Privacy Policy

Last updated: March 1, 2026 · Effective: April 1, 2026

1. Who We Are

PayClaw LLC (“PayClaw,” “we,” “us,” “our”) provides a technology platform for AI agent identity and payment. We offer two products:

  • Badge — Verifies an AI agent's identity to merchants before it shops. Badge is free and involves no financial transactions. When your agent presents itself to a merchant, Badge provides a cryptographic verification token that confirms the agent is acting on behalf of an authorized user, without revealing your personal identity to the merchant.
  • Spend — Issues single-use virtual Visa cards for agent purchases. Virtual cards are issued by our sponsor bank through our card issuing partner Lithic, Inc. PayClaw is a technology partner and program manager — not a bank, card issuer, or money transmitter. Spend is currently available in sandbox mode (test transactions only).

This Privacy Policy explains how we collect, use, and protect your information when you use our website, dashboard, API, and MCP server (collectively, the “Service”). We collect only the information necessary to provide the Service.

2. Data Controller

PayClaw LLC is the data controller for the personal data described in this Privacy Policy. We determine the purposes and means of processing your personal data in connection with the Service.

For data protection inquiries, contact us at privacy@payclaw.io.

3. Information We Collect

Account Information

When you create an account via OAuth (Google or GitHub), we receive your email address and name from the OAuth provider. We do not collect or store passwords — authentication is handled entirely through your OAuth provider. You may optionally provide additional information such as your full name for display purposes. If you enable Spend, our card issuing partner Lithic, Inc. may collect additional identity information (name, address, date of birth, and government-issued identification) as required by applicable Know Your Customer (KYC) regulations.

API Keys

We store a one-way cryptographic hash (SHA-256) of your API keys. We cannot see or recover your raw API key after creation. We also store the first 8 characters of each key for display and identification purposes, along with a user-assigned label and timestamps for creation, revocation, and last use.

Consent Events

Every time you generate an API key, we log the consent event, including: your user ID, the consent type (Badge or Spend), the version of the disclosure text shown to you, metadata about where consent was given (browser and page), and the timestamp. These records document that you reviewed and accepted the disclosure before authorizing your agent.

Verification Tokens (Badge)

When your agent requests identity verification, we generate a cryptographic verification token (HMAC-SHA256). This token is derived from your user ID, a timestamp, and a server-side secret. The token cannot be reversed to reveal your identity without our server-side secret. We also store: a session identifier provided by the agent, the verification layer (identity or payment), optional merchant context if the agent provides it, and token creation and expiration timestamps. Tokens expire after 24 hours.

Badge Events

After a verification token is issued, we record events about the outcome of your agent's interaction with the merchant. This includes: the event type (identity presented, trip complete, trip success, or trip failure), the outcome (accepted, denied, inconclusive, or no sampling), the merchant name (if provided by the agent), and a brief detail about the outcome. Badge events can only be created when a valid verification token exists — no token means no tracking.

Spend Transaction Data

If you use Spend, we record: wallet balance, deposit records (amount, Stripe payment intent ID, status), purchase intent declarations (merchant, estimated amount, description, policy result), card records (Lithic card token and last four digits only — we do not store full card numbers), and transaction records (amount, merchant, status, reconciliation result). This data powers your dashboard, our intent authorization engine, and our compliance obligations.

Usage and Security Data

We collect standard server logs (IP address, request timestamps, user agent) for security monitoring, rate limiting, and abuse prevention. We maintain an audit log of all significant actions on your account, including key generation, card issuance, deposits, and settings changes.

Waitlist and Feedback

If you join our waitlist or submit feedback, we collect your email address, user type, and any feedback content including the page URL and browser information at the time of submission.

4. Information We Do NOT Collect or Store

  • Your real credit or debit card number. Payment processing is handled entirely by Stripe. We never see, transmit, or store your card details.
  • Virtual card numbers (PANs). Virtual cards are issued and managed by Lithic, Inc. and our sponsor bank. We store only the Lithic card token and last four digits for display.
  • Passwords. We use OAuth-based authentication (Google, GitHub). We do not collect or store passwords.
  • Your agent's browsing history, cart contents, or price data. Badge tracks only whether your agent's identity was accepted or denied by a merchant. We do not collect what pages the agent visited, what items it looked at, what prices it saw, screenshots, page content, or any data outside the scope you consented to.
  • Ambient or background agent behavior. We record events only within the scope of an active verification token that you authorized. No token means no tracking.
  • Phone number, SSN, government ID, or date of birth. We do not collect these at signup. If you enable Spend, Lithic, Inc. (not PayClaw) collects identity information required for KYC directly.

5. Consent Model (Badge)

Badge operates on a token-based consent model. When you generate an API key, you are shown a disclosure describing exactly what your agent will present to merchants and what data will be recorded. Generating the key after reviewing this disclosure constitutes your consent for the declared scope.

