Global Merchant Privacy Policy
Paystack (“Paystack”, “Company”, “we”, “us” or “our”) offers an online payment platform that makes it easy for Merchants to accept electronic payments from their Customers. Paystack values the privacy of Merchants who use our website and all related sites, applications, Dashboard, services and tools (collectively, our “Services”). This Privacy Policy describes how we collect, use, store, share, and protect personal data from Merchants who engage with our Services.
The Services are primarily intended for and provided to businesses and other organisations (“Merchants”), and not individual consumers. Thus, we generally process personal data at the direction of and on behalf of Merchants. When we do, we do so as a service provider or a “data processor” to those Merchants, but we do not control and are not responsible for the privacy practices of those Merchants. If you are a Customer of a Paystack Merchant, you should read that Merchant’s privacy policy and direct any privacy inquiries to that Merchant.
This Privacy Policy does not apply to services that are not owned or controlled by Paystack, including third-party websites and the services of other Paystack Merchants. This Privacy Policy applies to all forms of systems, operations and processes within the Paystack environment that involve the processing of personal data. Paystack is a Stripe company; for more information about Stripe’s privacy practices, see the Stripe Privacy Policy https://stripe.com/gb/privacy.
When you use or access our Services, we collect, use, and share your personal data as explained in this Privacy Policy. Your use of our Services is also governed by our Terms of Use. If you disagree with the Terms of Use or are unable to comply with them, your account will be disabled, and you will be unable to access or use the Paystack platform. Additionally, if you close your Paystack account, you will lose access to merchant services, and we will securely store your transactional history and KYC details in compliance with all applicable laws and regulations.
1. The Information We Collect
The personal data we collect depends on how you interact with us, the services you use, and the choices you make. We may collect information from various sources and in different ways, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other sources.
1.1 Personal Data You Provide Directly
We collect personal data you provide to us. For example:
Contact information: To gain full access to our website and services, you must register for a Paystack account. When you register for an account, we collect personal data that you voluntarily provide to us to complete the Know Your Customer (KYC) process (e.g. email address, bank details, name, and telephone number).
Payment Information: When you make a purchase or other financial transaction, we collect your credit card numbers, financial account information, and other payment details.
Communications: If you contact us directly, for example with an inquiry or a support request, we may receive additional personal data about you, including your email address and the content of your communications.
1.2 Personal Data We Collect Automatically
Device Information: We receive information about the device and software you use to access our Services, including internet protocol (IP) address, web browser type, operating system version, and device identifiers.
Usage Information: To help us understand how you use our Services, including the Demo portion of our website, and to help us improve them, we automatically receive information about your interactions with our Services. This information includes records of your transactions and information about your other activities related to our services, such as date and time of your sessions, the pages you view, links to/from any page, and time spent in a session. Some of the data we gather through the use of cookies and similar technologies is discussed below.
Location Information: When you use our Services, we may collect or infer your general location information. For example, your IP address may indicate your general geographic region.
1.3 Personal Data That We Receive from Others or Infer
Partners: Where required to enhance your profile, we collect additional personal data about you from third parties and other identification and verification services, such as your financial institution and payment processor. We combine that data with other information we have about you.
Publicly available sources: Public sources of information, such as open government databases.
Inferences: We infer additional Personal Data from the Personal Data described above. For example, we infer the interests of our website visitors based on the web pages they view.
When you are asked to provide personal data, you have the option to decline. You may use a web browser or operating system controls to prevent certain types of automatic data collection. However, if you choose not to provide or allow the necessary information for certain services or features, those services or features may not be available or fully functional.
