Incoming Transact
Legal & Privacy

Privacy Policy

United States

Last updated: October 18, 2025

Notice at Collection

We collect the categories of personal information listed below for the purposes described in this Policy. We retain data as outlined under “Data Retention.” We do not collect or process sensitive personal information to infer characteristics.

Category | Examples | Purposes | Shared With
Identifiers | Name, email, phone, postal address, device IDs, IP address. | Account setup, auth, communication, fraud/risk. | Service providers; payments Partners; analytics.
Financial & Transactional | Tokenized PAN, bank token, payment history, ACH return codes, chargebacks. | Process payments/payouts, reconciliation, risk/compliance. | Acquirers, sponsor banks, card networks, ACH operators, PayPal, FI partners for Zelle®.
Commercial info | Orders, merchant profile, pricing tier. | Provision, billing, support. | Service providers; payments Partners.
Internet/Network | Logs, cookies, pages viewed, device/browser data. | Security, analytics, performance, personalization. | Analytics and security vendors.
Geolocation (coarse) | City/region (from IP). | Fraud signals, localization. | Security vendors.
Inferences (limited) | Risk scores, abuse heuristics. | Fraud prevention, security. | Security vendors; payment Partners (as permitted).

1) Scope; who we are

Incoming Transact (“we,” “our,” or “us”) provides technology to facilitate payments and payouts (cards, ACH/NACHA, PayPal, and directory-partner Zelle® flows where available). We are not a bank or money transmitter. Certain functions are provided by financial institutions and networks (“Partners”).

2) Information we collect

  • Provided by you: registration, KYB/KYC docs, onboarding, support.
  • Payments/transactions: tokens, order refs, ACH entries/returns, payouts, disputes, amounts, timestamps.
  • Technical/usage: IP, device/browser, pages/APIs used, logs, telemetry.
  • Derived: risk/fraud scores, compliance flags.

3) Sources

Directly from you; automatically via use; from Partners; service providers; or public sources where lawful.

4) Uses

  • Provide/operate/improve Services and APIs.
  • Authenticate and secure; prevent fraud/abuse; comply with PCI-DSS, NACHA, network rules.
  • Support, incident response, service communications.
  • Analytics/product development (non-sensitive).
  • Legal/regulatory/tax/audit obligations.

5) Disclosure

  • Processors: hosting, security, analytics, support.
  • Payments Partners: acquirers, banks, card networks, ACH operators, PayPal, eligible FI partners for Zelle®.
  • Business customers: for transactions you authorize with them.
  • Corporate transactions and legal/safety disclosures as required.

We do not sell personal information for money, nor do we “share” personal information for cross-context behavioral advertising.

6) Cookies & online tracking

We use cookies/identifiers for essential operations, security, performance, and analytics. Manage cookies in your browser; blocking essential cookies may impact function.

7) Security

We implement administrative, technical, and physical safeguards (encryption in transit, access controls, monitoring). No method is 100% secure.

8) Data retention

We retain information as needed for Services, legal/regulatory obligations (including network/bank requirements), disputes, and enforcement.

9) Children

Not directed to children under 13; we do not knowingly collect from them.

10) Payments-specific disclosures

  • ACH/NACHA: entries/returns may be shared with depository institutions and ACH operators per NACHA and law.
  • Card networks: subject to network/acquirer rules; tokens/authorization data shared accordingly.
  • PayPal: governed by PayPal policies; we exchange order/risk data to support the transaction.
  • Zelle®: available via eligible FI partner programs; no public APIs to independent third parties.

11) U.S. state privacy rights

Residents of CA/VA/CO/CT/UT may have rights to access, delete, correct, portability, and opt out of sale/sharing/targeted advertising; limit sensitive data (we do not use sensitive data to infer traits). Exercise rights via privacy@incomingtransact.com. We verify identity/authority and do not discriminate for exercising rights. Some GLBA-regulated data may be exempt.

12) International transfers

We are U.S.-based and may transfer data to the U.S. and other countries where we and our providers operate, with safeguards where required.

13) Your choices

  • Update account data in your dashboard.
  • Unsubscribe from marketing; we may still send transactional emails.
  • Manage cookies in your browser.

14) Third-party links

Third-party sites/services (e.g., PayPal) follow their own policies.

15) Changes

We may update this Policy; we’ll post a new “Last updated” date and additional notice where required.

