Flux Payments Privacy Policy
Effective Date: October 21, 2025
Last Updated: October 21, 2025
Introduction and Scope
Flux Payments (“Flux,” “we,” “us,” or “our”) is committed to protecting the privacy of all users of our services. This Privacy Policy describes how we collect, use, store, and disclose personal information when merchants use our platform to create payment links and when consumers make payments through those links. It applies globally to all merchants and consumers (collectively, “users”) who interact with Flux’s websites, applications, and payment services, regardless of location. We operate worldwide and adhere to applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), among others. By using Flux Payments’ services or providing personal information, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.
Information We Collect
Flux Payments collects personal data from two main categories of users: Merchants (who use Flux to accept payments) and Consumers (who make payments via Flux). We obtain this information through account registration, payment transactions, and automated technologies (like cookies), with explicit user consent obtained via an opt-in mechanism on the payment page.
Information from Merchants
When you sign up or operate as a merchant on Flux, we collect information necessary to create and support your merchant account and process transactions. This may include:
- Business and Contact Information: Your name, business name, business type, industry, email address, phone number, physical address, and other contact details.
- Identity and Verification Data: Government-issued identification numbers (such as tax ID or business registration number), copies of identification documents, and any Know-Your-Customer (KYC) information needed to verify your identity or the identity of your business owners.
- Financial and Payment Information: Bank account details for settlements, routing numbers, and associated financial information needed to transfer funds to you as a merchant. If you use payment instruments for fees or payouts, we collect those account details as well.
- Account Credentials and Usage Data: Username, password, and security questions for your Flux account. We also collect usage data about how you access and use our merchant dashboard or APIs (e.g., IP address, device type, browser type, access times, and pages viewed) to maintain security and improve our services.
- Cookies and Tracking Technologies: When merchants visit our site or dashboard, we use cookies and similar technologies to remember preferences, authenticate sessions, and gather analytics on usage. This may include device identifiers, IP address-derived location, and browsing behavior (see Cookies and Tracking below for more detail).
Note: If, as a merchant, you provide us with personal information about your customers or other individuals (for example, by importing a customer list or emailing a payment link that includes personal data), you are responsible for ensuring that you have a lawful basis (such as consent) to share that data with us. We will handle that information in accordance with this Privacy Policy.
Information from Consumers (Payers)
When you make a payment through a Flux Payments link (for example, to purchase goods or services from a merchant), we collect certain information about you to process the transaction and protect against fraud. This may include:
- Personal Identifiers and Contact Information: Your name, email address, phone number, billing address, and shipping address (if you provide these or if required by the merchant for receipt delivery or order fulfillment).
- Payment Information: Credit or debit card details, including the card number, expiration date, cardholder name, and payment authentication information. We collect and store your card information securely in compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements. (For security, we do not collect or store sensitive authentication data like card security codes/CVV beyond the moment of transaction authorization.) Card data may be tokenized or encrypted in our systems for ongoing use (e.g., for recurring payments).
- Transaction Details: Information about the transaction you are making, such as the amount, currency, date and time of the transaction, the merchant to whom you are making a payment, and any descriptions or references associated with the payment.
- Geolocation Data: We may collect your approximate geolocation at the time of payment. This can occur through your IP address (to infer a general location) or, if you permit, via the GPS or location services on your device for more precise location data. Geolocation information is used for fraud prevention (e.g., comparing your location to the billing address or known cardholder location) and to comply with regional legal requirements.
- Device and Technical Information: When you access a Flux payment page, we automatically collect data about the device and browser you use. This includes your IP address, device type, operating system, browser type and version, unique device identifiers, and other technical data. We also log information about your interaction with the payment page (such as page load times, errors, and user interface interactions) for security and analytics purposes.
- Cookies and Tracking Technologies: Flux uses cookies, pixel tags, and similar tracking technologies on payment pages to ensure functionality (such as keeping your session active while you enter details) and to gather analytics about how the payment page is used. For example, cookies help remember your preferences and track information like referral URLs or whether you have visited a Flux Payments page before. We and certain trusted partners (for fraud detection, analytics, and marketing) may employ these technologies to collect information about your device and browsing actions on our payment pages. You can control cookies through your browser settings and, where required by law, we will request your consent before using certain cookies (see Consent and Cookies and Tracking below).
Cookies and Tracking: In both the merchant portal and consumer payment pages, Flux utilizes cookies and similar technologies for various purposes:
- Necessary cookies to enable core functionality (e.g., keeping you logged in as a merchant or remembering items in a consumer’s purchase).
- Analytics cookies to understand usage patterns and improve our services.
- Security cookies or scripts to help detect fraudulent behavior and protect against misuse.
- Advertising cookies (on our main website or merchant pages) to personalize content and marketing, used only with appropriate consent. For instance, Flux or our advertising partners may use cookies to deliver interest-based ads about our services, as permitted by law. We do not use advertising cookies on payment pages in a way that would compromise payment security.
