Legal

Privacy Policy

Last updated: March 2026

This Privacy Policy describes how CevGate ("CevGate," "Company," "we," "us," or "our") collects, uses, shares, retains, and protects personal information in connection with the CevGate platform, website (www.cevgate.com), APIs, and related services (collectively, the "Services"). This Privacy Policy applies to our merchants ("Merchants"), their customers ("Customers"), and visitors to our website ("Visitors").

By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, do not use the Services.

1. Our Role in Data Processing

1.1. With Respect to Merchants: CevGate collects and processes personal information from Merchants to provide the Services, manage accounts, and comply with legal obligations. In this capacity, CevGate acts as the data controller (or "business" under CCPA) for Merchant personal information.

1.2. With Respect to Merchant Customers: When a Customer makes a purchase through a Merchant's hosted checkout page, CevGate processes Customer payment information solely to transmit it to the applicable Payment Processor for transaction authorization and processing. In this capacity, CevGate acts as a data processor (or "service provider" under CCPA) on behalf of the Merchant. CevGate does NOT use Customer personal information for its own marketing, profiling, or any purpose unrelated to providing the Services to the Merchant.

1.3. CevGate Is a Technology Provider. CevGate provides software-as-a-service technology. CevGate is NOT a bank, payment processor, or financial institution. Customer payment card data submitted through the Hosted Checkout Page is transmitted directly to the applicable Payment Processor; CevGate does not store full payment card numbers on its servers.

2. Information We Collect

2.1. Information Collected from Merchants

Account and Business Information:

  • Business legal name, DBA name, and business type
  • Business address, phone number, email, and website URL
  • Employer Identification Number (EIN) or Tax ID
  • Business formation documents (as requested)
  • Industry category and product/service descriptions

Principal/Owner Information:

  • Full legal name
  • Date of birth
  • Last four digits of Social Security Number (for identity verification)
  • Residential address
  • Phone number and email address
  • Government-issued ID (as requested for enhanced verification)

Financial Information:

  • Bank account and routing numbers (for fee debiting)
  • Credit or debit card information (for subscription billing)
  • Processing history and volume (if provided during onboarding)

Transaction Data:

  • Transaction amounts, dates, times, and statuses
  • Refund and chargeback records
  • Processing volume and velocity metrics

Technical and Usage Data:

  • IP address, browser type, device information, and operating system
  • Login timestamps and session duration
  • Pages viewed and features accessed within the dashboard
  • API call logs and webhook delivery records
  • Error logs and diagnostic data

2.2. Information Collected from Customers (on behalf of Merchants)

When a Customer completes a purchase through a Merchant's CevGate-hosted checkout page, we collect:

Payment Information:

  • Credit/debit card number, expiration date, and CVV (transmitted directly to Payment Processor — NOT stored by CevGate)
  • Billing name and billing address
  • Email address (if required by Merchant's checkout configuration)
  • Phone number (if required by Merchant's checkout configuration)

Transaction Information:

  • Transaction amount
  • Transaction date and time
  • Transaction status (approved, declined, refunded)
  • Tokenized card reference (for recurring billing, if applicable)

Device and Fraud Prevention Data:

  • IP address
  • Device fingerprint
  • Browser type and version
  • Geolocation (approximate, based on IP)
  • Behavioral signals used for fraud detection (e.g., typing patterns, mouse movements)

2.3. Information Collected from Website Visitors

  • IP address
  • Browser type and operating system
  • Pages viewed and referral source
  • Cookie identifiers and similar tracking technologies (see Section 8)

2.4. Information from Third Parties

We may receive information from:

  • Payment Processors (transaction statuses, chargeback notifications)
  • Identity verification services (KYC/KYB verification results)
  • Fraud prevention services (risk scores, watchlist screening results)
  • Publicly available sources (business registration databases, sanctions lists)

3. How We Use Information

3.1. Merchant Information

We use Merchant information to:

  • Provide the Services: Onboard Merchants, configure accounts, route transactions, generate reports, and operate the CevGate Platform
  • Billing: Process subscription fees, transaction fees, and other charges
  • Identity Verification: Verify Merchant identity and business legitimacy (KYC/KYB)
  • Risk Management: Monitor for fraud, suspicious activity, and compliance with this Agreement
  • Communications: Send service-related notifications, alerts, invoices, and support responses
  • Compliance: Comply with legal obligations, including anti-money laundering (AML), know-your-customer (KYC), tax reporting, and responses to legal process
  • Platform Improvement: Analyze usage patterns to improve the platform, fix bugs, and develop new features (using aggregated or de-identified data where possible)
  • Marketing: Send marketing communications about CevGate products, features, and promotions (Merchants may opt out at any time — see Section 7)