16) Disputes

Disputes about this Policy are subject to the arbitration and class-action waiver in our Terms of Use.

17) Contact

Incoming Transact
209 TANGLEWOOD DR NE, DALTON, GA
Privacy: privacy@incomingtransact.com • Support: support@incomingtransact.com
Website: incomingtransact.com


Template aligns with common U.S. standards (CPRA and other state laws) for B2B payments platforms. Verify against your actual data flows/cookies/partners with counsel.

Do Not Sell or Share My Personal Information

Under California law (CPRA) and similar U.S. state laws, you may opt out of sale or sharing of personal information for cross-context behavioral advertising. Incoming Transact does not sell personal information for money and does not share for cross-context behavioral advertising. However, we provide this control as an added assurance.

Opt-out preference

When ON, we record your choice, restrict any non-essential ad tracking, and honor supported opt-out signals.

How this works
  • We set opt_out_ads=true in a cookie (2 years) and localStorage; we check it on each visit.
  • We avoid loading or restrict any non-essential ad/retargeting scripts (if present in the future).
  • We honor legally recognized browser-level opt-out signals where applicable.
To exercise other privacy rights (access, delete, correct, portability), email privacy@incomingtransact.com.

Data Processing Addendum (DPA)

This DPA forms part of the commercial agreement between Incoming Transact (“Processor”) and the customer entity identified in the order or services agreement (“Controller”). It governs Processor’s handling of personal data on behalf of Controller in connection with the Services.

1) Roles & scope

Controller determines the purposes and means of processing; Processor processes personal data on Controller’s documented instructions, including to provide the Services, subject to the Agreement and this DPA.

2) Compliance & confidentiality

Processor will ensure personnel are bound by confidentiality and receive appropriate training.

3) Security

Processor maintains appropriate technical and organizational measures (TOMs) designed to protect personal data, including access controls, encryption in transit, logging/monitoring, and vulnerability management, considering the nature of processing and risks.

4) Subprocessors

Controller authorizes Processor to engage subprocessors (e.g., hosting, security, payments Partners) as reasonably necessary to provide the Services. Processor will impose data protection terms on subprocessors no less protective than this DPA and will remain responsible for their performance. Upon request, Processor will provide a current list and a mechanism for updates/objections where contractually required.

5) Assistance

Taking into account the nature of processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, to respond to data subject requests and to comply with security, breach notification, impact assessments, and consultations with authorities.

6) Breach notification

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data, providing information reasonably available for Controller to meet legal obligations.

7) Data transfers

Processor may process personal data in the United States and other jurisdictions where it or its subprocessors operate. Where required, Processor will implement appropriate safeguards for international transfers.

8) Return/Deletion

Upon termination or at Controller’s written request, Processor will delete or return personal data, unless retention is required by law or by network/banking obligations.

9) Audits

On reasonable notice, and no more than once annually (except following a security incident), Processor will make available information necessary to demonstrate compliance and will cooperate with Controller’s reasonable audit requests, which may include independent third-party reports (e.g., SOC/ISO) and written responses.

10) Liability

Liability limits, exclusions, and caps in the Agreement apply to this DPA.

11) Order of precedence

If there is a conflict between this DPA and the Agreement, this DPA will control to the extent of the conflict regarding data protection obligations.

Annex A — Subject matter & duration
  • Subject matter: Processing personal data to provide payment technology Services (dashboards, APIs, reporting).
  • Duration: Term of the Agreement plus any legally required retention.
  • Nature/Purpose: Hosting, transmission, storage, fraud/risk screening, reconciliation.
  • Types of data: Identifiers, business contact details, transaction metadata; limited financial tokens (no raw PAN storage by Processor if using tokenization/hosted fields); logs.
  • Data subjects: Controller’s customers, payors/payees, authorized users, and staff.
Annex B — Technical & Organizational Measures (summary)
  • Access control, SSO/MFA for administrative access; least privilege.
  • Encryption in transit (TLS 1.2+); key management via reputable KMS.
  • Network segmentation; firewalling; anti-DDoS/CDN where applicable.
  • Logging/monitoring; vulnerability scanning; risk assessments.
  • Secure SDLC; change management; code reviews and secrets hygiene.
  • Incident response playbooks; breach notification procedures.
  • Business continuity/disaster recovery planning and testing.

For signature, incorporate this DPA by reference in your order form or master agreement, or export this page/PDF for countersignature.