Security & GDPR

We take your customers’ data seriously.

Everything you need to know about how PayAtt protects your customers’ phone numbers, the rights they have under GDPR, and the security measures we have in place.

What we store

Company information (for you as the PayAtt customer)

✓Contact details, organisation number, invoice address.
✓Subscription, plan tier, and how you pay (card via Stripe or invoice via Fortnox).
✓Settings and brand design for your venues (logo, colours, SMS sender name).

End-customer identification

✓Mobile number (mandatory, primary identifier).
✓Timestamp and GPS coordinates where the customer first registered at the registration display. Used to tie the registration to the correct venue and stamp-card campaign.

Loyalty data

✓Stamps, rewards, and bonus events per stamp-card campaign.
✓Gift card balances, transaction history, and sender + recipient names plus the personal message if entered at purchase.

Communication history

✓Sent SMS — content, recipient numbers, delivery status, timestamp, which segment was filtered, and whether IntelliSMS was used. Retained for campaign history, a detailed breakdown of delivered vs. failed sends, tracking your usage of the monthly free SMS quota and any extra cost, and so your IntelliSMS suggestions can improve over time.

Optional profile data in the customer portal

✓Name, email, preferred language, and optionally a password — only if the customer chooses to enter any of these in their customer portal.

Customer portal usage

✓Cookie consent per customer and per portal (necessary / analytical / marketing etc.).
✓Stamp-card page views (anonymised browser and device type) with 60-day retention to understand how the portal is used and to show you how your customers are using your stamp card.

GDPR audit trail

✓Change history if a customer switches mobile number (the previous number is retained so we can answer deletion and portability requests per Articles 15 and 17).

What we do not store

✕Credit card details — Stripe handles all card data.
✕Swedish personal identity number (personnummer).
✕The end-customer’s home address.

Servers & geography

All customer data is stored within the EU/EEA, physically in Stockholm. The database is MongoDB Atlas, running in AWS region eu-north-1 (Stockholm). The rest of the infrastructure — files, media objects, and application servers — also lives in AWS eu-north-1. No US-based cloud services are used for PII.

Encryption

At rest: AES-256.
In transit: TLS 1.3.
Passwords: bcrypt with salt.
API calls: signed.

GDPR

PayAtt follows GDPR in full. Detailed rights and the legal basis live in our privacy policy.

In the customer portal an end-customer can end their membership themselves or request that we delete all their data.

Data controllership

PayAtt AB is the data controller for end-customer data. You who run the venue never see individual phone numbers or other individual PII — instead you work with overall statistics, campaign history, and smart filters that let you segment your members (e.g. "everyone who hasn't visited in 30 days"). The system then performs the send without exposing individual numbers to you. That is why you don't need a separate Data Processing Agreement with us — you are not a data processor because you never handle individual PII. We in turn have sub-processor agreements (DPAs) with our vendors (Stripe, AWS, sms-gateway, etc.) — that is where end-customer data is actually protected.

Incident reporting

If we detect a data breach we report within 72 hours per GDPR — both to you as venue owner and to the Swedish Authority for Privacy Protection (IMY).

Reporting security issues

Found a security issue? Email us at security@payatt.store — we reply within one business day. We are grateful to everyone who helps us make PayAtt safer.

Security or data-protection questions?

Reach us at info@payatt.store