Legal

Privacy Policy

What data Strimz collects, what we do with it, and the rights you have over it.

Effective: 1 May 2026·Last updated: 1 May 2026

Overview

Strimz Labs Ltd. ("Strimz", "we") collects only the data needed to operate the Service , authenticate you, settle payments, and send you receipts and product communications. We do not sell personal data and we do not run third-party advertising on our surfaces.

This policy applies to data we process about merchants who sign up at strimz.finance and about end-customers who pay through Strimz checkouts.

Data we collect

From merchants:

  • Name and email address (provided to Privy at sign-up).
  • Business information you provide during onboarding (legal name, trading name, sector, country, registered address, tax ID).
  • Payout wallet address.
  • API keys you create (we store a SHA-256 hash and the prefix; the full secret is never persisted).
  • Webhook endpoint URLs and signing secret hashes.
  • Dashboard activity logs (which keys were created, who invited a teammate, etc.).
  • Communication you send us via support channels.

From end-customers paying via your Strimz checkout:

  • Wallet address (visible on-chain).
  • Email address (only if your checkout collects it).
  • Payment metadata you pass through the SDK.

We also collect technical information automatically: IP address, browser user agent, locale, and the URLs you visit on our marketing site. We use a self-hosted analytics setup that anonymises IP addresses at ingestion.

Data we never collect

  • Private keys or seed phrases. Wallet authentication is delegated to Privy and your wallet provider.
  • Card numbers, bank account numbers, or tax-return data. Strimz does not handle traditional payment rails.
  • Government-ID images for the Free / Starter tiers (live-mode unlocks via self-attested KYB + 2FA).

How we use it

We process your data to:

  • Authenticate you and route requests to the correct merchant account.
  • Settle and reconcile on-chain payments to your payout wallet.
  • Send transactional email (account verification, recovery emails, daily digests, security alerts, invoice receipts).
  • Detect and prevent abuse (rate-limit enforcement, leaked-key scanning).
  • Comply with legal obligations and respond to lawful requests.

Data sharing

We share data only with infrastructure providers necessary to operate the Service:

  • Privy. Identity, embedded wallets, 2FA.
  • Resend. Transactional email delivery.
  • Cloudflare. Bot protection (Turnstile) on signup and checkout.
  • Render + Vercel. Application hosting.
  • Circle. CCTP V2 attestation API for cross-chain routing (only the source-chain transaction hash is shared, no personal data).
  • TRM Labs / Elliptic. Wallet sanctions screening when the compliance integration is enabled (wallet address only).

We do not sell your data. We will disclose data when legally compelled (court order, subpoena), and we will notify you of any such request unless prohibited by law.

Retention

We retain merchant data for as long as your account is active and for up to seven (7) years after closure to satisfy tax and accounting obligations. Webhook delivery logs are retained for ninety (90) days. On-chain data is, by nature of public blockchains, permanent.

Your rights

Depending on where you are located, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion (subject to legal retention obligations).
  • Export your data in a machine-readable format.
  • Object to or restrict certain processing.
  • Withdraw consent for marketing communications at any time.

Exercise any of these by emailing privacy@strimz.finance. We respond to all requests within thirty (30) days.

Children

The Service is not directed at individuals under sixteen (16). We do not knowingly collect personal data from minors. If we learn we have, we will delete it.

International transfers

Our infrastructure providers operate globally. Where personal data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses or equivalent safeguards.

Security

We use TLS in transit, encryption at rest for our managed databases, and per-merchant data partitioning. API keys and webhook signing secrets are stored only as SHA-256 hashes; secrets are returned exactly once at creation time and cannot be recovered. We follow a responsible disclosure policy at security@strimz.finance.

Contact

Strimz Labs Ltd., 20 Chancery Lane, London EC4A 1LF, United Kingdom.
privacy@strimz.finance for any privacy-related question.


Questions about this document? Email legal@strimz.finance.