Privacy policy.
Last updated · 19 May 2026 · v4.1
Whaliepay LLC takes the privacy of every merchant we serve — and every shopper whose payment we route — extremely seriously. This policy explains what data we process, why we process it, how long we keep it, who we share it with, and how to exercise your rights. Signed off by our DPO every six months. Audited annually as part of our SOC 2 Type II programme.
Article 1 · Who we are (the controller)
Whaliepay LLC, a Wyoming limited liability company with registered address 30 N Gould St Ste R, Sheridan, WY 82801, USA, filing number 2023-WHA-09127. Our EU representative under GDPR Article 27 is Whaliepay Europe B.V., Herengracht 442, 1017 BZ Amsterdam, the Netherlands, KvK 92847105. Contact: [email protected].
For data about merchants who hold a Whaliepay console account (admins, finance teams, integration developers), Whaliepay LLC is the data controller. For data about shoppers whose payments we route on behalf of a merchant, Whaliepay acts as a data processor on the merchant's behalf, under our Data Processing Addendum (signed at sign-up, reviewed every renewal).
Article 2 · What we collect from merchants
When you open a Whaliepay route, we collect from each merchant user: full name, professional email, role and seniority, IP at sign-in and at each session, the company name, registered office address, VAT or tax-ID number, the legal representative's identity for KYB purposes, IBAN of the settlement account, the PSP relationships you ask us to plug in, the routing rules you write, the audit log of any action taken in the console, and any messages exchanged with our solutions, integration or support teams.
Article 3 · What we process on behalf of merchants (about shoppers)
When you route a payment through Whaliepay, we process the following on the merchant's behalf: the shopper's billing name, billing address, billing email, BIN of the card (first 6 digits — never the full PAN), masked card number (last 4 digits), card scheme (Visa, Mastercard, Amex), card country, card-issuing bank's name when returned, IP address at payment, device fingerprint generated by the PSP partner, the amount, the currency, the merchant reference (order ID), the routing decision taken by our engine, the PSP that was selected, the auth response and the timestamps. We do not store full PANs, CVVs or expiry dates — those flow directly to the PSP under PCI-DSS scope and never touch Whaliepay servers.
Article 4 · What we never collect
We never collect: full card numbers (PAN), card CVVs or CVC2 codes, card expiry dates, bank passwords or any open-banking credential, shopper's social graph, employee performance data on behalf of merchants, biometric data, sensitive personal data within the meaning of GDPR Article 9. We do not run cross-site advertising pixels and we do not sell, rent or share data with any advertiser. Anti-fraud signals provided by PSP partners are processed in-flight only and never written to our database in identifiable form beyond the duration of the routing decision (typically < 240 ms).
Article 5 · Legal basis for processing
Merchant console data is processed on the legal basis of performance of a contract (Article 6(1)(b) GDPR), being our contract with each merchant. Shopper data is processed on the merchant's behalf on the legal basis of the merchant's legitimate interest in accepting payment for goods or services (Article 6(1)(f) GDPR). KYB documentation collected from merchants is processed on the basis of legal obligation under EU AML Directive 5 (2018/843) and the Dutch implementation (Wwft).
Article 6 · How long we keep data
Merchant console data is kept for the duration of the contract plus 90 days for recovery purposes. Audit logs of console actions are kept for 7 years to comply with our SOC 2 Type II and ISO 27001 controls. Routing decisions, including the metadata listed in Article 3, are kept for 5 years to comply with AML record-keeping obligations under Wwft Article 33. KYB documentation is kept for 7 years after the end of the merchant relationship. Anti-fraud telemetry is retained for 13 months for fraud-model retraining, then aggregated and anonymised.
Article 7 · Where the data lives
All Whaliepay production data — the routing engine, the console database, the audit log, the merchant settlement ledger — is hosted exclusively in the European Union, primarily in our eu-west-3 region (OVHcloud Strasbourg, France) with a hot standby in eu-central-1 (Scaleway Frankfurt, Germany). No production merchant or shopper data is transferred outside the EU. The card-acquiring scheme (Visa, Mastercard) operates its own infrastructure to which we transmit a tokenised reference; the scheme's own data-processing rules apply.
