Privacy Policy

Digipae is a mobile payments and digital identity application operated by Ceivis LLC, a Missouri limited liability company ("Ceivis," "Digipae," "we," "us," or "our"). Our registered address is 11628 Old Ballas Rd Ste 345, St. Louis, MO 63141.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Digipae mobile application, our websites at digipae.com, our business dashboard, our application programming interfaces (APIs), and related services (collectively, the "Service").

By using Digipae, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service. This policy applies to consumers and to individuals who use the Service on behalf of a business (for example, business owners and authorized team members).

2.1 Information You Provide Directly

• Account information: Mobile phone number, full name, email address, date of birth, and home address
• Identity verification data: Government-issued ID (driver's license, passport, state ID), Social Security Number (or last 4 digits), and a selfie/facial image submitted for identity verification (see Section 3)
• Financial information: Bank account details (via Plaid), debit/credit card numbers (tokenized via Stripe), payment history, wallet balance, payout destinations, and transaction records
• Business information (merchants): Legal business name, EIN/tax identification, beneficial ownership information, business address, and authorized representative details collected to comply with our customer due diligence obligations
• Communications: Support tickets, messages, call records, and feedback you send to us
• Profile information: Username, payment-link preferences, and notification settings

2.2 Information Collected Automatically

• Device information: Device type, operating system, unique device identifiers, and push notification tokens
• Usage data: Screens visited, features used, transaction timestamps, and session duration
• Location data: Approximate location (city/region level) for fraud detection — we do not collect precise GPS location
• Log and diagnostic data: IP address, crash data, and performance data collected via our error-monitoring provider
• Cookies and similar technologies on our websites and dashboard (see Section 6)

2.3 Information from Third Parties

• Identity verification & screening: Verification results, document authenticity signals, and watchlist/sanctions screening data from our identity-verification provider (Socure Inc.)
• Bank account connectivity: Account ownership, account/routing numbers, balances, and transaction data you authorize us to access through Plaid Inc.
• Payment processing: Payment status, card verification, and fraud signals from Stripe Inc.
• Authentication: Phone number verification via Firebase (Google LLC)

2.4 Sensitive Personal Information

Digipae collects certain categories of sensitive personal information including government identification numbers, financial account details, precise account credentials, and biometric data used for identity verification. We collect this data only as necessary to provide the Service and to comply with legal obligations. We do not use or disclose sensitive personal information for advertising, marketing, or for purposes other than those permitted under applicable law.

3.1 What We Collect and Why

To verify your identity, prevent fraud, and comply with federal Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) obligations, we collect a photograph of your face (a "selfie") and may generate a biometric identifier or biometric information from that image and from your government-issued ID — such as a facial geometry scan used to confirm that the person presenting the ID is its rightful holder ("Biometric Data"). This processing is performed by our identity-verification provider (Socure) on our behalf.

3.2 Your Consent

Before we collect Biometric Data, the app presents a consent screen disclosing that Biometric Data is being collected, the specific purpose, and the length of time it will be stored and used. We collect, store, and use your Biometric Data only after you provide informed written consent (including electronic consent) through that screen. You are not required to consent, but identity verification cannot be completed without it, and the Service cannot be provided without identity verification.

3.3 Retention & Destruction Schedule

We retain Biometric Data only as long as reasonably necessary to fulfill the purpose for which it was collected, and we permanently destroy it on the earlier of: (a) when the initial purpose for collection has been satisfied; or (b) within three (3) years of your last interaction with the Service — except where a longer period is required to comply with our legal, regulatory, or recordkeeping obligations (for example, retention of the verification record itself, separate from the underlying biometric template).

3.4 No Sale and Limited Disclosure

We do not sell, lease, trade, or otherwise profit from your Biometric Data, and we do not disclose it except: to our identity-verification provider to perform the verification; as required by law, subpoena, or warrant; or with your express consent.

We do not sell your personal information. We do not use your personal data for targeted or cross-context behavioral advertising. We do not share your financial information for marketing purposes.