2. How We Use Personal Data
We use the personal information we collect to:
Provide you with the required services in addition to related products and services of interest
Respond to your questions or requests
Improve features, website content, and analyse data to develop products and services
Address the inappropriate use of our website
Prevent, detect and manage risk against fraud and illegal activities using internal and third party screening tools
Send you marketing content, newsletters and service updates curated by Paystack; however, we will provide you with an option to unsubscribe if you do not want to hear from us
Target advertisements to you based on your visits to our website
Verify your identity and the information you provide in line with Paystack’s statutory obligations using internal and third party tools
Maintain up-to-date records of Merchants
Resolve disputes that may arise, including investigations by law enforcement or regulatory bodies
Contact you to offer support with onboarding, assist with troubleshooting issues preventing transactions, or address incomplete account setups
Conduct surveys to understand your needs and preferences, and to gather feedback on our services
Generate insights and analytics to understand trends, optimise our operations, and enhance service delivery
Any other purpose that we disclose to you in the course of providing Paystack services to you
3. How We Share The Personal Data You Provide
Paystack does not sell, trade or rent personal data to anyone. Further, we will not share or disclose your personal data with a third party without your permission or notice, except as necessary to provide the Services or as described in this Privacy Policy.
Service providers: We share personal data with vendors or agents working on our behalf for the purposes described in this policy. For example, companies we have hired to provide customer service support, to assist in protecting and securing our systems and services, or to perform sanctions screening and identity verification services may need access to personal data to provide those functions. The processing by such third parties shall be governed by a written contract with Paystack to ensure adequate protection and security measures are put in place for the protection of personal data in accordance with the terms of this Privacy Policy.
Financial services & payment processing: When you provide payment data, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.
Affiliates: We enable access to personal data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is necessary to provide our services and operate our business.
Corporate transactions: Where required, we disclose personal data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
Legal and law enforcement: We may access, disclose, and preserve personal data in accordance with applicable law and when we believe it is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
Security, safety, and protecting rights: We will disclose personal data if we believe it is necessary to:
protect our merchants and others, for example, to prevent fraud, or to help prevent the loss of life or serious injury to anyone;
operate and maintain the security of our services, including preventing or stopping an attack on our computer systems or networks; or
protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.
Third party analytics and advertising companies also collect personal data through our website and apps, including marketing and communications data, demographic data, content and files, geolocation data, usage data, and inferences associated with identifiers and device information (such as cookie IDs, device IDs, and IP address) as described in the Cookies section of this statement. These third party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.
Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide personal data to any of these third parties, or allow us to share personal data with them, that data is governed by their privacy policies.
Finally, we may share de-identified information in accordance with applicable law.
The businesses and individuals you transact with on our platform maintain their own privacy policies. While our Terms of Use restrict them from using your information beyond what you have authorised, Paystack is not responsible for their data protection practices or actions. If you share your personal data directly with these third parties or permit us to share your data with them, their privacy policies will govern how they handle that information.
4. Tracking Technologies (Cookies and Pixels)
Cookies are small text files stored on your device when you visit a website. They enable the site to remember your actions and preferences over time. When you visit our Website (https://paystack.com/), we use cookies to remember Users and make your user experience easier. We collect information such as your IP address, device identifier, browser type, operating system, information about your website use, and data regarding network-connected hardware (e.g., a computer or mobile device) to provide customised services, content and advertising; ensure your account security is not compromised; mitigate risk; promote trust and safety on our website amongst others.
Cookies do not typically contain any information that personally identifies a user. However, the personal information we store about You may be linked to the information stored in and obtained from Cookies.
For more information on the specific types of cookies used on our Website, please see our Cookies Table.
Many internet browsers are initially set up to accept cookies automatically. Unless you have adjusted your browser settings to refuse cookies, our system will issue cookies when you direct your browser to our Website. You can refuse to accept cookies by activating the appropriate settings in your browser. However, please note that disabling cookies that are strictly necessary will likely affect our Website's functionality.
Depending on your browser, further information may be obtained via the following links:
Additionally, we use Google and Meta Pixels to better understand how visitors engage with our website and to improve the relevance of our content and marketing efforts. For example, Meta Pixel helps us measure the effectiveness of our adverts, optimise user experiences, and refine our services based on aggregated insights.
Pixels are not the same as cookies, but often rely on cookies to function. The Meta Pixel is a piece of JavaScript code that tracks user interactions with a website and connects those interactions to Meta ad campaigns. Google’s tracking pixel is a small, transparent image embedded in a website to track user activity, such as pages visited, to create more relevant ads for users. Paystack only uses Pixels to reach a relevant audience through targeted advertising, while respecting user privacy and complying with applicable laws. The Meta pixel is integrated with our Cookie banner script to ensure the pixel respects user cookie preferences, tracking only when the necessary consent has been obtained.
