This Privacy Policy outlines the principles and procedures by which PAYOTRIX, accessible via payotrix.com, collects, processes, protects, and discloses personal information. This policy is applicable to all individuals and entities who interact with PAYOTRIX, including but not limited to visitors, customers, registered merchants, service integrators, API consumers, and affiliated business partners.
This policy adheres to regulatory frameworks including the Information Technology Act, 2000 (India), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the General Data Protection Regulation (GDPR) (EU), and the California Consumer Privacy Act (CCPA) (USA), among others. PAYOTRIX implements the strictest applicable policy if jurisdictions overlap, ensuring user rights are prioritized above commercial convenience.
PAYOTRIX operates as a non-transactional, redirection-based payment aggregator dashboard and is specifically designed to avoid handling sensitive financial data. No part of PAYOTRIX collects, stores, or processes cardholder data, banking information, UPI details, CVV numbers, OTPs, or other financial credentials.
When a user initiates a payment, they are securely redirected to the official interface of integrated third-party payment processors (e.g., Stripe, PayPal, Razorpay, Cashfree). These aggregators are directly responsible for processing the payment, and all sensitive data remains within their PCI DSS-compliant infrastructure. PAYOTRIX never touches the transaction payload and does not store even tokenized or masked financial information. This architectural decision ensures maximum user privacy and minimizes legal liabilities.
While PAYOTRIX does not collect sensitive financial information, it does collect certain non-sensitive personal data for service delivery and analytics purposes. This may include:
Full name
Email address
Phone number
Business name and GSTIN, other business related documents (for merchants)
Browser and device fingerprint
IP address and location (approximate)
Login/logout time, usage sessions
Referring domains and behavior metrics
This information is strictly used for functional purposes such as user account creation, merchant verification, usage analytics, platform optimization, fraud prevention, and customer support.
All data collected by PAYOTRIX is processed in accordance with applicable legal obligations and operational requirements. For users in India, the platform operates under the provisions of the IT Act, 2000 and SPDI Rules. For users in the EU, PAYOTRIX applies GDPR’s lawful bases for processing which include:
Performance of a contract
Compliance with legal obligations
Legitimate business interests
Explicit user consent
These data processing principles are embedded in PAYOTRIX's internal protocols, including its role-based access controls, audit logs, and third-party vendor agreements.
By continuing to access and use PAYOTRIX and its services, users acknowledge and consent to the collection and processing of their personal data as per this Privacy Policy. Merchants must explicitly agree to the Terms and this policy during onboarding. Consent is considered informed, unambiguous, and revocable (as applicable by law).
For users under GDPR jurisdiction, separate opt-in consent is obtained for marketing, data sharing, or analytics. In the case of users below the age of 18, PAYOTRIX requires parental/guardian consent for account creation and related activity. Failure to provide proper consent may result in restricted access.
PAYOTRIX requires all merchants to undergo Know Your Customer (KYC) verification in compliance with financial best practices and RBI guidelines. Documents such as Aadhar card, PAN, company incorporation certificate, GST certificate, and account proof are collected during registration.
These documents are securely encrypted and stored in restricted databases with strict access policies. PAYOTRIX does not share these documents with third parties unless legally mandated or required for fraud prevention. KYC data is used solely for verification and compliance and is periodically reviewed or updated as per legal retention norms.
Every transaction initiated through PAYOTRIX is executed using a redirection model. This means the customer or payer is redirected from PAYOTRIX to the authorized payment gateway’s interface (e.g., Razorpay, PayPal) where they input payment credentials. Upon successful payment, the customer is redirected back to PAYOTRIX, where only non-sensitive metadata (transaction ID, timestamp, and success/failure status) is recorded.
This design ensures that PAYOTRIX never becomes a point of financial data interaction. The platform acts purely as a technical connector, removing any legal responsibility for payment processing, authorization, or settlement.
PAYOTRIX uses essential and functional cookies to improve user experience, manage sessions, and enable secure access. Cookies help retain login states, manage dashboard preferences, and track usage analytics. These cookies do not collect financial data or any highly sensitive personal identifiers.
Users can disable non-essential cookies via browser settings. However, disabling session cookies may affect access to dashboards and certain functionalities. PAYOTRIX may also use HTML5 Local Storage for lightweight, non-personal data caching to improve page load speed and responsiveness.
PAYOTRIX may integrate with trusted third-party service providers such as Google Analytics, reCAPTCHA, and Cloudflare, for bot detection, analytics, and infrastructure protection. These services may collect browser information, time spent on pages, mouse movement, and device data to analyze usage patterns.
