Last updated on May 25, 2025

Privacy Policy

1. Introduction

Payra, Inc. (“Payra,” “we,” “us,” or “our”) provides an invoicing, collections, and payment processing platform (the “Service”) to businesses and their authorized users. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you access or use our website at www.payra.com (the “Site”), our application dashboard, client-facing portals, payment tools, integrations, APIs, and any related services.

This Privacy Policy applies to all users of the Service, including business account holders (“Merchants”), their employees and authorized users, and the customers or end-users of Merchants who interact with Payra-powered invoices, portals, or payment links (“End Users”).

By accessing or using the Service, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with our practices, please do not use the Service. If you are a Merchant, you are responsible for ensuring that your End Users are aware of and consent to the data practices described herein, to the extent required by applicable law.

2. Information We Collect

We collect information in the following categories:

2.1 Information You Provide Directly

  • Account Registration Information: Business name, contact name, email address, phone number, physical address, Employer Identification Number (EIN) or Tax Identification Number (TIN), and account credentials.

  • Payment and Financial Information: Bank account details (routing and account numbers), credit or debit card numbers, billing address, and other information necessary to process transactions. Note: Payra does not store full credit card numbers on its servers; card data is tokenized and processed by our PCI-DSS-compliant payment processor(s).

  • Invoice and Transaction Data: Invoice amounts, descriptions, due dates, line items, payment terms, payment history, and related correspondence.

  • Customer/End-User Data Provided by Merchants: Names, email addresses, phone numbers, mailing addresses, and other information Merchants input about their customers for invoicing and collection purposes.

  • Communications: Messages sent through our support channels, emails, feedback, survey responses, and any other communications with Payra.

  • Identity Verification Data: Government-issued identification, proof of business registration, or other documentation required for compliance with Know Your Customer (KYC) and anti-money laundering (AML) regulations.

2.2 Information Collected Automatically

  • Device and Browser Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.

  • Usage Data: Pages visited, features used, click patterns, time spent on pages, navigation paths, referral URLs, and interaction with invoices or payment links.

  • Log Data: Server logs that record requests made to our servers, including timestamps, error codes, and diagnostic data.

  • Cookies and Tracking Technologies: We use cookies, web beacons, pixels, and similar technologies to collect information about your interactions with the Service. See Section 7 (Cookies and Tracking Technologies) for details.

  • Location Data: Approximate geographic location inferred from your IP address.

2.3 Information from Third Parties

  • Payment Processors: Transaction confirmations, chargeback notifications, fraud signals, and settlement data from our payment processing partners.

  • ERP/Accounting Integrations: When you connect Payra to third-party software (e.g., QuickBooks, Xero, or other ERP systems), we receive data necessary to synchronize invoices, payments, and customer records.

  • Credit and Identity Verification Services: Business credit information, identity verification results, and fraud screening data from third-party verification providers.

  • Publicly Available Sources: Business registration data, publicly filed documents, and other information available through public databases.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operations

  • Creating, maintaining, and administering your account.

  • Processing invoices, payments, collections, and refunds.

  • Facilitating communication between Merchants and their End Users regarding invoices and payment status.

  • Synchronizing data with connected ERP, accounting, and business software.

  • Providing customer support and responding to inquiries.

3.2 Security and Fraud Prevention

  • Detecting, investigating, and preventing fraudulent transactions, unauthorized access, and other illegal activities.

  • Verifying identity and conducting KYC/AML compliance checks.

  • Monitoring for security threats and protecting the integrity of the Service.

3.3 Improvement and Analytics

  • Analyzing usage patterns to improve features, performance, and user experience.

  • Conducting internal research and development.

  • Generating aggregated, de-identified analytics and benchmarking reports.

3.4 Communications

  • Sending transactional notifications (invoice delivery, payment confirmations, receipts, reminders).

  • Delivering product updates, feature announcements, and service-related notices.

  • Sending marketing communications where you have opted in or where permitted by law. You may opt out at any time (see Section 9).

3.5 Legal and Compliance

  • Complying with applicable laws, regulations, legal processes, and governmental requests.

  • Enforcing our Terms of Service and other agreements.

  • Establishing, exercising, or defending legal claims.

