Privacy Policy

Last updated: April 27, 2026

Plain-English summary: we collect what we need to run the Service, never sell your data, and let you delete your account at any time. Card data goes straight to Square — it never touches our servers.

1. Who We Are

SugarPay.io ("SugarPay", "we", "us") is the controller of personal data we collect through the Service. Our contact for privacy matters is privacy@sugarpay.io.

2. Information We Collect

2.1 Information you provide

  • Account info: name, email, business name, password hash, plan.
  • Billing info: for paid plans, we collect billing address and a tokenized card reference. Full card numbers are stored by our PCI-certified payment-card vendor, not us.
  • Support content: messages you send to support, feedback, survey responses.

2.2 Information from Square

When you connect Square, we receive (with your consent and based on the OAuth scopes you grant): your Square merchant ID, locations, catalog items, customer records, invoices, orders, and payout metadata. We do not receive full card numbers, CVV, or PIN data — those remain with Square.

2.3 Information collected automatically

  • Device, browser type, IP address, time zone, and referrer.
  • Usage analytics (pages viewed, features used, errors).
  • Cookies and similar technologies — see our Cookie Policy.

3. How We Use Information

  • To provide, maintain, and improve the Service.
  • To process transactions and send transactional emails (invoices, receipts, account notices).
  • To prevent fraud, abuse, and security incidents.
  • To respond to support requests and communicate with you.
  • To send marketing emails (only if you opt in — you can unsubscribe anytime).
  • To comply with legal obligations and enforce our Terms.

4. Legal Bases (EEA / UK Users)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR/UK GDPR: contract performance (to provide the Service), legitimate interests (to secure and improve the Service), consent (for marketing and non-essential cookies — withdrawable at any time), and legal obligation (to keep records required by law).

5. How We Share Information

We do not sell or rent your personal data. We share it only:

  • With Square, to operate the integration you authorized.
  • With service providers (hosting, email delivery, analytics, customer support) who are bound by contractual confidentiality and data-protection obligations.
  • For legal reasons: to comply with law, respond to lawful requests, enforce our rights, or protect users.
  • Business transfers: in a merger, acquisition, or sale of assets, with notice to you.
  • With your consent for any other purpose.

6. International Transfers

We are based in the United States. Your data may be transferred to and processed in countries other than the one in which you reside. Where required, we use appropriate safeguards such as Standard Contractual Clauses.

7. Data Retention

We retain personal data for as long as your account is active and for a reasonable period afterward to comply with legal obligations (e.g., tax and audit), resolve disputes, and enforce our agreements. After that, data is deleted or anonymized.

8. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (right to erasure).
  • Object to or restrict certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent for processing based on consent.
  • Lodge a complaint with a supervisory authority.

To exercise these rights, email privacy@sugarpay.io. We will respond within the time required by applicable law.

8.1 California Residents (CCPA/CPRA)

California residents have rights to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.

9. Children

The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has given us personal data, contact us and we will delete it.

10. Security

We use industry-standard administrative, technical, and physical safeguards including TLS 1.2+ in transit, encryption at rest, principle-of-least-privilege access controls, and regular security review. No system is 100% secure, and we cannot guarantee absolute security.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email or in-product before they take effect.

12. Contact

Privacy questions, requests, or concerns: privacy@sugarpay.io.