SagaPay (“we,” “us,” or “our”) operates an AI-Optimized B2B PayFi Trade Finance platform that tokenizes invoices as Real-World Assets (RWAs) and provides instant liquidity using stablecoins. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our website at sagapay.one and our related services (collectively, the “Platform”).
By accessing or using the Platform, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with any part of this policy, please do not use our services.
1. Information We Collect
1.1 Personal Information
When you create an account or use our Platform, we may collect:
- Full legal name, email address, and phone number
- Job title, role, and organizational affiliation
- Authentication credentials managed by Clerk (our identity provider)
- Profile photos and communication preferences
1.2 Business Information
For invoice factoring services, we collect:
- Company legal name, registration number, and jurisdiction
- Business address, tax identification numbers (EIN/VAT)
- Invoice data: amounts, due dates, buyer/seller details, payment terms
- Financial statements and bank account details for disbursement
- Organizational membership and team member information
1.3 Financial & Transaction Data
We process the following financial information:
- Invoice documents (PDF uploads) and extracted financial parameters
- Factoring transaction history, advance rates, and fee calculations
- Payment and billing records processed through Stripe
- Blockchain wallet addresses and on-chain transaction hashes
- USDC stablecoin disbursement records
1.4 KYC/AML Verification Data
As a regulated financial services platform, we collect Know Your Customer (KYC) and Anti-Money Laundering (AML) data through our verification partner Didit, including:
- Government-issued photo identification documents
- Proof of business registration and beneficial ownership declarations
- Sanctions screening results and risk assessment outcomes
- Liveness verification biometric data (processed and stored by Didit)
1.5 Automatically Collected Data
- IP address, browser type, device identifiers, and operating system
- Pages viewed, timestamps, click patterns, and session duration
- Referral URLs and search terms used to reach our Platform
- Error logs and performance metrics for service reliability
2. How We Use Your Information
We use the collected information for the following purposes:
2.1 Invoice Processing & AI Extraction
Uploaded invoice documents are processed by our AI engine powered by OpenAI GPT-4o (text and vision models). The AI extracts structured financial parameters including amounts, dates, buyer/seller information, and payment terms. This extraction is automated and occurs within our Temporal.io workflow orchestration system.
2.2 Risk Scoring & Underwriting
We use AI-driven risk scoring algorithms to assess the creditworthiness of invoices. Risk scores are computed using extracted invoice data, historical payment patterns, and buyer verification results. All risk assessments that exceed the risk threshold require human approval (human-in-the-loop review).
2.3 Account Management & Authentication
We use Clerk for identity management, multi-factor authentication, organization setup, and role-based access control. Session tokens and JWT claims are used to enforce row-level security (RLS) in our database.
2.4 Blockchain Settlement & Tokenization
Verified invoices are tokenized as ERC-3643 compliant NFTs on the Neon EVM (Solana). We use your wallet address and transaction data to process on-chain settlements and USDC stablecoin disbursements.
2.5 Compliance & Legal Obligations
We process your data to comply with applicable anti-money laundering regulations, tax reporting requirements, financial services regulations, and valid legal process requests.
2.6 Service Improvement & Analytics
We analyze aggregated and anonymized usage data to improve our platform, optimize AI model performance, enhance security, and develop new features.
3. Data Sharing & Third Parties
We do not sell your personal information. We share data only with the following categories of service providers necessary to operate the Platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing & subscription billing | Billing details, payment method tokens, transaction amounts |
| Didit | KYC/AML identity verification | Government ID documents, selfie/liveness data, business registration |
| OpenAI | AI invoice extraction & risk analysis | Invoice document content (text and images) for processing |
| Clerk | Authentication & identity management | Email, name, profile data, organization membership |
| Supabase | Database & file storage | All platform data (encrypted at rest, RLS-enforced) |
| Neon EVM | Blockchain settlement | Wallet addresses, tokenized invoice metadata, transaction data |
We may also share information with law enforcement or regulatory authorities when required by applicable law, subpoena, court order, or other valid legal process.
