Zateway

Privacy Policy

Last updated: March 20, 2026 · Effective immediately

1. Introduction

This Privacy Policy describes how Zateway Technologies ("Company," "we," "us," or "our") collects, uses, stores, and protects your personal information when you use the Zateway platform, including our website, APIs, dashboards, checkout pages, and related services.

We are committed to protecting your privacy and handling your data with transparency. This policy applies to all users of the Service, including Merchants (who accept payments) and Customers (who make payments through Zateway-powered checkout pages).

2. Information We Collect

2.1 Information You Provide:
  • Account Data: Email address, business name, and password (hashed with bcrypt, 12 salt rounds) when you create a Merchant account.
  • Wallet Addresses: EVM-compatible addresses (Polygon, Base, Arbitrum, Optimism, BNB Smart Chain) and Solana wallet addresses that you provide for payment settlement.
  • Two-Factor Authentication: TOTP secrets (encrypted) if you enable 2FA.
  • Webhook Configuration: URLs and HMAC signing secrets for your webhook endpoints.
  • Team Members: Email addresses of team members you invite to your organization.
2.2 Information Collected Automatically:
  • Transaction Data: On-chain transaction hashes, token amounts, block numbers, confirmation counts, and settlement status. This data is sourced from public blockchains.
  • API Request Logs: IP addresses, request timestamps, API endpoints accessed, and rate limiting counters. Used exclusively for security and abuse prevention.
  • Device Information: Browser user-agent strings (used for session security, not tracking).
2.3 Information We Do NOT Collect:
  • Private keys or seed phrases — Zateway is non-custodial and never has access to your wallet keys.
  • Government-issued identification documents (unless required by applicable law in the future).
  • Bank account numbers, credit card numbers, or traditional financial account information.
  • Social media profiles or contacts.
  • Location data beyond IP-based geolocation (used only for sanctions compliance and rate limiting).

3. How We Use Your Information

  • Payment Processing: Matching on-chain payments to merchant payment sessions, verifying transaction finality, and triggering webhook notifications.
  • Dashboard & Analytics: Displaying your payment history, revenue metrics, and transaction details.
  • Security: Rate limiting, brute-force protection, CSRF prevention, IP-based sanctions screening, and fraud detection.
  • Communication: Sending payment confirmation emails, verification emails, password reset links, and critical security alerts.
  • Compliance: Maintaining audit trails, generating invoices, and meeting financial record-keeping obligations.
We do NOT use your information for advertising, behavioral profiling, or sale to third parties.

4. Data Storage & Security

  • Database: All data is stored in PostgreSQL with encryption at rest, hosted on Neon.tech with TLS-enforced connections.
  • Passwords: Hashed using bcrypt with 12 salt rounds. Raw passwords are never stored or logged.
  • API Keys: Hashed using SHA-256 before storage. The raw API key is displayed once upon creation and is never stored or retrievable.
  • JWT Tokens: Authentication tokens expire after 24 hours. Refresh tokens provide extended sessions with rotation.
  • Caching: Redis (Upstash) is used for rate limiting, session deduplication, and temporary state. Rate limiting data is cleared automatically within 5 minutes.
  • Encryption in Transit: All connections use TLS 1.2+ (HTTPS). No data is transmitted in plaintext.

5. Cookies

We use a minimal set of cookies strictly necessary for Service functionality:
  • zateway_token — Authentication session cookie. HttpOnly, Secure, SameSite: Strict. Expires after 24 hours.
  • zateway_mode — Dashboard mode toggle (live/test). Not HttpOnly. No sensitive data.
We do NOT use tracking cookies, analytics cookies, advertising cookies, or any third-party cookie-based tracking systems. No consent banner is required as we only use strictly necessary cookies.

6. Third-Party Services

We integrate with the following third-party services, each of which has its own privacy policy:
  • Blockchain RPC Providers: Alchemy (EVM chains), Helius (Solana) — these providers see public blockchain queries but do not receive your personal account data.
  • Resend: Email delivery service — receives recipient email addresses for transactional emails only.
  • Neon.tech: PostgreSQL hosting — data is stored with encryption at rest and TLS in transit.
  • Upstash: Redis hosting — stores ephemeral rate limiting and caching data only. No personally identifiable information is cached.
  • WalletConnect: Wallet connection protocol for EVM checkout — we do not receive or store wallet private keys through this integration.
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

7. Blockchain Transparency

All payment transactions occur on public blockchains (Solana, Polygon, Base, Arbitrum, Optimism, BNB Smart Chain). Transaction hashes, wallet addresses, token amounts, and timestamps are permanently and publicly recorded on these networks. This transparency is an inherent feature of blockchain technology and is not controlled by Zateway.

Public block explorers (Polygonscan, Solscan, Basescan, Arbiscan, Optimistic Etherscan, BscScan) allow anyone to view these on-chain transactions. We recommend merchants use dedicated business wallets separate from personal wallets.

8. Data Retention

  • Account Data: Retained until you request account deletion.
  • Transaction Records: Retained indefinitely as required for financial compliance, audit trails, and dispute resolution.
  • API Request Logs: Retained for 90 days, then automatically purged.
  • Rate Limiting Data: Ephemeral, cleared automatically within 2–5 minutes.
  • Webhook Delivery Logs: Retained for 30 days.

9. Your Rights (GDPR / CCPA)

Regardless of your location, you have the following rights:
  • Right to Access: Request a copy of all personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Deletion: Request deletion of your account and associated personal data (subject to legal retention requirements for financial records).
  • Right to Data Portability: Export your transaction history in CSV or JSON format from the Dashboard.
  • Right to Object: Object to processing of your data for any purpose beyond Service delivery.
  • Right to Restrict Processing: Request that we limit processing of your data under certain conditions.
To exercise any of these rights, contact us at support@zateway.com. We will respond within 30 days.

10. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.

11. International Data Transfers

Your data may be processed and stored in data centers located outside your country of residence, including in the United States and the European Union. We ensure appropriate safeguards are in place for all international data transfers in compliance with applicable data protection laws.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice on our website at least 7 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact

For privacy-related questions, data requests, or concerns: