Privacy Notice

1. Introduction 2. Data Categories We Collect, Purposes and Legal Basis 3. Data Aggregation and Anonymization 4. Disclosure of Personal Data 5. International Data Transfers 6. Retention 7. Your Rights 8. Notice to California Residents 9. Contact Information 10. Data security 11. Amendments of our Privacy Notice

Version: 11 Feb 2026

1. Introduction

1.1 Scope of Application

This Privacy Notice informs you about the processing of personal data (as defined under the European Union (“EU”) General Data Protection Regulation (“GDPR”), including equivalent terms under applicable international data protection legislation) by the members of the IXOPAY Group listed in Section 1.3 (“IXOPAY Group” or “IXOPAY”, “we”, “us” or “our”) of the following categories of data subjects:

  • Visitors of our Websites www.ixopay.com (“Website”) and visitors of IXOPAY’s social media presence (e.g., LinkedIn, Facebook, X, “Social Media Sites”), including those who provide contact information to receive communications from us. The term “Website” comprises www.ixopay.com and any other website of IXOPAY Group that links to this Notice;

  • Business Contacts, namely representatives of current or prospective Customers, partners, and suppliers whose data we process for business relationship management (CRM) purposes;

  • Customers, organizations signing an order form for IXOPAY’s SaaS solutions ("Services") and individuals acting on their behalf; 

  • Authorized Users, namely any individuals accessing the Service under the Customer’s authority; and 

  • Applicants, namely individuals applying for a position within the IXOPAY Group.

“IXOPAY” is used as a group brand reference. The responsible entity (controller or processor) depends on the processing context and is identified in Section 1.2. Where multiple IXOPAY Group entities jointly determine purposes and means for a specific processing activity, they act as joint controllers for that activity.

1.2 General Roles 

To ensure you understand how your data is handled, we distinguish between two primary roles based on the nature of your interaction with us:

1.2.1. We act as a Data Controller for personal data regarding Visitors, Business Contacts, and Applicants. This means we determine the purposes and means of processing this data. The specific IXOPAY entity responsible for your data depends on the processing context:

  • Website & Marketing (Sole Controller): IXOPAY, Inc., 333 E Main St #396, Lehi, Utah 84043, United States, is the sole controller for the operation of the Website and the collection of data from Visitors.

  • Global Business Relationships: The IXOPAY entity that manages the relevant business relationship is the controller for Business Contact data. Where two or more IXOPAY Group entities jointly manage the relationship (for example through a shared CRM and coordinated sales, partner and customer success activities), those entities act as joint controllers for that specific processing. You can contact us at [email protected], and we will provide information on the essence of any applicable joint controller arrangement upon request.

  • Recruitment: Applicant Data is governed by our Privacy Notice for Applicants.

1.2.2. We act as a Data Processor for personal data provided by or related to Customers and Authorized Users, specifically “Service Data” that transits through or is stored on a Service such as transaction details or payment tokens. In this capacity, we process data solely on behalf of our Customers pursuant to their instructions and our Data Processing Addendum (DPA). Our role is strictly defined by the contract:

  • Contracting Entity: The specific IXOPAY entity signing the Order Form with the Customer acts as the processor on the Customer’s behalf.

  • Sub-processing: Depending on the specific Products subscribed to, other IXOPAY entities act as Sub-processors as communicated on our Subprocessors page. For example, an EU-based Customer contracting with one IXOPAY Group entity may utilize tokenization services technically delivered by another IXOPAY Group entity (acting as a sub-processor).

  • Processor boundary: We use Service Data as personal data only to provide, secure, support, and maintain the Services under the Customer’s documented instructions. We do not use Service Data as personal data for benchmarking, generalized analytics, or product development for our own purposes. Where we perform those activities, we do so only using irreversibly anonymized data as described in Section 3.

1.3 IXOPAY Group Entities
For purposes of this Privacy Notice, the “IXOPAY Group” comprises:

  • IXOPAY, Inc., a Delaware corporation, 333 E Main St #396, Lehi, Utah 84043, USA;

  • IXOPAY GmbH, FN 451099g (Commercial Court of Vienna), Vorgartenstraße 206c, A-1020 Vienna, Austria; and

  • Congrify Payment Intelligence GmbH, HRB 296561 (District Court Munich), Oskar-von-Miller-Ring 20, 80333 Munich, Germany.

