Privacy Policy

Effective Date: April 14, 2026 · Last Updated: April 14, 2026

YembiPay is committed to protecting the privacy of our Partners and their recipients. This policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.

1. Who We Are

YembiPay Inc. ("YembiPay," "we," "us") is a B2B stablecoin settlement infrastructure provider. Our registered address is [ADDRESS TO BE ADDED]. For privacy inquiries, contact us at privacy@yembipay.com.

2. Data We Collect

2.1 Partner Data (B2B — Your Organization)

Data Type	Purpose	Retention
Organization name, address	KYB verification, account management	Duration of relationship + 5 years
Contact name, email	Account communication, support	Duration of relationship + 5 years
API key hashes	Authentication	Until key rotation or account closure
API usage logs	Rate limiting, billing, security	1 year
IP addresses	Security, rate limiting, fraud prevention	90 days

2.2 Settlement Data (Transaction-Level)

Data Type	Purpose	Retention
Settlement amounts (USDC + local)	Transaction processing, compliance	7 years (BSA requirement)
Wallet addresses (sender)	On-chain settlement, OFAC screening	7 years
Recipient bank account (masked)	Local rail delivery	7 years
FX rates, fees	Settlement calculation, audit trail	7 years
Compliance screening results	Regulatory compliance, audit	7 years
On-chain transaction hashes	Settlement verification, audit	Permanent (public blockchain)

2.3 Travel Rule Data (When Applicable)

Data Type	Purpose	Retention
Originator name, address	FATF Travel Rule compliance	5 years
Beneficiary name	FATF Travel Rule compliance	5 years

Travel Rule data is collected for settlements exceeding $3,000 USD (or lower thresholds where required by local law).

2.4 Data We Do NOT Collect

Private keys or wallet seed phrases (never transmitted to us)
Social Security numbers or government IDs (KYC is your responsibility)
Browsing history, cookies for tracking, or advertising data
Biometric data

3. How We Use Your Data

Purpose	Legal Basis (GDPR)
Process settlement transactions	Contract performance
OFAC/AML compliance screening	Legal obligation
Generate compliance certificates	Legal obligation
Rate limiting and fraud prevention	Legitimate interest
Billing and invoicing	Contract performance
System monitoring and debugging	Legitimate interest
Respond to legal requests (subpoenas, court orders)	Legal obligation

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described below.

4. Data Sharing

We share data only with:

Recipient	Data Shared	Purpose
Local payment rail providers (JamClear, Safe-tt, etc.)	Recipient account, amount	Deliver local currency to recipient's bank
Blockchain (Base L2)	Wallet addresses, amounts	On-chain settlement (public by design)
AWS (infrastructure provider)	Encrypted data at rest	Hosting, storage, monitoring
Compliance screening providers	Wallet addresses, entity names	OFAC/AML screening
Law enforcement (when legally required)	As required by subpoena or court order	Legal compliance

We require all third-party processors to maintain equivalent data protection standards.

5. Data Security

We implement the following security measures:

Encryption at rest: All data stored in encrypted databases (AES-256)
Encryption in transit: All API traffic over TLS 1.2+
Access control: Role-based access with least-privilege principle
API authentication: HMAC-signed API keys, never transmitted in plaintext
PII redaction: Personal data is automatically redacted from application logs
Audit logging: All data access is logged with tamper-evident audit trail
Wallet security: Private keys stored in encrypted environment files with restricted access (chmod 600), never in code or logs

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

6.1 For All Users

Access: Request a copy of the data we hold about your organization
Correction: Request correction of inaccurate data
Deletion: Request deletion of your data (subject to regulatory retention requirements)
Portability: Request your data in a machine-readable format (JSON)

6.2 Additional Rights Under GDPR (EU/EEA)

Restriction: Request restriction of processing
Objection: Object to processing based on legitimate interest
Withdraw consent: Where processing is based on consent
Complaint: File a complaint with your local data protection authority

6.3 Additional Rights Under CCPA (California)

Know: Right to know what personal information is collected and how it's used
Delete: Right to request deletion of personal information
Opt-out: Right to opt out of the sale of personal information (we do not sell data)
Non-discrimination: Right not to be discriminated against for exercising CCPA rights

To exercise any of these rights, contact privacy@yembipay.com. We will respond within 30 days.

7. Data Retention

We retain data for the minimum period required by law or our operational needs:

Transaction records: 7 years (Bank Secrecy Act / AML requirements)
Compliance screening results: 7 years
Travel Rule data: 5 years
API access logs: 1 year
IP addresses: 90 days
Account data: Duration of relationship + 5 years

After the retention period, data is either deleted or anonymized (aggregate statistics with no personal identifiers).

8. International Data Transfers

YembiPay is based in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on:

Standard Contractual Clauses (SCCs) for EU/EEA data transfers
Adequate security measures as described in Section 5

9. Blockchain Data

Settlement transactions are recorded on the Base L2 blockchain. Blockchain data is:

Public: Transaction hashes, wallet addresses, and amounts are visible to anyone
Immutable: Once recorded, blockchain data cannot be deleted or modified
Pseudonymous: Wallet addresses are not directly linked to personal identities on-chain

We cannot delete blockchain data. Right-to-erasure requests apply to our off-chain databases only.

10. Cookies and Tracking

Our API does not use cookies. Our website (yembipay.com) uses only essential cookies for functionality. We do not use:

Advertising cookies or tracking pixels
Third-party analytics that track individual users
Social media tracking widgets

11. Children's Privacy

Our Services are designed for business use only. We do not knowingly collect data from individuals under 18. If you believe we have inadvertently collected such data, contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to registered Partners at least 30 days before taking effect. The "Last Updated" date at the top reflects the most recent revision.

13. Contact

For privacy-related inquiries:

Privacy: privacy@yembipay.com
General: hello@yembipay.com
Data Protection Officer: [TO BE APPOINTED — required if processing EU data at scale]

DISCLAIMER: This document is a template and has not been reviewed by legal counsel. YembiPay should engage a licensed attorney specializing in data privacy and fintech regulation to review and adapt this Privacy Policy before it is published or relied upon.