Payintelli

PI RESEARCH LABS PVT. LTD.

PayIntelli Privacy Policy

Version 1.0 · Effective: May 2026 · Last reviewed: May 2026

This Privacy Policy explains how PayIntelli, developed and operated by PiResearch Labs Pvt. Ltd. collects, uses, stores, and shares personal data when you use our SaaS platform. It applies to merchants, authorised representatives, and individual users who access our services.

PayIntelli (Product of PiResearch Labs)

P.N.2, S.N.101/A, Hydershahkote, Golconda, Hyderabad – 500091, Telangana, India

Privacy enquiries: legal@payintelli.com

Data subject rights: legal@payintelli.com

Data / security matters: security@payintelli.com

1. Who We Are and How to Contact Us

PiResearch Labs Pvt. Ltd. (“we”, “us”, or “PayIntelli”) is a payment orchestration and intelligence company incorporated in India (CIN: U46512TS2025PTC201529), with its registered address at Hyderabad, Telangana, India.

We operate the PayIntelli payment orchestration and intelligence platform , which enables businesses (merchants) to accept and process online payments from their customers. In doing so, we act as a data processor on behalf of our merchant clients and, in some circumstances, as a data controller in our own right for data we collect directly.

If you have any questions about this Privacy Policy or how we handle your personal data and for data subject rights requests please contact us at legal@payintelli.com. For security or data breach concerns, contact security@payintelli.com.

Data protection queries are also handled by our Security and Compliance team. You can reach us at legal@payintelli.com or security@payintelli.com depending on the nature of your enquiry

2. Who This Policy Applies To

This Privacy Policy applies to the following groups of people:

  • Merchants and business customers who register for and use the PayIntelli platform under a Master Services Agreement.
  • Authorised representatives and employees of merchant businesses who access our platform on their employer’s behalf.
  • Individual sole traders and freelancers who use our services directly.
  • Visitors to our website and anyone who contacts us directly.

3. What Data We Collect and Why

We collect and process personal data across the following activities. For each, we explain what we collect, why we collect it, and the legal basis under which we do so.

3.1 Merchant Onboarding and Account Management

When a business registers to use PayIntelli, we collect the following information to create and manage their account, verify their identity for anti-money laundering (AML) and know-your-customer (KYC) purposes, and maintain the customer relationship.

DATA COLLECTEDPURPOSELEGAL BASIS
Full name, email address, phone numberAccount creation and communicationsContract (Art. 6(1)(b))
Business addressAccount verification and invoicingContract (Art. 6(1)(b))
Passport scans, national ID cardsAML/KYC identity verificationLegal obligation (Art. 6(1)(c))
Proof of address (utility bills)AML/KYC address verificationLegal obligation (Art. 6(1)(c))
Business registration documentsKYB verification for corporate accountsLegal obligation (Art. 6(1)(c))
Customer support notesAccount management and dispute resolutionLegitimate interest (Art. 6(1)(f))

Identity documents (passports, national IDs, proof of address) are stored securely in encrypted storage and retained for seven (7) years following account closure, as required by applicable AML and counter-terrorism financing regulations. Standard account data is retained for three (3) years after account closure for contractual dispute resolution purposes, after which it is securely deleted.

We do not perform biometric analysis, facial recognition, or automated biometric matching on identity documents. Documents are processed for identity verification purposes only.

3.2 Payment Transaction Processing

When a payment is processed through the PayIntelli platform, we handle payment metadata on behalf of our merchant clients. We do not store full card numbers (PANs), CVV codes, or CVC verification results. All sensitive card data is handled by a certified third-party card tokenisation provider, which tokenises card data before it reaches our systems.

DATA COLLECTEDPURPOSELEGAL BASISRETENTION
Cardholder name, card brand, BIN (first 6 digits), last 4 digits, expiry dateTransaction processing and identificationContract (Art. 6(1)(b))7 years
PSP TokenPayment reference without storing card dataContract (Art. 6(1)(b))7 years
Transaction amount, currency, payment methodFinancial records and settlementContract + Legal obligation7 years
Fraud score, fraud engine decisionFraud detection and preventionLegitimate interest (Art. 6(1)(f))7 years
Authorisation codes, decline codes, ARNDispute resolution and reconciliationContract (Art. 6(1)(b))7 years
3DS data, SCA/PSD2 exemption dataStrong Customer Authentication complianceLegal obligation (PSD2)7 years
Customer IP addressFraud preventionLegitimate interest (Art. 6(1)(f))90 days, then anonymised
User agent / device informationFraud preventionLegitimate interest (Art. 6(1)(f))90 days, then anonymised
Device fingerprint (hashed)Repeat fraud detectionLegitimate interest (Art. 6(1)(f))7 years
FX rate snapshot, processing fee, interchange detailsFinancial audit and settlementContract + Legal obligation7 years

We do not store CVV codes, CVC verification results, or full card numbers at any point. Our architecture is designed so that raw card data never enters our systems. IP addresses and user agent strings are automatically anonymised after 90 days via an automated process that replaces them with ‘0.0.0.0’ and ‘ANONYMIZED’ respectively.

