Payments Toolbox Privacy Policy (January 1, 2026)

Modum Meliora LLC and its affiliates, dba Payments Toolbox, a Florida-based U.S. business ("Payments Toolbox," "we," "us," or "our"), provides this Payments Toolbox Privacy Policy (this "Policy") to describe how we collect, use, disclose, and protect information in the United States. This Policy applies to our website located at https://www.paymentstoolbox.ai, any related subdomains, and in-app pages we control (collectively, the "Site"), and to related pre-launch sandbox, account portals, and services we make available (the "Services"). This Policy is intended for residents of the United States only. We do not target or intend to process the personal data of individuals in the European Union or the United Kingdom.

By visiting the Site or using the Services, you acknowledge this Policy. This Policy is effective as of January 1, 2026 (the "Effective Date").

  1. Who We Are and How to Contact Us.  Payments Toolbox is a U.S. payments infrastructure provider for independent software vendors and software-as-a-service platforms. For privacy questions or requests, you may contact us by email at support@paymentstoolbox.ai or by mail at 433 Central Ave, St Petersburg, FL 33701. Additional request methods are described in Section 8 of this Policy.
  2. Scope and What This Policy Covers.  This Policy applies to information collected from:

(a) visitors to the Site and our waitlist page,

(b) prospective merchants and their personnel,

(c) account administrators,

(d) sandbox or pre-launch users, and

(e) recipients of our marketing communications.

This Policy does not apply to information we process strictly as a service provider or processor on behalf of our merchant clients about their end customers' transactions and accounts. Individuals who interact directly with a merchant that uses Payments Toolbox should consult that merchant's privacy policy for information about how the merchant handles their data.

Certain categories of information may be subject to additional regulatory frameworks:

(a) Gramm-Leach-Bliley Act/Bank Secrecy Act. Information processed for onboarding, underwriting, fraud prevention, and anti-money laundering, know-your-customer, or know-your-business purposes ("AML/KYC/KYB") may be subject to financial regulatory obligations of our sponsor bank(s) and other partners. Such data may be exempt from certain state privacy rights and requests.

(b) PCI. Payments Toolbox is a PCI Level 1 Service Provider.

This Policy is intended for a U.S.-only audience. The Site and Services are not intended for EU/UK data subjects.

  3. What Personal Information We Collect.  For purposes of this Policy, "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, subject to applicable law. "Sensitive Personal Information" means Personal Information that applicable law classifies as sensitive, such as government identifiers and financial account numbers.

We collect the following categories of Personal Information today in connection with our waitlist and website:

(a) Identifiers. Name, email address, company name, company website, Internet Protocol (IP) address, online identifiers (including cookies and device identifiers), and hashed contact identifiers used for advertising audiences.

(b) Commercial and business information. Account records, product interest, and business profile details provided during onboarding (such as industry and expected processing volumes).

(c) Internet or network activity. Pages viewed, clicks, referring URLs, timestamps, ad interactions, and similar data collected via cookies and similar technologies.

(d) Geolocation data. Approximate location derived from IP address. We do not collect precise GPS or Wi-Fi based location.

(e) Sensitive Personal Information (in connection with service sign-up or compliance checks). Social Security Number, driver’s license or state identification details, bank account and routing numbers, and AML/KYC/KYB documentation and verification artifacts.

Sources of Personal Information:

(a) Directly from you, including through forms, onboarding flows, and communications.

(b) Automatically through cookies, pixels, software development kits (SDKs), and similar technologies on the Site and Services.

(c) From third parties, including identity verification and KYC vendors, fraud and AML screening providers, sponsor bank and processing partners, analytics and advertising partners (such as social media ads and attribution tools), and public sources.

We do not collect precise geolocation (such as GPS or Wi-Fi triangulation).

  4. How We Use Personal Information (Purposes).  We use Personal Information for the following purposes:

(a) Service delivery and operations. To create and manage accounts; provide the Site, sandbox, and Services; and deliver customer support.