You have choices in managing cookies. Where required, we provide a cookie consent banner to allow you to opt in or opt out of certain cookies. You can also adjust browser settings to refuse cookies; however, be aware that blocking cookies might impact the functionality of our services (especially for merchants logging into accounts).
Use of Information
We use the collected information for the following purposes, in accordance with applicable legal bases (such as performing a contract, your consent, and our legitimate interests):
- Providing and Facilitating Services: We use personal data to operate Flux Payments’ platform and deliver our services. For merchants, this means using your information to set up and maintain your account, allow you to create and send payment links, and communicate with you about your account and transactions. For consumers, we use your information to process payment transactions you initiate, which includes transmitting your card data to the payment networks/banks, verifying that payment details are valid, and ensuring the merchant receives confirmation of payment. We also use data to provide customer support (to both merchants and consumers), such as resolving issues, confirming transactions, or assisting with technical difficulties.
- Payment Processing and Recurring Billing: Your credit card and transaction data are used to complete one-time payments and, where applicable, recurring payments or subscriptions that you have authorized. If you as a consumer opt in to a recurring billing or subscription with a merchant, Flux will securely store your payment credentials (in encrypted/token form) and charge your card at the intervals agreed. All such processing is done in compliance with PCI DSS and relevant regulations. We use your information to send you receipts or payment confirmations on behalf of merchants.
- Fraud Detection and Security: We continually use personal information to monitor, detect, and prevent fraudulent or unauthorized transactions and to protect the integrity of our platform. For example, Flux may use device information, geolocation, and transaction patterns to flag suspicious activities. We also may run your data through third-party fraud detection tools or our proprietary algorithms to assess risk. If fraud is suspected, we might decline the transaction or require additional verification. We share relevant information with the involved merchant and (in some cases) with our fraud detection service providers to help make these assessments. Our use of data for fraud detection and security is a core aspect of our service and is done both to protect you and other users. For instance, we may use the information collected (like device IDs or past transaction history) for analytics, fraud detection, and security purposes.
- Analytics and Service Improvement: Flux Payments uses collected data (often in aggregated or pseudonymized form) to analyze how our services are used. This helps us troubleshoot performance issues, improve the user interface, and develop new features. For example, we might analyze how many consumers abandon a payment halfway, or how merchants interact with our dashboard, in order to enhance user experience. We also use cookies and third-party analytics services to understand website traffic and marketing campaign effectiveness. Personal data is also used to generate business intelligence, such as financial reporting and customer behavior analysis, that guides our decisions and strategies (often this analysis is done on de-identified data).
- Communications and Marketing: We may use your contact information to communicate with you about our services. For merchants, this includes transactional communications (e.g. account updates, security alerts, invoices) and, with your consent or as permitted by law, promotional communications. We might inform you of new Flux features, industry updates, or partner offers that could benefit your business. These marketing communications will be sent in accordance with applicable law (for example, for EU merchants, we rely on consent or soft opt-in, and for U.S. merchants, you may opt out at any time). Consumers generally will not receive marketing emails from Flux simply for making a payment; however, if you explicitly opt in to receive offers (for instance, a checkbox to get promotions from either the merchant or Flux), we will honor that consent. We may use and share data with marketing partners to deliver personalized offers, advertisements, or newsletters, but only where you have given consent or where otherwise lawful. (For example, if you are a merchant, we might use a third-party email platform to send you a newsletter, or we might work with advertising networks to show Flux ads on other websites based on your interaction with our site – subject to cookie consent.)
- Sharing with Affiliates and Partners: If you were referred to Flux via a referral or marketing partner, or if Flux runs a joint promotion, we may use your data to administer those programs, including confirming referrals or delivering rewards. We may also suggest to you services of our affiliates or subsidiaries (companies under common ownership with Flux) if we believe they could be useful for your business, but only in compliance with direct marketing laws.
- Compliance with Legal Obligations: We use personal information to comply with applicable laws and regulations. This includes anti-money laundering (AML) and “Know Your Customer” checks for merchants, record-keeping for financial and tax regulations, responding to legally binding requests from authorities, and honoring data subject rights under privacy laws. For consumers, note that Flux (as a regulated payment service in many jurisdictions) may be required to retain and report certain transaction information to financial regulators or law enforcement (for example, to detect crime or fraud). We also process data as necessary to address chargebacks, disputes, or other issues related to transactions (though note: this Privacy Policy does not cover our dispute or refund policies).
- Enforcement and Protections: We may use data to enforce our Terms of Service or other agreements, to investigate potential violations, and to protect the rights and safety of Flux, our users, or the public. This includes using data to prevent spam, malware, or other security risks. If necessary, we will use personal information to pursue or defend legal actions, audits, and for insurance purposes.
- Other Purposes with Consent: If we intend to use your personal information for a purpose not described in this Privacy Policy, we will obtain your consent as required. We will not use your data in new ways that are incompatible with the original purposes unless you have been informed and, if required, consented.