3.3 Fraud Detection and Risk Management

We operate an automated fraud detection system (Pi Shield) that analyses transaction data in real time to identify and prevent fraudulent activity. This is described in more detail in Section 4 below, as it involves automated decision-making.

The data used for fraud detection includes customer IP addresses, device fingerprints, transaction patterns, amounts, frequency, and merchant history. We have conducted a Legitimate Interest Assessment (LIA) confirming that fraud detection is a necessary and proportionate processing activity that is expected by both merchants and their customers. Fraud data is retained for seven (7) years for model improvement and regulatory inquiry purposes.

3.4 Marketing and Communications

We send two types of communications:

  • Transactional emails — service updates, payment receipts, and account notifications. These are sent on the basis of contract performance and legitimate interest and do not require separate consent.
  • Marketing emails — product announcements and promotional communications. These are sent only to individuals who have given explicit consent (opt-in). You can withdraw consent at any time by clicking the unsubscribe link in any marketing email.

We implement double opt-in for marketing emails and maintain a suppression list to ensure we never contact individuals who have unsubscribed. Consent records are retained indefinitely to demonstrate compliance. Suppression list records are retained indefinitely to honour opt-out requests.

3.5 Website and Platform Usage

When you visit our website or use our platform, we may collect certain technical and usage information automatically. This data is used to maintain the security, availability, and performance of our services and is processed on the basis of our legitimate interest in operating a reliable and secure platform. For further information about our use of cookies and similar tracking technologies, please see Section 9

4. Automated Decision-Making and Fraud Scoring

Our fraud detection system (Pi Shield) makes automated decisions about payment transactions without human review in certain circumstances. We are required to inform you of this under GDPR Article 22.

How Our Fraud Scoring Works

Every transaction processed through PayIntelli is assigned a fraud risk score by our machine learning model, which is trained on historical transaction patterns.

Your Rights Regarding Automated Decisions

If a transaction is blocked by our automated fraud system and you believe this was in error, you have the right to:

  • Request that the decision is reviewed by a member of our fraud team (human intervention).
  • Express your point of view regarding the decision.
  • Request an explanation of the general factors that contributed to the decision (we provide general factors but do not disclose the full model, as this would undermine fraud prevention effectiveness).
  • Contest the decision if you believe it was made in error.

To exercise these rights, please contact your merchant (the business you were transacting with) in the first instance, as they are the data controller responsible for your transaction. Alternatively, you may contact us directly at legal@payintelli.com.

Our fraud models do not use special category data (such as race, religion, or health data) and are subject to quarterly bias testing to prevent discriminatory outcomes.

5. Who We Share Your Data With

We do not sell personal data. We share data only where necessary to deliver our services or as required by applicable law.

Recipients of personal data include providers of cloud infrastructure and hosting services; certified payment security and card tokenisation services; AI-powered analytics and processing services; card schemes and acquiring banks for the purposes of transaction processing and dispute resolution; and regulatory, law enforcement, or supervisory authorities where disclosure is required by law.

All third-party service providers with whom we share personal data are bound by data processing agreements imposing data protection obligations no less stringent than those we accept under our own client agreements. A full list of our sub-processors is available upon request at legal@payintelli.com.

6. International Data Transfers

Our primary production infrastructure is hosted within the European Economic Area. Where personal data is processed by service providers located outside the EEA, we rely on appropriate transfer mechanisms as recognised under GDPR Chapter V, including adequacy decisions and Standard Contractual Clauses where applicable. You may request further information about our international transfer arrangements by contacting legal@payintelli.com.

7. How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Retention periods vary depending on the category of data and the legal basis for processing like financial and transaction records are generally retained for seven years in accordance with applicable tax and financial regulations, while standard account data is retained for a shorter period following account closure. Where legal retention obligations prevent full deletion, we pseudonymise data so that it can no longer be attributed to an identifiable individual. Our full Data Retention Policy is available upon request at legal@payintelli.com.

8. Your Rights Under GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data. We will respond to all requests within thirty (30) days. For complex requests, we may extend this to sixty (60) days, in which case we will notify you.

To exercise any of these rights, please contact legal@payintelli.com. We may ask you to verify your identity before processing your request.

