Privacy Policy

1) Scope

This policy explains how we collect, use, share, and protect personal data when you visit our sites, join the waitlist, contact support, enroll, or use Handshake at participating merchants.

2) Data we collect

A. You provide

• Identity & contact (name, email, phone, country)
• Account settings (consent choices, Royalties opt-in)
• Support interactions (messages and, where permitted, call recordings)

B. Identity verification (KYC) — mandatory for enrollment

• Data: document images/metadata for passport or government-issued ID, issuing country, expiry; liveness/selfie where required by law; match results; sanctions/PEP screening outcome; audit logs.
• Purpose: verify eligibility, bind payments to the true bearer, prevent fraud, and meet AML/CTF and sanctions obligations.
• Storage: KYC records are stored separately from checkout verification signals and are not used for marketing.

C. Handshake verification signals (at POS)

To verify that a payment request comes from the true bearer, Handshake processes a minimal set of identity and safety signals during checkout.

• No raw media storage for checkout. We do not store raw face images or raw voice recordings on production systems for the checkout flow.
• Privacy-preserving templates. Where necessary, we may process derived, irreversible templates and cryptographic proofs to confirm the true bearer. Templates are encrypted and retained only as needed to operate the service and meet legal obligations.
• Alternative checks. Non-biometric checks (e.g., device/cryptographic and contextual safety signals) may be used to complete the handshake.
• Duress & safety. We may process safety signals (e.g., anomaly scores or merchant safety codes) to help detect indicators of duress and enable precautionary lockouts (see Terms).

D. Transaction & device data

• Merchant, date/time, items/amounts, receipt metadata, refund/dispute status
• Device/network data (browser/OS, IP, general location, cookies/IDs)
• Usage and performance metrics (pages visited, interactions, crash logs)

3) How we use data

• Provide and secure Handshake (bearer verification, permissioning, receipts)
• Operate websites, waitlist, and support
• Reduce fraud and abuse; investigate incidents
• Improve products (analytics; de-identified/aggregated insights)
• Meet legal, compliance, and reporting obligations

4) Royalties (opt-in)

If you opt in, we may derive de-identified and/or aggregated insights from your transactions for analytics and product development (including a phase-two relevance engine). Royalties are promised but may be fractional and insignificant. You retain authorship of your personal data. You may revoke consent at any time; revocation stops future processing for Royalties and future accruals.

5) Supplier & advertiser programs (opt-in, authorship-based)

With your explicit opt-in (separate from core payments), suppliers or brands may:

• Bid to reach merchants directly (adwords-style)
• Request demographic-based or purchase-based segments
• Query localized, real-time product trends (e.g., a shoe style) at aggregated levels

Revenue distribution: Where such programs run, revenue is distributed to the authors involved per program rules. We share only what is necessary, favor aggregated or de-identified data, and prohibit repurposing for unrelated uses. You may opt out at any time.

6) Legal bases (where applicable)

• Performance of a contract (operate Handshake)
• Legitimate interests (security, fraud prevention, service improvement)
• Consent (POS “pay by name” processing, remembered consent, Royalties, supplier/advertiser programs, certain analytics/biometrics)
• Legal obligation (KYC/CTF, sanctions screening, record retention)

7) Sharing your data

• Merchants (receipts, refunds, disputes for your transactions)
• Service providers (cloud, security, communications) under contract and confidentiality
• Verification/compliance partners (KYC, sanctions/PEP) under contract
• Law enforcement/regulators where legally required or to protect rights

We do not sell personal data for third parties’ independent use. With your opt-in, we may facilitate on-platform sponsored interactions as described above and distribute resulting revenue to authors.

8) International transfers

We may transfer data to the United States and other countries with appropriate safeguards (e.g., standard contractual clauses where required).

9) Retention

We keep data only as long as necessary for the purposes above, then delete or de-identify it. KYC records are retained for the period required by applicable law. Templates used for checkout are kept for the minimum period necessary to operate the service and comply with law; upon account deletion or consent withdrawal, remaining templates are deleted or de-identified within defined windows.

10) Your rights

Depending on your region, you may have rights to access, correct, delete, restrict, or port your data; object or opt out; and withdraw consent. Submit requests to hello@nsatech.llc. We will verify your identity before fulfilling requests.

11) Children

The Services are not directed to children under 16. We do not knowingly collect personal data from children under applicable ages.

12) Security

We use administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit and at rest, device locking, duress detection, precautionary lockouts, and layered verification. No system is perfectly secure.

13) Cookies & similar technologies

We use necessary cookies for core function and optional analytics which you can control via settings.

14) Changes

We may update this policy. The “Effective date” and “Last updated” dates indicate the version. Material changes will be highlighted.

15) Contact