MeowSolutions Payments
legal · 01

Privacy Policy

Обновлено · 2026-05-21

This Privacy Policy explains how MeowSolutions Payments ("we", "us", "the operator") processes personal data of users of the payment gateway located at this domain ("the Service"). The Service complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR"), the UK Data Protection Act 2018, and the Russian Federal Law № 152-FZ "On Personal Data" dated 27 July 2006.

1. Data controller and contact

The data controller is MeowSolutions Payments. Any questions, access requests, deletion requests or complaints may be addressed to commerce@meowsolutions.limited.

2. Categories of personal data we process

  • Transaction data: payment identifier, amount, currency, merchant reference, payment status, timestamps.
  • Payment method data: the truncated card number (BIN and last 4 digits), card brand, expiry month/year, masked phone number, wallet email, cryptocurrency address.
  • Technical data: IP address, user-agent string, locale, device fingerprint hash, referrer URL.
  • Communications data: messages you send to support and our replies.

We never store the full primary account number (PAN), CVV / CVV2 / CVC2, or any other authentication code. Card data is transmitted to certified acquiring partners over TLS in compliance with PCI-DSS Level 1.

3. Purposes and legal basis (GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)): processing payments, generating invoices, returning funds, delivering webhooks to the merchant.
  • Legal obligation (Art. 6(1)(c)): anti-money-laundering ("AML"), counter-terrorism financing ("CTF"), fraud prevention, tax reporting.
  • Legitimate interest (Art. 6(1)(f)): securing the Service, debugging incidents, statistical analysis in aggregated form.
  • Consent (Art. 6(1)(a)): only where explicit consent is offered (e.g. an optional cookie).

4. Legal basis under Russian law (152-FZ)

For residents of the Russian Federation, the processing is performed on the legal grounds set out in Art. 6(1)(2) (execution of the agreement to which the data subject is a party) and Art. 6(1)(5) (performance of functions assigned by federal law) of 152-FZ. Primary databases that contain personal data of Russian residents are localised on servers physically located within the territory of the Russian Federation in accordance with Art. 18(5) of 152-FZ.

5. Recipients and sub-processors

We share personal data on a strict need-to-know basis with:

  • Acquiring banks and card networks (Visa, Mastercard, MIR) to authorise card transactions;
  • The Faster Payments System (SBP) operator for incoming Russian instant transfers;
  • PayPal Holdings, Inc. (USA) and PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg);
  • Blockchain node providers strictly for on-chain transaction lookup (no wallet keys are shared);
  • Hosting, monitoring and customer-support vendors bound by contractual processing agreements (GDPR Art. 28).

6. International transfers

Where personal data is transferred outside the EEA / UK / Russia, the transfer is governed by the Standard Contractual Clauses (Decision (EU) 2021/914) or by an equivalent legal mechanism. For Russian residents we obtain explicit consent for cross-border transfer in accordance with Art. 12 of 152-FZ when no adequacy decision applies.

7. Retention

  • Transaction records: 5 years from the date of the transaction, in line with anti-money-laundering law.
  • Communication records: 2 years from the last interaction.
  • Server logs: 90 days, after which they are aggregated or deleted.
  • Cancelled or expired payment intents without successful capture: 30 days.

8. Your rights

Subject to applicable law you have the right to:

  • access, rectify, restrict or erase your personal data;
  • port your data to another controller in a structured machine-readable format;
  • object to processing based on legitimate interest;
  • withdraw any consent you have previously given;
  • lodge a complaint with your supervisory authority (in Russia — Roskomnadzor; in the EU — your national DPA).

To exercise these rights, write to commerce@meowsolutions.limited from the email address you used during the transaction, or include the payment identifier so we can locate your record.

9. Cookies

The payment page itself does not use third-party advertising cookies. We use a single first-party functional cookie to maintain the payment session and to mitigate CSRF. This cookie is set only after the user lands on the checkout and is destroyed when the payment session ends.

10. Security

We apply administrative, technical and physical safeguards including TLS 1.3, hardware-backed key storage, IP allow-listing for merchant APIs, signed webhooks (HMAC-SHA256), strict separation of card-data environments (CDE) from general infrastructure, and continuous monitoring. Despite these measures, no transmission over the internet is ever absolutely secure; users are encouraged to keep their devices up to date and to never share payment confirmation codes with anyone.

11. Changes

We may amend this Policy. The current version is always available on this page; significant changes will be published with at least 14 days notice prior to becoming effective.