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how we use it. We will provide this in JSON format via a secure portal within 30 days. The scope of your access request covers account data, address data, tokenised payment instrument data, transaction records, and dispute records.

Right to Rectification (Article 16)

You have the right to ask us to correct inaccurate personal data. You can update your name, email address, phone number, and address directly in your account settings or by contacting us. Financial records (transaction data) are immutable for audit integrity and cannot be amended, but we can add a note to clarify any inaccuracy.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data. We will assess your request against our legal retention obligations. Where no legal obligation requires us to retain data, we will delete it from our systems. Where financial record-keeping or AML obligations apply, we will pseudonymise your data — replacing identifying information with anonymous identifiers — and delete your KYC documents upon expiry of the mandatory retention period.

Please note that machine learning models trained on historical data cannot be “un-trained” after a deletion request. However, because we pseudonymise data before model training, your personal data cannot be re-identified from any trained model.

Right to Data Portability (Article 20)

You have the right to receive personal data you have provided to us in a structured, machine-readable format (JSON or CSV), and to transmit that data to another service. This right applies to data you have directly provided — such as your name, email, and address — but not to data we have derived or generated (such as fraud scores).

Right to Object (Article 21)

You have the right to object to processing carried out on the basis of legitimate interest, including our fraud detection processing. We will assess your objection and determine whether our legitimate interest overrides your rights. You may also object to receiving marketing communications at any time by clicking the unsubscribe link in any email.

Right to Restrict Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while a dispute about accuracy is being resolved. Where processing is restricted, we will store your data but not actively use it.

Right Not to Be Subject to Automated Decisions (Article 22)

You have the right to request human review of any decision made solely by automated means that significantly affects you — including our fraud scoring system. See Section 4 for further details on how to exercise this right.

9. Cookies and Tracking

Our platform and website use cookies and similar tracking technologies to ensure the security and functionality of our services. We use the following categories of cookies:

CATEGORYPURPOSECONSENT REQUIRED?
Strictly necessarySession management, security, authentication, fraud prevention signalsNo — essential for the service to function
FunctionalRemembering your preferences and settingsYes
AnalyticsUnderstanding how the platform is used to improve our serviceYes
MarketingPromotional tracking (where applicable)Yes

You can manage your cookie preferences through our cookie consent tool, which is presented when you first visit our website. You may withdraw consent for non-essential cookies at any time through your browser settings or by contacting us. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.

10. Machine Learning and Model Training

We train and improve our fraud detection models using historical transaction data. Before any data is used for model training, it is pseudonymised — user identifiers are replaced with randomly generated tokens so that the training data cannot be attributed to identifiable individuals.

Our models are trained exclusively on internal pseudonymised data. Training data is stored in a separate, access-controlled storage distinct from our production systems.

We maintain version logs of all model training runs so that we can identify which data versions were used to train each model. Our models do not use special category data (such as race, religion, or health information) and are subject to quarterly bias testing.

Training datasets are retained for three (3) years for model reproducibility purposes. Trained model files are retained for five (5) years as part of our regulatory audit trail.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. When we make material changes, we will notify you by email (where we hold your email address) and by posting an updated version on our website with a revised effective date. We encourage you to review this policy periodically.

Continued use of our services after a policy update constitutes acceptance of the revised terms, to the extent permitted by applicable law.

12. How to Make a Complaint

If you have a concern about how we handle your personal data and are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority.

As PiResearch Labs Pvt. Ltd. is incorporated in India, our primary regulatory contact for data protection matters is the emerging framework under India’s Digital Personal Data Protection Act 2023. For EU and EEA data subjects, the relevant supervisory authority is the data protection authority in your country of residence. For UK data subjects, the relevant authority is the Information Commissioner’s Office (ICO).

JURISDICTIONSUPERVISORY AUTHORITYCONTACT
NetherlandsAutoriteit Persoonsgegevens (AP)autoriteitpersoonsgegevens.nl
United KingdomInformation Commissioner’s Office (ICO)ico.org.uk
IrelandData Protection Commission (DPC)dataprotection.ie
GermanyBundesdatenschutzbeauftragter (BfDI)bfdi.bund.de
Other EU member statesYour national data protection authorityedpb.europa.eu/about-edpb/about-edpb/members

We encourage you to contact us first at legal@payintelli.com before escalating to a supervisory authority. We are committed to resolving any concerns promptly and transparently.

— End of Privacy Policy —

PiResearch Labs Pvt. Ltd. | legal@payintelli.com

Version 1.0 · © 2026 PiResearch Labs Pvt. Ltd. All rights reserved.