# Privacy Policy

> Privacy Policy for Stafiel stablecoin checkout and merchant payment services.

Canonical: https://stafiel.org/privacy-policy
Content type: privacy
Version: v1.0.0
Effective date: 2026-05-18T00:00:00.000Z
Updated: 2026-07-09T06:10:10.598Z

This Privacy Policy explains how Stafiel collects, uses, discloses, stores, and
protects information in connection with Stafiel websites, dashboards, hosted
checkout, widgets, APIs, documentation, operational tools, and related services.

The Services are intended for merchants, platforms, and other business users.
When a customer pays a merchant through a Stafiel checkout flow, Stafiel processes
information to provide the payment experience and related services for the
merchant.

For merchant account, website, security, compliance, support, and service
operation data, Stafiel generally acts as an independent controller or business
where applicable. For customer checkout, order, and payment data processed to
provide services to a merchant, Stafiel generally acts as a processor, service
provider, or similar role on behalf of that merchant, subject to applicable law
and any written agreement.

## 1. Information We Collect

We may collect information directly from you, from merchants, from customers,
from devices and browsers, from blockchain networks, from service providers, and
from other sources.

Information we collect may include:

- account information, such as name, business name, email address, login method,
role, permissions, account identifiers, and authentication metadata;

- business information, such as merchant profile, website, business category,
service configuration, supported assets, supported networks, wallet
configuration, and settlement preferences;

- checkout and order information, such as checkout session identifiers, order
amounts, currency, token, network, order metadata, product or service
descriptions submitted by the merchant, customer email if provided, return
URLs, and payment status;

- wallet and blockchain information, such as wallet addresses, signatures,
transaction hashes, token addresses, chain identifiers, contract addresses,
on-chain events, settlement records, refund records, confirmation data, and
publicly available blockchain information;

- API and integration information, such as API keys, webhook configuration,
webhook delivery records, request and response metadata, event logs,
idempotency keys, IP addresses, user agents, device identifiers, and technical
diagnostics;

- support and communication information, such as messages, form submissions,
attachments, email metadata, preferences, and records of communications;

- security, compliance, and risk information, such as fraud signals, abuse
indicators, sanctions or KYT/AML screening signals, blocked activity,
restricted region indicators, device and network signals, and investigation
notes;

- service measurement and, where enabled, analytics or marketing information,
such as website visits, referral data, engagement data, preferences, business
interests, and communications with Stafiel.

You should not submit sensitive personal information unless it is necessary for
your use of the Services or requested by Stafiel.

The individuals whose information may be processed include merchant users and
team members, merchant customers or payers, website visitors, support contacts,
and other people who interact with the Services or with merchant-configured
checkout flows.

## 2. How We Use Information

We may use information to:

- provide, operate, maintain, and improve the Services;

- create and manage merchant accounts, sessions, dashboards, and access controls;

- create checkout sessions, process payment status, monitor blockchain events,
support settlement paths, and provide refund or operational tools;

- authenticate users, support OAuth login, protect credentials, and secure
accounts;

- provide APIs, widgets, hosted checkout pages, webhooks, documentation, and
support;

- detect, prevent, investigate, and respond to fraud, abuse, security incidents,
unauthorized activity, service misuse, and technical issues;

- perform risk, sanctions, fraud, abuse, wallet, transaction, merchant,
customer, and region screening, including KYT, AML, and similar controls where
available, required, or enabled;

- enforce terms, policies, service limits, and compliance controls;

- maintain records, audit logs, operational logs, backups, and business records;

- communicate with merchants and users about accounts, service updates, support,
security, billing, legal notices, and operational matters;

- analyze usage, measure performance, understand product adoption, improve user
experience, and develop new features;

- conduct service measurement and performance analytics, and, where enabled and
permitted by applicable law, marketing, merchant communications, product
education, and business development;

- comply with law, legal process, tax, accounting, sanctions, regulatory,
reporting, audit, dispute, and enforcement obligations;

- protect the rights, safety, property, service integrity, and legitimate
interests of Stafiel, merchants, customers, partners, service providers, and
others.