Article 8 · Subprocessors
Our current subprocessors are: OVHcloud SAS (hosting, Strasbourg), Scaleway SAS (hosting standby, Frankfurt), Cloudflare Inc. with EU SCC (CDN), Datadog France SAS (monitoring, Paris), Sentry EU (error tracking, Frankfurt), Stripe Payments Europe Ltd (PSP, Dublin), Adyen N.V. (PSP, Amsterdam), Checkout.com SAS (PSP, Paris), Mollie B.V. (PSP, Amsterdam), 14 additional PSPs listed at /integrations.html. We update this list within 7 days of any change and notify all merchants by email 30 days in advance of any material change.
Article 9 · Your rights as a merchant user
Each merchant user can exercise the following rights by emailing [email protected] or by raising a ticket from the Whaliepay console: right of access (Article 15 GDPR), right of rectification (Article 16), right of erasure (Article 17, subject to legal retention obligations), right to restrict processing (Article 18), right to data portability (Article 20, we provide JSON exports of console data within 7 business days), and right to object (Article 21). We respond to all rights requests within 30 days, typically within 5 business days. We do not charge a fee. You may also lodge a complaint with your DPA — our lead supervisory authority in the EU is the Dutch DPA (Autoriteit Persoonsgegevens) given our EU representative is located in Amsterdam.
Article 10 · Rights of shoppers
Shoppers should exercise their data subject rights with the merchant they transacted with, since the merchant is the data controller. Shoppers may also write to [email protected] to ask Whaliepay to relay the request to the relevant merchant — we relay within 48 hours of receipt and copy the shopper on the relay. Whaliepay does not action a shopper's rights request directly on the merchant's data without instruction from the merchant, except where required by an enforceable court order or regulator decision.
Article 11 · Security and certifications
TLS 1.3 in transit (TLS 1.2 minimum), AES-256 at rest with keys managed by AWS KMS in eu-west-3 and rotated every 90 days. Backups encrypted with separate keys, replicated every 6 hours to a second region, tested for restoration weekly. SAML SSO and FIDO2 hardware-key 2FA mandatory for all Whaliepay staff. Audit logs on every administrative action with 7-year retention. Quarterly external penetration tests by NCC Group (Amsterdam office); last test completed 14 March 2026, reports available under NDA. Certifications: SOC 2 Type II (renewed annually), ISO 27001:2022 (3-year cycle, last renewal Sep 2025), PCI-DSS Level 1 (validated quarterly through our PSP scope-reduction architecture, AOC available under NDA).
Article 12 · Cookies and tracking
Whaliepay uses a small set of strictly necessary cookies to keep merchant users signed in to the console and to remember language preference. We use server-side Plausible Analytics (EU edition, no cookies, no fingerprinting) on the marketing site. We do not embed Google Analytics, Meta Pixel, LinkedIn Insight or any cross-site tracker. Full cookie inventory at /legal/cookies.html.
Article 13 · International transfers
No production data leaves the EU. The internal tooling exceptions (Datadog US fallback if EU is down, Sentry US fallback) operate under European Commission Standard Contractual Clauses (Decision 2021/914) with supplementary measures including additional EU-managed encryption keys. A Transfer Impact Assessment is available on request to [email protected].
Article 14 · Automated decision-making
Whaliepay's routing engine takes an automated decision about which PSP to route each payment to. This decision is made on the basis of historical auth-rate, current PSP health, card BIN, MCC, geography and the routing rules each merchant has written. Where the decision results in a payment being declined by the selected PSP, the rejection is communicated to the merchant in real time with the PSP's response code, allowing the merchant to apply its own retry policy. Whaliepay does not make solely automated decisions that produce a legal or similarly significant effect on a shopper within the meaning of GDPR Article 22 — the legal effect (charge declined, payment refused) is taken by the PSP under its own rules.
Article 15 · Children
Whaliepay is a B2B service for adult employees of merchant companies. We do not knowingly collect data about anyone under 16 (or the relevant national age of digital consent). If we become aware of such data, we delete it immediately.
Article 16 · Changes to this policy
We update this policy whenever our practices change. Material changes are announced 30 days in advance by email to all active merchants and noted in the public changelog at /changelog.html. The "Last updated" date at the top of this document reflects the current version. Previous versions are archived and available on request.
Article 17 · Contact
For any privacy question, write to [email protected] — we answer within 5 business days. Our Data Protection Officer is reachable at [email protected]. For a formal Article 27 request to our EU representative, write to Whaliepay Europe B.V., att. DPO, Herengracht 442, 1017 BZ Amsterdam, the Netherlands.
— The Whaliepay engineering & legal team, Amsterdam · Lyon · Berlin, 19 May 2026.