All such integrations are done through secure APIs or embedded scripts, and each third-party is under strict contractual obligation to maintain data confidentiality and comply with relevant regulations.
PAYOTRIX records all login and logout sessions along with associated metadata including IP address, timestamp, browser type, screen resolution, and user activity (non-sensitive). This data is retained for audit, security analysis, usage tracking, and fraud detection.
Such logs are stored in tamper-resistant formats and are reviewed periodically by internal compliance officers to ensure transparency and integrity of the platform.
All user and merchant data collected by PAYOTRIX is retained only for as long as necessary to fulfill its original purpose or to meet legal/regulatory obligations. Data not associated with any active accounts may be archived or permanently deleted as per the platform’s internal retention policy.
KYC documents are retained for a minimum period required under Indian financial laws (typically 5 to 7 years) even after account deactivation, unless an early deletion request is legally acceptable.
Some data may be processed or stored outside of India, depending on the hosting infrastructure and third-party vendors (e.g., email delivery, support systems). All international transfers are made under Standard Contractual Clauses (SCC) and equivalent legal safeguards.
PAYOTRIX ensures that any cross-border data movement complies with applicable Indian export laws, GDPR Article 45/46, and includes privacy-focused contractual clauses.
Users residing in regions governed by GDPR, CCPA, or similar frameworks are entitled to specific rights including:
Right to access stored data
Right to rectify inaccuracies
Right to erasure (Right to be forgotten)
Right to restrict processing
Right to object to processing
Right to data portability
PAYOTRIX facilitates such requests within the legally permitted timeframes (typically 30 days), after validating identity and compliance impact.
Users who no longer wish to have their personal information retained or processed may withdraw consent by submitting a formal request to support@payotrix.com. Such requests may result in partial or complete account deactivation depending on the nature of retained data.
Consent withdrawal does not affect the legality of prior data processing already completed under valid consent.
Upon receiving a verified request, PAYOTRIX will permanently delete user data that is no longer required for legal or operational purposes. Data retained under statutory requirements (e.g., KYC) may not be immediately erasable. Once deleted, PAYOTRIX may notify the user via email with confirmation and a summary of erased records.
All deletions are logged internally and follow irreversible, secure-wipe protocols (e.g., multi-pass deletion algorithms) to ensure no future recovery is possible.
PAYOTRIX implements multiple layers of data security designed in accordance with global standards such as ISO 27001, SOC 2, and OWASP guidelines. All data in transit is secured using TLS 1.2 or higher encryption. All databases and application instances are hosted in firewalled cloud environments with multi-zone failover, intrusion detection systems (IDS), and multi-level access controls.
Administrative access to infrastructure is strictly limited to a small group of authorized personnel using VPN, 2FA, and SSH key-based authentication. Audit logs are maintained for all backend access and reviewed regularly to prevent misuse or policy violations.
PAYOTRIX enforces strict access segregation across its platform. Customers, merchants, and administrators are granted access only to the data and functionalities relevant to their role. For instance:
Merchants can only view and manage their own dashboards, transaction logs, and gateway settings.
Customers can only access the payment interfaces and status pages generated via merchant links.
Administrators and auditors follow strict logging and approval policies before performing any sensitive data operation.
Such design ensures zero privilege escalation risk and prevents accidental exposure or misuse of data across roles.
To improve platform performance, optimize routing, and study market behavior, PAYOTRIX may aggregate and anonymize usage data. This includes metrics like:
Number of transactions per gateway per day
Device types used during peak hours
Bounce rates or redirection drop-offs
None of this data is personally identifiable or linked back to individual users. Such aggregated reports are used for internal analytics and strategic development purposes only.
Before engaging any vendor or subprocessor, PAYOTRIX performs comprehensive due diligence, including:
Reviewing security certifications (e.g., ISO, SOC)
Assessing data handling procedures
Signing Data Processing Agreements (DPAs)
Verifying jurisdictional data laws
Subprocessors are contractually obligated to comply with PAYOTRIX’s privacy standards and may be audited or terminated if non-compliant. A maintained list of subprocessors can be shared with data controllers on request under NDA.
Registered merchants have the right to request a structured, machine-readable export of their account data. PAYOTRIX offers downloadable reports in CSV, JSON, or XML formats including:
Gateway configuration data (masked)
Redirection metadata logs
API keys and webhook logs (non-sensitive)
Merchant profile and KYC verification status
All portability requests are fulfilled within 15 business days, post KYC verification and account ownership validation.
