Customer Privacy Notice
How we collect, use, and share the personal data of people who use the PayAttention service
| Legal entity | PayAttentionPay, Inc., a Delaware corporation |
|---|---|
| Registered office | 1111B S Governors Ave #41704, Dover, DE 19904, USA |
| Effective date | May 10, 2026 |
| Classification | Public — published at payattention.now/privacy |
| Privacy contact | ilove@payattention.now |
About this notice
This Customer Privacy Notice describes how PayAttentionPay, Inc. (“PayAttention,” “we,” “us,” or “our”) collects, uses, and shares the personal data of individuals who use the PayAttention consumer service (the “Service”) as described in the PayAttention Customer Terms. PayAttention’s registered office is at 1111B S Governors Ave #41704, Dover, DE 19904, USA.
This notice applies to personal data we collect from you directly when you use the Service, and from third parties — including the merchant whose product you are accessing through PayAttention (the “Merchant”) and advertisers whose tasks you complete. It does not apply to personal data you provide directly to a Merchant, an advertiser, or any other third party, which is governed by their respective privacy notices.
By using the Service, you acknowledge that you have read and understood this notice.
1. How to contact us about privacy
You can contact us about privacy matters at:
- Email: Ilove@payattention.now
- Mail: PayAttentionPay, Inc., 1111B S Governors Ave #41704, Dover, DE 19904, USA
Jurisdiction-specific contact and supervisory authorities are set out in Section 15.
2. Scope of this notice
This notice applies to personal data PayAttention processes about you, an individual consumer who uses the Service. It does not cover:
- personal data that a Merchant collects about you in its own product (the Merchant’s own privacy notice governs that processing);
- personal data that an advertiser collects when you complete an advertiser’s task (the advertiser’s privacy notice governs that processing);
- personal data that Stripe collects in connection with payment processing (Stripe’s privacy notice governs that processing).
Where PayAttention processes personal data on behalf of a Merchant under a Data Processing Addendum, the Merchant is the controller and that processing is governed by the Merchant’s own privacy notice and the Data Processing Addendum, not by this notice. See Section 8.
3. Personal data we collect
3.1 Information you provide to us
- Account credentials. When you authenticate with the Service, you provide a Google account identifier or a mobile phone number (used to send a one-time verification code).
- Payment method. When you attach a payment method on the PayAttention checkout, Stripe collects your card or other payment-method details and provides PayAttention with a tokenized identifier. PayAttention does not store full card numbers.
- Communications. If you contact our support team, we collect the content of your messages and related metadata.
3.2 Information from the Merchant
- Merchant-side identifier. The Merchant transmits an identifier for you (such as a RevenueCat app_user_id or the Merchant’s internal customer_id) so that PayAttention can grant or revoke access on the Merchant’s system. The Merchant may also transmit your email address.
- Subscription parameters. The Merchant transmits the product identifier and the price of the Subscription Period.
3.3 Information from advertisers
- Verification confirmation. When you complete a Task, the relevant advertiser confirms completion to PayAttention through one of our verification methods (manual review, CSV upload, webhook, or API), typically with a user identifier and proof of completion.
3.4 Information collected automatically
- Device and connection. IP address, browser type and version, operating system, device identifiers, language preference, time zone.
- Usage data. Pages viewed, actions taken on PayAttention, and timestamps.
- Cookies and similar technologies. We use cookies and similar technologies as described in our Cookie Notice, available at https://payattention.now/cookies.
- Acceptance evidence. When you accept the Customer Terms or this Privacy Notice, we record the version accepted, the timestamp, your IP address, your user agent, and your account identifier.
3.5 Special categories of personal data
We do not collect special categories of personal data (such as data revealing racial or ethnic origin, religious or political views, biometric data, or health data) in the ordinary course of providing the Service.
4. Why we use your personal data
We use your personal data for the following purposes:
| Purpose | Legal basis (GDPR / UK GDPR) | Business purpose (CCPA) |
|---|---|---|
| Provide the Service: authenticate you, attach a payment method, present and verify Tasks, grant or revoke access, process conditional charges, send service notifications | Performance of a contract (Art. 6(1)(b)) | Performing the services you requested |
| Prevent fraud and abuse (device fingerprinting, IP and network checks, behavioral signals) | Legitimate interests (Art. 6(1)(f)) — protecting the Service and other users | Detecting security incidents and preventing fraud |
| Service-related communications (period reminders, charge notices, access status) | Performance of a contract (Art. 6(1)(b)) | Performing the services you requested |
| Comply with legal obligations (tax records, anti-money-laundering, lawful requests) | Compliance with legal obligation (Art. 6(1)(c)) | Complying with law |
| Enforce these Terms and defend our rights | Legitimate interests (Art. 6(1)(f)) | Enforcing our terms |
| Respond to support inquiries; maintain audit records of acceptance | Performance of a contract; legitimate interests for audit | Performing the services you requested |
| Improve and develop the Service (analytics, aggregated metrics) | Legitimate interests (Art. 6(1)(f)) | Performing services |
We do not use your personal data for cross-context behavioral advertising. We do not sell your personal data.
