Merchant & Site Privacy Policy

1. Overview & Scope

ePayments Network ("EPN", "we", "our", or "us") is a U.S.-based payment processing platform operated by EverExpanse LLC. This Merchant & Site Privacy Policy describes how we collect, use, disclose, and protect personal and business information about:

- Merchants — Businesses and individuals who register for and use EPN's payment processing services.
- Website Visitors — Anyone who visits epayments.network or any EPN-operated subdomain.
- Contact Inquiries — Individuals who reach out via our contact form, email, or phone.
- Job Applicants — Individuals who apply for employment with EverExpanse LLC
- Newsletter & Marketing Subscribers — Individuals who sign up for EPN communications.

This policy does not cover personal information of end users (cardholders) who make payments through EPN-powered merchant checkouts. That data is governed by our separate End User Privacy Policy.

EPN's Services are designed exclusively for U.S. businesses and are governed by U.S. federal and state law.

2. Information We Collect

Merchant Account Information — When you register as a merchant, we collect business name, EIN / Tax ID, business address, ownership structure and beneficial owner details (required for Know Your Business / KYB verification), business bank account information, and government-issued identification documents for identity verification purposes under the Bank Secrecy Act (BSA) and FinCEN Customer Due Diligence (CDD) rules.

Contact & Profile Information — First and last name, job title, business email address, phone number, and mailing address provided when creating an account, submitting a contact form, or requesting a demo.

Transaction & Financial Data — Records of payment transactions processed through your merchant account, payout histories, fee invoices, chargeback records, and settlement statements. This data is retained in accordance with the Gramm-Leach-Bliley Act (GLBA) and BSA recordkeeping requirements.

Technical & Usage Data — IP address, browser type and version, operating system, device identifiers, pages visited on EPN websites, time spent on pages, referring URLs, and API request logs. Collected via server logs, cookies, and analytics tools.

Communications Data — Emails, support tickets, chat transcripts, and call records with our support, sales, or compliance teams.

Marketing Preferences — Email and communication preferences, opt-in records for newsletters and product updates, and unsubscribe records.

Job Application Data — Resume, work history, references, compensation expectations, and any other information voluntarily submitted through an employment application.

3. How We Collect Information

We collect information through the following means:

Directly From You — When you complete merchant onboarding, submit a contact or demo request form, communicate with our team, subscribe to marketing emails, or apply for a job.

Automatically — Through cookies, server logs, and analytics tools when you browse epayments.network or use the merchant dashboard. See our Cookies Policy for details.

From Third Parties — Identity verification and KYB/KYC providers (e.g., Socure, Persona), credit reporting agencies (where permitted), banking and payment network partners, fraud detection services, and publicly available business registries. We use these sources to verify your business identity, assess risk, and comply with U.S. financial regulations.

From Your Use of the Services — Transaction data, API call logs, and dashboard activity generated as you use EPN's payment processing platform.

4. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery — To onboard your merchant account, process payments, settle funds, generate reports, and provide customer support.

Identity & Compliance Verification — To verify your identity and business under the BSA, FinCEN CDD rules, and applicable anti-money laundering (AML) and Know Your Customer (KYC) regulations. We are legally required to collect and retain this information as a financial services company.

Risk & Fraud Management — To assess credit and fraud risk, monitor transactions for suspicious activity, file Suspicious Activity Reports (SARs) with FinCEN where required, and maintain compliance with card network rules (Visa, Mastercard).

Billing & Financial Reporting — To invoice fees, process payouts, issue 1099-K tax forms, and reconcile financial accounts.

Platform Improvement — To analyze product usage patterns (using aggregated, de-identified data where possible), fix bugs, and develop new features.

Marketing & Communications — To send product updates, promotional offers, and industry news where you have opted in, and service notices required for your account. All marketing emails comply with the CAN-SPAM Act and include a clear unsubscribe mechanism.

Legal & Regulatory Compliance — To respond to subpoenas, court orders, regulatory examinations by the FTC, FinCEN, or state financial regulators, and to enforce our Terms & Conditions.

Employment Processing — To evaluate job applications, conduct background checks (with consent), and manage the hiring process.

5. Sharing & Disclosure

We share your information only in the following circumstances:

Payment Network Partners — Visa, Mastercard, American Express, Discover, and our acquiring bank partners receive merchant account and transaction data as required to process payments and comply with card network rules.

