PRIVACY POLICY

Last Updated: September 30, 2025

1.SCOPE AND WHO WE ARE

This Privacy Policy explains how PAYNS, Inc., an Ohio corporation with its principal place of business at 4601A Lyman Drive, Hilliard, Ohio 43206 ("PAYNS," "we," "us," or "our"), collects, uses, discloses, and protects Personal Information when you access our public website, administrator and user portals, application programming interfaces (APIs), and related online services (collectively, the "Service").

This Policy applies to (i) visitors to our public-facing website and (ii) registered users who access the Service under an agreement with PAYNS or with a PAYNS customer (e.g., your employer).

Controller vs. Processor/Service Provider. For Personal Information in Customer Data that organizations (our customers) submit to and process through the Service (e.g., shipment identifiers, party names, addresses, and tracking events), we act as a processor/service provider and handle such data only to provide and secure the Service under our customer contracts and any applicable data processing addendum ("DPA"). For Personal Information that we collect directly from you (e.g., account, portal, support, and website analytics data), PAYNS is a controller/business.

If any term in this Policy conflicts with a signed agreement or DPA with a customer, that agreement or DPA governs to the extent of the conflict.

2.KEY TERMS

Personal Information (or PI) means information that identifies, relates to, describes, or could reasonably be linked with a particular individual or household. Customer Data means the data our customers and their authorized users submit to or generate within the Service. Aggregated/De‑identified Data means data that has been combined and/or de-identified so that it cannot reasonably identify an individual.

3.NOTICE AT COLLECTION (CALIFORNIA AND SIMILAR LAWS)

We collect the following categories of PI for the purposes listed below and retain it for the periods described in Section 10. We do not "sell" or "share" PI for cross‑context behavioral advertising, and we do not use or disclose Sensitive PI for purposes beyond those permitted by law.

  • Identifiers & Contact Data: name, business email, phone, username, account IDs.
  • Commercial/Service Use Data: feature usage, settings, admin actions.
  • Internet/Device Data: IP address, device type, browser/OS, cookies, log files.
  • Professional/Employment Data: employer, role, team/tenant association.
  • Geolocation (coarse): derived from IP address for security and localization.
  • Customer Data Elements: shipment references, party names/addresses, status updates (handled as processor/service provider).
  • Support Content: messages, attachments you send to support.

Primary Purposes: provide and secure the Service; account administration; troubleshoot and support; analytics to improve the Service; enforce terms and prevent abuse; legal compliance.

Your Choices: see Sections 9 and 11 for access, deletion, correction, opt‑out choices and cookie controls.

4.INFORMATION WE COLLECT

  • Information you provide directly: registration details; profile fields; content you submit; support tickets; survey responses.
  • Customer Data (processor/service provider role): shipment/tracking information and related operational data that your organization integrates or enters. We process this solely to provide, secure, maintain, and improve the Service and related features.
  • Automatically collected information: log files; IP address; device and browser metadata; session activity; diagnostic and performance data; approximate location from IP.
  • Cookies and similar technologies: small files placed on your device to operate core features (authentication, security), remember preferences, and perform analytics. See Section 8 (Cookies).
  • Information from third parties: carriers and logistics platforms (per your or your organization's configuration), identity providers (e.g., SSO), and service providers who help us operate the Service.
  • Payment Information (if applicable): If you submit payment card details or ACH information, we use vetted payment processors to handle that data on our behalf. We do not store full payment card numbers and require our processors to maintain PCI DSS compliance. If we directly process any payment card data, we will do so in accordance with PCI DSS.

We do not intentionally collect protected health information (PHI) or sensitive government identifiers through the Service. Please do not submit such data unless you have a signed addendum explicitly permitting that processing.

Inadvertent PHI or sensitive data: Although we do not intentionally collect PHI, government identifiers, or similarly sensitive categories of data through the Service, if such information is inadvertently submitted to us, we will (i) promptly restrict access; (ii) segregate or securely delete it where deletion is feasible; and (iii) log and review the incident under our security program. Where a customer is the controller/business, we will notify the customer and follow their lawful instructions (including deletion) consistent with our DPA and applicable law.

