Privacy Policy
Last updated: May 22, 2026 · Applies to merchants, dashboard users, and payer data processed on behalf of merchants.
Paymesh (“Company”, “we”, “us”) respects your privacy and is committed to handling personal data responsibly. This Privacy Policy explains what information we collect, how we use and share it, how long we retain it, and what rights you may have. It applies to our websites, merchant onboarding flows, dashboards, APIs, support interactions, and related services (collectively, the “Services”). Where we process personal data on behalf of a merchant in connection with payment transactions, the merchant typically acts as the data fiduciary toward the payer, and Paymesh may act as a data processor or trusted service provider depending on context and Applicable Law.
Information We Collect
We collect information that you provide directly, that is generated through your use of the Services, and that we receive from partners and service providers. Categories include:
- Identity and KYC data: legal name, date of birth where collected, PAN, GSTIN, incorporation documents, beneficial ownership details, authorised signatory identification, and photographs or scans submitted during onboarding.
- Contact and account data: business email addresses, telephone numbers, registered office and operational addresses, job titles, and escalation contact lists.
- Financial and transaction metadata: merchant identifiers, order references, amounts, currencies, payment instrument type, masked account identifiers, UPI virtual payment addresses where applicable, settlement records, refund and chargeback references, and reconciliation files. We do not store full primary account numbers or card verification values outside PCI DSS–scoped environments operated by certified partners.
- Technical and usage data: IP address, browser type, device identifiers, API request logs, sandbox and production key usage, authentication events, and security telemetry.
- Communications: support tickets, email correspondence, call notes where recorded with notice, and feedback submitted through forms.
- Marketing preferences: newsletter subscriptions, webinar attendance, and campaign attribution where you opt in.
We may also receive information from PSPs, acquirers, banks, fraud prevention services, identity verification vendors, and publicly available regulatory registers to verify merchant eligibility and monitor risk.
How We Use It
We use personal data for purposes that are necessary to operate the Services, comply with law, and protect our users and the payment ecosystem. Primary purposes include onboarding and underwriting merchants; enabling payment authorization, settlement, refunds, and payouts; providing dashboards, reporting, and webhooks; detecting and preventing fraud, abuse, and security incidents; providing customer support and service communications; improving product performance through aggregated analytics; enforcing our terms and policies; and responding to legal process and regulatory requests.
Where required, we rely on consent, for example for certain marketing communications or optional cookies. We may also process data to perform contracts with merchants, comply with legal obligations under RBI and AML frameworks, and pursue legitimate interests such as network security and product improvement, balanced against individual rights. Merchants are responsible for establishing their own lawful basis and notices when they collect payer personal data upstream of Paymesh.
Data Sharing
We share personal data only as needed to deliver the Services, meet legal requirements, or with your direction. Recipients may include PSPs, acquirers, card networks, NPCI ecosystem participants, cloud infrastructure providers, customer support tools, professional advisers, auditors, insurers, and successors in the event of a merger or acquisition subject to appropriate safeguards. We require processors to handle data under contractual confidentiality and security obligations consistent with this Policy.
We may disclose information when required by court order, regulatory directive, or lawful government request, or when we believe disclosure is necessary to protect rights, safety, and integrity of users and the public. We do not sell personal data. Aggregated or de-identified statistics that cannot reasonably identify individuals may be used for benchmarking and product insights.
Cross-border transfers, if any, occur only where permitted under Applicable Law and with appropriate safeguards such as standard contractual clauses or RBI-permitted mechanisms for categories subject to data localisation requirements.
DPDP Act 2023 Compliance
Paymesh aligns its privacy program with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and rules, notifications, and guidance issued thereunder as they become effective. Depending on your relationship with us, you may be a Data Principal, or your customers may be Data Principals while you remain the Data Fiduciary for payer-facing collection. We implement reasonable security safeguards, grievance redressal mechanisms, and data processing agreements with merchants and vendors as required.
We honour applicable Data Principal rights (including access, correction, erasure where not restricted by law, grievance escalation, and nomination of representatives) within timelines prescribed once fully operational under the DPDP framework. Where Paymesh processes data solely on a merchant’s instructions, we will assist the merchant in responding to valid requests to the extent contractually agreed and technically feasible. Our Data Protection Officer contact is listed below for privacy-specific inquiries and complaints prior to escalation to the Data Protection Board of India when constituted.
Retention
We retain personal data for as long as necessary to fulfil the purposes described in this Policy, unless a longer period is required or permitted by law. Transaction and settlement records are typically retained for periods consistent with RBI, tax, and AML record-keeping expectations, often including the settlement cycle plus additional years for disputes and audits. KYC records are retained in accordance with applicable AML directions. Technical logs may be retained for shorter rolling windows unless needed for security investigations. When retention periods expire, we delete or anonymize data using commercially reasonable methods, subject to backup latency and legal holds.
Security
We implement administrative, technical, and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit using industry-standard TLS, access controls and role segregation for production systems, monitoring and alerting for anomalous activity, secure development practices, and periodic review of vendor security posture. No method of transmission or storage is completely secure; you are responsible for safeguarding credentials on your side and promptly reporting suspected compromise to support@paymesh.in.
In the event of a personal data breach likely to affect rights of Data Principals, we will notify affected parties and authorities as required by the DPDP Act and other Applicable Law, and cooperate with merchants to meet their notification obligations toward payers where appropriate.
Cookies
Our marketing websites and dashboards may use cookies and similar technologies to maintain sessions, remember preferences, measure traffic, and improve user experience. Essential cookies are necessary for authentication and security. Optional analytics or preference cookies, where used, will be presented through consent mechanisms as required by law. You may adjust browser settings to refuse cookies, though some features may not function correctly. API integrations do not rely on browser cookies for server-to-server Transaction processing. For more detail on specific cookies, contact our privacy team or review in-product notices when available.
Your Rights
Depending on your role and Applicable Law, you may have rights to access personal data we hold about you, request correction of inaccurate data, request erasure subject to legal exceptions, withdraw consent where processing is consent-based, restrict certain processing, and lodge a grievance with us before approaching regulators. Merchants should direct payer rights requests received from their customers through their own privacy programs; Paymesh will support merchants as described in data processing terms.
To exercise rights, submit a verifiable request to the contact below. We may need to confirm identity before responding. We aim to respond within reasonable timelines aligned with regulatory expectations once fully specified under the DPDP framework.
Contact DPO
For privacy questions, Data Principal requests, or complaints regarding this Policy, contact our Data Protection Officer:
- Data Protection Officer - Paymesh
- ops@paymesh.in
- General support: support@paymesh.in
- India
We may update this Privacy Policy from time to time. Material changes will be communicated via email or dashboard notice. Continued use of the Services after the effective date constitutes acknowledgement where permitted by law.