Privacy Policy

Last updated: April 29, 2026

1. Introduction

This Privacy Policy describes how LimaoPay ("we", "us", or "our") collects, uses, and shares personal information when you use our platform. We comply with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

2. Information We Collect

We collect the following categories of information:

• Account information: name, email, password (hashed), phone number, profile image
• Tax identification: SSN/EIN (US) or SIN/Business Number (Canada) — required for sellers to receive payouts
• Payment information: processed via Stripe; we store only minimal metadata (last 4 digits, card brand) for receipts
• Content data: sales pages, product descriptions, uploaded files, AI-generated copy
• Sales & transaction data: orders, refunds, payouts, buyer email/phone, IP address, user agent
• Usage data: page views, click events, feature usage (collected via PostHog with consent)
• Marketing data: Meta Pixel, Google Analytics events (collected only with marketing-cookie consent)
• Cookies: essential (auth/session), analytics, and marketing — see our cookie consent banner

3. How We Use Your Information

• To provide, maintain, and improve the platform
• To process payments and remit payouts to sellers
• To send transactional emails (receipts, magic links, alerts)
• To generate AI content for sales pages (your input → AI providers)
• To detect fraud, abuse, and policy violations
• To comply with legal obligations
• With your consent: to send marketing emails, run analytics, show relevant ads

4. Sharing with Third Parties

We share data only with the following categories of service providers, under contractual data-protection obligations:

• Stripe — payment processing, payouts, fraud detection
• Cloudinary — hosting of images, videos, and digital deliverables
• Resend — transactional email delivery
• DeepSeek, Google Gemini, OpenAI — AI text generation (your prompt is sent to one of these providers)
• PostHog — product analytics (with consent)
• Meta, Google — marketing analytics (with consent)
• Sentry — error tracking (no PII intentionally captured)

We do not sell your personal information to third parties for monetary consideration. We do not share data for cross-context behavioral advertising without your explicit consent.

5. Your Rights (CCPA / CPRA)

California residents have the following rights:

• Right to Know: request what personal information we collect, use, and share
• Right to Delete: request deletion of your personal information (subject to legal exceptions)
• Right to Correct: request correction of inaccurate data
• Right to Opt-Out: opt out of any "sale" or sharing of personal information for cross-context behavioral advertising — exercise by adjusting cookie preferences (see banner) or emailing privacy@limaopay.com
• Right to Limit: request that we limit use of sensitive personal information
• Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights

To exercise these rights, email privacy@limaopay.com. We will respond within 45 days.

Do Not Sell or Share My Personal Information

While we do not sell personal information for money, the broad definition of "sale" or "share" under California law may include sharing data with marketing platforms (e.g., Meta, Google) for advertising purposes. To opt out, decline the "Marketing" cookie category in our consent banner, or email us at privacy@limaopay.com.

6. Your Rights (PIPEDA — Canada)

Canadian residents have rights to access, correct, and request deletion of their personal information, subject to legal exceptions. Contact privacy@limaopay.com to exercise these rights. We follow PIPEDA principles of consent, limited collection, accuracy, safeguards, and accountability.

7. Data Retention

We retain personal information for as long as your account is active, plus a reasonable period thereafter for legitimate business purposes (tax compliance, fraud prevention, legal obligations). Specifically:

• Account data: until account deletion + 90 days
• Transaction records: 7 years (US/Canada tax compliance requirement)
• Audit logs: 2 years (security and fraud-prevention purposes)
• Marketing analytics: per consent, up to 2 years

8. Security

We use industry-standard security measures including TLS encryption in transit, encryption at rest for sensitive fields, hashed passwords (bcrypt), HTTP-only authentication cookies, rate limiting, and audit logging. While we strive to protect your data, no system is impenetrable. In the event of a breach, we will notify affected users and authorities as required by law.

9. Children's Privacy

LimaoPay is not intended for use by individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected data from someone under 18, contact us immediately and we will delete it.

10. International Data Transfers

LimaoPay's primary data infrastructure may be located outside the United States or Canada (currently in Brazil). By using the platform, you consent to the transfer, processing, and storage of your data in these jurisdictions, subject to appropriate safeguards.

11. Government & Law Enforcement Requests

We may receive requests from public authorities (e.g., court orders or law-enforcement demands) for users' personal data. When this happens, we apply the following processes:

• Legitimacy review: we assess the validity and legal basis of each request before any disclosure.
• Challenging unlawful requests: we refuse or challenge requests we consider unlawful, abusive, or overly broad.
• Data minimization: we disclose only the minimum information strictly necessary to comply with a valid request.
• Recordkeeping: we log each request, the response provided, the legal reasoning, and the people involved.

We do not disclose data to third parties for unrelated purposes, and we prioritize data-subject rights.

12. Changes to This Policy

We may update this Privacy Policy. Material changes will be announced via in-app notification or email at least 30 days before the effective date. Continued use of the platform after the effective date constitutes acceptance.

13. Contact

Privacy questions or requests: privacy@limaopay.com

General support: support@limaopay.app