Privacy Policy
Last updated: 2026-05-09
Version: 1.0
Plain-English summary. Plirin is a non-custodial cryptocurrency payment platform for merchants. We collect the information needed to operate your merchant account, verify your business under anti-money-laundering law, screen wallet addresses against sanctions lists, and keep the platform secure. We do not sell your personal data, and we do not use it for advertising. We share data only with the small set of vendors listed in our Sub-Processor List and with regulators when required by law.
1. About this notice
This Privacy Policy explains how Plirin Labs ("Plirin", "we", "us", "our") collects, uses, shares, and protects personal information when you visit plirin.com or use the Plirin merchant dashboard, APIs, or hosted checkout (collectively, the "Service").
It applies to:
- Visitors to our marketing site.
- Merchants who register for an account.
- Authorized representatives, owners, and beneficial owners of merchant entities.
It does not apply to:
- Information that merchants collect about their own customers using the Service. Merchants are the controllers of their customer data; Plirin acts as a processor on the merchant's behalf and only as needed to operate the Service.
If you have questions, write to privacy@plirin.com.
2. The information we collect
2.1 Information you give us
| Category | Examples |
|---|---|
| Account credentials | Work email, password (we store only an Argon2/Bcrypt hash, never the password itself), business display name |
| Business profile | Registered legal name, business address, city, state, country, tax rate, merchant category |
| KYB submission | Country of incorporation, business registration data, declared payout wallets |
| UBO data | First name, middle name, last name, suffix, date of birth, residential address of each beneficial owner you list during KYB |
| Wallet addresses | Public blockchain addresses (Solana, Ethereum, Base, Polygon) that you submit as payout destinations |
| KYC for tier upgrade (optional) | If you opt in to the higher transaction tier, your beneficial owners complete a selfie/liveness check directly on Shufti Pro's hosted flow. Identity documents are uploaded to Shufti — Plirin never sees the raw documents. We receive only the verification result and a reference identifier. |
| Support communications | The contents of emails or messages you send to support@plirin.com, compliance@plirin.com, or legal@plirin.com |
| Customer data you enter | Names, emails, and other contact information for your own customers, processed on your behalf |
2.2 Information we collect automatically
| Category | Examples |
|---|---|
| Device and request data | IP address, user-agent string, browser type, request timestamps |
| Session data | JWT access tokens, refresh tokens stored in our database, audit-log entries (logins, password resets, admin actions, KYB events) |
| Cookies and local storage | A small number of strictly necessary cookies for session continuity; UI preferences such as theme stored in browser localStorage. We do not set advertising or analytics cookies. |
| Service telemetry | Error reports, performance metrics, and request logs needed to keep the Service reliable |
2.3 Information we receive from third parties
| Source | Examples |
|---|---|
| Shufti Pro | KYB verification result (approved, rejected, indeterminate), AML screening results (sanctions, PEP, adverse-media hits and categories), wallet screening results (OFAC and crypto sanctions hits) |
| Resend | Email delivery status (delivered, bounced, etc.) |
| Public blockchain RPCs | Confirmation status of transactions paid to your wallets. This data is already public on the blockchain. |
For the full list of vendors, what they receive, and where they are based, see our Sub-Processor List and our Data Sharing Policy.
3. How we use your information
We use the information described above to:
- Provide the Service. Create and maintain your account, generate payment requests, surface transactions, and let you manage staff, customers, products, and refunds.
- Comply with anti-money-laundering law. Verify the identity of merchant entities and beneficial owners, screen against sanctions and PEP lists, and screen payout wallets against the OFAC SDN list and other crypto-sanctions databases. These obligations come from FinCEN (31 CFR Part 1020 and 1010), OFAC, and applicable state regulators.
- Maintain the security of the platform. Detect and prevent fraud, account takeovers, abuse, and unauthorized access.
- Communicate with you. Send transactional and compliance emails (e.g., verification links, KYB status updates, wallet compliance notices, security alerts, billing). We do not send marketing emails.
- Provide support. Respond to your questions and resolve issues.
- Comply with other legal obligations. Respond to lawful subpoenas, court orders, and regulatory requests; cooperate with law-enforcement investigations under proper authority.
- Improve the Service. Diagnose bugs, evaluate performance, and make planning decisions. We use only aggregated and de-identified data for these purposes.
4. Legal bases for processing
We rely on the following legal bases under US privacy law and, where applicable, comparable foreign frameworks:
| Legal basis | Where it applies |
|---|---|
| Performance of a contract | Providing the Service you signed up for. |
| Legal obligation | KYB, AML, and OFAC screening; tax and recordkeeping requirements. |
| Legitimate interests | Securing the platform, preventing fraud, and improving the Service. |
| Consent | Where the law requires it. For example, you explicitly check a box during KYB authorizing us to share your data with our verification sub-processors, and you separately opt in if you choose to upgrade your verification tier with biometric KYC. |
5. How we share your information
We share personal data only as follows.
With our sub-processors. We use a small set of vendors to operate the Service. Each is bound by a contract requiring them to handle data only on our instructions and to protect it appropriately. The current list is published at /legal/sub-processor-list. Today this includes:
- Shufti Pro (Lithuania, EU) — KYB verification, AML screening, and wallet screening.