(b) Onboarding and compliance. To perform identity verification, KYC/KYB checks, AML screening, fraud risk assessment, due diligence, sanctions screening, and required reporting.

(c) Security and integrity. To detect, prevent, and investigate fraud, abuse, and security incidents; to debug; and to monitor performance and ensure the integrity of systems.

(d) Communications. To send transactional notices, product updates, marketing communications where permitted by law, and waitlist updates.

(e) Analytics and improvement. To measure usage, improve features, conduct research, and develop new products and services.

(f) Advertising and marketing. To engage in cross-context behavioral or targeted advertising and audience measurement, including with, and not limited to, partners such as social media ads and attribution tools.

(g) Legal and regulatory. To comply with laws, respond to lawful requests, exercise and defend legal claims, and enforce agreements and policies.

Sensitive Personal Information use limits. We use Sensitive Personal Information only for purposes such as onboarding, identity verification, fraud prevention, security, account servicing, and regulatory compliance, and not for advertising or for profiling for marketing.

  5. Cookies and Similar Technologies.  We use cookies and similar technologies on the Site and in certain parts of the Services:

(a) Strictly necessary cookies. These are required for core functionality such as security, network management, and accessibility.

(b) Analytics cookies. These help measure usage and improve site performance and features.

(c) Advertising/targeting cookies. These support cross-site tracking, targeted ads, and audience building.

Cross-context behavioral advertising. We and our partners may collect identifiers (such as cookies or hashed emails) and internet activity across nonaffiliated websites or services to infer preferences and provide targeted ads. In some states, this may constitute "sharing" of Personal Information.

User controls:

(a) We provide a cookie banner and a preferences center that allow you to manage non-essential cookies.

(b) We honor Global Privacy Control ("GPC") signals transmitted by browsers and extensions. When we receive a recognized GPC signal, we treat it as a request to opt out of sale or sharing for the browser or device on which the signal is sent.

(c) You can use browser or device-level controls to delete or block cookies. Opt-outs typically apply to the specific browser and device and may not persist if you clear cookies.

  6. Our Role: Business vs. Service Provider/Processor.  We act in different roles depending on context:

(a) Business/controller. We act as a "business" or "controller" for website interactions, marketing, sales outreach, account administrator data, the waitlist, and our direct relationships with prospective or current merchant personnel.

(b) Service provider/processor. We act as a "service provider" or "processor" for Personal Information processed on behalf of merchant clients about their end customers' transactions and accounts, and our use of such information is limited by merchant contracts and documented instructions.

Sponsor bank relationship. We operate with and under sponsor bank(s) and work with payment processors, acquiring banks, card networks, and similar partners. Certain onboarding and transaction-related data may be shared with these partners to meet banking and regulatory requirements. Merchants remain responsible for providing appropriate privacy notices to their end users.

  7. When and How We Share Personal Information.  We disclose Personal Information as follows:

(a) Service providers and contractors. To hosting and cloud providers, infrastructure and data storage vendors, email and communication providers, customer support tools, identity verification/KYC vendors, AML/fraud screening providers, and other operational vendors who process information on our behalf under contractual restrictions.

(b) Advertising and analytics partners. To social media ads and attribution tools for targeted advertising, audience measurement, and campaign performance.

(c) Financial ecosystem partners. To sponsor bank(s), payment processors, acquiring banks, card networks, and similar partners necessary to provide the Services.

(d) Professional advisors. To auditors, legal counsel, and accountants under confidentiality obligations.

(e) Government and law enforcement. To comply with legal obligations, to respond to lawful requests, to prevent fraud, or to protect rights, property, or safety.

(f) Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality and, where required, notice.

Sale/sharing statements:

(a) We do not sell Personal Information for money.

(b) We may "share" Personal Information for cross-context behavioral advertising. Categories potentially shared for this purpose include identifiers (such as cookies, device identifiers, and possibly hashed emails), internet or network activity, and coarse location derived from IP address.

(c) We do not share Sensitive Personal Information for advertising.

