Privacy

Privacy that explains the flow, not just the policy.

PayBridgeNP sits between merchants, customers, and Nepal payment providers. This page explains what information moves through the platform, why we need it, where it goes, and how long it stays.

Last updated April 26, 2026

Who this applies to

Merchants using PayBridgeNP, visitors to this website, and customers interacting with PayBridgeNP-hosted payment flows.

Core principle

PayBridgeNP does not hold customer funds. Settlement goes directly to the merchant's configured provider account.

Questions

For privacy questions or data requests, email support@paybridgenp.com.

What we collect

The data we collect depends on how you interact with PayBridgeNP. Merchants provide account, business, project, API, and provider credential information. Customers may provide payment references, contact details, and addresses where the merchant's checkout flow requests them.

  • Account data — name, email, password hash, authentication settings, team-member roles, support history.
  • Business and project data — merchant name, environment (live or sandbox), webhook endpoints, API keys, branding settings (logo, color, footer text), provider configuration.
  • Transaction data — amount, currency, provider, payment status, session IDs, reference numbers, metadata, and callback / webhook delivery logs.
  • Customer contact data — when collected by the merchant's checkout: customer name, email, phone number, billing and shipping addresses. Used to render the receipt, complete the payment, and send transactional notifications. PayBridgeNP does not market to customers.
  • SMS log data — recipient phone, template name, message body, send status, provider reference, error reason. Visible to the merchant on their /sms history page and used by support to debug delivery issues.
  • Email log data — recipient email, template name, send status, provider reference. Used by support to debug delivery issues.
  • Website and analytics data — IP address, browser details, device information, pages visited, and Google Analytics-derived aggregates.

How we use data

We use data to operate the platform, secure accounts, confirm payment outcomes, deliver webhooks, send transactional notifications, troubleshoot merchant issues, and improve the reliability of the product.

  • To create and manage merchant accounts, authenticate users, and protect access with security controls such as email verification and optional 2FA.
  • To create checkout sessions, route customers to supported providers, verify provider callbacks, and keep payment state in sync.
  • To deliver dashboards, public payment-tracking pages, refund records, webhook logs, SMS history, and operational reporting.
  • To send customer-facing transactional notifications (payment receipts, refund confirmations, payment reminders) on behalf of the merchant.
  • To detect abuse, enforce rate limits, investigate fraud or suspicious behavior, and comply with legal obligations.

When we share data

PayBridgeNP shares data only where it is needed to complete the payment flow, deliver notifications, or operate the service. We do not sell merchant or customer personal data.

  • Payment providers (eSewa, Khalti, Fonepay, ConnectIPS, HamroPay) receive the information required to initiate, verify, or reconcile transactions.
  • Sub-processors listed below process data on our behalf for hosting, email delivery, SMS delivery, file storage, and analytics.
  • Merchants receive payment status, customer contact data they collected, metadata, and webhook events for transactions created through their projects.
  • We may disclose information if required by law, court order, lawful request, or to protect the rights, safety, and security of PayBridgeNP, merchants, customers, or the public.

Sub-processors

PayBridgeNP relies on the following third-party providers to operate the platform. Each is bound by its own data-processing terms; we work only with vendors who provide reasonable security and privacy guarantees.

  • Neon (United States / EU) — managed Postgres database hosting. Stores all merchant, project, transaction, and notification log data.
  • Railway (United States) — application hosting for the API and Shopify integration services.
  • Vercel (United States) — application hosting for the marketing site and merchant dashboard.
  • Cloudflare (United States) — DNS, WAF, CDN, and R2 object storage. Stores merchant-uploaded brand and receipt logos at cdn.paybridgenp.com.
  • Upstash (United States) — managed Redis used for sliding-window rate limits.
  • Resend (United States) — transactional email delivery (verification, password reset, payment receipts, refund notifications, invoice reminders).
  • bulk.bedbyaspokhrel.com.np (Nepal) — SMS gateway used to deliver transactional SMS to customer phones in Nepal.
  • Google Analytics (United States) — aggregate website-traffic measurement.
  • Mintlify (United States) — documentation hosting at docs.paybridgenp.com.
  • Discord (United States) — community channel used for release notifications and support discussion. Joining is optional.