3.2. Customer Information (on behalf of Merchants)

We use Customer information exclusively to:

  • Process Transactions: Transmit payment data to the applicable Payment Processor for authorization and settlement
  • Fraud Prevention: Screen transactions for potential fraud using device fingerprinting, IP geolocation, velocity checks, and behavioral analysis
  • Dispute Resolution: Provide transaction records in response to chargebacks and disputes
  • Compliance: Comply with legal obligations, including responses to subpoenas, court orders, and regulatory inquiries

We do NOT use Customer information for CevGate's own marketing, advertising, profiling, or any purpose unrelated to providing the Services to the applicable Merchant.

3.3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing are:

  • Performance of a contract: Processing necessary to provide the Services
  • Legitimate interests: Fraud prevention, security, and platform improvement
  • Legal obligation: Compliance with AML, KYC, tax, and financial regulations
  • Consent: Marketing communications (where required by law)

4. How We Share Information

We share personal information only as described below. We do NOT sell personal information.

4.1. Payment Processors

We share transaction data and Customer payment information with Payment Processors (including acquiring banks) as necessary to process Transactions. This sharing is essential to the functioning of the Services. Payment Processors process this data pursuant to their own privacy policies and terms of service.

4.2. Card Networks

We share transaction data with Card Networks (Visa, Mastercard, American Express, Discover) as required by Card Network Rules, including for fraud reporting, chargeback resolution, and compliance programs (e.g., Mastercard BRAM).

4.3. Service Providers

We share information with third-party service providers who perform services on our behalf, including:

  • Cloud hosting and infrastructure (e.g., AWS, Google Cloud)
  • Email and communication services
  • Analytics and monitoring tools
  • Identity verification and KYC/KYB providers
  • Fraud screening and risk assessment providers
  • Customer support tools

All service providers are contractually obligated to use personal information only for the purposes of providing services to CevGate and to maintain appropriate security measures.

4.4. Legal and Regulatory Disclosures

We may disclose personal information when required by law, regulation, legal process, or governmental request, including:

  • Subpoenas, court orders, or search warrants
  • Requests from law enforcement, regulatory agencies, or tax authorities
  • Anti-money laundering (AML) reporting requirements, including Suspicious Activity Reports (SARs)
  • Card Network compliance requirements
  • Applicable tax and regulatory reporting requirements

4.5. Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of CevGate's assets, personal information may be transferred to the successor entity. We will provide notice of any such transfer and any choices you may have regarding your information.

4.6. With Consent

We may share personal information with other parties when we have your explicit consent to do so.

4.7. Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify any individual for purposes including industry analysis, benchmarking, research, and marketing. Such data is not considered personal information.

5. Data Retention

5.1. Merchant Data: We retain Merchant account information and transaction records for seven (7) years following account termination, as required by financial regulations, Card Network Rules, and CevGate's internal compliance and audit requirements.

5.2. Customer Payment Data: Full payment card numbers are NOT stored by CevGate. Tokenized card references are retained for as long as necessary for recurring billing and refund processing, and deleted upon Merchant account termination (subject to the retention period in Section 5.1 for transaction records).

5.3. Fraud Prevention Data: Device fingerprints, IP addresses, and behavioral fraud signals may be retained for up to three (3) years for fraud prevention and pattern analysis.

5.4. Website Visitor Data: Cookie data and analytics data are retained in accordance with our Cookie Policy (see Section 8).

5.5. Deletion Requests: To the extent required by applicable law, you may request deletion of your personal information (see Section 7). Deletion requests are subject to our legal obligations to retain certain records, including financial records, tax records, and records required by Card Network Rules.

6. Data Security

6.1. Security Measures. We implement and maintain commercially reasonable administrative, technical, and physical security measures to protect personal information, including:

  • Encryption in transit: All data transmitted between users and the CevGate Platform is encrypted using TLS 1.2 or higher
  • Encryption at rest: Sensitive data stored on our servers is encrypted using AES-256
  • Access controls: Role-based access controls limit employee access to personal information on a need-to-know basis
  • Authentication: Multi-factor authentication is available for Merchant dashboard access
  • Monitoring: Automated security monitoring, intrusion detection, and logging
  • Vulnerability management: Regular security assessments, penetration testing, and vulnerability scanning
  • PCI DSS: The Hosted Checkout Page is designed to meet PCI DSS SAQ A compliance requirements
  • Employee training: Personnel with access to personal information receive security and privacy training

6.2. No Guarantee. While we strive to protect personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach, we will comply with applicable breach notification laws.

