Privacy Policy

MoonPay Commerce Global Privacy Notice for End Users

This Privacy Notice explains how MoonPay Commerce, operated by Helio Fintech Limited, processes personal data when you interact with a merchant’s MoonPay Commerce Checkout Interfaces. In these scenarios, the merchant is the controller of your personal data and MoonPay Commerce acts solely as a processor on the merchant’s instructions. This Privacy Notice applies to End Users of Merchants that use MoonPay Commerce to facilitate transactions. It does not apply to business customers or Merchants. Business customers and merchants should consult MoonPay’s Global Privacy Policy available at: https://www.moonpay.com/legal/privacy_policy.

Who We Are

MoonPay Commerce is operated by Helio Fintech Limited, a wholly owned subsidiary of MoonPay Inc. Helio Fintech Limited is registered in England and Wales (company number 13836904) with its registered office at 16 Great Queen Street, Covent Garden, London, United Kingdom, WC2B 5AH. For data protection inquiries, please contact MoonPay’s Data Protection Officer at [email protected].

Definitions

The following terms are used in this Privacy Notice:

• End User means an individual who uses a Merchant’s Checkout Interfaces to purchase goods, services, or digital content from the Merchant.
• Merchant means the business customer that integrates MoonPay Commerce Checkout Interfaces and determines the purposes and means of processing End User personal data for the associated transactions.
• Checkout Interfaces means the MoonPay Commerce user interfaces that enable transactions, including the Checkout Widget embedded by a Merchant and hosted checkout pages such as Pay Links.
• Services means the MoonPay Commerce services that facilitate direct, peer‑to‑peer transactions on decentralized blockchains, as described in the MoonPay Commerce Terms of Service.
• MoonPay Group means Helio Fintech Limited, MoonPay Inc., and their affiliates.

Scope and Roles

This Privacy Notice applies when you interact with a Merchant’s Checkout Interfaces powered by MoonPay Commerce on the Merchant’s website, application, or other channel. In these circumstances, the Merchant acts as the data controller and MoonPay Commerce as the processor. The Merchant determines which personal data are collected from you and the purposes for which those data are used, including order fulfillment and customer support. MoonPay Commerce processes End User personal data only on the Merchant’s documented instructions and does not determine the purposes or essential means of processing End User data.

Personal Data Processed on the Merchant’s Instructions

The specific personal data that are processed depend on the Merchant’s configuration and integration. Typical categories that a Merchant may require MoonPay Commerce to process in order to facilitate a purchase include the following.

• Checkout data provided by you or automatically through the transaction, including wallet address, transaction amount and currency, and any other buyer or order details the Merchant requires, which may include name, email address, billing address, and shipping address.
• Transaction and blockchain data generated from the transaction, including transaction identifiers, timestamps, wallet addresses, and on‑chain confirmations required to verify payment and trigger fulfillment.
• Technical and usage data necessary to operate and secure the Checkout Interfaces, including IP address, device and browser information, product usage, and diagnostic logs.
• Support communications and related metadata associated with a Checkout session initiated with the Merchant. MoonPay Commerce does not require special categories of personal data for Checkout Interfaces and does not seek to collect such data.

How MoonPay Commerce Uses Personal Data

MoonPay Commerce uses End User personal data only on the Merchant’s documented instructions and only for purposes such as operating the Checkout Interfaces, confirming blockchain transactions, enabling order fulfillment, maintaining security and service integrity, fraud monitoring as requested by the Merchant, and providing support to the Merchant related to a Checkout session. MoonPay Commerce may generate de‑identified or aggregated operational metrics that do not identify individuals to support platform reliability and performance. MoonPay Commerce does not use End User personal data from merchant checkouts for MoonPay’s own independent marketing or profiling.

Sharing and Disclosures

MoonPay Commerce shares End User personal data only as necessary to provide the Services on the Merchant’s behalf or as required by law. Personal data processed by MoonPay Commerce may be shared as described below.