We will update this list when we add or remove a sub-processor that processes personal data. Material changes will be reflected in the "Last updated" date above.

SMS and email notifications

PayBridgeNP sends transactional SMS and email on behalf of merchants — for example a "payment received" receipt to the customer who just paid, or a "complete your payment" reminder for an abandoned Shopify checkout. We never send marketing messages.

  • What goes out — payment receipts, refund confirmations, abandoned-checkout reminders, invoice notifications, security alerts, and platform-level account emails (verification, password reset).
  • SMS log — every dispatch (whether sent or suppressed) is recorded with recipient phone, template, body, status, and provider reference. Merchants can view this in their dashboard at /sms.
  • Per-template controls — merchants can disable any template (payment success, payment failed, refund, invoice reminders) from /settings/emails and /sms settings.
  • Sandbox mode — when a merchant is in sandbox, SMS dispatches are logged but never reach the provider. No real money or messages move during testing.
  • Free plan — SMS dispatch is suppressed but logged so merchants can preview what would have gone out before upgrading to Premium.

MCP and AI agents

PayBridgeNP publishes an official Model Context Protocol (MCP) server so merchants can connect AI assistants (Claude, ChatGPT, Cursor, and others) to their merchant data. Agents authenticate with a scoped token issued by the merchant from their dashboard.

  • Read access — agents can list and inspect payments, refunds, customers, invoices, webhooks, and KPIs the merchant could see in the dashboard.
  • Write access (Premium only) — issuing refunds, creating payment links, modifying subscriptions. Confirmation prompts are surfaced for money-moving actions.
  • Audit trail — every MCP-driven action is logged to the dashboard activity log with the agent identifier, so merchants can see exactly what the agent did.
  • Merchant responsibility — the merchant is responsible for the AI assistant they connect, the prompts they issue, and the data they share with that assistant. Disconnect a token from /mcp at any time.

Uploaded files

Merchants can upload brand and receipt logos from the dashboard (/settings and /settings/emails). These files are stored in Cloudflare R2 and served from cdn.paybridgenp.com using unguessable random filenames.

  • Public reads — receipt logos must be embeddable in customer emails, so the URL is public. Filenames contain only a timestamp and 128 random bits — no merchant ID or other internal identifier is exposed.
  • Replacement — uploading a new logo replaces the previous one and best-effort deletes the older object from R2.
  • Removal — clicking "Remove logo" in the dashboard nulls the URL on your account and best-effort deletes the R2 object.

Retention and security

We keep information for as long as it is needed to provide the service, maintain reliable payment records, resolve disputes, meet compliance obligations, and enforce our agreements.

  • Free plan — list endpoints (payments, refunds, sessions, webhooks, SMS log) are clamped to the most recent 30 days. Older records still exist for audit but are not surfaced in the API or dashboard.
  • Premium plan — full historical retention with no list-endpoint cap.
  • Sensitive credentials — provider API keys and signing secrets are encrypted at rest with AES-GCM using a key not stored in source control.
  • Passwords — hashed with Argon2id; never stored in plaintext or sent to third parties.
  • Sandbox data — kept indefinitely for the merchant's reference; sandbox SMS and emails are never delivered to recipients.

Your choices

Merchants can request updates or deletion of account information, subject to records we need to retain for legitimate business or legal reasons. Customers should generally contact the merchant first for questions about a specific purchase, because the merchant controls the underlying transaction purpose.

You can also manage cookie preferences through your browser settings. For privacy requests, contact support@paybridgenp.com and include enough detail for us to verify the request safely.

Shopify integration

When a merchant installs PayBridgeNP for Shopify on their Shopify store, the app processes a limited set of customer data to facilitate payment collection. This section explains what is collected, why, and how long it is retained.

