Privacy Policy
Effective Date: March 9, 2026
Paena Technologies, Inc. ("Company," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website, applications, and services (collectively, the "Service").
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Service.
1. Information We Collect
1.1 Information You Provide
| Category | Examples |
|---|---|
| Account Information | Name, email address, password, phone number |
| Profile Information | Avatar, display name, bio, preferences |
| Payment Information | Credit/debit card number, billing address (processed by our payment processor; we do not store full card numbers) |
| Communications | Messages you send to us via email, chat, or support tickets |
| User Content | Any content you create, upload, or share through the Service |
1.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Device Information | IP address, browser type and version, operating system, device identifiers |
| Usage Data | Pages visited, features used, clicks, time spent, referring URL |
| Cookies & Similar Technologies | Session cookies, persistent cookies, pixels, local storage (see Section 6) |
| Log Data | Server logs including timestamps, error reports, request metadata |
1.3 Information from Third Parties
- OAuth Providers: If you sign in via Google, GitHub, or another provider, we receive your name, email, and profile picture as permitted by your settings with that provider.
- Analytics Providers: We may receive aggregated or pseudonymized usage data from analytics services.
- Business Partners: If you were referred by a partner, we may receive your name and email.
2. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide, maintain, and improve the Service | Performance of contract |
| Create and manage your account | Performance of contract |
| Process payments and send transaction confirmations | Performance of contract |
| Send service-related communications (security alerts, updates, support) | Performance of contract / Legitimate interest |
| Respond to your requests and provide customer support | Performance of contract |
| Analyze usage trends to improve the Service | Legitimate interest |
| Detect, prevent, and address fraud, abuse, or security issues | Legitimate interest / Legal obligation |
| Comply with legal obligations | Legal obligation |
| Send marketing communications (only with your consent) | Consent |
| Enforce our Terms of Service | Legitimate interest |
We will never sell your personal information to third parties.
3. How We Share Your Information
We may share your information only in the following circumstances:
3.1 Service Providers
We share information with third-party vendors who perform services on our behalf (hosting, payment processing, analytics, email delivery, customer support). These providers are contractually obligated to use your information only as directed by us and to maintain appropriate security.
3.2 Legal Requirements
We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
3.3 Business Transfers
In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
3.4 With Your Consent
We may share information for any other purpose with your explicit consent.
3.5 Aggregated or De-identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify you.
4. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. After account deletion, we will delete or anonymize your personal information within 90 days, except where retention is required by law (e.g., tax records, legal disputes) or for legitimate business purposes (e.g., fraud prevention).
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 90 days |
| Payment records | 7 years (tax/legal compliance) |
| Server logs | 12 months |
| Support tickets | 3 years after resolution |
| Marketing consent records | Duration of consent + 3 years |
5. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
- Access Controls: Role-based access, principle of least privilege, multi-factor authentication for staff
- Infrastructure: Hosted on SOC 2 Type II certified infrastructure
- Monitoring: Automated intrusion detection, vulnerability scanning, and logging
- Incident Response: Documented breach response plan; affected users notified within 72 hours as required by law
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Cookies and Tracking Technologies
6.1 Types of Cookies We Use
| Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, security, core functionality | Session or up to 1 year |
| Functional | Remember preferences, language settings | Up to 1 year |
| Analytics | Understand usage patterns, improve the Service | Up to 2 years |
| Marketing | Only if you opt in — personalized content | Up to 1 year |
6.2 Your Cookie Choices
- Browser Settings: Most browsers let you block or delete cookies.
- Opt-Out Tools: You can opt out of Google Analytics at tools.google.com/dlpage/gaoptout.
- Do Not Track: We honor Do Not Track browser signals by disabling non-essential tracking.
Disabling cookies may limit your ability to use certain features of the Service.
7. Your Rights
7.1 All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information.
- Data Portability: Request your data in a structured, machine-readable format.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time.
- Opt Out of Marketing: Unsubscribe from marketing emails via the link in any marketing email or by contacting us.
7.2 European Economic Area (EEA), UK, and Switzerland (GDPR/UK GDPR)
In addition to the above:
- Restriction: Request restriction of processing in certain circumstances.
- Object: Object to processing based on legitimate interests.
- Automated Decision-Making: Right not to be subject to solely automated decisions with legal effects.
- Lodge a Complaint: File a complaint with your local data protection authority.
Data Transfer: If we transfer your data outside the EEA/UK, we use Standard Contractual Clauses (SCCs) approved by the European Commission or rely on other lawful transfer mechanisms.
7.3 California Residents (CCPA/CPRA)
- Right to Know: Categories and specific pieces of personal information collected.
- Right to Delete: Request deletion of personal information.
- Right to Correct: Request correction of inaccurate information.
- Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Information: We do not use sensitive personal information beyond what is necessary to provide the Service.
- Non-Discrimination: We will not discriminate against you for exercising your rights.
Categories of personal information collected (preceding 12 months): Identifiers, commercial information, internet/electronic activity, geolocation (approximate), and inferences.
7.4 Other U.S. State Laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.)
Residents of states with comprehensive privacy laws have similar rights to access, correct, delete, and opt out. Contact us to exercise these rights.
7.5 Canadian Residents (PIPEDA)
You have the right to access, correct, and challenge the handling of your personal information. Contact our Privacy Officer at hello@payna.com.
7.6 How to Exercise Your Rights
Submit requests to hello@payna.com with the subject line "Privacy Rights Request." We will verify your identity and respond within 30 days (or as required by applicable law). You will not be charged a fee unless your request is manifestly unfounded or excessive.
8. Children's Privacy
The Service is not directed to children under 16 (or under 13 in jurisdictions where COPPA applies). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us at hello@payna.com and we will promptly delete it.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) for EEA/UK transfers
- Data Processing Agreements with all sub-processors
- Compliance with applicable cross-border transfer requirements
10. Third-Party Links
The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to read their privacy policies.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy with a new effective date
- Sending an email notification (for material changes)
- Displaying an in-app notice
Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, contact us at:
Paena Technologies, Inc.
San Francisco, CA
hello@payna.com