PAYOTRIX does not engage in automated profiling or behavioral targeting that affects user rights or legal status. However, automated logic may be used for:
Spam and bot detection
Session timeout enforcement
Transactional routing (failover logic)
Flagging suspicious behavior for review
All such systems operate within boundaries defined by fairness, transparency, and accountability under applicable laws.
PAYOTRIX does not knowingly collect or process personal data from individuals under 18 years of age. Merchants or customers identified as minors without verified guardian consent are restricted from accessing platform functionalities. If a minor account is discovered, it is disabled pending age verification or parental approval.
This measure ensures PAYOTRIX complies with India’s Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, COPPA (US), and similar laws in other jurisdictions.
To protect merchants and customers, PAYOTRIX utilizes behavioral algorithms and fraud monitoring tools to detect:
Excessive failed payment redirects
IP or session anomalies
Suspicious device fingerprinting
Inconsistent redirection parameters
When such patterns are identified, PAYOTRIX may automatically suspend activity and initiate a compliance review. Merchants are notified and required to cooperate with investigations.
PAYOTRIX captures and stores users’ IP addresses and uses third-party services to infer city-level geo-location. This helps detect potential abuse (e.g., gateway misuse from blocked countries) and improve fraud detection. Geo-location is not exact and does not use GPS or real-time tracking.
Data is stored in logs linked to session metadata and is used only for internal analytics and compliance actions.
PAYOTRIX may send emails and system alerts for purposes such as:
Login authentication and OTPs
Merchant onboarding updates
Transactional receipts or gateway status
Policy updates or system maintenance alerts
Marketing or promotional emails are opt-in only and can be unsubscribed at any time. Email addresses are stored in encrypted form, and PAYOTRIX does not share them with third parties for promotional purposes.
PAYOTRIX provides users with multiple channels for filing grievances regarding privacy, security, or data misuse. The designated Grievance Redressal Officer (GRO) responds to queries within 7 business days and aims to close complaints within 30 calendar days.
Contact details of the GRO and redressal procedures are provided on the official Grievance Redressal Policy page.
Under exceptional circumstances, PAYOTRIX may be required to disclose personal data to governmental or judicial authorities:
In response to valid legal requests such as summons, subpoenas, or court orders
For national security or law enforcement purposes
Under regulatory compliance obligations (e.g., RBI, CERT-IN)
Such disclosures are executed through proper legal channels and logged internally. Wherever possible, users are notified unless restricted by law.
For enhanced session security, PAYOTRIX may record anonymized browser fingerprints including user-agent headers, screen dimensions, language settings, and time zones. This allows the platform to detect:
Session hijacking
Unusual login patterns
Automated bots
This data is stored for session protection and is not used for advertising, profiling, or behavioral targeting.
PAYOTRIX may include links to third-party documentation (e.g., gateway terms) or embed services like captcha, analytics dashboards, or sandbox demos. Users interacting with such services are bound by their respective privacy policies. PAYOTRIX is not liable for third-party policy enforcement or changes.
All third-party integrations are reviewed periodically to ensure they meet PAYOTRIX’s compliance and security standards.
To maintain platform integrity, PAYOTRIX generates system-level logs for every access, event, and API interaction. Logs include:
User account ID
Date/time of action
Operation performed
IP and device details
Result and response codes
These logs are immutable, access-controlled, and retained as per internal audit policy for a minimum of 12 months, extendable based on regulatory requirement.
Cloud Infrastructure and Data Hosting Location
PAYOTRIX operates on enterprise-grade, security-hardened cloud environments located in India and other data protection-compliant regions such as the European Union, Singapore, or the United States. All cloud providers used by PAYOTRIX are required to adhere to ISO/IEC 27001, SOC 2 Type II, and local data protection regulations. PAYOTRIX does not host any part of its infrastructure on unverified or unsecured environments.
The platform ensures that all personally identifiable data remains within secure data centers, with regular patching, monitoring, and geographic redundancy to prevent service disruptions and data leakage.
Indian users of PAYOTRIX are protected under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which form part of the IT Act, 2000. PAYOTRIX ensures:
Informed and express consent is taken where required
Access and correction rights are honored
Grievance redressal timelines are strictly followed
Users can request data deletion subject to legal and operational obligations
These rights are enforced through PAYOTRIX's internal compliance department, and non-compliance is treated with the highest priority.
PAYOTRIX employs automated and manual systems to ensure the accuracy, completeness, and relevance of the data it stores. Merchants are encouraged to regularly review and update their account details, contact information, and KYC documentation.