We base the above processing on various legal grounds. In the EEA/UK, our legal bases include: performance of a contract (for payment processing and merchant services), your consent (for example, for cookies or marketing communications, or certain data collected on the payment page as required by law), compliance with legal obligations (regulatory compliance, accounting, etc.), and our legitimate interests (fraud prevention, service improvement, and certain marketing to business customers, balanced with your rights). If you have any questions about the legal basis for a particular processing activity, please contact us (see Contact Us below).
Sharing and Disclosure of Information
We understand the importance of keeping your personal information private. Flux Payments does not sell your personal information to third parties for money. However, in the course of operating our business and providing our services, we do share personal data with certain third parties for the purposes described above. All such sharing is done under strict obligations of confidentiality, only as necessary, and in compliance with applicable law. The categories of recipients of personal data include:
- Merchants (for Consumer Transactions): If you are a consumer making a payment, we share certain information about you with the merchant you are paying, to enable the merchant to fulfill your order or service. For example, a merchant will receive confirmation that you paid and may receive your name, email, or other contact information and transaction details necessary for their records or to provide you a receipt. Merchants do not receive your full card number or payment credentials from Flux (we keep those secure), but they might receive a token or reference ID, card brand, and perhaps the last four digits of the card for reconciliation purposes. Sharing this information is inherent to the service (the merchant needs to know who paid them). Merchants are independently responsible for handling any personal data we provide to them in accordance with their own privacy policies.
- Our Corporate Affiliates: We may share personal information with companies that are under common ownership or control with Flux (our parent company, subsidiaries, or other companies in our corporate group). Such affiliates receive data only if necessary for the purposes described in this policy (for example, backend operations, platform development, or customer support) and will process your data in accordance with this Privacy Policy. Sharing with affiliates helps us streamline services and run our business efficiently.
- Service Providers and Vendors: Flux uses a variety of third-party service providers to support our operations. We share information with these vendors only to the extent necessary for them to perform their functions on our behalf, and we contractually require them to protect it. Key examples include:
  - Payment Processors and Financial Institutions: Flux partners with banks or payment gateways (e.g., card networks, acquiring banks) to execute transactions. We transmit credit card data and transaction details to these parties to process payments, authenticate transactions, and settle funds. These parties may also be subject to their own legal obligations (for example, anti-fraud checks by card networks).
  - Fraud Detection and Security Partners: We share data with third-party fraud prevention services and identity verification providers to help us verify user identity, check for fraudulent activity, and reduce payment risks. For instance, we might share a device fingerprint, transaction pattern, or personal identifiers with a fraud detection service that analyzes the data to provide a fraud risk score. Similarly, if we use external tools for identity verification (e.g., verifying a government ID or phone number), relevant data will be shared with those providers solely for that purpose.
  - Analytics and Performance Tools: We use third-party analytics providers (such as Google Analytics) to collect information about the use of our websites and services. These providers set their own cookies or similar identifiers and receive usage data (e.g., page visits, IP address, device info) to provide us reports and insights. We share only pseudonymous or aggregated data with analytics providers; they do not get direct identifiers like your name or email. You can opt out of certain analytics as described in our Cookies section.
  - Cloud Hosting and IT Suppliers: Flux’s websites and databases may be hosted on third-party cloud servers. Therefore, personal data is stored and processed on infrastructure provided by reputable providers (e.g., AWS, Azure, or similar) who act as our data processors. We ensure such providers implement strong security measures. We also use other IT or software vendors for services like email delivery, customer support ticketing, or data backup, and your information might pass through or be stored by these systems (again under strict agreements).
- Marketing and Advertising Partners: If you are a merchant or site visitor, and with your consent where required, we may share limited data with marketing partners who help us with promotional activities. This could include sharing a merchant’s email with an email marketing platform to send newsletters, or using advertising networks and social media platforms to display targeted ads for Flux (in which case we might share a hashed identifier or use cookies set by the ad network). Marketing partners who receive personal data are not allowed to use it for their own purposes beyond the agreed marketing of Flux services. (For California residents, we do not “sell” data for money, but some of this data sharing for targeted advertising might be considered “sharing” under the CPRA; see California Privacy Rights below for how to opt out.)
- Professional Advisors: We may share personal information with our auditors, attorneys, insurers, and other professional advisors to obtain advice or manage business obligations. These parties are bound to confidentiality and will only use the information for the services they provide to us (such as legal counsel or accounting).
- Business Transfers: If Flux Payments undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of its assets, your personal information may be transferred as part of that deal. We will ensure that any acquiring entity is bound to respect your personal information in a manner consistent with this Privacy Policy. In the event of insolvency, bankruptcy, or receivership, personal data may also be transferred as a business asset. You will be notified via email and/or a prominent notice on our website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data in such an event.