12-month lookback disclosure. In the past 12 months:

(a) Shared for advertising: identifiers (cookies, device IDs, possibly hashed emails), internet or network activity, and IP-based coarse location with advertising and analytics partners.

(b) Disclosed for business purposes: identifiers, commercial and business information, Sensitive Personal Information (for KYC/KYB/AML and compliance), and internet or network activity to service providers, sponsor bank and processing partners, fraud/AML vendors, and professional advisors.

  8. Your Privacy Choices and Rights.  Choices for advertising and cookies:

(a) You may email us at support@paymentstoolbox.ai.

(b) We recognize GPC signals as an opt-out of sale/sharing for the browser or device where the signal is present.

(c) You may manage non-essential cookies via our preferences center and through your browser/device controls.

Right to limit Sensitive Personal Information. You may email us at support@paymentstoolbox.ai to request that we use Sensitive Personal Information only for purposes permitted by law (such as to perform the Services, for security and integrity, and to comply with legal obligations) and not for additional uses.

Subject to applicable state law, U.S. residents may have the following rights:

(a) Know/access. To request a summary or copies of Personal Information we have collected and details about sources, purposes, and disclosures.

(b) Delete. To request deletion of Personal Information, subject to legal and regulatory exceptions (including AML/KYC recordkeeping).

(c) Correct. To request correction of inaccurate Personal Information.

(d) Opt out. To opt out of sale, sharing, targeted advertising, and certain profiling where applicable.

(e) Portability. To request a portable copy of certain Personal Information.

(f) Appeal. To appeal if we deny a request; we will explain our reasons and how to submit an appeal, and respond within applicable timelines.

(g) Non-discrimination. We will not discriminate against you for exercising your rights.

How to exercise rights:

(a) Email: support@paymentstoolbox.ai.

(b) Mail: 433 Central Ave, St Petersburg, FL 33701.

We currently offer at least two submission methods (email and mail).

Verification process:

(a) We will take reasonable steps to verify your identity, which may include matching your email address or requesting additional information related to your account or organization.

(b) For requests involving Sensitive Personal Information or deletion, we may require heightened verification.

(c) Authorized agents must provide signed authorization from the consumer, and we may require verification of the consumer's identity directly.

Timelines. We will respond within 45 days where required by law, and may extend once for an additional 45 days where permitted, informing you of the reason and extension period. State-specific timelines and requirements are further described in Section 14.

Limits and exceptions. We may deny or limit a request where permitted by law, including to comply with regulatory recordkeeping (such as AML/KYC obligations), to protect security and integrity, to exercise or defend legal claims, for free speech or research, or for internal uses reasonably aligned with your expectations.

  9. Notice at Collection.  At or before the point of collection, we provide the following notice:

(a) Categories collected. Identifiers; commercial and business information; internet or network activity; IP-based geolocation (coarse location only); and, where applicable for onboarding and compliance, Sensitive Personal Information (such as SSN, government ID, and bank account/routing numbers).

(b) Purposes. Service delivery and operations; onboarding and compliance; security and integrity; communications; analytics and improvement; advertising and marketing; and legal and regulatory compliance, as described in Section 4.

(c) Sale/sharing. We do not sell Personal Information for money. We may share identifiers and internet activity (and coarse IP-based location) for cross-context behavioral advertising. We do not share Sensitive Personal Information for advertising.

(d) Retention. See Section 10 for our retention schedule.

(e) Links. The full Policy is available via this "Privacy Policy" link.

10. Data Retention.  We retain Personal Information for the periods below, unless a longer period is required or permitted by law, contract, or for legitimate business needs:

(a) Site analytics and advertising identifiers: 13 months.

(b) Merchant onboarding/KYC/KYB/AML records and compliance logs: 7 years (or longer if required by law).

(c) Contracts and related communications: 7 years after termination or expiration.

(d) Support tickets and general correspondence: 2 years.

(e) Security logs and incident records: 24 months (or longer as needed for investigations).