We collect personal data depending on how you interact with us, whether you are a Visitor, a Business Contact, or a Customer or Authorized Users utilizing our Services. Accordingly, personal data is obtained (a) directly from you, when you interact with our Website, AI Assistant, or Sales teams or otherwise communicate with us; (b) automatically via technical logs and tracking technologies through our Websites and Social Media Sites (e.g., cookies, usage logs); or (c) from third parties, such as referrals or public sources, each as set forth below.

2.1 Visitors and Business Contacts 

When you interact with our Website, subscribe for a newsletter, register for a demo, or manage your commercial account with us, we process:

  • Identity & Contact Data: Name, username, business email address, phone number, job title, company name, and physical business address.

  • Credentials: Passwords and similar security information used for authentication and account access to the IXOPAY Experience Portal.

  • Commercial Data: Information about the Services you have purchased or inquired about, billing details, VAT numbers, and your communication preferences.

  • Technical Usage Data: IP address, browser type and version, operating system, referral URLs, device information and other server log file information as well as interaction logs (e.g., pages visited, time spent, clickstream data, see “Cookies & Tracking Technologies” below, analytics of reading habits in newsletters). 

  • Risk & Compliance Sources: We may receive information from third-party risk providers (e.g., sanction lists, credit reference agencies) to assist in Know Your Customer KYC obligations and fraud prevention.

  • Sales Intelligence: We may combine information entered on an IXOPAY sales submission form with information we receive from third-party sales intelligence platform vendors (e.g., LinkedIn, ZoomInfo) to enhance our ability to market our Services to prospective customers and to verify the identity of business contacts.

This data processing is necessary for the performance of a contract (for example, to administer an account, respond to inquiries, provide requested materials) or to take steps prior to entering into a contract. 

For email marketing (where required) or Tracking Technologies, we process data if we have your consent to do so (which consent can be withdrawn at any time via our Cookie Settings or by unsubscribing).

If necessary, we process your data on the basis of our or of third parties’ legitimate interests,  including including global account and relationship management, B2B direct marketing where permitted and internal administration within IXOPAY Group as well as information security and fraud prevention, compliance, and the establishment, exercise, or defence of legal claims.

Where we obtain Business Contact data from third parties (for example professional networks or sales intelligence providers), we use it for the legitimate interest of B2B relationship management, verification, and marketing. For example, we may combine information entered on an IXOPAY contact form with information we receive from professional networks or sales intelligence providers. You can object at any time as described below.

2.2 Data Processed via Services

In the course of providing our Services, we process data on behalf of and under the instructions of our Customers. While the exact scope is determined by the Customer’s integration and configuration of our Services, this typically includes name, email address, and other contact details, financial & payment instrument data (in accordance with PCI DSS requirements), transaction details (e.g., amount, currency, timestamp, Merchant ID), technical transaction data (e.g., acquirer response codes, 3-D Secure authentication data), and risk & fraud signals (e.g., frequency of transactions, IP geolocation, and shipping/billing address mismatches used for fraud detection), technical logs and diagnostics for support and debugging.

We operate these processing activities as a processor. Consequently, only our Customers, but not we, establish the purpose and legal basis for the processing.

2.3 Cookies & Tracking Technologies

We use cookies and other information-gathering technologies for a variety of purposes, such as providing us with information about how you interact with our Websites, ensuring the security of our services, and assisting us in our marketing efforts.

2.3.1. Managing Your Preferences: You may view a complete list of cookies and change your cookie preferences at any time by using the “Cookie Settings” link in the banner displayed when you first visit or via the gear icon in the bottom left corner of our Website.

Our Cookie Settings tool allows you to manage consent for the following categories:

  • Essential: These technologies are required to activate the core functionality of our service (e.g., security, network management, and accessibility). You cannot opt out of these.

  • Functional: These technologies enable us to analyze usage behavior (e.g., visitor behavior, duration) in order to measure and improve performance.

  • Marketing: These technologies are used by advertisers to serve ads that are relevant to your interests.