You can also prevent data collection by Meta Pixel by adjusting your preferences in our cookies banner. To opt out of Meta Pixel, log out of Facebook when not in use and adjust your “Off-Facebook Activity”. To prevent Google Pixel tracking, you can use browser and email settings to restrict external graphics and HTML emails. You can do this by blocking third-party cookies often used for tracking, activating the “Do Not Track” setting to alert websites not to track your activity, or installing browser extensions specifically designed to block trackers.
5. How We Protect Your Information
Paystack has established adequate technical and organisational controls to protect the integrity and confidentiality of your personal data, both in digital and physical format, whilst preventing personal data from being accidentally or deliberately compromised.
Paystack is committed to managing your personal data in line with best practices, evidenced by our ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certifications. We protect your personal data using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorised access, disclosure and alteration. We also use industry-recommended security protocols to safeguard your personal data. Other security safeguards include, but are not limited to, data encryption, firewalls, physical access controls to our building and files, and granting access to personal data only to employees who require it to fulfil their job responsibilities.
In compliance with the Payment Card Industry Data Security Standard (“PCI DSS Requirements”), we implement access control measures, security protocols and standards including the use of encryption and firewall technologies to ensure your card information is safe and secure in our servers. Additionally, we implement periodical security updates to ensure that our security infrastructures are in compliance with reasonable industry standards.
Two factor authentication (“2FA”) is an additional layer of security we have added to your account. When 2FA is enabled, you will be required to enter a One Time Password (OTP) (which is a verification code we have sent to you for authentication purposes), each time you checkout using Paystack on a merchant’s website or platform. While we encourage you to enable this feature on every transaction, you may choose to disable the 2FA feature after your initial enrolment by clicking on the toggle button to disable. However, if you choose to disable this feature, you agree that Paystack shall not be liable for any loss or damages incurred as a result of your action.
Personal Data Breach
At Paystack, we take the security of personal data seriously and have implemented measures to prevent data breaches from occurring. However, in the event of a data breach, we have established procedures for reporting and managing incidents concerning personal data or practices leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. You may contact our Data Protection Officer (DPO) upon becoming aware of any breach of personal data or if your access credentials have been compromised, to enable us to take the necessary steps towards ensuring the security of your personal data or account.
When we become aware of a data breach that affects personal data, we will notify the affected individuals and relevant authorities in accordance with applicable data protection laws and regulations. The notification will include the following information:
A description of the nature of the data breach, including the categories of personal data involved
The likely consequences of the data breach
The measures taken or proposed to be taken by Paystack to address the data breach, including any measures to mitigate its possible adverse effects
We will notify affected individuals without undue delay, but no later than 72 hours after becoming aware of the data breach, unless there are exceptional circumstances that prevent us from doing so. We will also keep a record of any data breaches and provide this information to the relevant authorities upon request.
We encourage all users and customers to take reasonable steps to protect their personal data, such as using strong passwords, regularly updating their account information, and reporting any suspicious activity to us immediately.
6. Storage Limitation
We will retain your information for the following periods:
As long as reasonably necessary for the purpose of providing our services to you
For the duration your account is active, and we have your permission
For the period needed to comply with our legal and statutory obligations
As needed to verify your information with a financial institution
Paystack is statutorily obliged to retain the data you provide in order to process transactions, ensure settlements, make refunds, identify fraud and comply with applicable laws and regulatory guidelines.
Therefore, even after closing your Paystack account, we will retain certain personal data and transaction data to comply with these obligations. Upon expiration of the applicable storage limitation periods, we will delete, erase, anonymise or pseudonymise any information we hold about you.
This Privacy Policy also applies when we retain your Personal Information after our relationship has come to an end. We may also retain your Personal Information for the duration of any period necessary to establish, exercise or defend any legal rights and may keep Personal Information indefinitely in a de-identified format for statistical purposes, which may include, for example, statistics of how you use the Services.