- Legal and Regulatory Disclosures: We may disclose personal information when required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government inquiry). We will also disclose data if we believe in good faith that such disclosure is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights, property, or safety of Flux, our users, or the public, (iii) investigate and address violations of our terms or fraud, or (iv) respond to an emergency which we believe in good faith requires us to share data to prevent harm. For example, we might share information with law enforcement agencies for fraud investigation or with tax authorities as required for reporting transactions. We also cooperate with regulators and payment networks as necessary – for instance, providing information to card networks to handle disputes or to comply with audit requirements.
- With Consent: In cases where you have provided explicit consent for us to share your information with a third party not otherwise covered by the categories above, we will share it in accordance with that consent. For example, if you opt in to a co-branded service or an offering by another company through our platform, we might share your contact information with that third party with your permission. If in the future we have a need to share your data in a new way, we will notify you and obtain consent as required.
When we share information with third parties, we require them to handle it with an appropriate level of security and to use it only for the purposes we specify. Flux remains responsible for the handling of your personal information by all parties that act on our behalf. We also never share more information than is necessary – we follow the principle of data minimization when disclosing data.
Finally, in the event that we need to publish any personal information, we will only do so with anonymization or aggregation (for example, disclosing average transaction volumes in marketing materials, which contain no personal identifiers).
Data Security
Flux Payments takes the security of your personal and financial information extremely seriously, especially given the high-risk nature of handling payment card data. We have implemented a variety of administrative, technical, and physical security measures to protect against loss, misuse, or unauthorized access to your personal data. These measures include:
- PCI DSS Compliance: Flux Payments is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) for processing, transmitting, and storing credit card information. This means we adhere to rigorous requirements such as maintaining secure networks, performing regular security audits, and following strict protocols for data handling. Cardholder data is encrypted both in transit (using TLS/SSL encryption) and at rest within our systems. We never store sensitive authentication data like CVV after transaction authorization, and any stored Primary Account Number (PAN) is masked and/or encrypted according to PCI DSS guidelines. Our systems undergo regular scans and penetration testing by independent security assessors to ensure continued compliance and security.
- Encryption and Pseudonymization: We use strong encryption technologies to protect personal information. All web interactions with Flux (including the entry of payment details on a payment page and merchant logins) are protected via up-to-date encryption protocols (HTTPS/TLS). Sensitive data in our databases (such as credit card numbers, personal identifiers, and passwords) is encrypted or hashed. For example, passwords are stored only in hashed form (never in plain text), and card numbers are stored in an encrypted format or replaced with tokens provided by our payment vault.
- Access Controls: We employ strict access controls to limit who within our organization can access personal data. Employee and contractor access to personal information (especially card data and consumer personal info) is restricted on a need-to-know basis and protected by multi-factor authentication, where feasible. Our staff are trained on data security and privacy requirements, and we have internal policies governing the proper handling of user data. Access to highly sensitive information (like decrypted card data) is limited to a very small number of authorized personnel and only for valid purposes (e.g., fraud investigation or debugging a specific issue, and even then we strive to use masked data whenever possible).
- Network and System Security: We maintain up-to-date firewall and intrusion detection systems to guard our network perimeter. Security patches and updates are applied promptly to our software and systems. We monitor our systems for possible vulnerabilities or attacks and have 24/7 intrusion detection and logging in place. All systems are configured following the principle of least privilege. We also utilize anti-malware, endpoint protection, and network segmentation to protect data stores.
- Payment Page Security: The payment pages that consumers use are designed to prevent unauthorized scripts or access. We use content security policies and other measures to ensure that when you enter your card information, it is submitted securely to our servers and not intercepted. For certain transactions, we support 3-D Secure or other cardholder authentication methods as required by card networks or law, adding an extra layer of security (such as a one-time passcode from your bank).
- Continuous Monitoring and Testing: Flux conducts regular security audits and assessments. We utilize third-party security firms to perform penetration testing, and we continuously monitor our infrastructure for anomalies or suspicious activities. Any security incidents are managed under a detailed incident response plan that aims to contain and remediate issues swiftly, and we will notify affected users and authorities as required by law in the event of a data breach.
- Data Handling and Minimization: We avoid storing personal data that we do not need. For example, as mentioned, we do not store CVVs after processing, and we do not store copies of identity documents longer than necessary to verify identity. Paper records (if any) containing personal data are securely shredded. Electronic data disposal is done via secure deletion methods.
- Vendor Security: As noted, we use third-party service providers for certain functions; we vet these providers for strong security practices. Our contracts with them include data protection clauses requiring them to safeguard your information to at least the standards we use ourselves. If any service provider cannot meet our security requirements, we do not entrust data to them.
Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, while we strive to protect your personal data, we cannot guarantee its absolute security. You should also play a role in keeping your data safe: for merchants, keep your account credentials confidential and use a strong, unique password; for consumers, avoid using public computers or networks when making payments, and keep your devices secure.
In the unfortunate event of a security breach that compromises your personal information, we will notify you and the appropriate authorities promptly, as required by law, and provide guidance on how you can protect yourself.
