GDPR · DPDP · PECA compliant

Privacy Policy

How we collect, use, store, and protect your data.

Last updated: May 2026 · Version 1.2

Plain language summary

  • We collect your wallet address, optional email, and profile info you provide.
  • We don't sell your data or use it for ads.
  • Your USDC lives on-chain. We can't touch it.
  • You can delete your account and all off-chain data at any time.
  • On-chain transactions are public forever — that's how blockchains work.

1. Data We Collect

We collect only what's necessary to operate Paystream:

  • **Wallet address**: your primary identifier. Collected when you sign in via wallet signature.
  • **Email address**: optional. Collected if you choose to add one for notifications. Used only for transactional emails.
  • **Profile data**: display name, bio, country code, timezone, languages, avatar image. Provided voluntarily by you.
  • **Contract data**: contract terms, milestones, messages, and activity logs. Required for the platform to function.
  • **Technical logs**: IP address, browser type, timestamps. Used for security and abuse prevention. Retained for 30 days.
  • **Cookies**: a single encrypted iron-session cookie for authentication. We do not use third-party tracking, ad cookies, or analytics that share data with external parties.

We do not collect passwords, government IDs, biometrics, or financial account numbers.

2. How We Use Your Data

We use your data to:

  • Authenticate you via Sign-In with Solana (SIWS)
  • Display your public profile to other users
  • Send transactional notifications (contract updates, payment confirmations) via email
  • Detect and prevent fraud, abuse, and spam
  • Improve the platform based on aggregate usage patterns

We do not sell your data, share it for advertising, or use it to train AI models. We never read your private messages except as required to investigate abuse reports.

3. Third-Party Services

Paystream uses the following sub-processors:

  • **Helius**: Solana RPC provider. Receives on-chain read queries (wallet addresses, transaction data). Privacy policy: helius.dev/privacy.
  • **Resend**: Email delivery. Receives your email address and notification content. Privacy policy: resend.com/privacy.
  • **Vercel**: Hosting and edge runtime. Processes all web requests. Privacy policy: vercel.com/legal/privacy-policy.
  • **Neon**: Serverless Postgres database. Stores all application data. Privacy policy: neon.tech/privacy.
  • **Vercel Blob**: File storage for avatar images and deliverables. Same privacy controls as Vercel.
  • **Upstash Redis**: Session and rate-limit storage. Privacy policy: upstash.com/trust/privacy.

All sub-processors are contractually bound to GDPR-equivalent data processing standards. We maintain a public list at paystream.io/subprocessors that is updated within 30 days of any change.

4. Data Retention

We retain your data as follows:

  • **Account data**: retained while your account is active, plus 90 days after deletion request
  • **Contract data**: retained for 7 years for legal and tax record-keeping purposes (on-chain data is permanent and not under our control)
  • **Messages**: retained for 2 years
  • **Technical logs**: 30 days
  • **Email addresses**: deleted within 30 days of account deletion

You may request deletion of your account and associated data at any time from Settings → Danger Zone. On-chain data (contract terms, transaction hashes, wallet addresses) remains permanently visible on Solana — this is by design and outside our control.

5. Your Rights

Depending on your jurisdiction, you may have the right to:

  • GDPR (EEA/UK): access, rectification, erasure, restriction, portability, and objection. Lodge complaints with your national supervisory authority. Our EU representative is reachable at eu-rep@paystream.io.
  • DPDP Act 2023 (India): access, correction, erasure, and grievance redressal. Contact our Data Protection Officer at dpo@paystream.io.
  • PECA (Pakistan): personal data protection rights under applicable law.
  • CCPA/CPRA (California): right to know, delete, correct, and opt out of sale (we do not sell data).

To exercise any right, email privacy@paystream.io or use the deletion option in Settings. We respond within 30 days. There is no fee for the first request per year.

6. Security

We protect your data using:

  • HTTPS/TLS for all data in transit
  • AES-256 encryption for sensitive fields at rest
  • Iron Session with an encrypted cookie for authentication (no passwords stored)
  • Principle of least privilege for database access
  • Quarterly internal security reviews
  • Public bug bounty program at security@paystream.io

Note: on-chain contract data is public on Solana. Wallet addresses, contract amounts, and transaction hashes are permanently visible on the blockchain. This is by design and is how trustless escrow works.

7. International Transfers

Paystream operates globally. Your data may be transferred to and processed in:

  • **United States** — primary data center (Vercel, Neon)
  • **European Union** — edge regions for performance
  • **Singapore** — APAC edge region

For transfers from the EEA/UK to the US, we rely on Standard Contractual Clauses (SCCs) and additional safeguards. For transfers from India, we comply with DPDP Act 2023 cross-border transfer rules.

8. Children's Privacy

Paystream is not directed at children under 18. We do not knowingly collect data from anyone under 18. If we learn that a minor has created an account, we will delete it and any associated data.

If you believe a minor is using Paystream, contact privacy@paystream.io.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be:

  • Notified by email to users with email on file at least 14 days before taking effect
  • Announced on the Paystream web app
  • Logged in the change history at paystream.io/privacy/history

Your continued use of Paystream after changes constitutes acceptance.

10. Contact

For privacy questions or requests:

  • Email: privacy@paystream.io
  • Data Protection Officer: dpo@paystream.io
  • EU Representative: eu-rep@paystream.io
  • Response time: within 30 days

Paystream (Echonos AI), Lahore, Pakistan
