Privacy Policy
Last Updated: April 3, 2026
At APPAYS ("we," "us," or "our"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at appays.ai, our dashboard application, and our AgentWallet Chrome Extension (collectively, the "Services").
By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our Services.
1. Information We Collect
We collect only the minimum information necessary to provide our Services:
- Account Information: Your name and email address when you register an account.
- Agent Card Policy Data: Budget limits, spending caps, department labels, and limit types you configure for your virtual agent cards. This information is stored on our servers to power the authorization layer.
- Transaction Records: When an agent card is authorized, we log the merchant name, amount, timestamp, and authorization result for your records and fraud monitoring.
- Usage Data: Non-identifiable technical data (e.g., browser type, general app interactions) to monitor performance and improve our Services.
- Authentication Tokens: We use HTTP-only JWT cookies to maintain your session securely. These are never accessible to JavaScript running on the page.
We do not collect, store, or have access to real credit card numbers, CVVs, expiry dates, or any raw financial credentials. We operate on a Zero-Knowledge Credential Architecture — your sensitive payment credentials never touch our servers.
2. How We Use Your Information
Your information is used strictly to:
- Provide, maintain, and improve the APPAYS Services.
- Authenticate your identity and maintain your session securely.
- Enforce the spending policies you define on your agent cards.
- Communicate with you regarding service updates, security alerts, and support requests.
- Detect, prevent, and respond to fraud, abuse, and security incidents.
We do not use your data for advertising, sell it to third parties, or use it to build behavioral profiles.
3. Chrome Extension — Permissions & Data Use
The AgentWallet Chrome Extension requests the following permissions, each used only for its stated purpose:
- storage — To save your encrypted vault locally in your browser. The encryption key is derived from your PIN and is never transmitted to our servers.
- activeTab — To inject credentials into the active payment form only when you explicitly trigger the action. We do not read or monitor page content passively.
- scripting — Required to perform the credential injection into form fields on trigger.
- notifications — To alert you when an injection succeeds or fails.
- webNavigation — To detect when you navigate to a payment page and auto-trigger authorized injections.
- Host permissions (https://*/) — Required for the SSE relay connection to receive real-time authorization events and to inject credentials on payment pages. We do not read, record, or transmit the content of any pages you visit.
The extension communicates only with appays.ai via an encrypted SSE (Server-Sent Events) channel. It does not communicate with any other third-party server.
Your browsing history is never collected, stored, or transmitted.
4. Third-Party Services
We use the following trusted infrastructure providers, each bound by its own privacy commitments:
- Stripe — For subscription billing ($1/month). Stripe processes your payment card independently and under its own Privacy Policy. We receive only a subscription status signal; we never see your full card number.
- Cloudflare Workers — Our serverless infrastructure. Requests are processed at the edge with no persistent logging of personal data.
- Neon (PostgreSQL) — Encrypted database storage for account data and card policies. Data is encrypted at rest.
5. Data Retention
We retain your account data for as long as your account is active. Transaction logs are retained for 12 months for fraud monitoring purposes. You may request deletion of your account and all associated data at any time by contacting us (see Section 7).
6. Data Security
We implement multiple layers of security, including HMAC-SHA256 card identifiers, PBKDF2 password hashing, HTTP-only JWT authentication cookies, TLS encryption in transit, and AES-GCM encrypted local vaults in the browser extension. No method of transmission over the Internet is 100% secure, but we apply industry best practices to protect your information.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Withdraw consent for optional data processing.
To exercise any of these rights, contact us at support@appays.ai.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a prominent notice in the dashboard. The "Last Updated" date at the top of this page reflects the most recent revision.
9. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at:
support@appays.ai
APPAYS — appays.ai