Data Retention
Flux Payments retains personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or for other valid reasons (such as compliance with legal obligations), and in practice, certain data may be stored indefinitely. In particular, because we facilitate financial transactions, we often must maintain records for extended periods (and sometimes permanently) for auditing, dispute resolution, and fraud prevention purposes. Below we provide more details on our retention practices:
- Consumer Payment Data: If you make a payment through Flux, we will retain your transaction data (including personal data associated with the payment) indefinitely by default. This indefinite retention allows us to: provide records to merchants for their accounting, assist you or the merchant with any future inquiries about the transaction, detect fraud patterns over time, and comply with financial regulations that often require lengthy retention (for example, anti-fraud and anti-money laundering laws may require records to be kept for 5+ years). Credit card information that is stored for recurring billing will be kept as long as the subscription or recurring payment arrangement remains active, and thereafter we may retain the card data (securely) to facilitate refunds, chargeback defense, or fraud investigations. If you wish for your personal data to be deleted, you may request deletion (see Data Subject Rights below), and we will remove or anonymize data that we are not required or justified to keep. Note, however, that we cannot delete transactional records that are required for legal, regulatory, or legitimate business purposes – for example, we generally must keep a record that a payment occurred (including who paid whom and the amount) to comply with accounting and financial rules.
- Merchant Account Data: We retain merchant information for as long as the merchant account is active and for a significant period after an account is closed. Even if a merchant stops using Flux, we may keep their account data indefinitely in case of any legal disputes, tax compliance, or inquiries that arise later. This includes retaining contracts, communications, and transactions linked to the merchant. We also keep logs of access to our systems for security auditing. If a merchant account is terminated, we will archive the data securely and restrict any routine access to it, using it only if needed for compliance or legal purposes.
- Cookies and Online Data: Cookies have varying lifespans. Session cookies (which track actions in a single visit) are deleted automatically after you close your browser. Persistent cookies (which remember you over multiple visits) will remain on your device until they expire or you delete them; our persistent cookies expire according to their purpose (for example, an analytics cookie might expire after 12 months, while a preference cookie may last a shorter time). We align cookie lifetimes with their necessity and legal guidelines. You can clear cookies from your own browser at any time.
- Backup and Archived Data: It’s important to know that when we delete data from our live systems, it might still be retained in our secure backups or archives for some additional period until those backups cycle out or are destroyed. We maintain backups to ensure continuity of service and data integrity. Access to backup data is highly restricted. We also may retain aggregated or de-identified data indefinitely (information that no longer identifies an individual) – for example, statistical information about payment volumes or fraud rates – as this does not compromise your privacy and helps us improve our services.
- Legal Hold: In addition to the above, if we are subject to a legal hold or in the midst of litigation or government investigation, we will retain any data (including personal information) that is relevant to that matter until it is resolved, even if that extends beyond our standard retention periods.
While our policy is to retain data indefinitely by default, we do periodically review the data we store. If certain information is no longer needed and no law requires us to keep it, we will either securely delete it or anonymize it. For example, if a merchant signs up but never processes any payments and later deletes their account, we may choose to purge their data after some years.
Please note that you have the right to request deletion of your personal data in certain circumstances (see Data Subject Rights). Flux will honor such requests to the extent required by law, but even after most personal data is deleted, we may keep limited information as necessary (e.g., to prove that we complied with a deletion request, or information that was created in an anonymized form).
International Data Transfers
Flux Payments is a global service provider. The personal information we collect may be transferred to and stored on servers located in countries other than your own, including the United States. Our headquarters and many of our systems are in the U.S., but we also utilize cloud providers and service partners around the world. This means your data could be processed in jurisdictions that may not have the same data protection laws as your home country.
However, regardless of where your data is processed, we protect it under the same privacy and security standards described in this policy and in compliance with applicable law. When we transfer personal data across international borders, we take the following precautions:
- Adequacy and Safeguards: If you are located in the European Economic Area (EEA), United Kingdom, or another region with data transfer restrictions, we ensure that your personal data is transferred in compliance with those requirements. Typically, this means that we rely on European Commission-approved Standard Contractual Clauses (SCCs) or equivalent legal transfer mechanisms to legally authorize the transfer of personal data from the EEA/UK to countries not deemed to have “adequate” data protection laws (such as the U.S.). These SCCs contractually obligate the recipient of the data (e.g., Flux or our U.S. vendors) to protect the data to EU privacy standards. In some cases, we may also rely on an adequacy decision (if the country has been deemed by regulators to have adequate protections) or, where applicable, the new EU-U.S. Data Privacy Framework for transfers to certified U.S. organizations. We will also implement supplementary measures as needed (such as encryption in transit and at rest, and careful vetting of data access) to ensure transferred data enjoys an equivalent level of protection.
- Corporate Transfers: Transfers of data within Flux’s affiliates (for example, from an EU affiliate to Flux’s U.S. operations) are governed by internal agreements that incorporate strong data protection commitments. Our employees and contractors in different countries are only allowed to access personal data if necessary and under strict controls.