5. Who we share your personal data with
We share your personal data only as necessary to provide the Service or as required by law.
5.1 Service providers
We share your personal data with the service providers that help us operate the Service. They process personal data on our behalf under written agreements. The current list of sub-processors is published at https://payattention.now/subprocessors and includes Amazon Web Services (cloud infrastructure), Stripe (payment processing), RevenueCat (subscription entitlement, where used by the Merchant), Twilio (SMS delivery), Google (sign-in), Postmark (transactional email), and Sentry (error monitoring). This list is consistent with Annex 3 of our merchant Data Processing Addendum.
5.2 Merchants
We share the outcome of your PayAttention attempt (access granted, charge made, or charge failed) with the Merchant whose product you accessed, so that the Merchant can manage your account accordingly. We do not share the details of which specific Tasks you completed.
5.3 Advertisers
We share your Task-completion records with the relevant advertiser to verify completion and to enable CPA billing. The advertiser receives only the data necessary to verify completion (typically a user identifier and confirmation of the action).
5.4 Legal, compliance, and protection
We may share your personal data with law enforcement, regulators, or other authorities where required by law, court order, or as necessary to protect our rights or the rights of others.
5.5 Business transfers
If PayAttention is involved in a merger, acquisition, or sale of all or substantially all of its assets, your personal data may be transferred to the successor entity, subject to appropriate confidentiality and privacy protections.
We do not sell or share your personal data for cross-context behavioral advertising.
6. International data transfers
PayAttention is based in the United States. Some of our service providers are located in the United States, the European Union, the United Kingdom, and other countries.
If you are in the European Economic Area, the United Kingdom, the Republic of Korea, or another jurisdiction with cross-border transfer restrictions, we transfer your personal data outside your jurisdiction subject to appropriate safeguards:
- EEA: EU Commission Standard Contractual Clauses (SCCs), Module 2 (Controller-to-Processor) for transfers from us to our processors, and Module 3 (Processor-to-Processor) where applicable.
- United Kingdom: the UK International Data Transfer Addendum to the SCCs.
- Republic of Korea: where required by PIPA, we obtain your consent or rely on permitted transfer mechanisms, and we provide the disclosures required under PIPA.
To request a copy of the safeguards in place for transfers of your personal data, contact us at ilove@payattention.now.
7. How long we keep your personal data
We retain your personal data only for as long as necessary for the purposes described in this notice, subject to applicable legal retention requirements.
| Category | Retention period |
|---|---|
| Account credentials and identifiers | While your PayAttention account is active, plus up to 24 months after account closure for fraud-prevention purposes |
| Payment-method tokens | While your account is active, plus up to 90 days after closure (longer where required to resolve chargebacks or refunds) |
| Transaction records (attempts, Task completions, charges) | Seven (7) years, to satisfy US tax and accounting retention obligations |
| Acceptance records (version, timestamp, IP, user agent) | While your account is active, plus up to 7 years after account closure |
| Support communications | Up to 3 years after the last interaction |
| Application logs | Up to 90 days, except where retention is necessary for fraud or legal-compliance investigations |
When the retention period ends, we delete or anonymize the personal data, except where retention is necessary to comply with a legal obligation.
8. Roles: when PayAttention is controller and when we are processor
For most of the personal data described in this notice, PayAttention acts as an independent controller — meaning we determine the purposes and means of processing.
For certain data we process on behalf of a Merchant (for example, the Merchant-side identifier the Merchant transmits to enable access grant or revocation), the Merchant is the controller and PayAttention is the processor. Our obligations as processor are governed by the Merchant Data Processing Addendum, not by this notice.
If you wish to exercise rights over data that the Merchant controls, please contact the Merchant directly. We will assist the Merchant in responding to such requests in accordance with our Data Processing Addendum.
9. Cookies and similar technologies
The PayAttention website and checkout use cookies and similar technologies for purposes including authentication, security, abuse prevention, and limited analytics. For details and to manage your preferences, see our Cookie Notice at https://payattention.now/cookies.
10. Children
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from individuals under 18. If you believe a person under 18 has provided us personal data, please contact ilove@payattention.now and we will take appropriate action, including deletion.
11. Your rights
The rights you have depend on where you live. We do not discriminate against you for exercising your rights.
11.1 European Economic Area and United Kingdom
If you are located in the EEA or the UK, you have the following rights under the GDPR or the UK GDPR:
- Access: obtain a copy of your personal data.
