What we collect
The data we collect depends on how you interact with PayBridgeNP. Merchants provide account, business, project, API, and provider credential information. Customers may provide payment references, contact details, and addresses where the merchant's checkout flow requests them.
- Account data — name, email, password hash, authentication settings, team-member roles, support history.
- Business and project data — merchant name, environment (live or sandbox), webhook endpoints, API keys, branding settings (logo, color, footer text), provider configuration.
- Transaction data — amount, currency, provider, payment status, session IDs, reference numbers, metadata, and callback / webhook delivery logs.
- Customer contact data — when collected by the merchant's checkout: customer name, email, phone number, billing and shipping addresses. Used to render the receipt, complete the payment, and send transactional notifications. PayBridgeNP does not market to customers.
- SMS log data — recipient phone, template name, message body, send status, provider reference, error reason. Visible to the merchant in their /sms history page and used by support to debug delivery issues.
- Email log data — recipient email, template name, send status, provider reference. Used by support to debug delivery issues.
- Website and analytics data — IP address, browser details, device information, pages visited, and Google Analytics-derived aggregates.
How we use data
We use data to operate the platform, secure accounts, confirm payment outcomes, deliver webhooks, send transactional notifications, troubleshoot merchant issues, and improve reliability of the product.
- To create and manage merchant accounts, authenticate users, and protect access with security controls such as email verification and optional 2FA.
- To create checkout sessions, route customers to supported providers, verify provider callbacks, and keep payment state in sync.
- To deliver dashboards, public payment-tracking pages, refund records, webhook logs, SMS history, and operational reporting.
- To send customer-facing transactional notifications (payment receipts, refund confirmations, payment reminders) on behalf of the merchant.
- To detect abuse, enforce rate limits, investigate fraud or suspicious behavior, and comply with legal obligations.
Sub-processors
PayBridgeNP relies on the following third-party providers to operate the platform. Each is bound by their own data-processing terms; we work only with vendors who provide reasonable security and privacy guarantees.
- Neon (United States / EU) — managed Postgres database hosting. Stores all merchant, project, transaction, and notification log data.
- Railway (United States) — application hosting for the API and Shopify integration services.
- Vercel (United States) — application hosting for the marketing site and merchant dashboard.
- Cloudflare (United States) — DNS, WAF, CDN, R2 object storage (merchant-uploaded brand and receipt logos at cdn.paybridgenp.com), and Cloudflare for SaaS (custom checkout hostnames for Premium merchants).
- Upstash (United States) — managed Redis used for sliding-window rate limits.
- Resend (United States) — transactional email delivery (verification, password reset, payment receipts, refund notifications, invoice reminders).
- bulk.bedbyaspokhrel.com.np (Nepal) — SMS gateway used to deliver transactional SMS to customer phones in Nepal.
- Google Analytics (United States) — aggregate website-traffic measurement.
- Mintlify (United States) — documentation hosting at docs.paybridgenp.com.
- Discord (United States) — community channel used for release notifications and support discussion. Joining is optional.
- Anthropic (United States) — AI inference (Claude) used exclusively within the PayBridgeNP ID Insights feature to extract transaction rows from uploaded bank and wallet statements. Only stripped, PII-free statement text reaches Anthropic - see the "PayBridgeNP ID - Insights imports" section below for the full scrubbing process. Calls go directly to Anthropic's API on a workspace configured for zero data retention; submitted statement text is not used to train models and is not retained server-side beyond the request. Anthropic privacy policy.
We will update this list when we add or remove a sub-processor that processes personal data. Material changes will be reflected in the "Last updated" date above.
SMS and email notifications
PayBridgeNP sends transactional SMS and email on behalf of merchants — for example a "payment received" receipt to the customer who just paid, or a "complete your payment" reminder for an abandoned Shopify checkout. We never send marketing messages.
- What goes out — payment receipts, refund confirmations, abandoned-checkout reminders, invoice notifications, security alerts, and platform-level account emails (verification, password reset).
- SMS log — every dispatch (whether sent or suppressed) is recorded with recipient phone, template, body, status, and provider reference. Merchants can view this in their dashboard at /sms.
- Per-template controls — merchants can disable any template (payment success, payment failed, refund, invoice reminders) from /settings/emails and /sms settings.
- Sandbox mode — when a merchant is in sandbox, SMS dispatches are logged but never reach the provider. No real money or messages move during testing.
- Free plan — SMS dispatch is suppressed but logged so merchants can preview what would have gone out before upgrading to Premium.
MCP and AI agents
PayBridgeNP publishes an official Model Context Protocol (MCP) server so merchants can connect AI assistants (Claude, ChatGPT, Cursor, and others) to their merchant data. Agents authenticate with a scoped token issued by the merchant from their dashboard.
- Read access — agents can list and inspect payments, refunds, customers, invoices, webhooks, and KPIs the merchant could see in the dashboard.
- Write access (Premium only) — issuing refunds, creating payment links, modifying subscriptions. Confirmation prompts are surfaced for money-moving actions.
- Audit trail — every MCP-driven action is logged to the dashboard activity log with the agent identifier, so merchants can see exactly what the agent did.
- Merchant responsibility — the merchant is responsible for the AI assistant they connect, the prompts they issue, and the data they share with that assistant. Disconnect a token from /mcp at any time.
Uploaded files
Merchants can upload brand and receipt logos from the dashboard (/settings and /settings/emails). These files are stored in Cloudflare R2 and served from cdn.paybridgenp.com using unguessable random filenames.
- Public reads — receipt logos must be embeddable in customer emails, so the URL is public. Filenames contain only a timestamp and 128 random bits — no merchant ID or other internal identifier is exposed.
- Replacement — uploading a new logo replaces the previous one and best-effort deletes the older object from R2.
- Removal — clicking "Remove logo" in the dashboard nulls the URL on your account and best-effort deletes the R2 object.
PayBridgeNP ID - Insights imports
PayBridgeNP ID (id.paybridgenp.com) is a consumer identity layer that lets buyers view their spending history across eSewa, Khalti, Fonepay, and their bank accounts. The Insights feature allows users to upload wallet exports and bank account statements to build a unified transaction view. This section explains exactly what happens to uploaded files.
- What you upload — eSewa or Khalti transaction exports (CSV or XLS), or bank account statement files (PDF or Excel) from any Nepali bank.
- PII scrubbing before AI processing — before any text from your bank statement leaves our servers, an automated process strips the following fields line by line: your account holder name, account number (replaced with the placeholder [ACCOUNT]), opening and closing balances, available balance, branch name and address, phone number, email, SWIFT code, and IFSC code. Transaction rows - which are anchored by a date - pass through untouched. The LLM receives only dates, amounts, and narration text.
- AI-assisted extraction — the scrubbed text is sent directly to Anthropic's Claude (a third-party AI service, listed in the sub-processors section above) on a workspace configured for zero data retention. The model identifies transaction rows and returns a structured list of dates, amounts, and descriptions. No other information from the statement is returned or stored, and Anthropic does not retain the submitted text or use it for training.
- Immediate file deletion — the original statement file is held in server memory only for the duration of parsing and is never written to disk or object storage. After the AI extraction is complete, the in-memory bytes are released. Only the extracted transaction rows are persisted in the database.
- What is stored — for each extracted transaction: date, amount (in paise), a direction flag (debit or credit), currency (NPR), a narration description (max 255 characters), and the source kind (esewa, khalti, or bank). No account numbers, balances, or personal identifiers from the statement are stored.
- Duplicate detection — we compute a SHA-256 hash of each uploaded file before parsing. If the same file has already been imported, we return an "already imported" response without re-running the AI extraction or creating a duplicate record.
- Retention and deletion — imported transactions are retained for as long as your PayBridgeNP ID account is active. You can delete any individual import (and all its transactions) from the Insights import page. Deleting your account removes all Insights data.
- Access — imported transaction data is private to your PayBridgeNP ID account. PayBridgeNP staff can access de-identified aggregate statistics for reliability monitoring, but do not routinely read individual transaction narrations.
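One way to implement the line-by-line scrub and the SHA-256 duplicate check described in this section, as an added example that is not PayBridgeNP's own code. The label patterns, date formats, function names and the sample statement are assumptions constructed for illustration, and the input is assumed to be statement text that has already been extracted from the uploaded file.

```python
import hashlib
import re

# All patterns are assumptions for illustration; real statement layouts vary by bank.
DATE_ANCHOR = re.compile(r"^\s*(\d{4}-\d{2}-\d{2}|\d{2}[/-]\d{2}[/-]\d{4})\b")
ACCOUNT_LINE = re.compile(
    r"^(\s*(?:account|a/c)\s*(?:number\b|no\b\.?)\s*[:\-]?\s*).*$", re.I)
DROP_LINE = re.compile(
    r"^\s*(account\s+holder|name|(opening|closing|available)\s+balance|"
    r"branch|address|phone|mobile|email|swift|ifsc)\b", re.I)

# Constructed sample statement (not real data).
SAMPLE_STATEMENT = b"""Example Bank Ltd.
Account Holder: Sita Example
Account Number: 0012345678901
Branch: Kathmandu Main, New Road
Phone: 9800000000
Email: sita@example.com
SWIFT: EXMPNPKA
Opening Balance: 12,500.00
2024-01-03 ATM WITHDRAWAL 2,000.00 DR
03/01/2024 ESEWA LOAD 500.00 DR
Closing Balance: 10,000.00
"""

def scrub_statement(text):
    """Strip header PII line by line; date-anchored rows pass through untouched."""
    kept = []
    for line in text.splitlines():
        if DATE_ANCHOR.match(line):
            kept.append(line)  # transaction row: date, amount, narration
        elif ACCOUNT_LINE.match(line):
            kept.append(ACCOUNT_LINE.sub(r"\1[ACCOUNT]", line))
        elif line.strip() and not DROP_LINE.match(line):
            kept.append(line)  # unlabelled, non-empty line is kept as-is
    return "\n".join(kept)

def import_statement(file_bytes, seen_hashes):
    """Hash the raw file before parsing; skip the scrub if it was already imported."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    if digest in seen_hashes:
        return "already imported", None
    seen_hashes.add(digest)
    return "imported", scrub_statement(file_bytes.decode("utf-8", errors="replace"))

if __name__ == "__main__":
    seen = set()
    print(import_statement(SAMPLE_STATEMENT, seen)[1])
    print(import_statement(SAMPLE_STATEMENT, seen)[0])
```

Label matching in this example cannot see an address that wraps onto an unlabelled second line or a name embedded in a narration, so its output should still be checked for residual identifiers before it is sent anywhere.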
Retention and security
We keep information for as long as it is needed to provide the service, maintain reliable payment records, resolve disputes, meet compliance obligations, and enforce our agreements.
- Free plan — list endpoints (payments, refunds, sessions, webhooks, SMS log) are clamped to the most recent 30 days. Older records still exist for audit but are not surfaced in the API or dashboard.
- Premium plan — full historical retention with no list-endpoint cap.
- Sensitive credentials — provider API keys and signing secrets are encrypted at rest with AES-GCM using a key not stored in source control.
- Passwords — hashed with Argon2id; never stored in plaintext or sent to third parties.
- Sandbox data — kept indefinitely for the merchant's reference; sandbox SMS and emails are never delivered to recipients.
Your choices
Merchants can request updates or deletion of account information, subject to records we need to retain for legitimate business or legal reasons. Customers should generally contact the merchant first for questions about a specific purchase, because the merchant controls the underlying transaction purpose.
You can also manage cookie preferences through your browser settings. For privacy requests, contact support@paybridgenp.com and include enough detail for us to verify the request safely.
Shopify integration
When a merchant installs PayBridgeNP for Shopify on their Shopify store, the app processes a limited set of customer data to facilitate payment collection. This section explains what is collected, why, and how long it is retained.
- Customer email and phone number — read from the Shopify orders/create webhook payload. Used exclusively for transactional payment-link delivery: SMS and email messages that contain a secure link to the PayBridgeNP hosted checkout. Not used for marketing, profiling, or automated decision-making.
- Customer name — read from the order payload to personalise the payment notification message (e.g. "Hi Aarav, complete your payment..."). Stored only within the checkout session metadata.
- Retention — customer email and phone number are stored on the pending-order record while the order is active (awaiting payment, reminders in progress). Once the order reaches a terminal state (paid, cancelled, or expired), these fields are automatically nulled out after 90 days by a daily retention scrub. This satisfies Shopify's data-minimisation requirements (L1.8).
- GDPR compliance — the app implements Shopify's mandatory GDPR webhooks: customers/data_request (logs matching row count without echoing PII), customers/redact (nulls email and phone on matching rows), and shop/redact (purges all data for the shop and deletes the shop record).
- Address fields — the app reads the customer's shipping name for the greeting. When the merchant has the Protected Customer Data Access scope granted by Shopify, address fields may also be passed through to PayBridgeNP for tax and fulfilment context. Address data is never persisted by the Shopify app outside the order's checkout session.
- Cross-app routing — customer SMS is dispatched via PayBridgeNP's central messaging service (subject to merchant plan, sandbox mode, per-template toggles, and rate limits). The Shopify app does not call the SMS provider directly.
WooCommerce integration
PayBridgeNP for WooCommerce acts as a standard WooCommerce payment gateway plugin. It redirects customers to the PayBridgeNP hosted checkout page and receives payment confirmation via signed webhooks. The plugin does not store any additional customer data beyond what WooCommerce itself stores.
- Order metadata — the plugin attaches the WooCommerce order ID and order key to the PayBridgeNP checkout session as metadata. This is used to match the incoming payment webhook to the correct order. The metadata is stored on the PayBridgeNP API alongside the checkout session record.
- No PII stored by the plugin — customer name, email, phone, and address are managed entirely by WooCommerce's own order storage. The PayBridgeNP plugin reads the order total and key but never independently copies or persists personal data.
- Webhook payloads — signed webhook deliveries from PayBridgeNP to WooCommerce contain payment status, provider reference, and amount. They do not contain customer PII. The signing secret is stored in wp_options by WooCommerce's built-in settings API.
WHMCS integration
PayBridgeNP for WHMCS is a standard WHMCS payment gateway module, available on the WHMCS Marketplace. It works the same way as the WooCommerce plugin: customers are redirected to the PayBridgeNP hosted checkout, and the invoice flips to Paid via signed webhook callback.
- Invoice metadata only — the module passes the WHMCS invoice ID and amount to PayBridgeNP. Customer details remain managed by WHMCS's built-in client database.
- No additional PII storage — the module does not extract or copy WHMCS client records.
Data subject rights
If you are a customer whose data has been processed through a PayBridgeNP-powered checkout:
- Right to access — you can request a copy of the personal data PayBridgeNP holds about you by emailing support@paybridgenp.com with enough identifying information for us to locate your records (e.g. the order reference, your email, or the merchant's store name).
- Right to deletion — you can request deletion of your personal data. For Shopify integrations, email and phone are automatically deleted after 90 days; a manual deletion request accelerates this. Transaction audit records (amounts, dates, provider references) are retained for legal compliance and cannot be deleted.
- Right to rectification — if any personal data PayBridgeNP holds about you is inaccurate, you can request correction by contacting support@paybridgenp.com.
- Merchant responsibility — because PayBridgeNP processes customer data on behalf of the merchant, data subject requests should first be directed to the merchant whose store you purchased from. The merchant may then work with PayBridgeNP to fulfil the request.
- Response timeline — we respond to data subject requests within 30 days. If we cannot complete your request within that period, we will notify you of the reason for the delay and the expected completion date.