• With the Merchant that controls your personal data, including relevant order, transaction, and support details to enable fulfillment and customer service.
• With authorized sub‑processors that provide hosting, security, analytics, and customer support. These providers process personal data under written contracts that require confidentiality, security, and processing only on MoonPay Commerce’s instructions.
• With competent authorities when required to comply with applicable laws, valid legal requests, or to protect the rights, safety, and security of users, the Merchant, or the Services.
• On public blockchains. When you make a crypto payment, certain transaction data, including wallet addresses, amounts, timestamps, and transaction identifiers, are recorded on public blockchains that are not controlled by MoonPay Commerce nor the Merchant.

International Data Transfers

MoonPay Commerce is based in the United Kingdom and relies MoonPay Group infrastructure and subprocessors that may be located outside the UK. When personal data is transferred internationally, MoonPay Commerce implements appropriate safeguards, including the UK International Data Transfer Addendum, the corresponding EU Standard Contractual Clauses, or other legally recognized transfer mechanisms, together with technical and organizational measures such as encryption in transit and at rest where appropriate.

How We Protect and Store Personal Data

MoonPay Commerce maintains technical and organizational measures designed to protect personal data, including network and application security controls, encryption, access controls based on least privilege, audit logging, and workforce training. MoonPay Commerce regularly assesses and improves controls to align with industry standards.

Retention

As a processor, MoonPay Commerce retains End User personal data in accordance with the Merchant’s instructions and the applicable agreement with the Merchant. Retention supports operation of the Checkout Interfaces, order fulfillment, security, service integrity, and compliance with legal obligations and dispute resolution. When personal data is no longer required for these purposes, MoonPay Commerce deletes or anonymizes the data consistent with the Merchant’s instructions and MoonPay Commerce’s retention schedules. For specific data retention schedules applicable to your personal information please contact the Merchant for details regarding their policies.

Cookies and Similar Technologies

The Checkout Interfaces may use cookies, SDKs, and similar technologies to operate, secure, and measure the checkout experience, including to maintain session state and detect fraud. The specific technologies depend on the Merchant’s integration and your device or browser settings. For additional information about MoonPay’s use of cookies, see MoonPay’s Cookie Policy at: https://www.moonpay.com/legal/cookie_policy.

Your Privacy Rights and How to Exercise Them

Because the Merchant is the controller of your checkout data, your rights under the UK GDPR or local data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection, should be exercised directly with the Merchant. MoonPay Commerce will coordinate directly with the Merchant to provide any support that is required to fulfill the request as required by contract and applicable law. To exercise your rights, contact the Merchant that provided the Checkout Interfaces.

Legal Bases

The Merchant determines the lawful basis for processing your personal data and is responsible for providing you with the required transparency information under applicable law. MoonPay Commerce processes your personal data on the Merchant’s documented instructions under a data processing agreement that satisfies Article 28 of the UK GDPR.

Children’s Data

The Checkout Interfaces are not directed to individuals under the age of 18. If you believe that a person under the age of 18 has provided personal data in connection with a checkout, please contact the Merchant. MoonPay Commerce will assist the Merchant in taking appropriate steps.

Complaints and Contact Information

For questions about how your personal data are handled in connection with a checkout, or to exercise your data protection rights, please contact the Merchant as the data controller. You may also contact MoonPay’s Data Protection Officer at [email protected] for data protection inquiries specifically relating to MoonPay Commerce. You have the right to lodge a complaint with the UK Information Commissioner’s Office or your local data protection authority related to any data protection concerns.

Sub‑Processors

MoonPay Commerce maintains agreements with Merchants that include processor obligations required by applicable law which ensure equivalent obligations to authorized sub‑processors. MoonPay Commerce engages authorized sub-processors for essential service functions including cloud hosting and infrastructure, security and fraud monitoring, technical and product analytics, and customer support.

Changes to This Privacy Notice

MoonPay Commerce may update this Privacy Notice to reflect changes in the Services or applicable law. If changes materially affect how End User personal data are processed, MoonPay Commerce will update this notice as needed. The effective date appears at the top of this notice.