2.3.2. Browser Settings & Opt-Outs: In addition to exercising cookie choices through our Cookie Settings, you can generally control cookies through your browser settings or deactivate cookies via Your Online Choices. If you use an opt-out mechanism, your browser may store an “opt-out cookie” to remember your choice. Note that this process does not remove the opt-out cookie; it must remain on your device for the opt out to work successfully, recognizing your opt-out. You will need to repeat this process on each internet browser you use and if you delete all cookie data from your device. 

Some functions of our Website require processing of “Essential” cookies to function properly, which is based on our legitimate interests. Information via “Functional” and “Marketing” cookies and tracking technologies is only collected when and for as long as we have your consent.

2.4 Social Media

We operate Social Media Sites to communicate with Customers and prospects. For details (including platform-specific roles, page insights arrangements, and how to exercise rights), see our separate Social Media Sites Privacy Notice.

2.5 AI Assistant

We provide an AI Assistant on our Website (including on adapters.ixopay.com) to help you retrieve information about supported Payment Methods and Capabilities of Payment Service Providers. When you use the AI Assistant, we process your prompt and technical connection data. Your prompt is transmitted to our processor OpenAI (OpenAI LLC, San Francisco, USA) to generate a response. IXOPAY and OpenAI do not use your prompts for model training. Input Restriction: Please do not enter any personal data (such as names, email addresses, or account details) or confidential business information into the AI Assistant.

We process this data based on our legitimate interest in providing efficient information retrieval for marketing and documentation purposes.

3. Data Aggregation and Anonymization

To improve security, stability, performance, and support of the Services, we process Service Data under Customer instructions (processor activity).

Separately, we may irreversibly anonymize Service Data so that it can no longer be linked to an identified or identifiable natural person and cannot reasonably be re-identified. After anonymization, the resulting data is no longer personal data and may be used by the IXOPAY Group entities for legitimate business purposes such as benchmarking, analytics,  product development and machine learning. 

We do not use Service Data as personal data to develop, train, or fine-tune generative AI models. Where we use machine learning on Service Data as personal data, it is solely to support service delivery (for example fraud scoring, anomaly detection, or routing optimization) and remains within Customer instructions. We may also use irreversibly anonymized data for machine learning as described above.

4. Disclosure of Personal Data

We disclose personal data only where necessary for the purposes described in this Privacy Notice:

4.1. Within the IXOPAY Group: We share personal data within IXOPAY Group on a strict need-to-know basis for internal administration, global account management, Website operation, recruitment (as applicable per our Privacy Notice for Applicants), and to provide, secure, support, and maintain the Services. Where an IXOPAY Group entity processes Service Data, it does so as (sub-)processor under the Customer’s instructions and the DPA.

4.2. Service providers: We use (sub-)processors that support our operations, such as hosting and IT providers, security providers, customer support tools, CRM and communication platforms, and providers of cookie and tracking technologies (see Section 2.3). For the Website’s AI Assistant, we use OpenAI as a processor as described in Section 2.5. These recipients are contractually bound to process personal data only pursuant to our instructions and in compliance with applicable confidentiality, data protection, and security measures. Where a recipient acts as our processor, it may process personal data only to provide services to us and not for its own purposes.

4.3. Legal and protection purposes: We disclose personal data to public authorities or other third parties where required by law, regulation, or a valid legal process, or where necessary to establish, exercise, or defend legal claims, or to protect our rights and the security of our systems.

4.4. Corporate transactions: We may disclose personal data in connection with an actual or proposed merger, acquisition, sale of assets, financing, change in control, insolvency, or reorganization of all or part of our business. In that case, we disclose personal data only to the extent necessary, subject to appropriate confidentiality and security measures, and (where required) subject to applicable legal obligations.

5. International Data Transfers

Where personal data is transferred to recipients in countries outside the European Economic Area (EEA) and not subject to an adequacy decision of the European Commission, we implement appropriate safeguards (in particular EU Standard Contractual Clauses and the UK Addendum, plus supplementary measures where required). If you have any questions about or need further information concerning the relevant safeguards, please contact us at [email protected].

6. Retention

We store your personal data for no longer than is necessary for the purposes for which the personal data are processed. Depending on the respective legal basis this generally means

  • for as long as it is required to perform our contractual obligations; 

  • when processed based on legitimate interest, for as long as they are not overridden by the interests or fundamental rights and freedoms of the data subject; 

  • when processed based on consent, for as long as the consent is not withdrawn and the purposes are not fulfilled; or

  • for as long as necessary to comply with statutory provisions, particularly according to legal retention periods (which is typically 7 years).