  • Customer email and phone number — read from the Shopify orders/create webhook payload. Used exclusively for transactional payment-link delivery: SMS and email messages that contain a secure link to the PayBridgeNP hosted checkout. Not used for marketing, profiling, or automated decision-making.
  • Customer name — read from the order payload to personalise the payment notification message (e.g. "Hi Aarav, complete your payment..."). Stored only within the checkout session metadata.
  • Retention — customer email and phone number are stored on shopify_pending_payments rows while the order is active (awaiting payment, reminders in progress). Once the order reaches a terminal state (paid, cancelled, or expired), these fields are automatically nulled out after 90 days by a daily retention scrub. This satisfies Shopify's data-minimisation requirements (L1.8).
  • GDPR compliance — the app implements Shopify's mandatory GDPR webhooks: customers/data_request (logs matching row count without echoing PII), customers/redact (nulls email and phone on matching rows), and shop/redact (purges all data for the shop and deletes the shop record).
  • Address fields — the app reads the customer's shipping name for the greeting. When the merchant has the Protected Customer Data Access scope granted by Shopify, address fields may also be passed through to PayBridgeNP for tax and fulfilment context. Address data is never persisted by the Shopify app outside the order's checkout session.
  • Cross-app routing — customer SMS is dispatched via the apps/api dispatcher (subject to merchant plan, sandbox mode, per-template toggles, and rate limits). The Shopify app does not call the SMS provider directly.

WooCommerce integration

PayBridgeNP for WooCommerce acts as a standard WooCommerce payment gateway plugin. It redirects customers to the PayBridgeNP hosted checkout page and receives payment confirmation via signed webhooks. The plugin does not store any additional customer data beyond what WooCommerce itself stores.

  • Order metadata — the plugin attaches the WooCommerce order ID and order key to the PayBridgeNP checkout session as metadata. This is used to match the incoming payment webhook to the correct order. The metadata is stored on the PayBridgeNP API alongside the checkout session record.
  • No PII stored by the plugin — customer name, email, phone, and address are managed entirely by WooCommerce's own order storage. The PayBridgeNP plugin reads the order total and key but never independently copies or persists personal data.
  • Webhook payloads — signed webhook deliveries from PayBridgeNP to WooCommerce contain payment status, provider reference, and amount. They do not contain customer PII. The signing secret is stored in wp_options by WooCommerce's built-in settings API.

WHMCS integration

PayBridgeNP for WHMCS is a standard WHMCS payment gateway module, available on the WHMCS Marketplace. It works the same way as the WooCommerce plugin: customers are redirected to the PayBridgeNP hosted checkout, and the invoice flips to Paid via signed webhook callback.

  • Invoice metadata only — the module passes the WHMCS invoice ID and amount to PayBridgeNP. Customer details remain managed by WHMCS's built-in client database.
  • No additional PII storage — the module does not extract or copy WHMCS client records.

Data subject rights

If you are a customer whose data has been processed through a PayBridgeNP-powered checkout:

  • Right to access — you can request a copy of the personal data PayBridgeNP holds about you by emailing support@paybridgenp.com with enough identifying information for us to locate your records (e.g. the order reference, your email, or the merchant's store name).
  • Right to deletion — you can request deletion of your personal data. For Shopify integrations, email and phone are automatically deleted after 90 days; a manual deletion request accelerates this. Transaction audit records (amounts, dates, provider references) are retained for legal compliance and cannot be deleted.
  • Right to rectification — if any personal data PayBridgeNP holds about you is inaccurate, you can request correction by contacting support@paybridgenp.com.
  • Merchant responsibility — because PayBridgeNP processes customer data on behalf of the merchant, data subject requests should first be directed to the merchant whose store you purchased from. The merchant may then work with PayBridgeNP to fulfil the request.
  • Response timeline — we respond to data subject requests within 30 days. If we cannot complete your request within that period, we will notify you of the reason for the delay and the expected completion date.