5.HOW WE USE INFORMATION

We use PI for:

  • Service delivery: to register and authenticate users; provide core features; display shipment/tracking events you or your organization are authorized to view; and operate APIs and integrations.
  • Security and abuse prevention: to detect, investigate, and prevent security incidents, fraud, spam, and misuse; to enforce acceptable‑use and API rate limits.
  • Customer support & communications: to respond to inquiries; send operational notices (e.g., maintenance, policy updates); and administer your account.
  • Improvement & analytics: to analyze how the Service is used, fix issues, and develop new features. We may create Aggregated/De‑identified Data for benchmarking and improving the Service.
  • Legal compliance: to comply with law, enforce agreements, and protect rights, safety, and property.

No sale or cross‑context sharing. We do not sell PI and do not share PI for cross‑context behavioral advertising. We do not use Customer Data for advertising.

Legal bases (EEA/UK/Switzerland): contract performance; legitimate interests (e.g., securing and improving the Service); legal obligations; and, where required, consent (e.g., non‑essential cookies).

Automated decision-making: We do not engage in automated decision-making or profiling that produces legal or similarly significant effects about you. If this changes, we will provide required notices and choice.

6.HOW WE DISCLOSE INFORMATION

We disclose PI only as follows:

  • Service providers/Processors: vendors that host, secure, support, analyze, or otherwise help us deliver the Service under contracts restricting their use of PI.
  • At your direction: carriers, platforms, or third‑party systems that you or your organization connect to the Service.
  • Affiliates and corporate transactions: if we undergo a merger, acquisition, reorganization, or asset sale, PI may be transferred consistent with this Policy.
  • Legal, safety, and rights: to comply with law, enforce agreements, respond to lawful requests, and protect users, PAYNS, and the public.
  • Aggregated/De‑identified Data: may be disclosed for analytics and benchmarking where individuals are not identifiable.

We do not sell or share PI for cross‑context behavioral advertising and we do not permit our processors to use PI for their own marketing.

7.YOUR RIGHTS AND CHOICES

Depending on your location, you may have the right to access, correct, delete, restrict or object to processing, and export/port certain PI. California residents may also have rights to know, correct, delete, opt out of sale/share (not applicable here), and to limit use/disclosure of Sensitive PI (not applicable here). You will not be discriminated against for exercising rights.

How to exercise rights: Email privacy@PAYNS.io or use in‑product tools where available. We may ask you to verify your identity and your relationship to a customer organization. If we process your PI as a processor/service provider for a customer, we will refer your request to that customer.

Portability format & delivery: Where data portability applies, we will provide your Personal Information in a machine-readable format (e.g., CSV or JSON) via secure download or direct transfer to another controller where technically feasible.

Authorized agents (California): You or your agent must provide proof of authorization and we may require you to verify your identity directly with us.

Marketing communications: You can opt out of non‑transactional emails by using the unsubscribe link in the message or contacting us.

Appeals: See Section 16 (Accessibility) for our privacy request appeals process.

8.COOKIES AND SIMILAR TECHNOLOGIES

We use:

  • Strictly necessary cookies for login, routing, and security;
  • Functional cookies to remember preferences; and
  • Analytics cookies to understand usage and improve performance.

You can manage cookies through your browser settings and (where offered) our Cookie Settings tool. If you block certain cookies, some features may not function. The Service does not currently respond to Do Not Track signals.

EU/UK consent: For visitors from the EEA/UK/Switzerland, our site displays a cookie banner/consent tool that enables opt-in for non-essential cookies and allows you to change preferences at any time via Cookie Settings.

9.SECURITY

We implement commercially reasonable administrative, physical, and technical safeguards to protect PI. However, no method of transmission or storage is 100% secure. If we discover unauthorized access to Personal Information in our possession, we will notify affected parties as required by applicable law. For Ohio residents, we will provide notice in the most expedient time possible and, in any case, no later than 45 days after discovery of a qualifying breach, consistent with measures needed to determine scope and restore system integrity; we will also provide required notices to consumer reporting agencies where applicable.

10.DATA RETENTION AND DELETION

We retain PI for as long as needed to provide the Service and fulfill the purposes above, then for a period required for legitimate business needs (e.g., security, fraud prevention), legal, tax, or audit requirements. When a customer terminates the Service or requests deletion, we will delete or return Customer Data within 30 days, except where retention is required by law or for legitimate business records, which we retain only as necessary and protect appropriately. Backups are routinely purged on scheduled cycles.