Key retention periods are:

  • Server log files: up to 15 days.

  • AI Assistant chat transcripts: up to 30 days.

  • Newsletter/marketing data: until you unsubscribe or withdraw consent.

  • Account and commercial records: for the duration of the relationship and then as required by statutory retention rules.

7. Your Rights

7.1. Rights & Submission Process: Depending on applicable law (including the GDPR), you have the right to: 

  • Access your personal data; 

  • Correct inaccurate or incomplete personal data; 

  • Erase your personal data; 

  • Restrict our processing of your personal data, 

  • Receive a copy of certain personal data you provided to us in a portable format (data portability);

  • Object to processing based on our or third parties’ legitimate interests, in which case we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing. You can object to direct marketing at any time, and we will stop processing your data for that purpose immediately;

  • Withdraw consent at any time, where we rely on consent (e.g., see Section 2.3), with effect for the future; and

  • not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. Currently, we do not engage in such processing for our own controller purposes. Within the Services, fraud/risk scoring can exist under Customer instructions.

To exercise your rights, contact us at [email protected]. To help us process your request, please include: your name, your business email address, your company name, and a clear description of the right you want to exercise. Before we complete a data subject rights request, we need to verify that the request comes from the person whose personal data is at issue. If you submit a request on behalf of another individual, we may request proof of authorization and/or verification by the data subject, as required by applicable law.

7.2. Appeals & Supervisory Authority Complaints: If you live in a jurisdiction that provides an appeal right for denied rights requests, you can appeal our decision by replying to the email that informs you of the denial or by sending an appeal request to [email protected] with the subject line “Appeal”. We respond to appeals within the timeframe required by applicable law.

If you are in the EEA, the UK, or Switzerland, you also have the right to lodge a complaint with a supervisory authority.

7.3. Requests relating to Service Data: If your request relates to Service Data processed through the Services (where we act as a processor under a Customer’s instructions), the Customer controls the purposes and legal basis for that processing. We will (where appropriate) forward your request to the relevant Customer or ask you to contact the Customer directly.

8. Notice to California Residents

This section applies only to California residents for purposes of compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “California Privacy Laws”). In the previous twelve (12) month period, we have collected, used, and shared certain personal data of California consumers solely for business purposes and strictly in the manner described within this Privacy Notice. California consumers have the right to request access, correction, and deletion to and of their personal data, opt out of the sale of their personal data, opt out of the sharing of their personal data, and not be discriminated against for exercising the rights afforded to them under California privacy laws. In the event of such a request from a California consumer, we will provide all relevant information about our collection, use, and sharing of your personal data.

All requests should include appropriate information to allow us to verify your identity, such as your name, email address, and company name. If we cannot verify your identity, we may request information to allow us to complete the validation process. Personal data provided to us for the purpose of identifying you will be used solely for that purpose.

We do not sell personal data of any California consumers and we do not discriminate against California consumers for exercising their privacy rights.

9. Contact Information

If you have questions regarding this Privacy Notice, or wish to exercise any of the data protection rights outlined above, contact us at [email protected]

Postal addresses of IXOPAY Group entities are listed in Section 1.3.

For processing activities where IXOPAY, Inc. is subject to the GDPR, IXOPAY GmbH acts as EU representative: Vorgartenstraße 206c, A-1020 Vienna, Austria; [email protected]

10. Data security

Information security is critical to our business. We implement appropriate technical and organisational security measures as outlined on our Art 32 GDPR TOMs page, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons pursuant to Art 32 GDPR and other applicable Data Protection Laws.

For further information on how we ensure that we maintain appropriate technical and organizational measures, please see our Security & Trust page.

11. Amendments of our Privacy Notice

We will amend our Privacy Notice as necessary to reflect changes to the legal landscape as well as the development of our Services and the internet. Amendments will be published on our Website, so you should visit this Privacy Notice regularly to stay informed about the current status.

The Future is Agentic.
Are You Ready?

As commerce shifts from clicks to agents, your infrastructure must be protocol-agnostic. IXOPAY acts as the neutral trust layer, orchestrating identity and value across the fragmenting landscape of AI agent protocols.

Contact Sales