Privacy Policy

Gateway Central — Payment Infrastructure Platform

Last updated: April 4, 2026 · Effective: April 4, 2026

Gateway Central ('we', 'our', or 'the Company') is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, store, and protect your data when you use our platform. By accessing or using our services, you agree to the practices described in this document.

1. Information We Collect

1.1 Account & Identity Information

When you register for a merchant account, we collect: full name or business name, email address, phone number, business registration details, and PayPal account identifiers (Client ID only — secret keys are encrypted at rest using AES-256). We never store your PayPal password.

1.2 Transaction Data

We collect and process data related to payment transactions, including: transaction amounts, currency, order references, masked item descriptions, timestamps, originating IP addresses, and transaction status. Raw product names may be stored in encrypted form for audit purposes and are not shared with third parties.

1.3 Technical & Usage Data

We automatically collect: IP addresses, browser type, operating system, device identifiers, pages visited, referral URLs, session duration, and API call logs. This data is used for security monitoring, fraud prevention, and service improvement.

1.4 Communication Data

When you contact our support team or submit inquiries via the contact form, we collect and retain the content of your messages, your email address, and any attachments you provide.

2. How We Use Your Information

2.1 Service Delivery

We use your information to create and manage your account, process and route payment transactions, operate the merchant rotation and volume management systems, provide API access credentials, and deliver technical support.

2.2 Security & Fraud Prevention

We use collected data to detect, investigate, and prevent fraudulent transactions, unauthorized access, and violations of our Terms of Use. Risk signals are processed automatically and may result in temporary account restrictions pending manual review.

2.3 Legal Compliance

We may process your data to comply with applicable laws, regulations, and binding legal orders from courts or government authorities, including anti-money laundering (AML) obligations and financial reporting requirements.

2.4 Communications

With your consent, we may send service announcements, security alerts, billing notifications, and product updates. You may opt out of non-essential communications at any time via your account settings or by contacting us directly.

3. Data Storage & Security

3.1 Storage Infrastructure

All data is stored on servers hosted within the European Economic Area (EEA) or with providers that comply with Standard Contractual Clauses (SCCs) for international data transfers. Our database infrastructure uses Neon Serverless PostgreSQL with encryption at rest.

3.2 Encryption Standards

PayPal API credentials are encrypted using AES-256 before storage. Passwords are hashed using bcrypt with a minimum cost factor of 12. API keys are hashed with bcrypt and presented to users only once at the point of creation — plaintext keys are never stored.

3.3 Access Controls

Access to production databases is restricted to authorized personnel with documented business need. All access events are logged. We enforce multi-factor authentication (MFA) for all administrative accounts. Row-level security policies ensure tenant data isolation.

3.4 Retention

Transaction data is retained for a minimum of 5 years to satisfy financial regulatory requirements. Account data is retained for the duration of the contract plus 2 years after termination. Log data is retained for 12 months. You may request earlier deletion subject to legal constraints.

4. Data Sharing & Third Parties

4.1 Payment Processors

We transmit transaction data to PayPal Inc. as required to process payments. PayPal's data processing is governed by PayPal's own Privacy Policy and applicable financial regulations. We do not sell your data to PayPal for marketing purposes.

4.2 Infrastructure Providers

We use the following sub-processors: Vercel Inc. (hosting and edge functions), Neon Inc. (database), and Vercel Analytics (aggregated usage analytics). Each provider is bound by data processing agreements that prohibit them from using your data for their own purposes.

4.3 No Data Sales

We do not sell, rent, trade, or otherwise transfer your personal information to third parties for their commercial benefit. Any sharing is strictly limited to what is necessary to operate our services or comply with the law.

4.4 Legal Disclosures

We may disclose your data if required by valid legal process (court orders, subpoenas, regulatory demands). Where permitted by law, we will notify you of such requests before disclosing your information.

5. Your Rights

5.1 Access & Portability

You have the right to request a copy of all personal data we hold about you in a structured, machine-readable format (JSON or CSV). Requests must be submitted via your account dashboard or by contacting our Data Protection Officer.

5.2 Rectification

You have the right to correct inaccurate or incomplete personal data. Account profile fields can be updated directly in your dashboard. For data embedded in immutable records (e.g., transaction logs), we will note the correction in associated metadata.

5.3 Erasure ('Right to be Forgotten')

You may request deletion of your personal data where it is no longer necessary for the purposes it was collected, where you withdraw consent, or where you object to processing and there are no legitimate grounds for continued processing. Certain data may be retained to satisfy legal obligations.

5.4 Restriction & Objection

You may request that we restrict processing of your data while a dispute is resolved. You may object to processing based on our legitimate interests. Where you object to direct marketing, we will always honor that request unconditionally.

5.5 Lodging Complaints

If you believe we have violated applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority. In Vietnam, this is the Ministry of Public Security (Bộ Công An). In the EU/EEA, the competent authority is determined by your country of residence.

6. Cookies & Tracking

6.1 Essential Cookies

We use session cookies to maintain your authenticated state (via NextAuth.js JWT tokens stored as HTTP-only cookies). These are strictly necessary and cannot be disabled without breaking core functionality.

6.2 Analytics

We use Vercel Analytics to collect aggregated, anonymized usage statistics. No personal identifiers are transmitted to Vercel Analytics. You may opt out by enabling the 'Do Not Track' header in your browser.

6.3 No Third-Party Advertising

We do not use advertising cookies, tracking pixels, or third-party retargeting technologies. We do not participate in behavioral advertising networks.

7. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email (to the address on your account) and via an in-platform notice at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. Prior versions will be archived and made available upon request.

8. Contact & Data Protection Officer

For all privacy-related inquiries, data access requests, or to exercise your rights, please contact our Data Protection Officer at: privacy@gatewaycentral.io. We will respond to all verifiable requests within 30 calendar days. For urgent security matters, please include 'URGENT' in the subject line.