Identity & Compliance Vendors — KYB/KYC verification providers, OFAC sanctions screening services, and AML monitoring tools receive the minimum merchant identity data required to fulfill compliance obligations under U.S. law.

Service Providers — Cloud infrastructure providers (e.g., AWS), customer support platforms, email delivery services, analytics tools, and accounting software vendors who process data on our behalf under written data processing agreements that restrict their use of your data.

Financial & Tax Reporting — We may share information with the IRS and state tax authorities as required by law, including filing 1099-K forms for merchants meeting applicable thresholds under IRS regulations.

Legal Process & Law Enforcement — We may disclose information in response to a valid subpoena, court order, government investigation, or request from a U.S. federal or state regulatory authority, including FinCEN, the FTC, the CFPB, or state attorneys general.

Business Transfers — In connection with a merger, acquisition, financing, or sale of EverExpanse LLC. assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.

With Your Consent — For any other purpose with your explicit prior consent.

We do not sell, rent, or share your personal information with third parties for their own marketing purposes.

6. Data Retention

We retain your personal and business information for as long as necessary to fulfill the purposes described in this policy and to comply with U.S. legal and regulatory obligations:

Merchant Account & Transaction Records — Retained for a minimum of five (5) years following the end of the merchant relationship, as required by the Bank Secrecy Act (BSA), FinCEN regulations, and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.

KYB / KYC Identity Documents — Retained for five (5) years from account closure, consistent with FinCEN Customer Due Diligence (CDD) recordkeeping requirements.

Tax Records (1099-K) — Retained for a minimum of seven (7) years in accordance with IRS record retention guidance.

Support & Communications Records — Retained for three (3) years from the date of the last interaction, or as required to resolve open disputes.

Marketing & Consent Records — Opt-in and opt-out records are retained for three (3) years to demonstrate CAN-SPAM and TCPA compliance.

Job Application Data — Retained for two (2) years from the application date, or as required by applicable employment law.

When retention periods expire, data is securely deleted or anonymized in accordance with our data destruction policy.

7. Security Practices

ePayments Network is a payment technology platform that routes transactions through certified gateway partners — it does not collect, store, or process raw payment card data (card numbers, CVV, track data) on its own servers. Card data handling is performed exclusively within our gateway partners' PCI DSS certified environments.

For the merchant account information, transaction metadata, and business data that EPN does handle directly, we apply the following controls:

- Encryption — All data in transit is protected by TLS 1.2+ encryption. Merchant account data and transaction metadata at rest are encrypted using AES-256.
- Access Controls — Role-based access controls (RBAC), multi-factor authentication (MFA) for all internal systems, and least-privilege principles limit data access to authorized personnel only.
- Network Security — Web application firewalls (WAF), intrusion detection systems (IDS), and DDoS mitigation via Cloudflare protect EPN's infrastructure.
- Vendor Management — All third-party service providers with access to merchant data are subject to written security agreements and periodic security assessments.
- FTC Safeguards Rule Compliance — As a financial institution under the GLBA, EPN maintains a written information security program meeting the requirements of the FTC Safeguards Rule (16 C.F.R. Part 314), including designated security personnel, risk assessments, access controls, and a formal incident response plan.
- Breach Notification — In the event of a data breach affecting your personal information, EPN will notify you in compliance with applicable U.S. state breach notification laws (including California Civil Code § 1798.82, New York SHIELD Act, Texas Business & Commerce Code § 521, and equivalent statutes in all applicable states).

8. Your U.S. Privacy Rights

EPN operates exclusively in the United States. Depending on the state in which you reside, you may have the following rights:

Right to Know / Access — Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes, and the categories of third parties with whom we have shared it.

Right to Portability — Request a copy of your personal information in a structured, commonly used, machine-readable format.

Right to Correction — Request correction of inaccurate or incomplete personal information we hold about you.

Right to Deletion — Request deletion of your personal information. Note that we may be required to retain certain information under BSA, GLBA, IRS, and other financial regulatory requirements, even after a deletion request.

Right to Opt-Out of Sale/Sharing — EPN does not sell or share personal information as defined under the CCPA/CPRA. If this changes, we will update this policy and provide an opt-out mechanism.

Right to Limit Use of Sensitive Personal Information — California residents may direct us to limit use of sensitive personal information (e.g., government ID numbers, financial account details) to the purposes for which it was collected.

California Residents (CCPA/CPRA) — You may exercise the above rights free of charge, up to two times per 12-month period. We will not discriminate against you for exercising your rights.