- User Consent in Some Cases: In certain situations, we may ask for your explicit consent to transfer your data internationally. For example, if you are a consumer on a payment page accessing from the EU and the processing (such as fraud analysis) involves sending data to a third country where neither SCCs nor other safeguards are feasible, we would inform you and obtain consent if required. Generally, however, our goal is to rely on standardized safeguards rather than consent, because we believe your rights should travel with your data without you needing to take extra steps.
- Transparency: By using Flux Payments’ services or providing us with your information, you acknowledge that your information may be transferred to our facilities and those third parties with whom we share it as described in this policy, across international borders. We note that these other jurisdictions may have data protection rules different from your country, but we will strive to ensure a consistent level of protection.
If you would like more information about our international data transfers or to obtain a copy of the SCCs we use, you may contact us (see Contact Us section below).
Important: Cross-border transfers are necessary for us to provide the service (for example, a payment by a European consumer to a U.S. merchant inherently involves international data flows). We continuously monitor legal developments around international data transfer and will adapt our practices to remain compliant (e.g., if new regulations or guidelines require additional measures).
Data Subject Rights
Flux Payments respects your rights to your personal information. Depending on your location and applicable law, you may have some or all of the following rights regarding the personal data we hold about you:
Rights of Individuals in the EEA, UK, and Similar Jurisdictions (GDPR Rights)
If you are in the European Union, United Kingdom, or another jurisdiction with similar data protection laws, you have the following rights under the GDPR (and equivalent laws):
- Right to Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to obtain a copy of the personal data we hold about you, as well as information about how we use and share it. This is commonly known as a Data Subject Access Request (DSAR). We will provide the requested information in a structured, commonly used format (typically electronic).
- Right to Rectification: You have the right to ask us to correct or update any inaccurate or incomplete personal information we have about you. We encourage you to correct your information through your account settings (for merchants) or by contacting us for assistance. We will take reasonable steps to ensure that inaccurate data is corrected.
- Right to Erasure (Right to be Forgotten): You may request that we delete your personal data. We will honor this right to the extent applicable – for example, if the data is no longer needed for the purpose it was collected, if you withdraw consent (where consent was the legal basis), or if we unlawfully processed it. Please note that this right is not absolute; sometimes we may refuse deletion if retention is legally required or permitted (for instance, we may need to keep certain transaction records for financial audits or fraud prevention, as outlined in Data Retention above). We will inform you of the reason if we cannot fulfill a deletion request in full.
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain circumstances. This could apply, for example, if you contest the accuracy of your data (we would restrict processing until it’s verified), or if you object to processing based on our legitimate interests. When processing is restricted, we will still store your data but will not use it except for limited reasons (like legal claims or with your consent).
- Right to Data Portability: You have the right to receive certain of your personal data in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. This right applies to personal data you provided to us, when processing is based on your consent or a contract and carried out by automated means. In practice, for Flux, this could mean giving you a copy of transaction records or account data that you directly provided, in a CSV or similar format, upon request.
- Right to Object: You have the right to object to our processing of your personal data in some cases. You can object at any time to processing for direct marketing purposes – if you do, we will stop using your data for marketing. You can also object when we base processing on legitimate interests; in such cases, we will review your objection and unless we have compelling legitimate grounds to continue processing (or it’s needed for legal claims), we will cease the processing in question. For example, an EU consumer might object to us using their data for analytics – we would then consider if our need (improving service) is outweighed by the privacy impact on you; if it is, we’d stop or anonymize your data in analytics.
- Right not to be Subject to Automated Decisions: Flux does not make any legally significant decisions about individuals solely by automated means without human involvement. However, if we did (such as automated fraud declines that have a legal effect on you), you would have the right to request human review of the decision. (For transparency: our fraud screening is automated, but if a transaction is declined, you can contact us or the merchant to have a human review it. This usually does not fall under GDPR’s strict definition of automated decision-making with legal effect, as it’s a one-off transaction decision, not a legal status, but we still provide recourse for review.)
- Right to Withdraw Consent: In cases where we process your data based on your consent, you have the right to withdraw that consent at any time. For instance, if you consented to receive marketing emails from us, you can opt-out later (unsubscribe). Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it won’t affect processing of your data under other legal bases (e.g., if we have to keep records of a payment). If you withdraw consent for a service that requires it (e.g., you withdraw consent for us to store and process your card information for a recurring payment), we may be unable to continue providing that service. We will advise you if this is the case.
To exercise any of these rights, please contact us (see Contact Us below). We will respond to legitimate requests as soon as possible and in any event within the timeframes required by law (the GDPR generally requires a response within one month, extendable in complex cases). We may need to verify your identity before fulfilling a request (to ensure we don’t give your data to someone else), and may ask for specific information to help us confirm identity and locate your data. There is no fee for exercising your rights, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request (we will explain our reasoning in such cases). If you are unsatisfied with our response to a privacy rights request, you have the right to lodge a complaint with your local data protection supervisory authority (for example, an EU citizen can complain to their country’s Data Protection Authority, and a UK citizen to the Information Commissioner’s Office). We encourage you to contact us first so we have the opportunity to address your concerns.