As a financial institution under the Gramm-Leach-Bliley Act, we provide the following notice describing what we do with your nonpublic personal information. This notice is provided when you open an account and annually thereafter where required.

To limit the sharing we describe as "Limited" above, email privacy@digipae.com. If you are a new customer, we can begin sharing your information 30 days from the date we sent this notice; you can contact us at any time to limit our sharing.

Our websites and business dashboard use cookies and similar technologies. The Digipae mobile app does not use third-party advertising cookies.

• Strictly necessary: Required for sign-in, session security, and fraud prevention. These cannot be disabled.
• Functional: Remember preferences such as theme and language.
• Analytics: Help us understand aggregate, de-identified usage to improve the Service.

You can control cookies through your browser settings. We honor opt-out preference signals, including the Global Privacy Control (GPC), as a valid request to opt out of any "sale" or "sharing" of personal information in jurisdictions that recognize such signals. We do not currently use cookies for cross-context behavioral advertising.

We share your personal information only in the following circumstances:

7.1 Service Providers (Sub-Processors)

We engage trusted third parties to operate the Service. All service providers are bound by data-processing agreements and must protect your data to the standard required by this policy and applicable law.

Plaid: When you link a bank account, you authorize Plaid to access account information from your financial institution on your behalf. Plaid's handling of your data is governed by Plaid's own end-user privacy policy, available at plaid.com/legal.

7.2 Legal & Regulatory Requirements

We may disclose your information when required or permitted by law, including:

• Compliance with the Bank Secrecy Act (BSA) and Anti-Money-Laundering (AML) regulations
• Suspicious Activity Reports (SARs) filed with FinCEN, which by law we cannot disclose to you
• Currency Transaction Reports (CTRs) for qualifying transactions over $10,000
• Responses to valid court orders, subpoenas, warrants, or government requests
• OFAC sanctions screening and reporting obligations
• State money-transmission regulators and examinations

7.3 Business Transfers

In a merger, acquisition, financing, or sale of assets, your data may be transferred. We will notify you via email or prominent in-app notice before your data becomes subject to a different privacy policy.

7.4 With Your Consent

We may share your information for other purposes with your explicit consent, which you may withdraw at any time.

We use automated processes to verify identities, score transactions for fraud risk, and enforce transaction limits. These automated decisions can result in a transaction being delayed, declined, held for review, or an account being restricted, in order to protect you and the Service and to meet our legal obligations.

Where required by applicable law, you have the right to request information about the logic involved and to request human review of a decision that produces a legal or similarly significant effect. To request review, contact privacy@digipae.com. Note that certain anti-fraud and AML determinations cannot be overridden where doing so would conflict with our legal obligations.

We maintain an information security program with administrative, technical, and physical safeguards, including:

• Encryption at rest: Data stored in our database is encrypted using AES-256
• Encryption in transit: All communications use TLS 1.2 or higher
• Authentication: SMS one-time-passcode and device-bound sessions
• Payment security: Card data is handled by Stripe (PCI DSS Level 1) — we never store raw card numbers
• Transaction authorization: Payments require a PIN or biometric confirmation
• Access controls: Role-based access limits employee access to your data
• Audit logs: Sensitive operations are logged for security review
• Rate limiting: Sensitive endpoints are rate-limited to prevent abuse

9.1 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law, without unreasonable delay. Notification will be provided via email to your registered address and/or in-app notice.

10.1 Retention Periods

10.2 Account Deletion

You may request deletion of your account at any time through:

• In-app: Profile → Settings → Delete Account
• Email: privacy@digipae.com with subject "Account Deletion Request"
• Web: digipae.com/support

Upon a valid request, we remove your personal data from active systems within 30 days. However, certain transaction and identity records must be retained as required by federal financial regulations (BSA, AML) and state money-transmission law. Retained data is isolated from active systems and accessed only for compliance purposes.