Security incidents: See Section 9 (Security) for our data breach notification practices and timeframes required by applicable law (e.g., 45-day outer limit for Ohio residents).

11.INTERNATIONAL DATA TRANSFERS

We are headquartered in the United States and may process Personal Information in the U.S. and other countries. Where required, we rely on appropriate safeguards for cross-border transfers (e.g., EU Standard Contractual Clauses, supplementary measures, and—if and when certified—the EU-U.S. Data Privacy Framework (DPF) and/or UK Extension/Swiss-U.S. DPF). You may request a copy of relevant transfer safeguards by contacting us.

12.CHILDREN'S PRIVACY

The Service is not directed to children under 13 and we do not knowingly collect PI from them. If we learn we have collected PI from a child under 13, we will delete it. Parents or guardians who believe their child has provided PI may contact us at privacy@PAYNS.io.

13.ROLE-SPECIFIC TERMS AND DPA

Customers (Controller/Business): You are responsible for obtaining any required notices and consents from individuals whose PI you submit to the Service and for configuring integrations lawfully. Upon request, PAYNS will execute a Data Processing Addendum consistent with applicable privacy laws. The DPA governs our processing of Customer Data, including subprocessors, security measures, and international transfers.

Service Provider/Processor commitments: We process Customer Data only to provide the Service; we do not sell or share Customer Data; we do not use Customer Data for cross‑context behavioral advertising; and we implement safeguards appropriate to the risk.

Subprocessors: We use certain subprocessors (hosting, support, analytics, security) to help provide the Service. You can request our current subprocessor list and last-updated date by emailing legal@PAYNS.io. We will provide advance notice of material changes where required.

14.THIRD-PARTY LINKS AND SERVICES

The Service may display information from carriers and third‑party platforms or link to third‑party sites. Their privacy practices are governed by their own policies; we do not control and are not responsible for them.

15.CHANGES TO THIS POLICY

We may update this Policy from time to time. Changes are effective when posted unless otherwise stated. We will provide notice of material changes (e.g., via email or in‑product notice). Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16.ACCESSIBILITY

We aim to align with WCAG 2.1 AA where commercially reasonable. If you need this Policy in an alternative format or assistance, contact accessibility@PAYNS.io.

If we deny your privacy request in whole or in part, you may appeal by emailing privacy@PAYNS.io with "Appeal of Privacy Request" in the subject line. We will review and respond within 45 days (or the time required by your jurisdiction) with a written explanation. If you remain unsatisfied, you may contact your state Attorney General or local data protection authority as applicable.

17.CONTACT US

PAYNS, Inc.
4601A Lyman Drive
Hilliard, Ohio 43206
Email: privacy@PAYNS.io
Legal notices: legal@PAYNS.io

18.EMPLOYEE / HR DATA

This Policy primarily covers visitors and users of the Service. Employees, job applicants, and contractors receive a separate HR privacy notice describing how we handle their Personal Information for employment-related purposes. If you are an employee, applicant, or contractor and did not receive that notice, contact hr@PAYNS.io.

19.JURISDICTION-SPECIFIC DISCLOSURES (SUMMARY)

  • California (CPRA): No sale/share; categories collected as listed above; rights to know, delete, correct, and portability; opt‑out not applicable; appeals are available per Section 16.
  • Ohio (Data Breach & Safe Harbor): We comply with Ohio's breach-notification statute (Ohio Rev. Code § 1349.19). If we have adopted a cybersecurity program that reasonably conforms to an industry-recognized framework under Ohio's Data Protection Act (Ohio Rev. Code Chapter 1354), we may be eligible for the Act's safe-harbor affirmative defense. This statement is for transparency and does not diminish your rights.
  • Virginia/Colorado/Connecticut/Utah: Similar rights to access, delete, correct (where applicable), and opt out of targeted advertising and certain profiling (not applicable here). Appeals are available per Section 16; contact us at privacy@PAYNS.io.
  • EEA/UK/Switzerland: Additional rights described in Section 7. We are not required to appoint an EU/UK representative or Data Protection Officer under GDPR based on our current processing activities. You may still contact us at privacy@PAYNS.io with questions.

Appendix A — Cookie Summary (example; customize in implementation)

Key cookies: session_id (strictly necessary), csrf_token (security), locale_pref (functional), app_analytics_id (analytics).

Retention: session or as otherwise configured; see in‑product Cookie Settings.