) document and biometric processing; receives the documents and selfie material you submit to satisfy KYC.
- Amazon Web Services (AWS) — cloud infrastructure and storage in the Asia Pacific (Singapore) region.
- Umami Cloud — privacy-respecting product analytics (SaaS, operated by Umami Software Inc.); receives anonymised page-view and event data. Umami does not use cookies that identify you across sites and does not collect personally identifiable information by default.
06 International data transfers
We are based in Hong Kong but the Services run on cloud infrastructure that may process and store personal data in other jurisdictions, including Singapore (AWS Asia Pacific) and other regions where our sub-processors operate. Where we transfer personal data across borders, we implement appropriate safeguards including, as applicable:
- EU Standard Contractual Clauses (SCCs) for transfers originating in the EEA or the UK;
- Equivalent contractual safeguards with our sub-processors that reflect the principles of the Hong Kong PDPO; and
- Operational measures (encryption in transit, access controls, data-minimisation reviews) to keep the data protected regardless of where it is stored.
07 Data retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, including to satisfy legal, accounting, regulatory, or reporting requirements. When data is no longer required, we delete or irreversibly anonymise it.
The principal retention periods we apply are:
- Identity verification (KYC) records: retained for at least 5 years after the end of your relationship with us, as required by the Hong Kong Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615).
- Transaction records (cards, wallet, intents, ledger): retained for at least 7 years after the transaction, consistent with card-network rules and accounting-record retention requirements.
- Account and contact data: retained for the lifetime of your account and for a reasonable period thereafter to resolve disputes, enforce our agreements, and comply with law.
- Operational and security logs (including agent / API key activity): retained for up to 2 years, then deleted or aggregated.
- Marketing opt-outs: retained indefinitely so we can honour your opt-out.
Retention periods may be extended where required to respond to an investigation, regulatory enquiry, or pending legal claim.
08 Security
We maintain technical and organisational measures designed to protect personal data against unauthorised access, loss, or misuse, including encryption in transit, access controls, network segmentation, and local authorization before transactions are authorised. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8.1 Local-only signing key (KleePay Local Wallet)
The KleePay Local Wallet (klw) holds the Ed25519 signing key used to authorise transactions on your behalf. This key is generated on, and remains on, your own device — it is encrypted at rest with a password only you know and is never transmitted to KleePay. We therefore have no ability to read, copy, recover, or reset that key. If you lose access to a device holding a klw keystore, you will need to revoke the corresponding agent from your dashboard and provision a new device; the funds remain safe because the lost key, on its own, cannot move money without the policy enforcement we apply server-side.
09 Your privacy rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you and request a copy;
- Request correction of inaccurate or incomplete data;
- Request erasure of your data, subject to legal retention requirements;
- Object to or restrict certain processing, and withdraw consent where processing relies on consent;
- Request portability of data you provided to us; and
- Lodge a complaint with your local data-protection authority.
If you are in Hong Kong, you additionally have the rights granted under the PDPO (Cap. 486) — including the data-access and data-correction rights under sections 18 and 22 — and may lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD). If you are in the EEA or the UK, you may lodge a complaint with your local supervisory authority. If you are a California resident, you may exercise the rights granted by the California Consumer Privacy Act (CCPA), including the right to know, the right to delete, and the right to non-discrimination for exercising those rights.
To exercise these rights, contact us at [email protected]. We may need to verify your identity before responding, and we will respond within the time frame required by the applicable law (and in any event no later than 30 days for routine requests).
10 Cookies & analytics
We use cookies and similar technologies to operate the Services, remember your preferences, measure performance, and improve your experience. You can control non-essential cookies through your browser settings or any consent controls we provide. Disabling certain cookies may affect the functionality of the Services.
11 Children’s privacy
The Services are intended for businesses and individuals aged 18 or older. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12 Changes to this Policy & contact
We may update this Policy from time to time to reflect changes in our practices or applicable law. We will post the revised version at kleepay.ai/privacy and update the “Last updated” date above. Material changes will be communicated through the Services or by email where appropriate.
Questions about this Policy or our data practices can be directed to KleePay Limited at [email protected].