4. Legal Bases for Processing

We process personal information based on one or more of the following legal bases:

| Legal Basis | Examples |
|---|---|
| Contractual Necessity | Processing payments, managing your account, delivering invoices, fulfilling our obligations under the Terms of Service. |
| Legitimate Interest | Fraud prevention, security monitoring, service improvement, internal analytics, and direct marketing to existing customers. |
| Legal Obligation | Complying with tax reporting requirements, AML/KYC regulations, responding to lawful subpoenas or court orders. |
| Consent | Marketing communications to prospective customers, use of non-essential cookies, and any other processing where we have obtained your explicit consent. |

5. Disclosure of Information

We do not sell your personal information. We may share your information with the following categories of recipients:

5.1 Service Providers and Processors

We engage third-party companies to perform functions on our behalf, including:

  • Payment processors and banking partners (for transaction processing and settlement).

  • Cloud hosting and infrastructure providers (for data storage and computing).

  • Email and communication service providers (for transactional and marketing emails).

  • Analytics and monitoring tools (for usage analytics and performance monitoring).

  • Identity verification and fraud prevention services.

  • Customer support platforms.

These service providers are contractually obligated to use your information only for the purposes of providing services to Payra and in accordance with this Privacy Policy.

5.2 Merchants and End Users

When an End User makes a payment through Payra, relevant transaction information is shared with the Merchant who issued the invoice. Similarly, Merchant business names and payment instructions are displayed to End Users in invoices, portals, and payment confirmations.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar transaction, your information may be transferred as part of that transaction. We will notify affected users of any change in ownership or control of personal information.

5.4 Legal and Regulatory

We may disclose information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or governmental request.

  • Enforce our Terms of Service or other agreements.

  • Protect the rights, property, or safety of Payra, our users, or others.

  • Detect, prevent, or address fraud, security, or technical issues.

5.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

6. Data Retention

We retain personal information only as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | Duration of account + 3 years after closure | Contractual and legal obligations |
| Transaction Records | 7 years from transaction date | Tax, financial reporting, and regulatory compliance |
| Payment Card Data (tokenized) | Until token is no longer needed or account closure | PCI-DSS requirements |
| Usage/Analytics Data | 24 months (then aggregated/anonymized) | Legitimate interest in service improvement |
| Marketing Preferences | Until opt-out or account deletion | Consent |
| Support Communications | 3 years from resolution | Legitimate interest in quality assurance |
| KYC/AML Verification | 5 years after relationship ends | Regulatory compliance (BSA/AML) |

Upon expiration of the applicable retention period, we will securely delete or anonymize the information. Where deletion is not feasible (e.g., information in backup archives), we will isolate and protect the information from further processing until deletion is possible.

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Essential for platform operation, authentication, security, and fraud prevention. | Session cookies, CSRF tokens, load balancing |
| Functional | Remember preferences, language settings, and display configurations. | Language preference, dashboard layout |
| Analytics | Understand how users interact with the Service to improve performance and features. | Google Analytics, Mixpanel, or similar |
| Marketing | Deliver relevant advertisements and measure ad campaign effectiveness. | Meta Pixel, Google Ads, LinkedIn Insight |

7.2 Managing Cookies

You can manage your cookie preferences through our cookie consent banner displayed upon your first visit, or at any time by adjusting your browser settings. Note that disabling strictly necessary cookies may impair the functionality of the Service.

You may also opt out of interest-based advertising through the Digital Advertising Alliance (DAA) at optout.aboutads.info, the Network Advertising Initiative (NAI) at optout.networkadvertising.org, or through your device settings.

8. Data Security

We implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to:

  • Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 or equivalent standards.

  • Access Controls: Role-based access controls, multi-factor authentication for administrative access, and principle of least privilege for system access.

  • PCI-DSS Compliance: Payment card data is handled in compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Payra does not store raw credit card numbers; card data is tokenized by our PCI-DSS-certified payment processor(s).

  • Infrastructure Security: Firewalls, intrusion detection/prevention systems, regular vulnerability assessments, and penetration testing.

  • Employee Training: All employees with access to personal data receive security awareness training and are bound by confidentiality obligations.

  • Incident Response: We maintain a documented incident response plan that is tested and updated regularly.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you have reason to believe your interaction with us is no longer secure, please contact us immediately at privacy@payra.com.

9. Your Rights and Choices

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal information:

9.1 General Rights

  • Right to Access: Request a copy of the personal information we hold about you.

  • Right to Correction: Request correction of inaccurate or incomplete personal information.

  • Right to Deletion: Request deletion of your personal information, subject to legal retention requirements.