6.3. Merchant Responsibility. Merchants are responsible for maintaining the security of their own systems, including their CevGate account credentials, API keys, and any systems that interact with the CevGate Platform.

7. Your Rights and Choices

7.1. All Users

  • Access: You may request access to the personal information we hold about you
  • Correction: You may request correction of inaccurate personal information
  • Marketing opt-out: You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or contacting us at support@cevgate.com
  • Account deletion: Merchants may request account deletion by contacting us, subject to our data retention obligations

7.2. California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share personal information.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, transaction completion, fraud prevention).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do NOT sell or share (for cross-context behavioral advertising) personal information. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Authorized Agent: You may designate an authorized agent to submit requests on your behalf, subject to identity verification.

To submit a CCPA request, contact us at support@cevgate.com. We will verify your identity before processing any request and respond within 45 days (extendable by an additional 45 days with notice).

CCPA Disclosures:

Category of PI Collected Sources Business Purpose Shared With
Identifiers (name, email, phone, address) Directly from you Account creation, billing, communications Payment Processors, service providers
Financial information (bank account, card info) Directly from you Billing, fee collection Payment Processors
Commercial information (transaction records) Generated through use Service delivery, reporting, compliance Payment Processors, Card Networks
Internet/electronic activity (IP, device, usage) Automatically collected Security, fraud prevention, analytics Service providers
Professional/employment info (business type, role) Directly from you Onboarding, account eligibility review Payment Processors
Sensitive PI (SSN last 4, government ID) Directly from you Identity verification (KYC) Identity verification providers

7.3. Other U.S. State Privacy Laws

If you are a resident of Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have similar rights under your state's privacy law, including the right to access, delete, and correct your personal information, and the right to opt out of targeted advertising (if applicable). Contact us at support@cevgate.com to exercise your rights.

7.4. EEA, UK, and Switzerland Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR), subject to legal retention obligations
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object to processing based on legitimate interests (Article 21 GDPR)
  • Right to withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint with your local data protection authority

To exercise these rights, contact us at support@cevgate.com.

International Transfers: If you are located outside the United States, your personal information may be transferred to and processed in the United States. We implement appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) where required.

8. Cookies and Tracking Technologies

8.1. Types of Cookies

Cookie Type Purpose Duration
Strictly Necessary Authentication, security, load balancing Session
Functional User preferences, language settings Up to 1 year
Analytics Platform usage, performance monitoring Up to 2 years
Marketing Email campaign tracking, attribution Up to 1 year

8.2. Third-Party Analytics: We may use analytics services such as Google Analytics, Mixpanel, or similar tools to analyze platform usage. These services may use cookies and similar technologies to collect and analyze usage data. You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on.

8.3. Do Not Track: Our website does not currently respond to "Do Not Track" browser signals. However, you can control cookies through your browser settings.

8.4. Cookie Management: You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Services.

9. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided personal information to us, contact us at support@cevgate.com.

10. Third-Party Links and Services

The Services may contain links to third-party websites, applications, or services, including Payment Processor dashboards and platforms. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify Merchants of material changes by email and/or by posting a notice on the CevGate website at least thirty (30) days before the effective date of the changes. Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy. The "Last Updated" date at the top of this Privacy Policy indicates when it was most recently revised.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint, contact us at:

CevGate
Email: support@cevgate.com

For CCPA-specific requests: support@cevgate.com
For GDPR-specific requests: support@cevgate.com

13. Supplemental Notices

13.1. Notice to Payment Processor Customers

If you are a customer making a purchase from a Merchant that uses CevGate's hosted checkout page, please note:

  • CevGate provides the checkout technology on behalf of the Merchant
  • Your purchase relationship is with the Merchant, not with CevGate
  • CevGate processes your payment information solely to transmit it to the Payment Processor for transaction processing
  • CevGate does NOT store your full credit/debit card number
  • For questions about your order, refunds, or products, contact the Merchant directly
  • For questions about how the Merchant uses your data, review the Merchant's privacy policy

13.2. Notice to California Residents — Financial Privacy

CevGate may be subject to the California Financial Information Privacy Act (CalFIPA). Pursuant to CalFIPA, we will not share your nonpublic personal financial information with nonaffiliated third parties, except as permitted by law (e.g., to process transactions, prevent fraud, or comply with legal requirements).