4. Blockchain Data
⚠ Important Notice About Blockchain Transparency
Transactions recorded on the Neon EVM (Solana) blockchain are public and immutable. Once invoice data is tokenized as an on-chain RWA NFT, the associated transaction hashes, wallet addresses, token metadata, and settlement records cannot be modified or deleted. This is an inherent property of blockchain technology.
We minimize on-chain data by storing only essential transaction identifiers and tokenized representations on the blockchain. Sensitive business data (invoice contents, personal information, financial details) is stored off-chain in our encrypted database, with only cryptographic references recorded on-chain.
Your blockchain wallet address may be publicly associated with your tokenized invoice transactions. We recommend using dedicated business wallets separate from personal cryptocurrency holdings.
5. Data Security
We implement industry-standard technical and organizational measures to protect your information:
- Encryption at Rest: All data stored in Supabase Postgres is encrypted using AES-256 encryption at rest
- Encryption in Transit: All data transmitted between your browser and our servers is protected by TLS 1.3
- Row-Level Security (RLS): Multi-tenant data isolation enforced at the database level using Clerk JWT claims
- Secure File Storage: Invoice PDFs are stored in Supabase Storage with per-tenant access policies
- Access Controls: Role-based access control (RBAC) enforced through Clerk Organizations with least-privilege principles
- Audit Logging: Immutable audit trails record all data access, modifications, and compliance-related actions
- Incident Response: We maintain documented incident response procedures and will notify affected users within 72 hours of a confirmed data breach
While we employ rigorous safeguards, no system is completely impenetrable. We cannot guarantee absolute security and encourage you to use strong passwords and enable multi-factor authentication.
6. Your Rights
6.1 Rights Under the GDPR (European Economic Area)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (subject to legal retention obligations and blockchain immutability)
- Right to Restrict Processing: Request limitations on how we process your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
Legal basis for processing: We process your data under contractual necessity (to provide factoring services), legal obligation (AML/KYC compliance), legitimate interest (platform security and improvement), and consent (marketing communications).
6.2 Rights Under the CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise any of these rights, please contact us at privacy@sagapay.one. We will respond to verified requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
7. Data Retention
We retain your personal and business data for as long as necessary to provide our services and comply with legal obligations:
- Account Data: Retained for the duration of your active account. Upon account closure, personal data is deleted within 30 days, except where retention is required by law.
- Financial Records: Transaction records, invoices, and factoring agreements are retained for a minimum of 7 years to comply with tax and financial reporting requirements.
- KYC/AML Records: Identity verification records are retained for 5 years after the end of the business relationship, as required by anti-money laundering regulations.
- Blockchain Records: On-chain data is immutable and cannot be deleted. See Section 4 for details.
- Audit Logs: System audit trails are retained for a minimum of 3 years for compliance and security purposes.
9. International Data Transfers
SagaPay operates globally, and your data may be transferred to and processed in countries outside your country of residence, including the United States, where our primary infrastructure is hosted.
For transfers from the EEA, UK, or Switzerland, we rely on the following legal mechanisms:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Adequacy decisions by the relevant data protection authority
Additionally, blockchain transactions are inherently global — on-chain data is replicated across a decentralized network of validator nodes in multiple jurisdictions.
10. Children's Privacy
SagaPay is a B2B financial services platform designed exclusively for business use. Our services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
If we discover that we have inadvertently collected data from a minor, we will promptly delete such information. If you believe a child has provided us with personal data, please contact us at privacy@sagapay.one.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make material changes:
- We will update the “Last Updated” date at the top of this page
- We will notify registered users via email at least 30 days before material changes take effect
- We will display a prominent notice on our Platform
- Where required by law, we will obtain your consent before applying changes
We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes become effective constitutes your acceptance of the revised policy.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For EEA residents: If you are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