Rights of California Residents (CCPA/CPRA Rights)
If you are a resident of California, you have specific privacy rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include:
- Right to Know: You have the right to request that we disclose what personal information we have collected about you in the past 12 months, including the categories of personal information, the sources of that information, the business or commercial purposes for collecting (or selling/sharing) it, the categories of third parties with whom we shared it, and the specific pieces of personal information we have about you. Much of this information is provided in this Privacy Policy. Upon a verifiable request, we will provide you with a report detailing the personal information we have collected about you in a readily usable format, covering the 12 months preceding your request (or from January 1, 2023 forward, whichever is shorter, as required by law).
- Right to Delete: You have the right to request deletion of personal information we have collected from you and retained, subject to certain exceptions. Once we receive and confirm a verifiable consumer deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. Please note that we may deny deletion requests if retaining the information is necessary for us or our service providers to complete a transaction you requested, detect security incidents, comply with legal obligations, exercise or defend legal claims, or for certain other internal and lawful uses (the CCPA outlines specific exceptions). In a payment context, for example, we might not delete transaction records that are needed for auditing or fraud prevention, even if you request it, as allowed by law.
- Right to Correct: California residents have the right to request that we correct inaccurate personal information we maintain about you. Upon verifying the accuracy of the new information you provide, we will correct our records.
- Right to Opt-Out of Sale or Sharing: The CCPA gives you the right to opt-out of the “sale” of your personal information. Although Flux Payments does not sell personal data for money, we do share certain information with third parties for advertising and analytics which could be considered a “sale” or “sharing” under California law (for instance, if an advertising partner can use a cookie to recognize you across different services, that might be deemed a “share” for cross-context behavioral advertising). California law interprets “sale” broadly to include any exchange of personal data for valuable consideration. To the extent Flux engages in any activity that falls under “sale” or “sharing,” you have the right to direct us to stop. You can exercise this right by using the “Do Not Sell or Share My Personal Information” link on our website (if applicable) or by contacting us as described below. If you opt-out, we will, as required by law, refrain from selling or sharing your covered personal data. If we ever launched a program that does involve a sale of data (which we do not currently do), we would provide a clear opt-in for that.
- Right to Limit Use of Sensitive Personal Information: Under CPRA, you have the right to limit our use of “Sensitive Personal Information” (SPI) if we use it for purposes beyond those allowed by law. Flux’s collection of SPI may include things like precise geolocation and full credit card numbers. However, we only use such sensitive data for necessary business purposes (e.g., processing your payment, fraud prevention) and not to infer characteristics about you or for secondary purposes. Therefore, the right to limit SPI use is not applicable to our practices, as we do not use sensitive data for purposes that trigger this right. If that changes, we will implement a “Limit Use of Sensitive Info” mechanism.
- Right of Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you goods or services, charge you different prices, or provide a different level of service just because you exercised your privacy rights. (However, please note that if a deletion request means we can no longer provide something – e.g., if you ask us to delete your data, we can’t then verify you for a payment – that’s a consequence of the deletion, not discrimination. Also, the CCPA allows businesses to offer financial incentives in exchange for data – but we do not currently offer such programs.)
Exercising California Rights: If you are a California resident and wish to exercise any of the above rights, you (or an authorized agent acting on your behalf) can submit a request to us by emailing support@fluxpayments.com with the subject line “CCPA Request” or by calling our toll-free number (when available) or via the web form linked on our website’s “Do Not Sell” page. Please provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information (or their authorized representative), which may include verifying control of the email or phone number associated with your account or transaction with us. We will only use the personal information provided in a request to verify the requestor’s identity or authority. We aim to respond to verifiable requests within 45 days as required by CCPA (or notify you if we need an extension). For requests to opt-out of sale/sharing, we will comply as soon as feasibly possible. If you have an account with us (merchants), we may require you to make the request through your account to verify identity.
For California Shine the Light (Civil Code § 1798.83): Flux Payments does not share personal information of customers with third parties for their direct marketing purposes without either obtaining your consent or providing you the ability to opt-out. California residents may request certain information about our disclosure of personal information to third parties for their direct marketing purposes during the prior calendar year. To make such a request, please contact us as described below.
If you are a resident of another U.S. state with similar laws (such as Virginia, Colorado, Connecticut, or Utah), please know that we will also honor your rights under those state laws. They generally align with the rights described above (access, deletion, correction, opt-out of sale/targeted ads). You may contact us to exercise those rights, and we will process your request in accordance with applicable state law.