Where applicable law requires a legal basis for processing, those bases may
include performance of a contract, steps requested before entering into a
contract, compliance with legal obligations, legitimate interests in operating
and securing the Services, consent where required, and other bases permitted by
applicable law.

## 3. Blockchain Data

Blockchain networks are public or partially public systems. Wallet addresses,
transaction hashes, token transfers, contract events, timestamps, balances, and
related activity may be publicly visible, permanent, copied by third parties, and
outside Stafiel's ability to delete or modify.

Stafiel may read, index, verify, store, display, and use blockchain data to
provide payment status, settlement, refund, monitoring, compliance, support,
analytics, and operational features. Blockchain data may be combined with
merchant account data, checkout data, order metadata, wallet configuration, and
technical logs.

## 4. Cookies and Similar Technologies

We may use cookies, local storage, session storage, scripts, and similar
technologies for:

- strictly necessary functions, such as authentication, session continuity,
security, fraud prevention, and service operation;

- security and anti-abuse controls, such as Turnstile challenges, signed
verification sessions, rate limiting, and bot protection;

- functional preferences, such as language, theme, and privacy preference
settings;

- analytics or marketing features where enabled, permitted by applicable law,
and subject to any consent or preference choices that apply.

You may be able to control cookies through your browser, device settings, or
in-product privacy preference controls. Some features may not work correctly if
cookies or similar technologies are disabled.

## 5. Service Providers and Third Parties

We may disclose information to vendors, service providers, infrastructure
providers, professional advisers, financial or compliance partners, and other
third parties that help us provide, secure, analyze, market, support, or improve
the Services.

These may include:

- Cloudflare for hosting, Workers, Pages, D1, KV, R2, Queues, CDN, WAF, security,
Turnstile, bot management, logging, and infrastructure operations;

- Resend and email delivery providers for service emails, transactional emails,
account notices, order-related emails, and operational communications;

- GitHub for OAuth login, content versioning, legal and documentation sync,
webhooks, source management, and operational workflows;

- Google for OAuth login and account authentication;

- Alchemy for RPC services, webhook services, node infrastructure, chain data,
event monitoring, and payment detection;

- Ankr for RPC services and chain data;

- Helius for Solana RPC services, chain data, account data, and monitoring;

- TronGrid and TronScan for Tron RPC, explorer, transaction, wallet, contract,
and chain data services;

- blockchain networks, RPC providers, indexers, node operators, explorers, and
infrastructure providers for supported or future networks;

- analytics, measurement, marketing, attribution, and business development
providers where engaged;

- compliance, fraud prevention, AML/KYT, sanctions screening, abuse prevention,
security, and risk service providers where engaged;

- hosting, storage, monitoring, logging, database, queue, developer, and
operational service providers;

- lawyers, accountants, auditors, insurers, banks, payment partners, and other
professional or business advisers.

We may also send checkout, payment, refund, settlement, webhook, and event data
to merchant-configured endpoints or integrations. Merchants are responsible for
their own systems, endpoints, privacy practices, and customer communications.

## 6. Third-Party Wallets and Merchant Tools

If you or your customers use a third-party wallet, browser extension, exchange
wallet, blockchain explorer, RPC endpoint, or similar tool, that provider may
collect information directly under its own privacy policy and terms.

Stafiel may receive wallet addresses, signatures, transaction hashes, chain or
network identifiers, token information, wallet connection metadata, and related
payment status data needed to provide the Services. Stafiel does not control the
privacy or security practices of third-party wallet providers, exchanges,
browser extensions, or other external tools.

## 7. Legal, Compliance, and Safety Disclosures

We may disclose information if we believe disclosure is appropriate to:

- comply with law, legal process, sanctions, tax, accounting, regulatory,
supervisory, audit, or reporting obligations;

- respond to lawful requests from courts, regulators, law enforcement, government
authorities, or other authorized third parties;

- enforce our terms, policies, agreements, and service limits;

- detect, prevent, investigate, or respond to fraud, abuse, security incidents,
money laundering, sanctions risk, prohibited activity, or other harmful
activity;

- protect the rights, property, safety, service integrity, or legitimate
interests of Stafiel, merchants, customers, service providers, partners, or
others;

- support a merger, acquisition, financing, restructuring, sale of assets,
bankruptcy, corporate transaction, or similar business event.