Data that is outdated, duplicated, or incorrect is flagged and purged from live databases following confirmation. Regular reconciliation with gateway metadata is also conducted to ensure consistency in logs and reports.
PAYOTRIX maintains a robust Business Continuity and Disaster Recovery (BC/DR) framework. This includes:
Daily offsite encrypted backups
Automated failover systems
Scheduled data restoration drills
Hot-swap-ready environments to minimize downtime
In the event of any infrastructure or cyber event, PAYOTRIX guarantees a maximum 24-hour RTO (Recovery Time Objective) and <15-minute RPO (Recovery Point Objective) for user data continuity.
Every data element collected by PAYOTRIX follows a predefined lifecycle:
Collection → Validation → Encryption → Storage → Archiving/Deletion
Data is archived after inactivity periods or account closure and then permanently deleted based on retention policies, legal requirements, and compliance timelines.
Obsolete KYC data, session logs, and redundant records are removed periodically through a controlled data destruction process involving overwriting and purge mechanisms.
All data stored or transmitted by PAYOTRIX is protected using advanced encryption standards:
TLS 1.2+ for transit
AES-256 for rest
SHA-256 for hashing non-reversible identifiers
JWT for API tokens and session authorization
KYC files are additionally stored using encrypted object storage solutions with time-based expiring access URLs. System passwords and admin credentials are hashed using adaptive algorithms like bcrypt.
When a user or merchant chooses to terminate their PAYOTRIX account, the following occurs:
Login credentials and access keys are revoked
Linked third-party gateway authorizations are de-registered
Non-regulatory data is purged within 30 days
Audit logs and compliance metadata are archived securely for up to 5 years
This process is irreversible once executed and users are notified upon completion.
In case of a data breach or attempted intrusion, PAYOTRIX follows a well-defined Incident Response Plan:
Real-time alert detection
Containment of breach vector
Investigation with timestamped logs
Regulatory authority notification (e.g., CERT-IN)
User notification within 72 hours
Root cause analysis and platform hardening
All incidents are documented in the Security Event Register and escalated to the Data Protection Officer (DPO) immediately.
Any third-party vendor, tool, or payment gateway integrated with PAYOTRIX is evaluated for:
GDPR and IT Act compliance
Incident management practices
Transparent audit trails
End-user data rights mechanisms
PAYOTRIX ensures that all contracts with such vendors include data protection addendums, non-disclosure agreements, and legally binding SLA clauses for data misuse or breach.
Currently, PAYOTRIX does not respond to browser-based “Do Not Track (DNT)” requests, as there is no standardized method of implementation accepted globally. However, the platform does not track user behavior across third-party websites or engage in cross-site profiling.
Users may still control cookie and tracking preferences using their browser settings or by contacting PAYOTRIX support.
All PAYOTRIX administrator and merchant dashboards enforce multi-factor authentication (MFA) and secure token-based session management. Sessions auto-expire after a predefined period of inactivity.
Other measures include:
Device verification via OTP
IP/session-based throttling
Token revocation on logout or compromise detection
These steps minimize the risk of account hijacking or unauthorized access.
Before launching new features, PAYOTRIX conducts a Privacy Impact Assessment to evaluate:
Nature of data involved
Risk to data subjects
Purpose and legal basis
Retention and sharing implications
Necessary adjustments are made to architecture, logging, or user prompts based on the outcome of the PIA to maintain compliance and user safety.
Developers or businesses using the PAYOTRIX API must agree to additional data protection and usage terms defined in the Developer API Agreement. API access is:
Token-limited and IP-restricted
Subject to rate limits
Audited for abuse
Any misuse or violation leads to access termination and potential legal action under Indian cybercrime laws.
PAYOTRIX undergoes quarterly internal audits to ensure that data is being handled strictly per this policy. These audits review:
Access logs
Admin role assignments
KYC and data retention timelines
Security patches and vulnerabilities
Legal disclosures and user requests handling
Audit reports are submitted to senior management and used to refine internal data governance.
Users with concerns regarding their personal data may contact PAYOTRIX’s Data Protection Officer (DPO) or the Grievance Redressal Officer (GRO) at:
Email: support@payotrix.com
Complaints will be acknowledged within 7 business days and investigated thoroughly. If unresolved, users may approach the concerned data protection authority or court of law as per jurisdiction.
PAYOTRIX reserves the right to amend, update, or modify this Privacy Policy at any time without prior notification. Such changes may reflect legal updates, technology changes, feature enhancements, or evolving business practices.
Users are advised to review this policy periodically. Continued usage of PAYOTRIX services post any policy changes shall imply acceptance of the updated policy.
