Privacy Policy
Effective: July 4, 2026 · Last updated: July 4, 2026
Paytree Inc. (“Paytree”, “we”, “our”) operates paytree.to and the associated services (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it. If any of this is unclear, email us at privacy@paytree.to — we'll answer in plain English.
1. Information We Collect
We collect only what we need to run the Service and improve it.
- Account: name, email address, hashed password, and username.
- Profile content: bio, links, photos, products, vault items, and any other content you publish on your page.
- Payments: your Stripe Connect account ID and payout status. Card and bank details are held by Stripe — we never see or store them.
- Buyer email addresses: collected when a visitor unlocks a vault or completes a purchase, so we can deliver the item and let you contact them.
- Analytics: page views, link clicks, referrer, coarse geographic location (country / city), and device type. IP addresses are truncated within 30 days.
- Session data: a first-party authentication cookie so you stay signed in.
- Support communications: emails you send us and our replies.
2. How We Use Your Information
- Operate the Service — publishing your page, processing sales, delivering vault content.
- Send transactional emails — welcome, vault-unlock codes, purchase confirmations, receipts, security alerts.
- Show you analytics about your page.
- Detect and prevent fraud, abuse, and violations of our Terms.
- Improve and diagnose the platform (bug fixes, performance, usability testing).
- Comply with legal obligations (tax reporting, subpoenas, sanctions screening).
We do not sell your personal data, and we do not use it to train third-party AI models.
3. Legal Bases (GDPR)
If you are in the EU, UK, or Switzerland, we process your data under one of these legal bases:
- Contract — to provide the Service you signed up for.
- Legitimate interests — to secure the Service, prevent fraud, and improve the product.
- Legal obligation — to comply with tax, financial, and law-enforcement requirements.
- Consent — for anything outside the above, and always for optional features like the AI sales agent.
4. Service Providers
We share data only with the vendors necessary to operate the Service, each under a data-processing agreement that limits their use to the purposes below:
- Stripe — payment processing and payouts (Stripe Connect).
- Neon — Postgres database hosting (data stored in US or EU regions).
- Vercel — application hosting, file storage (Blob), and analytics.
- Resend — transactional email delivery.
- Anthropic — the AI sales agent (Ultra plan only). Only the AI-agent prompts and your page content are sent — no email addresses or PII.
- Google — optional “Sign in with Google”.
- Microsoft Clarity — session replay for UX debugging. Password and card inputs are automatically masked.
5. International Data Transfers
Our primary infrastructure is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. Where required, transfers rely on the European Commission's Standard Contractual Clauses or an equivalent lawful transfer mechanism.
6. Cookies & Similar Technologies
Paytree uses first-party cookies only. We do not run advertising or cross-site tracking cookies.
- Essential — authentication (session cookie), CSRF protection. You cannot disable these without losing the ability to sign in.
- Analytics — Vercel Analytics (aggregated, cookieless) and Microsoft Clarity for session replay. You can opt out by enabling “Do Not Track” in your browser.
7. Data Retention
- Account data — kept while your account is active.
- Analytics events — 24 months, then aggregated and anonymized.
- Transactional records — up to 7 years, as required by US and EU financial regulations.
- Backup snapshots — 35 days on a rolling window; deletions propagate within that window.
8. Your Rights
Depending on where you live, you have some or all of these rights over your personal data:
- Access — a copy of the data we hold about you.
- Correction — fix inaccurate information.
- Deletion — remove your account and its data.
- Portability — export your data in a machine-readable format.
- Objection — object to certain processing.
- California residents (CCPA/CPRA) — the right to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined by the CCPA.
You can exercise most of these rights directly from Settings, or by emailing privacy@paytree.to. We respond within 30 days.
9. Security
Passwords are hashed with argon2id. All data is encrypted in transit (TLS 1.3) and at rest (AES-256 at the storage layer). Access to production systems is limited to authorized staff, audited, and requires two-factor authentication. No system is perfectly secure, but we treat any unauthorized access as a top-priority incident and will notify affected users within 72 hours as required by GDPR Art. 34.
10. Children
Paytree is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email privacy@paytree.to and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect. The “Last updated” date at the top always reflects the current version.
12. Contact
Privacy questions, data requests, or complaints: privacy@paytree.to. If you are in the EU and are not satisfied with our response, you may complain to your local data protection authority.