Contents

  1. Who we are
  2. Data we collect
  3. Data we don't collect
  4. How we use data
  5. Sharing with third parties
  6. Your customers' privacy
  7. Cookies
  8. How we protect data
  9. Data retention
  10. Your rights
  11. Children
  12. Changes to this policy
  13. Contact

1. Who we are

xD Pay ("we", "us") provides point-of-sale software that lets businesses accept crypto payments and receive regular money via CoinGate, a licensed payment processor. In this policy, "merchant" or "you" means the business using xD Pay, and "customer" means a person paying a merchant.

For merchant account data, xD Pay acts as the data controller. For payment processing, CoinGate acts as an independent controller under its own privacy policy.

2. Data we collect

Account data

  • Name, email address, and a password (stored only as a salted hash — we cannot read it).
  • Business details you provide during onboarding: business name, country, and payout currency preference.
  • Team member accounts (names and emails of cashiers you add).

Payment records

  • For each sale: the amount, currency, optional note (e.g. "2x Latte"), timestamp, status, and which team member created it.
  • Order references and status callbacks received from CoinGate (order IDs, payment status, paid amount and currency).

Connection credentials

  • Your CoinGate key, which you paste in during setup. It is encrypted at rest with AES-256-GCM and used only to create orders on your behalf.

Technical & security data

  • Server logs (IP address, browser type, timestamps) kept for security, rate limiting, and troubleshooting.
  • An audit log of security-relevant actions (sign-ins, settings changes, key updates).

3. Data we don't collect

By design, xD Pay never has:

  • Your crypto or your money. Funds flow from the customer to CoinGate to your bank. We are never in the money flow.
  • Wallet private keys or seed phrases — yours or your customers'.
  • Card numbers or bank credentials. Payouts are handled entirely by CoinGate.
  • Customer identity data. We don't ask paying customers to register, and we don't receive their names, emails, or wallet ownership details.
  • Advertising profiles. We don't run ads, use tracking pixels, or sell data to anyone.

4. How we use data

  • To provide the service — creating orders, showing QR codes, updating payment status, and keeping your sales history.
  • To keep accounts secure — authentication, session management, rate limiting, fraud and abuse prevention, and audit logging.
  • To communicate with you — service messages about your account, security, or changes to the product or these policies.
  • To comply with law — responding to valid legal requests and keeping records we're required to keep.

We do not use your data for advertising, and we do not sell or rent personal data to third parties.

5. Sharing with third parties

We share data only where necessary to operate the service:

RecipientWhat & why
CoinGate Order details (amount, currency, order reference) so payments can be processed and settled. CoinGate processes this under its own privacy policy and may perform its own compliance checks.
Hosting & infrastructure Our cloud hosting and database providers store data on our behalf under data processing agreements. They cannot use it for their own purposes.
Legal authorities Only when required by a valid legal process, and only the minimum necessary.

6. Your customers' privacy

Paying customers interact primarily with CoinGate's payment page, not with xD Pay. We receive only payment-level data from CoinGate (status, amounts, order references) — not customer identities. On-chain transactions are public by the nature of blockchains; neither xD Pay nor the merchant can remove data from a public blockchain.

7. Cookies

The xD Pay app uses a single, strictly necessary session cookie to keep you signed in. It is HTTP-only and signed. We do not use advertising or cross-site tracking cookies. This marketing website uses no cookies at all.

8. How we protect data

  • All traffic is encrypted in transit with HTTPS/TLS.
  • CoinGate keys are encrypted at rest with AES-256-GCM authenticated encryption.
  • Passwords are stored only as salted hashes.
  • Role-based access: cashiers can't view settings or credentials.
  • Payment status callbacks are verified with per-payment tokens to prevent forgery.
  • Security-relevant actions are audit-logged.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you as required by applicable law.

9. Data retention

  • Account data is kept while your account is active.
  • Payment records are kept while your account is active, since they are your business's sales history, and for a limited period afterwards where record-keeping laws require it.
  • Server and audit logs are retained for a limited period for security purposes and then deleted or anonymized.
  • When you delete your account, we delete or anonymize personal data that we are not legally required to keep.

10. Your rights

Depending on where you live (e.g. under the GDPR or similar laws), you may have the right to:

  • Access a copy of your personal data;
  • Correct inaccurate data;
  • Delete your data ("right to be forgotten");
  • Export your data in a portable format;
  • Object to or restrict certain processing;
  • Complain to your local data protection authority.

To exercise any of these rights, contact us using the details below. We'll respond within the timeframe required by applicable law.

11. Children

xD Pay is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it.

12. Changes to this policy

We may update this policy as the product or the law changes. The "Last updated" date at the top always reflects the current version. For material changes, we'll notify you in the app or by email before they take effect.

13. Contact

Questions about privacy or this policy? Reach us on X (Twitter) or through the support option inside the app.

Privacy-first by architecture

The best way to protect data is to never collect it. See how the system is built.