- Rectification: have inaccurate personal data corrected.
- Erasure: request deletion in certain circumstances.
- Restriction: ask us to limit processing in certain circumstances.
- Portability: receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
- Objection: object to processing based on our legitimate interests, including profiling for fraud-prevention purposes; we will balance our interests against your rights and freedoms.
- Withdraw consent: where processing is based on consent, you may withdraw at any time without affecting prior processing.
- Lodge a complaint with your local supervisory authority. Our lead supervisory authority for EEA matters is the Irish Data Protection Commission.
To exercise these rights, contact us at ilove@payattention.now. We will respond within one (1) month of receipt of your request. We may extend this period by an additional two (2) months for complex requests, with notice to you.
11.2 California residents
If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA: the right to know, to delete, to correct, to opt out of sale or sharing (we do not sell or share), to limit use of sensitive personal information (we do not use it beyond providing the Service), and to non-discrimination. To exercise these rights, contact us at ilove@payattention.now; we will verify your identity before responding.
Categories of personal information collected and disclosed by PayAttention in the 12 months preceding the Effective Date are summarized below.
| CCPA category | Collected / Disclosed |
|---|---|
| Identifiers (name, email, account identifier, IP address, device identifier) | Collected. Disclosed to service providers and to Merchants for access management. |
| Customer records (account credentials, payment-method tokens) | Collected. Disclosed to service providers. |
| Commercial information (Task selections and completions, charges) | Collected. Disclosed to service providers, Merchants, and Advertisers (for verification). |
| Internet or electronic network activity (page views, actions on PayAttention) | Collected. Disclosed to service providers. |
| Geolocation (approximate, derived from IP) | Collected. Disclosed to service providers. |
| Inferences (fraud-risk signals) | Collected for fraud prevention. Not disclosed except to service providers acting on our behalf. |
PayAttention did not sell or share any personal information in the 12 months preceding the Effective Date, as those terms are defined by the CCPA. You may designate an authorized agent to make a request on your behalf; we will require written authorization signed by you and may verify the request directly with you.
11.3 Korean residents
If you are a resident of the Republic of Korea, you have the following rights under the Personal Information Protection Act (PIPA): to be notified of processing, to access your personal information, to request correction or deletion, to request suspension of processing, and to withdraw consent. To exercise these rights, contact us at ilove@payattention.now.
Our person in charge of personal-information protection for PIPA purposes is: Andrei Monastyrskiy, Founder, ilove@payattention.now. PIPA-required disclosures are set out in this notice as follows: purposes (Section 4), items collected (Section 3), retention and use period (Section 7), destruction method (Section 7), third-party provision (Section 5), entrustment/outsourcing (Section 5.1), and cross-border transfer (Section 6). If you have a complaint about our PIPA compliance, you may also contact the Personal Information Protection Commission of the Republic of Korea at https://www.pipc.go.kr.
11.4 Other jurisdictions
If applicable law in your jurisdiction provides you with privacy rights similar to those above, you may exercise them by contacting ilove@payattention.now.
12. Automated decision-making and profiling
We use automated systems for fraud prevention, including device fingerprinting, IP and network checks, and behavioral signals. These systems may flag attempts as suspicious for human review. We do not use solely-automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the GDPR; suspicious activity is reviewed by a human before any consequential action is taken on your account.
13. Security
We use technical and organizational measures designed to protect your personal data. These include encryption in transit (TLS) and at rest, access controls based on least privilege, multi-factor authentication for administrative access, logging and monitoring, vendor management, and personnel training. A summary of our information-security program is available to partners and on reasonable request at ilove@payattention.now. No system is perfectly secure. If you have a security concern, please contact ilove@payattention.now.
14. Changes to this notice
We may update this notice from time to time. Material changes will be communicated by email and by posting an updated version with a new Effective Date. The Effective Date at the top of this notice indicates when it was last updated. Previous versions are available on request.
15. Contact and supervisory authorities
For any question, or to exercise your rights, contact us at iove@payattention.now or by mail at: PayAttentionPay, Inc., 1111B S Governors Ave #41704, Dover, DE 19904, USA.
You may also contact the supervisory authority in your jurisdiction:
- EEA: any national data protection authority. Our lead supervisory authority is the Irish Data Protection Commission, https://www.dataprotection.ie.
- United Kingdom: Information Commissioner’s Office, https://ico.org.uk.
- California: California Attorney General, https://oag.ca.gov; California Privacy Protection Agency, https://cppa.ca.gov.
- Republic of Korea: Personal Information Protection Commission, https://www.pipc.go.kr.
Issued by PayAttentionPay, Inc., a Delaware corporation. Registered office: 1111B S Governors Ave #41704, Dover, DE 19904, USA. EIN: 35-2959981.