7. Transfer of Personal Data
As part of our service provision, we may rely on third-party servers located in foreign jurisdictions, which involves transferring your data to computers or servers in foreign countries. An example is Paystack’s use of AWS as a cloud storage solution, with servers in Ireland. We take steps to ensure that the data we collect under this Privacy Policy is processed and protected in accordance with the provisions of this Policy and applicable law, wherever the data is located.
At Paystack, we take the security of personal data seriously. When personal data needs to be transferred to a country outside of where a Merchant is based, we implement adequate measures to ensure the data remains secure. We comply with all relevant data protection regulations and guidelines to ensure that personal data is always protected. Specifically, we use contractual terms to ensure that the personal data is adequately protected or that the country to which the data is being transferred has adequate data protection laws in place. We take additional measures to ensure that the country to which the data is being transferred meets our standards for data protection. In all instances, we ensure we have a mechanism to facilitate the data transfer and comply with our requirements under the laws of the countries in which we operate.
Should you wish to transfer your personal data to a country deemed to have inadequate data protection laws, Paystack will take all necessary steps to ensure that it is transferred under relevant, appropriate safeguards, and where relevant, with your informed consent, and that you are made aware of the risks associated with such a transfer. In all instances, Paystack will ensure that personal data is transmitted safely and securely. Details of the protection provided when your data is transferred abroad, as well as the basis for such transfers, will be provided to you upon request.
8. Grounds for Processing of Personal Information
Processing of personal data by Paystack shall be lawful if at least one of the following applies:
The Data Subject (Merchant or Merchant representative) has given consent to the processing of their personal data for one or more specific purposes;
The processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which Paystack is subject;
Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in Paystack; and
Processing is necessary for the purposes of the legitimate interests pursued by Paystack or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.
9. Choices and Rights
Merchants with personal data held by Paystack are entitled to the following rights:
Right to request and access any Personal Information collected and stored by Paystack. This right allows you to request a copy of the personal information that Paystack holds about you. To exercise this right, you can submit a request to the Data Protection Officer (DPO) or to our Data Subject Rights Team at [email protected];
Right to be informed regarding their personal data and any automated decision-making, including profiling. You have the right to object to the processing of your personal information, and to exercise this right, you can submit a request to the DPO or our Data Subject Rights Team;
Right to be informed about appropriate safeguards in place where data is transferred abroad;
Right to request that data undergoing automated decision making be moved to another Controller in a structured, commonly used electronic format (data portability);
Right to request rectification and modification of personal data which Paystack keeps;
Right to request the deletion of their data;
Right to revoke consent;
Right to object to direct marketing, and to request that Paystack restrict the processing of their information;
Right to restrict processing or object to the processing of personal data;
Absolute Right to object to direct marketing; and
Right to submit a complaint to a Supervisory Authority in your country.
Your request will be reviewed and answered by Paystack’s Data Protection Officer within a 30-day period upon receipt of the request. You may review your account settings and update your personal data directly or by contacting us.
10. Policy Violations
Our Services are all directed to people who are at least 18 years old.
We do not knowingly collect any “personal information” (as defined by applicable Data Protection Laws) from anyone under 18 years of age without valid parental consent. If we become aware that we have collected such personal information without parental consent, we will take reasonable steps to delete it as soon as possible.
We also comply with other age restrictions and requirements in accordance with applicable local laws.
11. Changes to This Privacy Policy
We may need to update, modify or amend our Privacy Policy as our technology evolves and as required by law. If we materially change the ways in which we use or share personal data previously collected from you through our Services, we will provide notice or obtain consent regarding such changes as may be required by law. The Privacy Policy will apply from the effective date provided on our website.
12. Changes to This Privacy Policy
Any violation of this Privacy Policy should be brought to the attention of the Data Protection Officer (details below) for appropriate sanctioning and treatment.
12. Contact Paystack’s Data Protection Officer (DPO)
If you have any questions relating to this Privacy Policy, complaints, or would like to find out more about exercising your data privacy rights, please reach out to our DPO via email at [email protected].
Effective Date: Friday, Jul 18, 2025