⚠️ Draft — pending legal review
This document has not yet been reviewed by counsel. It is published here for review purposes only and is not the final form of this Privacy Policy.
1. Who We Are
This Privacy Policy describes how Zaptrain ("we," "us," or "our") collects, uses, and shares information about you when you use our services, including the website at zaptrain.com, the merchant dashboard, the public REST API, the MCP integration, and any related services (collectively, the "Service").
2. Information We Collect
2.1 Information you provide directly
- Account information: your name, email address, and authentication identifiers from sign-in providers (such as Google or GitHub).
- Merchant profile: business name, brand color, logo, default invoice memo, and other branding details you choose to provide.
- Customer records: names and email addresses of customers you invoice. You are responsible for ensuring you have a lawful basis to share this information with us.
- Invoice content: line items, descriptions, amounts, currencies, and any optional notes you include.
- Lexe wallet credentials: an encrypted copy of the client credentials you generate in your Lexe wallet. These are stored in encrypted form using authenticated encryption (AES-256-GCM) and are decrypted only as needed to generate invoices or check payment status on your behalf.
- Support correspondence: messages you send to us via email or other channels.
2.2 Information we collect automatically
- Usage and device data: IP address, browser type, operating system, pages viewed, referring URLs, timestamps, and similar telemetry.
- API usage: requests made via our public API or MCP integration, including endpoint, response status, and timing.
- Cookies and similar technologies: session cookies for authentication and operational cookies necessary to provide the Service. We do not use advertising cookies.
2.3 Information we receive from third parties
- Lexe wallet activity: payment status updates delivered by your configured Lexe wallet via webhooks or polling.
- Authentication providers: profile information disclosed to us when you sign in via Google, GitHub, or similar providers, in accordance with the permissions you grant.
3. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service;
- Generate Lightning invoices, track payments, and send notifications on your behalf;
- Authenticate you and protect your account;
- Communicate with you about your account, transactions, security, and updates;
- Investigate and prevent fraud, abuse, security incidents, and violations of our Terms of Service;
- Comply with applicable laws, legal process, and lawful requests from authorities;
- Improve the Service through internal analytics; and
- Fulfill any other purpose disclosed to you at the time of collection or with your consent.
4. Third-Party Processors
We share information with the following categories of service providers strictly to operate the Service. These providers process data on our behalf under contractual obligations of confidentiality and data protection:
- Lexe — Lightning wallet infrastructure used to generate invoices and receive payments on your behalf.
- Supabase — database hosting and user authentication.
- Vercel — application hosting and content delivery.
- Resend — transactional email delivery (invoice notifications, receipts).
- Fly.io — sidecar service hosting.
We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes.
5. Legal Bases for Processing (EU/UK Users)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the General Data Protection Regulation (GDPR) and the UK GDPR:
- Performance of a contract — to provide the Service you have requested;
- Legitimate interests — to operate, secure, and improve the Service, where these interests are not overridden by your rights;
- Legal obligation — to comply with applicable laws;
- Consent — where we ask for and you give us explicit consent for a specific purpose.
6. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Access — request a copy of the personal information we hold about you;
- Correction — request that we correct inaccurate or incomplete information;
- Deletion — request that we delete your personal information, subject to our legal and operational retention obligations;
- Portability — request a machine-readable copy of certain information you provided;
- Restriction or objection — restrict or object to certain processing;
- Withdrawal of consent — where processing is based on consent, withdraw that consent at any time.
California residents have additional rights under the California Consumer Privacy Act, including the right to know what categories of personal information we collect, the right to delete, the right to opt out of any "sale" or "sharing" (we do not sell or share personal information for cross-context behavioral advertising), and the right to non-discrimination for exercising these rights.
To exercise any of these rights, email privacy@zaptrain.com. We may need to verify your identity before responding.
7. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. When information is no longer needed, we delete or anonymize it within a reasonable period.
8. Security
We use industry-standard technical and organizational measures to protect the information we collect, including TLS in transit, authenticated encryption at rest for sensitive credentials, access controls, and audit logging. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.
9. International Data Transfers
We and our service providers may process information in countries other than your own, including the United States. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses to protect data transferred internationally.
10. Children's Privacy
The Service is not directed to children under the age of 18 (or any higher age threshold required by applicable law), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by prominent notice in the Service before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.