## 8. Automated Decisions and Service Limits

Stafiel may use automated or rule-based controls to protect the Services,
including blocklists, restricted region controls, wallet or transaction risk
rules, rate limits, abuse detection, security checks, and compliance controls.
These controls may block, reject, delay, suspend, limit, or flag accounts,
checkout sessions, merchant configurations, wallet addresses, return URLs,
transactions, or other activity for review.

Where required by applicable law, you have the right to request human review,
express your point of view, and contest a decision or limitation that
significantly affects you. Stafiel may keep applying controls where needed for
security, legal, sanctions, fraud, abuse, service integrity, or risk reasons.

## 9. International Processing

Stafiel and its service providers may process information in multiple countries
and regions. Privacy, data protection, government access, and other laws may
differ from those in your location. By using the Services, you understand that
information may be processed, stored, transferred, or accessed internationally
where permitted by applicable law.

## 10. Data Retention

We retain information for as long as reasonably needed for the purposes described
in this Privacy Policy, including service operation, security, fraud prevention,
AML/KYT monitoring, sanctions compliance, legal compliance, tax, accounting,
audit, dispute resolution, contract enforcement, backup retention, business
records, product improvement, and legitimate business purposes.

Retention periods may vary depending on the type of information, the service
context, legal requirements, risk considerations, merchant instructions, and
operational needs. Blockchain data may be public, permanent, and outside
Stafiel's ability to delete or modify. Audit logs, security records, transaction
records, AML/KYT records, sanctions records, tax records, accounting records,
dispute records, legal hold records, and compliance-related information may be
retained for longer periods where appropriate or required.

## 11. Security

We use technical, administrative, and organizational measures designed to protect
information. No system, network, blockchain, wallet, or transmission method is
fully secure. You are responsible for securing your accounts, credentials,
devices, wallets, private keys, seed phrases, API keys, webhook secrets, and
merchant systems.

If you believe your account, wallet, credentials, or integration has been
compromised, contact us promptly and take steps to secure your systems.

## 12. Your Choices and Rights

Depending on your location and applicable law, you may have rights to request
access, correction, deletion, portability, restriction, objection, consent
withdrawal, or review of certain decisions regarding personal information.

We may deny, limit, delay, or condition requests where permitted by law, including
where information is needed for compliance, security, fraud prevention, AML/KYT
monitoring, sanctions screening, tax, accounting, audit, dispute resolution,
contract enforcement, service integrity, backup retention, legal claims, or
protection of rights and safety.

If Stafiel processes information on behalf of a merchant, we may direct customer
requests to that merchant and may reasonably assist the merchant in responding
where required by applicable law or a written agreement. Blockchain data may be
public, permanent, and outside Stafiel's ability to delete or modify.

To exercise the rights described above, please contact us at
[privacy@stafiel.com](mailto:privacy@stafiel.com), or use any data subject request mechanism Stafiel may make
available. Stafiel may verify your identity and the scope of your request before
responding.

You may opt out of certain marketing communications by using the unsubscribe
mechanism in those communications or by contacting us. We may still send service,
security, legal, transactional, and operational messages.

## 13. Children

The Services are not intended for children or for individuals under 18. We do not
knowingly collect personal information from children. If you believe a child has
provided information to us, contact us so we can review the request.

## 14. Merchant Responsibilities

Merchants are responsible for providing legally required notices to their
customers, obtaining required consents, responding to customer privacy requests,
and ensuring that merchant-provided order data, customer data, webhook endpoints,
return URLs, and integrations comply with applicable law.

Merchants should not submit customer information to Stafiel unless they have the
right to do so and the information is appropriate for the payment, checkout,
support, compliance, or operational purpose.

## 15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Updates may be posted on the
website, shown in the dashboard, or communicated by other reasonable means where
required by applicable law. Continued use of the Services after an update becomes
effective means the updated Privacy Policy applies to your use of the Services.

## 16. Contact

Questions about this Privacy Policy may be sent to [privacy@stafiel.com](mailto:privacy@stafiel.com).

The English language version of this Privacy Policy controls. Translations, if
provided, are for convenience only.