How Consent Works

  • Consent moment: You review the disclosure text at API key generation and generate the key with knowledge of what your agent will do.
  • Consent boundary: No verification token can be issued, and no Badge event can be recorded, without a valid API key. The token IS the consent boundary.
  • Current scope: [BROWSE] — agent identity declarations and their outcomes at merchants.
  • Future scopes: Additional scopes (such as search, cart, and checkout activity) may be offered in future versions. Each additional scope will require separate, explicit opt-in consent.
  • Revoking consent: Revoke your API key at any time via the dashboard. Revoking a key immediately stops all future token generation and event recording for that key.

We log the version of the disclosure text shown to you at the time of key generation, so there is a permanent record of what you consented to.

6. What Merchants See

When your agent presents its Badge identity to a merchant, the merchant receives: a cryptographic verification token (which cannot be reversed to identify you), the agent type, the authorized scope, and a contact email (agent_identity@payclaw.io).

Merchants cannot derive your identity from the token alone. If a merchant contacts us to verify a token, we will confirm only whether the token is valid, expired, or revoked. We will not disclose your identity to a merchant without your explicit consent.

7. How We Use Your Information

  • To provide and operate the Service (account management, identity verification, card issuance coordination, transaction processing)
  • To generate and manage verification tokens for agent identity (Badge)
  • To record Badge event outcomes within your consented scope
  • To enforce spending policies and authorization rules you configure (Spend)
  • To generate your dashboard (trip outcomes for Badge, transaction audit trail for Spend)
  • To power automated intent authorization decisions (see Section 12)
  • To detect and prevent fraud, abuse, and unauthorized access
  • To comply with legal and regulatory obligations
  • To send you critical account notifications (security alerts, transaction confirmations)

Legal Basis for Processing

We process your information on the following bases:

  • Consent — for Badge identity verification and event recording (you consent by generating an API key after reviewing the disclosure; see Section 5)
  • Contractual necessity — to provide the Service you signed up for, including Spend transaction processing
  • Legal obligation — to comply with financial record-keeping, KYC/AML, and tax requirements
  • Legitimate interest — to prevent fraud, improve the Service, maintain security, and generate aggregate analytics

8. Third-Party Services

We share data with the following partners, solely to operate the Service. Each partner operates under a data processing agreement with PayClaw.

Supabase

Hosts our database and authentication system. Stores your account data, verification tokens, Badge events, transaction records, and hashed API keys. Data stored in the United States. Subject to Supabase's Privacy Policy.

Google & GitHub (OAuth Identity Providers)

Handle authentication only. When you sign in, we receive your name and email address from the provider you choose. We do not receive or store your Google or GitHub password. Subject to Google's Privacy Policy and GitHub's Privacy Statement.

Lithic, Inc. & Sponsor Bank

Our card issuing partner and sponsor bank (Spend only). Receives identity information for KYC verification and card issuance. Processes virtual card transactions. Subject to Lithic's Privacy Policy.

Stripe

Processes account deposits (Spend only). Receives your payment card details directly on Stripe's hosted checkout page. PayClaw does not see or store your payment card number. Subject to Stripe's Privacy Policy.

Vercel

Hosts our web application. Collects standard request logs (IP, timestamp, user agent, path) and anonymous performance metrics. No personally identifiable information is collected by Vercel Analytics. Subject to Vercel's Privacy Policy.

Resend

Sends transactional emails (account verification, transaction notifications, security alerts). Receives your email address and notification content. Subject to Resend's Privacy Policy.

When your agent completes a Spend purchase, virtual card credentials are shared with the merchant to process the transaction. When your agent presents Badge identity, the verification token and disclosure are shared with the merchant. These are inherent to how the Service works and are not a “sale” of your data.

We do not sell your data to third parties. We do not share your data for cross-context behavioral advertising. We do not use your data for advertising or marketing targeting. We do not use Google Analytics, Facebook Pixel, retargeting pixels, or any third-party marketing analytics.

9. Data Security

  • All data is encrypted in transit (TLS) and at rest
  • API keys are stored as irreversible SHA-256 cryptographic hashes
  • Verification tokens are HMAC-SHA256 — they cannot be reversed to reveal user identity without our server-side secret
  • All accounts use OAuth-based authentication (Google or GitHub)
  • Multi-factor authentication (MFA) is required for Spend-enabled accounts
  • Row-level security (RLS) ensures users can only access their own data
  • Administrative access is logged and restricted
  • Virtual card issuing infrastructure is PCI-DSS compliant (managed by Lithic, Inc.)
  • Automated security scanning on every code change, with secret detection and dependency auditing
  • Full audit trail on all significant account actions

10. Data Retention

We retain your data for the minimum period necessary to provide the Service, comply with legal obligations, and resolve disputes. The following table describes our retention periods by data category:

