Who We Are
GhostPay Mesh is the operator of the GhostPay Mesh platform — an offline-capable cryptographic settlement infrastructure protocol. Our platform enables the creation, transfer, and synchronization of Cryptographic Settlement Promises (CSPs/PLCs) without requiring continuous internet connectivity.
This Privacy Policy describes how we collect, use, disclose, and protect information obtained through our website, mobile applications, APIs, SDKs, and related services.
Privacy contact: contact@ghostpaymesh.com
Data We May Collect
Depending on how you interact with the Service, we may collect:
Technical and Usage Data
- IP address and approximate geographic location
- Browser type, version, and operating system
- Device type, model, and app/SDK version
- Pages visited, features accessed, interaction timestamps
- Error logs and crash reports
Communication Data
- Name, email, and information submitted via contact forms or support requests
- Company name and role (if provided)
Account Data (if applicable)
- Email address, display name, account preferences
- API key identifiers (not secret key values)
Settlement Data
- Technical identifiers required by ASAAS for settlement processing (e.g., transaction reference IDs)
Privacy by Design and Minimal Collection
GhostPay Mesh is built on a privacy-by-design architecture. Privacy is embedded into every technical decision from the start.
- Offline-first architecture — The core protocol functions without connecting to our servers. CSPs/PLCs are created, signed, and transferred directly between devices. Transaction content never passes through our infrastructure.
- On-device key generation — Cryptographic keys are generated and stored on your device. We never transmit, store, or have access to your private keys.
- Minimal server-side data — The offline-capable design means significantly less personal data is held server-side than in conventional centralized systems.
- No mandatory registration — In many usage scenarios, the Service can be accessed without creating an account.
- Data minimization — We collect only what is necessary for the specific purpose.
Legal Bases for Processing
We process personal data only where we have a valid legal basis. Applicable frameworks:
LGPD (Brazil)
- Consent (Art. 7, I) — Analytics cookies, marketing communications.
- Legitimate interest (Art. 7, IX) — Security, fraud prevention, service improvement.
- Contract performance (Art. 7, V) — Processing necessary to provide the requested Service.
- Legal obligation (Art. 7, II) — Compliance with AML/KYC and other regulatory requirements.
GDPR / UK GDPR (EU and UK users)
- Consent (Art. 6(1)(a)), Contract performance (Art. 6(1)(b)), Legitimate interests (Art. 6(1)(f)), Legal obligation (Art. 6(1)(c)).
CCPA/CPRA (California)
We process information in accordance with California privacy law. California residents have specific rights detailed in Section 11.
Purposes of Processing
- Service operation — Provide, maintain, and improve Service functionality.
- Security and fraud prevention — Detect and prevent unauthorized access, fraud, and abuse.
- Compliance — Fulfill AML, counter-terrorism financing, and other legal obligations applicable to our regulated partners.
- Service improvement — Analyze usage patterns and diagnose technical issues.
- Legal obligations — Record-keeping, regulatory reporting, responding to lawful authority requests.
- Communication — Respond to inquiries and support requests.
Sharing with Third Parties
We do not share your personal data with third parties except in the following circumstances:
- ASAAS (settlement partner) — Technical settlement data is shared with ASAAS Gestão Financeira Instituição de Pagamento S.A., regulated by Banco Central do Brasil. ASAAS may collect additional KYC/AML data directly from you.
- Infrastructure providers — Cloud hosting, CDN, error tracking, and analytics providers acting as data processors under our instruction.
- Legal requirements — Disclosure when required by applicable law, court order, or regulatory authority.
- Business transfers — In the event of merger, acquisition, or restructuring, subject to equivalent privacy protections.
We Do Not Sell Your Personal Data
GhostPay Mesh does not sell, rent, trade, or otherwise transfer your personal data to third parties for their own commercial purposes.
- We do not sell personal data to data brokers.
- We do not trade personal data for advertising purposes.
- We do not share personal data with advertising networks for behavioral targeting.
- For California residents: we do not "sell" or "share" personal information as defined under CCPA/CPRA.
Data Retention
- Usage and technical logs — Up to 90 days, then deleted or anonymized.
- Account data — Duration of account plus 5 years after closure.
- Contact and support data — Up to 3 years from last interaction.
- Settlement records — Minimum 5 years as required by Brazilian financial regulations, or longer if required by law.
- Legal hold — Data may be retained longer during active legal disputes or regulatory investigations.
Information Security
We implement technical and organizational measures including:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of sensitive data at rest.
- Access controls limiting data access to authorized personnel.
- Regular security assessments and vulnerability testing.
- Incident response procedures for detecting and responding to breaches.
No security measure is perfect. In the event of a breach posing risk to your rights, we will notify affected individuals and applicable authorities as required by law.
International Data Transfers
GhostPay Mesh is headquartered in Brazil and may process data using infrastructure in Brazil and other countries. For EU/UK data transfers, we implement appropriate safeguards required by GDPR/UK GDPR, including Standard Contractual Clauses (SCCs) and Transfer Impact Assessments where required.
Your Rights as a Data Subject
Rights under LGPD (Brazil)
- Access — confirm processing and obtain a copy of your data.
- Correction — request correction of incomplete or inaccurate data.
- Anonymization, blocking, or deletion of unnecessary or excessive data.
- Portability — request transfer of your data to another provider.
- Deletion after consent revocation.
- Information about sharing with third parties.
- Revocation of consent at any time.
- Opposition to processing based on legitimate interest.
Rights under GDPR / UK GDPR (EU and UK)
- Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Objection (Art. 21), rights against automated decision-making (Art. 22), and right to lodge a complaint with a supervisory authority.
Rights under CCPA/CPRA (California)
- Right to know, delete, opt out of sale/sharing, non-discrimination, correct inaccurate data, and limit use of sensitive personal information.
To exercise your rights, contact us as described in Section 14.
Children's Privacy
The Service is intended for individuals at least 18 years of age. We do not knowingly collect data from individuals under 18 without verifiable parental consent.
The Service is strictly prohibited for individuals under 13 years of age under any circumstances. If we learn we have inadvertently collected data from a person under 13, we will delete it promptly. Contact us at contact@ghostpaymesh.com if you believe your child under 13 has provided us data.
How to Request Data Deletion, Access or Correction
To exercise any data subject right, contact:
Email: contact@ghostpaymesh.com
Subject: "Data Subject Request — [Your Right]"
Please include your name, email, the right you wish to exercise, and sufficient information to identify the data at issue. We will acknowledge within 5 business days and respond within the timeframes required by applicable law (15 business days under LGPD; 30 days under GDPR).
Changes to This Policy
We may update this Privacy Policy from time to time. Updated versions will be published with a revised "Last updated" date. For material changes, we will provide reasonable prior notice. Continued use of the Service after the effective date constitutes acknowledgment of the changes.
Contact
For privacy questions, requests, or concerns:
GhostPay Mesh
contact@ghostpaymesh.com
Alameda Rio Negro, N° 503 — Sala Comercial 2011, Alphaville Industrial, Barueri — SP — 06454-000 — Brazil
Brazilian data subjects: ANPD — www.gov.br/anpd. EU/EEA data subjects: you may lodge a complaint with your local supervisory authority.