Consent and User Choices
We require users to provide consent in certain scenarios to ensure compliance and transparency. Here is how we obtain and rely on consent, and the choices you can make:
- Consent on Payment Page: When a consumer makes a payment through a Flux Payments link, we present an opt-in mechanism on the payment page for key privacy consents. For example, you may see a checkbox or a statement such as “By checking this box and proceeding, I agree to the Flux Payments Privacy Policy and consent to the processing of my data for payment and fraud prevention purposes.” You will need to explicitly agree (opt-in) before we collect or process your personal data beyond what is strictly necessary to complete the transaction. This ensures that, particularly in jurisdictions like the EU, we have your clear consent to process and retain your information (such as storing your card for recurring use, capturing cookies, or using your data for fraud analysis). If you do not consent, you should not complete the payment; the merchant may provide alternative payment methods if you prefer not to use Flux.
- Merchant Onboarding Consent: When merchants sign up for an account, they consent to the collection and processing of their data as described in this Privacy Policy (typically via agreeing to our Terms of Service and this Privacy Policy). Merchants also may be presented with specific consents during onboarding, such as consent for us to perform credit or background checks if relevant, or to receive marketing communications. By actively creating an account and providing information, merchants are indicating their agreement to this Privacy Policy.
- Marketing Communications: As noted, we obtain consent (or rely on permissible opt-out mechanisms) before sending marketing emails or texts. For example, at account creation a merchant might tick a box to “receive updates and offers.” If you consent, we will use your contact info for that purpose until you unsubscribe. You have the choice to opt-out at any time by clicking “unsubscribe” in any promotional email, or adjusting your preferences in your account settings, or contacting us. We will process opt-outs promptly and in accordance with law. Transactional or service messages (like payment receipts, important account notices, security alerts) may be sent even if you opt out of marketing, as they are not promotional.
- Cookies Consent: For non-essential cookies (like analytics or advertising cookies), we will obtain consent via our cookie banner for users in jurisdictions that require it (e.g., EU). You have the choice to accept or reject such cookies. Even after accepting, you can always change your mind by clearing cookies or using our website’s cookie preference center (if available) to withdraw consent. Declining certain cookies might affect your experience, but it will not prevent you from using core features.
- Withdrawals of Consent: If at any time you wish to withdraw a consent you have given (for example, you no longer want us to store your card details for future transactions, or you don’t want your location data used), you can contact us to do so. We will honor withdrawals of consent and stop the processing in question, except where we have another legal basis to continue (for example, if you withdraw consent for recurring billing, we will stop future billing, but we might still need to retain the past transaction record). Withdrawing consent for certain processing may mean we cannot provide certain services. We will inform you if that is the case (e.g., if you withdraw consent for fraud screening, we might not be able to allow transactions without that, and thus service might be discontinued).
- Refusal of Consent: You also have the right to refuse consent when it is asked. For instance, you can refuse to consent to marketing or certain data uses. This may mean we collect less data. In most cases, refusing consent will not negatively affect you – you can still use the service for its main purpose (like making a payment) if the consent was for an optional use. If consent is required for something fundamental (like storing your card for a recurring purchase), then refusing means that particular feature won’t be available to you.
Flux believes in clear and plain language disclosure of consent. We strive to make our requests for consent obvious and separate from other terms. Whenever consent is our legal basis for processing, we ensure it is informed and freely given: we explain what data we want and why, and you are able to say yes or no. We do not use pre-ticked boxes or vague wording. If you have any questions about a consent you gave or were asked to give, please contact us.
Changes to this Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes (significant changes) to how we collect or use your personal information, we will notify you in advance by appropriate means. This may include:
- Posting a prominent notice on our website or within your merchant dashboard about the upcoming changes;
- Updating the “Last Updated” date at the top of this Policy (so please check back periodically); and/or
- For major changes, we might also email registered merchants or, when relevant, consumers who have provided an email in a recent transaction, to inform you of the changes.
Your continued use of Flux Payments services after any changes to this Privacy Policy signifies your acceptance of the updated terms, to the extent permitted by law. However, if required by law (for example, if we plan to process your data for a new purpose that requires consent), we will obtain your consent before materially new uses of personal data.
We encourage you to review this Privacy Policy whenever you use our services to stay informed about our data practices and the ways you can protect your privacy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please do not hesitate to contact us:
Email: support@fluxpayments.com
Postal Address: Flux Payments – Privacy Officer
1234 Flux Lane, Suite 100
Tampa, FL 33601, USA
(Please include “Privacy Inquiry” in the subject line of written communications for faster routing.)
Data Protection Officer (DPO): We have appointed a Data Protection Officer to oversee our compliance with GDPR and other privacy laws. You may reach our DPO at support@fluxpayments.com or by mail at the address above, Attn: Data Protection Officer.
We will respond to inquiries as soon as possible, generally within 30 days. For requests to exercise data subject rights, please see the instructions in the Data Subject Rights section above.
Thank you for trusting Flux Payments with your transactions. We value your privacy and security, and we are committed to safeguarding your personal information in every aspect of our service.