Data Category | Retention Period | Basis
Account data (profiles) | Until account deletion + 30-day grace period | Contractual necessity
API keys (hashed) | Until revoked + 90 days | Security audit trail
Consent records | Permanent (never deleted) | Proof of consent (GDPR Art. 7(1))
Verification tokens | Tokens expire at 24 hours; records archived at 90 days | Consent boundary proof
Badge events | 2 years, or until account deletion (whichever is earlier); anonymized on deletion | Legitimate interest
Spend transactions | 7 years | Financial record-keeping (BSA/AML, tax)
Audit logs | 7 years | Legal obligation
Server logs (Vercel) | Per Vercel's retention policy | Hosting provider policy
Waitlist and feedback | 1 year after conversion or last contact | Legitimate interest

You may request account deletion by contacting us. Upon deletion, we will remove your account data and anonymize associated Badge events (by removing the user ID linkage). We will retain data where required by law, including: financial transaction records and audit logs (7 years), consent records (permanent), and any data subject to an active legal hold or investigation.

Anonymization satisfies erasure requirements — once data can no longer be attributed to an identifiable individual, it is no longer personal data.

11. Cookies and Similar Technologies

We use strictly necessary cookies to maintain your authenticated session. These cookies are set by our authentication provider (Supabase) and are required for the Service to function. They cannot be disabled while using the Service.

We do not use cookies for advertising, cross-site tracking, or behavioral profiling. Our hosting provider (Vercel) may collect anonymous performance metrics using cookieless analytics.

You can control cookies through your browser settings, but disabling session cookies will prevent you from using the Service.

12. Automated Decision-Making

PayClaw's intent authorization engine uses automated processing to evaluate purchase requests from your AI agents (Spend only). This includes checking purchase intents against your configured spending limits, merchant whitelists, and per-intent caps. Transactions may be automatically approved or declined based on these rules.

Our post-purchase auto-audit system automatically flags transactions where the actual charge deviates from the declared intent by more than 20%.

You may request human review of any declined transaction or audit flag by contacting support@payclaw.io.

13. Data Breach Notification

In the event of a security breach involving your personal information, we will notify you in accordance with applicable law. Where required by GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach involving personal data, and will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms. Notification will include: the nature of the breach, the types of information involved, the steps we are taking to address it, and steps you can take to protect yourself.

We maintain a written security incident response plan and will cooperate with applicable regulators as required.

14. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements; see Section 10)
  • Request restriction of processing
  • Data portability (receive your data in a structured, machine-readable format)
  • Object to processing based on legitimate interest
  • Withdraw consent for Badge identity verification at any time (by revoking your API key)
  • Request human review of automated decisions (see Section 12)

To exercise these rights, contact us using the methods listed in Section 19.

Response timelines: For requests under GDPR (EU/EEA/UK residents), we will respond within 30 days, extendable by 60 days for complex requests with notice. For requests under CCPA (California residents), we will respond within 45 days, extendable by 45 days with notice.

Right to lodge a complaint: If you are in the EU/EEA, you have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data violates applicable law.

15. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to Know. You may request the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete. You may request deletion of your personal information. We may retain information where permitted by law, including for: completing transactions, detecting fraud, complying with legal obligations, and exercising or defending legal claims.
  • Right to Correct. You may request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale/Sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at privacy@payclaw.io or write to us at the mailing address in Section 19. We will verify your identity before processing your request and respond within 45 days.

Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers: name, email address, IP address, API key hashes, verification token identifiers
  • Financial information: transaction records, account balances, deposit records (note: we do not collect or store payment card numbers)
  • Commercial information: purchase intents, transaction history, merchant interactions, Badge event outcomes
  • Internet activity: server logs, request timestamps, user agent strings
  • Personal information per Cal. Civ. Code §1798.80: name, address (collected by Lithic, Inc. for KYC, Spend only)

16. Children

Badge requires an OAuth account (Google or GitHub), which requires users to be at least 13 years old. Spend requires users to be at least 18 years old. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete that information.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@payclaw.io.

17. Data Location and International Transfers

Your data is primarily stored and processed in the United States by our service providers (Supabase, Vercel, Stripe, Lithic).

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data transfer restrictions, your personal data will be transferred to the United States for processing. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other valid transfer mechanisms, to ensure that your personal data receives an adequate level of protection when transferred outside the EEA.

If any sub-processor processes data outside the United States, they do so under appropriate data transfer safeguards as required by applicable law.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on our website at least 30 days before changes take effect. Your continued use of the Service after changes constitutes acceptance.

19. Contact

For privacy questions, data requests, or concerns:

For transaction disputes or unauthorized activity, contact support@payclaw.io.

For agent identity verification inquiries (merchants), contact agent_identity@payclaw.io.