Legal Document

Privacy Policy

Last updated: April 15, 2026

This Privacy Policy explains how F&FPayMe collects, uses, and protects your personal information. We are committed to keeping your data safe and being transparent.

1 Who We Are

F&FPayMe ("we", "us", "our") is the operator of the F&FPayMe software platform, accessible at ffpayme.com and related subdomains. For the purposes of the GDPR, F&FPayMe acts as the data controller for personal data you provide to us when creating an account or using the Platform.

2 Data We Collect

We collect the following categories of personal data:

2.1 Account Data

  • Full name and email address (registration or Google OAuth).
  • Password (stored as a cryptographic hash — we never see your plaintext password).
  • PayPal email address (if you link a personal PayPal account).
  • Profile photo (optional, if uploaded).
  • Username, Discord username, Telegram username (optional).
  • Preferred language and currency.

2.2 Configuration & Integration Data

  • Webhook URLs and Discord webhook URLs you configure.
  • API keys generated for your account (stored securely).
  • Gateway customization settings (colors, logos, background images).
  • Cryptocurrency wallet addresses (if provided as a Holder payout method).

2.3 Transaction & Payment Data

  • Payment references, amounts, currencies, statuses, and timestamps.
  • Payment metadata provided by you (e.g., customer notes, order IDs).
  • Holder payout records, blockchain transaction hashes, and payout amounts.

2.4 Technical & Usage Data

  • IP address and approximate geographic location (for security and fraud prevention).
  • Browser type, device type, and operating system.
  • Pages visited and actions taken within the Platform (access logs).
  • Session identifiers and authentication tokens.

2.5 Data We Do Not Collect

  • We do not collect full payment card numbers or banking credentials.
  • We do not access the content of your PayPal account beyond what is received via our notification integration (payment email parsing).

3 How We Use Your Data

Purpose | Legal Basis (GDPR)
Provide and maintain the Platform | Contract performance (Art. 6(1)(b))
Process payment notifications and send alerts | Contract performance (Art. 6(1)(b))
Manage your subscription and billing | Contract performance (Art. 6(1)(b))
Fraud detection and security monitoring | Legitimate interests (Art. 6(1)(f))
Compliance with legal obligations | Legal obligation (Art. 6(1)(c))
Improve the Platform (anonymised analytics) | Legitimate interests (Art. 6(1)(f))
Send service communications and updates | Contract performance / Legitimate interests

4 Data Sharing & Third Parties

We do not sell your personal data. We may share it with the following categories of third parties, strictly for the purposes described:

  • Hosting & Infrastructure providers — cloud servers and database hosting on which the Platform runs.
  • Email service providers — to deliver transactional emails (payment notifications, account alerts).
  • Queue & cache infrastructure (Redis) — for background job processing. Data is transient and not persisted permanently.
  • Holders — if you activate the Holder Network, your PayPal email, payout wallet address, and payment history relevant to the Holder are shared with your chosen Holder for operational purposes.
  • Law enforcement / regulatory authorities — when required by applicable law, valid legal process, or to protect our legal rights.

All third-party processors are contractually required to handle data securely and in accordance with applicable privacy law.

5 Data Retention

  • Account data is retained for the duration of your account. When you close your account, we will delete or anonymise your personal data within 90 days, unless a longer retention period is required by law.
  • Payment and transaction records may be retained for up to 7 years after creation to comply with financial record-keeping obligations.
  • Access logs (IP, browser) are retained for up to 12 months for security purposes.
  • Support communications are retained for up to 3 years.

6 Cookies & Tracking

F&FPayMe uses the following types of cookies and local storage:

  • Session cookies — strictly necessary for authentication and maintaining your session. Cannot be disabled without breaking the service.
  • CSRF tokens — strictly necessary for security (preventing cross-site request forgery).
  • Preference storage (localStorage) — stores your theme preference (dark/light mode) and language choice. These do not contain personal data and are stored locally on your device.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies that track you across other websites.

7 Your Rights (GDPR)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.

Right to Restriction

Request that we restrict processing of your data in certain circumstances.

Right to Data Portability

Request your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests.

To exercise any of these rights, please contact us through our support channels. We will respond within 30 days. If you believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority (e.g., AEPD in Spain, CNIL in France, ICO in the UK).

8 Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

  • Encryption of data in transit (TLS/HTTPS).
  • Passwords stored as bcrypt hashes.
  • API keys obscured after initial display.
  • Email verification for new accounts.
  • Rate limiting on authentication and API endpoints.
  • Restricted access to production systems.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law (within 72 hours where required under GDPR).

9 International Data Transfers

Your data may be processed in countries other than your country of residence, including countries outside the EEA. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or we transfer only to countries that have been deemed to provide an adequate level of protection.

10 Children's Privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18 without parental consent, we will take steps to delete that information promptly.

11 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated date and, where appropriate, by email. Your continued use of the Platform after the effective date of any change constitutes acceptance of the updated policy.

12 Contact & Data Protection

For any questions, requests related to your personal data rights, or data protection concerns, please contact us through our support channels: