Back to home

RollyPay Privacy Policy

Effective from March 1, 2026

This Privacy Policy describes what data RollyPay processes when you use rollypay.io and related services, why and on what legal basis, who we share it with, how we store it and what rights you have. By using the Service you confirm that you have read this Policy and agree to its terms.

1. Operator

RollyPay (the “operator”, “we”) is the data controller for personal data processed under this Policy. For any questions related to your data, contact support@rollypay.io.

2. Data we collect

We process only data necessary to provide the Service and perform the contract:

  • Registration: email, name, contact phone number, password (stored as a cryptographic hash).
  • Onboarding: project name, business type, website, legal details, tax ID for legal entities.
  • Payment: amounts, statuses and identifiers of payments; payment method, last 4 digits of the card (full PAN is not stored), crypto wallet address, blockchain transaction hash.
  • Technical: IP address, device type and browser, User-Agent, time and pages of interaction with the Service.
  • Cookies and session identifiers — see the dedicated section below.

3. Purposes of processing

  • User registration and authentication.
  • Merchant onboarding and integration support.
  • Processing payments and merchant settlements.
  • Anti-fraud, financial monitoring and prevention of abuse.
  • Compliance with applicable law, including Russian Federal Law No. 152-FZ on Personal Data and tax legislation.
  • Communication: payment status notifications, support replies, security incident alerts.
  • Service improvement: aggregated analytics and error debugging.

4. Legal bases

  • Performance of a contract (the public offer).
  • User consent given upon registration and acceptance of this Policy.
  • Compliance with legal obligations.
  • Legitimate interest of the operator (anti-fraud, security, defence of rights).

5. Sharing with third parties

We do not share your personal data with third parties for marketing purposes. Sharing is limited to the following cases:

  • Payment providers and acquirers — to process transactions (SBP operators, acquiring banks, crypto-payment providers). Only data necessary to execute the transaction is shared.
  • Infrastructure contractors — cloud providers, analytics and notification vendors operating under contract and bound by confidentiality.
  • Government authorities — upon lawful request.
  • Successors in case of reorganization — under the same processing terms.

Crypto operations are inherently public: when paying with USDT, BTC, ETH, TON, SOL and other networks, addresses and amounts are visible on public blockchain explorers.

6. Retention periods

  • Payment and accounting records — at least 5 years from the date of the operation, as required by law.
  • User accounts — while your account is active, plus the period needed to resolve potential disputes.
  • Technical logs — no longer than 12 months in raw form.
  • Cookies — depending on the type: session cookies are deleted when you close the tab; persistent cookies are kept until explicit deletion or expiry indicated in the cookie.

7. Security

  • Encrypted data transit (TLS 1.2+, HSTS).
  • Passwords stored as cryptographic hashes; full card numbers are not stored.
  • Two-factor authentication on critical operations (withdrawals, changes to payout details).
  • Isolation of secrets and infrastructure keys.
  • Restricted and logged staff access to user data.
  • Continuous security monitoring and incident response.

8. Cookies and tracking

  • Session cookies (including authentication tokens) — required for the dashboard and payment forms to work.
  • Functional cookies — store your settings (language, theme).
  • Analytics — Yandex Metrica for aggregated traffic statistics on the public site.

You can disable cookies in your browser settings; some Service features may then be unavailable.

9. Your rights

As a data subject you have the right to:

  • Receive information about how your data is processed.
  • Request correction or deletion of your data.
  • Withdraw consent for processing.
  • File a complaint with the competent data protection authority (Roskomnadzor in Russia).

Send requests to support@rollypay.io. We respond within 30 days.

10. Cross-border transfers

Some infrastructure (certain payment providers, blockchain networks, analytics services) may be located outside the Russian Federation. In such cases the transfer is performed where an adequate level of protection of data subject rights exists and/or with your consent.

11. Minors

The Service is not intended for individuals under 18. We do not knowingly collect data from minors. If we discover such an account, it will be deleted along with the associated data.

12. Changes to this Policy

We may update this Policy. New versions are published on this page with the effective date indicated. For material changes we will additionally notify you by email or via the dashboard.

13. Contact

Email: support@rollypay.io
Telegram support: @rollypaysupport_bot