At the end of the applicable retention period, we will delete or de-identify information in accordance with our policies, unless retention is extended due to legal holds, regulatory requirements, dispute resolution, fraud investigations, or to protect security and integrity.

11. Security.  We implement administrative, technical, and physical safeguards appropriate for a payments platform, including access controls, encryption in transit and at rest where appropriate, network and application security measures, logging and monitoring, workforce training, and vendor due diligence. We maintain PCI DSS-compliant practices and are a PCI Level 1 Service Provider. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

12. Automated Tools, Profiling, and Human Review.  We use automated tools, including artificial intelligence and machine learning, to assist with risk assessment, onboarding, fraud detection, and operations. We do not make solely automated decisions that produce legal or similarly significant effects on individuals; such decisions include human review. Where state law provides a right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects, you may submit such a request using the methods in Section 8. You may also request more information about our use of automated tools or appeal a related decision using the appeals process described in Section 8.

13. Children's Privacy.  The Site and Services are intended for business users and are not directed to children. We do not knowingly collect information from children under 13. Accounts are not intended for minors under 18. If you are a parent or guardian and believe a child has provided us with Personal Information, please contact us at support@paymentstoolbox.ai so we can delete the information.

14. State-Specific Disclosures.

14.1. California.

(a) We do not sell Personal Information for money. We "share" Personal Information for cross-context behavioral advertising, including identifiers and internet activity (and coarse IP-based location), with advertising and analytics partners.

(b) We honor GPC signals as an opt-out mechanism.

(c) You may submit requests via email and mail as listed in Section 8. We verify and respond consistent with Section 8 and applicable law. You may appeal a denial within the timelines described in Section 8.

(d) We will not discriminate against you for exercising your rights.

(e) In the prior 12 months, we collected and disclosed categories as described in Sections 3 and 7. We will publish metrics if required by law in the future.

14.2. Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Montana, Tennessee, Texas, Delaware, Oregon, and Other Applicable State Laws.  Residents of these states may have rights to access, correct, delete, and obtain a portable copy of Personal Information, and to opt out of targeted advertising, sale, and certain profiling, as described in Section 8. We will respond within 45 days (with a permitted extension) and provide an appeals process; appeals will be responded to within 45 days, including a written explanation of our decision and any further recourse where required.

14.3. Nevada.  We do not sell covered information as defined under Nevada law. If our practices change, Nevada residents may submit an opt-out request using the methods in Section 8.

14.4. Florida.  We are based in Florida. To the extent the Florida Digital Bill of Rights or similar laws apply, the rights and opt-out mechanisms described in this Policy (including Do Not Sell or Share, GPC recognition, and Limit Sensitive Personal Information) are available. Where not legally required, we voluntarily extend comparable controls described in this Policy.

15. De-Identified and Aggregated Information.  We may create de-identified data by removing or masking direct identifiers and by taking reasonable measures to prevent re-identification. We commit to maintain and use de-identified data without attempting to re-identify it, except as permitted for testing, research, or security measures. We may use aggregated information for analytics, benchmarking, and product improvement.

16. Third-Party Links and Services.  The Site may include links to third-party websites or services (such as LinkedIn or other social media sites). Their data collection and use are governed by their own privacy policies. We encourage you to review third-party privacy notices.

17. International Audience.  The Site and Services target U.S. users, and we do not intentionally process EU/UK personal data. If non-U.S. residents interact with the Site, their data will be handled under this Policy, but EU/UK-specific rights do not apply. If our operations expand internationally, a different policy will govern those activities.

18. Changes to This Policy.  We may update this Policy from time to time. We will post the updated Policy on the Site with the updated posting date at the top. For material changes, we will provide additional notice, such as a Site banner or email to account contacts, where appropriate. Effective Date: January 1, 2026.

19. How to Contact Us.  You may contact us with questions or requests at support@paymentstoolbox.ai or by mail at 433 Central Ave, St Petersburg, FL 33701. Upon request, we will provide this Policy in an alternative format or otherwise provide reasonable assistance for individuals with disabilities.