Other State Residents — Residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with enacted privacy legislation may exercise the equivalent rights provided under their respective state law.

How to Submit a Request — Email privacy@epayments.network with subject line "Privacy Rights Request" and include your name, email address on file, and the specific right you wish to exercise. We will verify your identity before processing the request and respond within 45 days (with a single 45-day extension where permitted).

9. Marketing Communications

Email Marketing (CAN-SPAM Act) — When you provide your email address during registration or sign up for our newsletter, we may send you product updates, promotional offers, and industry news. Every marketing email includes:

- A clear identification that the message is a commercial communication from EPN
- Our physical mailing address
- A functional, one-click unsubscribe link

We honor all unsubscribe requests within ten (10) business days as required by the CAN-SPAM Act (15 U.S.C. § 7701 et seq.). To unsubscribe, click the link in any email or contact us at privacy@epayments.network .

SMS / Text Messaging (TCPA) — If you provide a mobile number and consent to SMS communications, we may send you account alerts and service notifications. We obtain prior express written consent before sending any marketing text messages, in compliance with the Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227). You can opt out at any time by replying STOP to any SMS message.

Transactional Communications — Service-related notifications (e.g., settlement confirmations, security alerts, compliance notices) are sent regardless of your marketing preferences, as they are necessary for your account.

10. Children's Privacy (COPPA)

EPN's merchant services are intended for businesses and adults aged 18 and older. We do not knowingly collect personal information from children under the age of 13, consistent with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.). If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child has submitted personal information to EPN, please contact us at privacy@epayments.network .

11. Gramm-Leach-Bliley Act (GLBA) Notice

As a provider of financial services, EPN is subject to the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) and the FTC's Privacy Rule and Safeguards Rule. This policy serves as EPN's required GLBA privacy notice to merchant customers.

What We Collect — We collect nonpublic personal information (NPI) including financial account numbers, tax identification numbers, and transaction histories, as described in Section 2.

What We Disclose — We share NPI only as permitted by the GLBA and described in Section 5 — including with service providers under joint marketing or data processing agreements, and as required by law. We do not disclose NPI to unaffiliated third parties for their own marketing purposes.

Your Opt-Out Rights — The GLBA provides limited opt-out rights where we share NPI with unaffiliated third parties outside the permitted exceptions. EPN does not engage in such sharing, so no opt-out action is necessary. If this changes, we will provide notice and opt-out instructions.

Safeguards — EPN maintains a written information security program meeting the requirements of the FTC Safeguards Rule (16 C.F.R. Part 314), which includes risk assessments, access controls, encryption, and incident response procedures.

12. Third-Party Links & Services

EPN's website and marketing materials may contain links to third-party websites, tools, or resources (such as industry news sites, partner portals, or payment network documentation). These third-party sites operate independently and are not governed by this Privacy Policy. We are not responsible for the content, privacy practices, or data handling of external sites. We encourage you to review the privacy policy of any third-party site before sharing your information.

13. Data Processing Location

EPN is headquartered and operates entirely within the United States. All personal and business information we collect is stored and processed on servers located in the United States, primarily on AWS infrastructure in U.S. regions. Our Services are available exclusively to U.S.-domiciled businesses, and our data practices are governed by U.S. federal and state law.

If you are a non-U.S. resident interacting with our website or inquiring about our services, please be aware that any information you submit will be processed in the United States, where data protection laws differ from those in your country. By submitting information to EPN, you consent to this transfer and processing.

14. Changes to This Policy

We may update this Merchant & Site Privacy Policy from time to time to reflect changes in our data practices, applicable U.S. law, or our business operations. For material changes, we will provide at least thirty (30) days' advance notice by email to the address associated with your merchant account, or via a prominent notice on our website. Non-material clarifications may be made without prior notice. The updated policy will be effective as of the revised "Effective Date" displayed at the top of this page. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For privacy-related questions, rights requests, or concerns regarding this policy, contact our Privacy Team:

Privacy Email: privacy@epayments.network
Legal / Compliance Email: legal@epayments.network
Mailing Address: ePayments Network — Privacy, EverExpanse LLC, 2201 Double Creek Dr Suite 3001, Round Rock, Austin, Texas, USA - 78664

California Residents — If you are a California resident and believe your CCPA/CPRA rights have not been adequately addressed, you may file a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov.

Other State Residents — Residents of other states may contact their respective state attorney general's office if they believe their privacy rights under applicable state law have been violated.