- Amazon Web Services (United States) — encrypted document storage (S3) and key management (KMS).
- Resend (United States) — transactional email delivery.
With regulators and law enforcement. When required by valid legal process, or when we believe in good faith that disclosure is necessary to comply with the law or to protect rights, property, or safety.
With professional advisors and successors. Lawyers, accountants, auditors, and insurers under confidentiality obligations; and acquirers in connection with a merger, acquisition, or sale of assets, in which case the acquirer becomes bound by this Policy or one materially similar.
We do not:
- Sell your personal data, in any sense of the word.
- Share your personal data with marketing or advertising partners.
- Share your personal data with other merchants on the platform.
- Share your personal data with credit bureaus or data brokers.
6. How long we keep your information
| Data | Retention |
|---|---|
| Active account data | Kept while your account is open, plus up to 90 days after closure to complete final billing and reconciliation |
| KYB verification records, AML screening results, wallet screening results | 7 years from the later of the last transaction or account closure, per FinCEN 31 CFR §1010.430 |
| Transaction records | 7 years from the transaction date |
| Audit logs | 7 years |
| Refresh tokens | 14 days; rotated on use; revoked on logout or password change |
| Server logs, request telemetry | 90 days |
| Support correspondence | 3 years from last contact |
Blockchain transactions are public and immutable. We cannot delete on-chain records.
7. How we protect your information
- Passwords are hashed with Argon2 (memory-hard, industry standard).
- All traffic to and from the Service is encrypted with TLS 1.2 or higher.
- KYB documents stored in AWS S3 are encrypted at rest using AWS KMS under keys we control.
- Access tokens are short-lived (60 minutes); refresh tokens are tracked in our database and can be revoked.
- All admin and compliance-sensitive actions are recorded in a tamper-evident audit log.
- We follow least-privilege access controls and review them regularly.
No system is perfectly secure. If you believe your account has been compromised, email security@plirin.com immediately.
8. Your rights
You have rights over your personal data. The exact list depends on where you live; the rows below summarize the most common ones.
8.1 Universal rights
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Correction | Ask us to fix inaccurate information. |
| Deletion | Ask us to delete your data, subject to data we are legally required to retain (for example, AML records under FinCEN rules). |
| Portability | Request your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests. |
| Withdraw consent | Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of prior processing. |
To exercise any of these rights, email privacy@plirin.com with the subject "Data Subject Request" and the email associated with your account. We will verify your identity before responding and will respond within the statutory timeframe (45 days for CCPA/CPRA; 30 days for most other US state laws).
8.2 California residents (CCPA / CPRA)
In addition to the universal rights above, California residents have:
| Right | What it means |
|---|---|
| Right to know | Categories of personal information collected, sources, purposes, and recipients (set out in this Policy). |
| Right to delete | Subject to legal retention. |
| Right to correct | Correct inaccurate personal information. |
| Right to opt out of "sale" or "sharing" | We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of. |
| Right to limit use of sensitive personal information | UBO date of birth and government-issued identifiers (for example, business EIN) are sensitive personal information under CPRA. We use them only to perform KYB and AML screening as required by law and do not use them to infer characteristics about you. There is no further use to limit. |
| Right to non-discrimination | Exercising your rights will not result in different pricing or service quality. |
For reference, the CCPA categories of personal information we collect are: identifiers; commercial information; internet or other electronic network activity; professional or employment-related information; inferences drawn from the above; and the sensitive subcategories described above.
You may designate an authorized agent to exercise your rights. We will require written authorization and verification of identity.
8.3 Other US state privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights similar to those above. Email privacy@plirin.com to exercise them.
8.4 Complaints
If you believe we have not handled your information appropriately, you may file a complaint with your state attorney general's office (for example, the California Privacy Protection Agency for California residents).
9. Children
The Service is for businesses, not individuals. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, email privacy@plirin.com and we will delete it.
10. International users
Plirin operates only in the United States and offers the Service only to merchants formed under US law. We do not currently target the Service to users in the EU, UK, or other jurisdictions. Some of our sub-processors (for example, Shufti Pro) are based in the EU; data sent to and from those vendors crosses borders and is protected by Standard Contractual Clauses and the contractual safeguards described in our Data Sharing Policy.
11. Cookies and similar technologies
We use cookies and browser local storage strictly for:
- Session continuity (keeping you signed in).
- Cross-site request forgery (CSRF) protection.
- Remembering UI preferences such as theme.
We do not use third-party advertising cookies or behavioral analytics that track you across sites. Because our cookies are strictly necessary for the Service, we do not present a cookie consent banner.
12. Changes to this policy
We may update this Privacy Policy. When we do, we will revise the "Last updated" date at the top. For changes that materially affect your rights, we will email the address on file at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance.
13. Contact
| Reason | Email |
|---|---|
| Privacy questions, data subject requests | privacy@plirin.com |
| Data Protection Officer enquiries | dpo@plirin.com (presently routed to the same team) |
| Legal notices | legal@plirin.com |
| Security disclosures | security@plirin.com |
| General support | support@plirin.com |
| Compliance and KYB | compliance@plirin.com |