  • Right to Data Portability: Request a machine-readable copy of your data for transfer to another service.

  • Right to Restrict Processing: Request limitation of how we process your information in certain circumstances.

  • Right to Object: Object to processing based on legitimate interests, including direct marketing.

  • Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

9.2 How to Exercise Your Rights

To submit a rights request, contact us at privacy@payra.com or through the “Privacy Settings” section of your account dashboard. We will verify your identity before processing your request and respond within the timeframe required by applicable law (generally 30–45 days). If we need additional time, we will notify you of the extension and the reason.

9.3 Marketing Opt-Out

You can opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email, updating your communication preferences in your account settings, or contacting us at support@payra.com. Opting out of marketing will not affect transactional or service-related communications.

10. State-Specific Privacy Disclosures (United States)

Residents of certain U.S. states have additional rights under state privacy laws. This section provides supplemental disclosures as required.

10.1 California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, the purposes for collection, whether we sell or share your information, and the categories of third parties with whom we share it. Payra does not sell personal information and does not share personal information for cross-context behavioral advertising. You may also designate an authorized agent to submit requests on your behalf.

Categories of Information Collected: Identifiers, financial information, commercial information, internet/electronic network activity, geolocation data, professional/employment information, and inferences drawn from the foregoing.

10.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Other States

Residents of Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws may exercise rights to access, correct, delete, and port their data, as well as opt out of targeted advertising, sale of personal data, and profiling. To appeal a denial of a rights request, please contact us at privacy@payra.com with the subject line “Privacy Rights Appeal.”

11. International Data Transfers

Payra is based in the United States, and personal information is primarily stored and processed in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.

Where required by applicable law, we implement appropriate safeguards for international data transfers, which may include Standard Contractual Clauses (SCCs), data processing agreements, or reliance on an adequacy decision. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please note that U.S. data protection laws may not be equivalent to those in your jurisdiction.

12. Children’s Privacy

The Service is designed for use by businesses and is not directed to individuals under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental or guardian consent, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at privacy@payra.com.

13. Data Breach Notification

In the event of a security breach that results in the unauthorized access, disclosure, or loss of personal information, Payra will:

  1. Investigate and contain the breach as quickly as possible.

  2. Notify affected individuals and applicable regulatory authorities within the timeframes required by law (e.g., 72 hours under GDPR, or as required by applicable U.S. state breach notification laws).

  3. Provide a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.

  4. Offer appropriate remediation, which may include credit monitoring, identity theft protection, or other measures depending on the nature and severity of the breach.

Notifications will be sent via email to the address associated with your account, and/or by posting a notice on our website, and/or by other means as required by applicable law.

14. Third-Party Links and Integrations

The Service may contain links to third-party websites, applications, or integrations (including ERP systems, accounting software, and payment networks) that are not operated by Payra. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through or in connection with the Service. Connecting a third-party integration authorizes the data exchange described in the integration setup and the applicable third party’s terms.

15. Merchant Responsibilities as Data Controllers

Merchants who use Payra to invoice and collect payments from their customers act as data controllers (or the equivalent under applicable law) with respect to the End-User data they submit to Payra. As a Merchant, you are responsible for:

  • Obtaining all necessary consents and providing all required notices to your End Users regarding your collection and use of their personal information through the Service.

  • Ensuring that the End-User data you submit to Payra is accurate and lawfully collected.

  • Complying with all applicable data protection laws in your jurisdiction.

  • Responding to or forwarding End-User rights requests that relate to data you control.

Payra acts as a data processor (or service provider under CCPA) with respect to End-User data submitted by Merchants and will process such data solely in accordance with the Merchant’s instructions and this Privacy Policy.

16. “Do Not Track” Signals

Some browsers transmit “Do Not Track” (DNT) signals. There is currently no uniform standard for responding to DNT signals. We do honor Global Privacy Control (GPC) signals as required by applicable law. We do not currently respond to DNT browser signals, but we will update this policy if a standard is established.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page.

  • Provide notice via email to the address associated with your account and/or a prominent notice within the Service at least 30 days prior to the changes taking effect.

  • Where required by law, obtain your consent before applying material changes.

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this page periodically.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Payra, Inc.

Attn: Privacy Officer

Email: privacy@payra.com

Support: support@payra.com

Mailing Address: [INSERT ADDRESS]

For data protection inquiries or to file a complaint, you may also contact the relevant supervisory authority in your jurisdiction.