Depending on your state of residence, you may have some or all of the following rights under comprehensive state privacy laws (including those in California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and other states with laws in effect):

• Right to know / access: Confirm whether we process your personal information and request a copy
• Right to correct: Request correction of inaccurate personal information
• Right to delete: Request deletion (subject to legal exceptions, such as required financial recordkeeping)
• Right to portability: Obtain a copy of your data in a portable, machine-readable format
• Right to opt out: Opt out of the sale of personal information, targeted advertising, and certain profiling (we do not sell data or use it for targeted advertising)
• Right to limit sensitive data: Limit use of sensitive personal information to what is necessary to provide the Service
• Right against discrimination: We will not discriminate against you for exercising your rights

11.1 How to Submit a Request

Submit a request by emailing privacy@digipae.com or through digipae.com/support. We will verify your identity before acting on your request and will respond within the timeframe required by your state's law (generally 45 days, extendable once where permitted). An authorized agent may submit a request on your behalf with proof of authorization.

11.2 Right to Appeal

If we decline your request and your state provides an appeal right (for example, Virginia, Colorado, Connecticut, Texas, Oregon, and Montana), you may appeal by replying to our decision or emailing privacy@digipae.com with the subject "Privacy Appeal." We will respond to your appeal within the period required by law. If your appeal is denied, you may contact your state Attorney General.

11.3 GLBA-Regulated Data

Personal information we collect and process subject to the GLBA may be exempt from certain state privacy-law requests. Where an exemption applies, we will still honor your rights to the extent the law requires.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights. Note that personal information collected, processed, or disclosed under the GLBA is exempt from the CCPA; the rights below apply to information not covered by that exemption.

12.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories:

• Identifiers (name, email, phone, IP address, device ID)
• Financial information (bank account via Plaid, card data via Stripe)
• Sensitive personal information (government ID, SSN, biometric data)
• Commercial information (transaction history, payment records)
• Internet activity (app/website usage, diagnostic logs)
• Geolocation data (approximate location for fraud detection)

12.2 Your California Rights

• Right to Know, Delete, and Correct your personal information (subject to legal exceptions)
• Right to Opt-Out of sale or sharing (we do not sell or share for cross-context behavioral advertising)
• Right to Limit Use of Sensitive Personal Information beyond necessary service purposes
• Right to Non-Discrimination for exercising your rights

12.3 Submitting a Request

Submit a verifiable consumer request at privacy@digipae.com or digipae.com/support. We respond within 45 days. California residents may designate an authorized agent with written proof of authorization. We also honor Global Privacy Control (GPC) signals.

We send text messages for one-time passcodes, account security alerts, and transaction-related notices. By providing your mobile number and using the Service, you consent to receive these messages, which are necessary to operate your account.

• Message frequency varies based on your account activity.
• Message and data rates may apply depending on your mobile carrier plan.
• Opt-out: Reply STOP to non-essential messages to unsubscribe; reply HELP for help. Note that disabling security and transaction messages may limit or prevent use of the Service.
• Carriers are not liable for delayed or undelivered messages.

We do not share mobile information with third parties or affiliates for their marketing or promotional purposes. Phone numbers are shared only with our messaging service providers to deliver the messages described above.

Digipae is not directed to anyone under 18. We do not knowingly collect personal information from anyone under 18. Age is verified during identity onboarding; users who cannot verify they are 18 or older are not permitted to use the Service. If you believe a minor has provided us information, contact privacy@digipae.com and we will delete it promptly.

Digipae is intended for use only in the United States, and our services are operated from the United States. We do not knowingly offer the Service to users outside the United States. If you access the Service from outside the United States, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your jurisdiction.

We may update this Privacy Policy to reflect changes in our practices or applicable law. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy
• Send an in-app notification to active users
• Send an email notification for significant changes
• Obtain your renewed consent where required by law

Continued use of the Service after changes become effective constitutes acceptance of the updated policy.

For privacy questions, requests, or concerns, contact us:

We aim to respond to privacy requests within 45 days. For urgent security concerns, email security@digipae.com directly.