PayLeaf Privacy Policy
Last updated: July 6, 2026
This Privacy Policy explains how PayLeaf ("PayLeaf," "we," "us," or "our") collects, uses, discloses, and protects personal information. PayLeaf is operated by Nishan Singh, an individual based in British Columbia, Canada. PayLeaf is a QR and in-person (Tap to Pay on iPhone) payment tool for Canadian small-business vendors.
We are committed to protecting your privacy in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.
Important: PayLeaf is a business tool powered by Stripe. It is not a bank, wallet, or money-transfer service. All card data and payment processing are handled securely by Stripe. PayLeaf never sees or stores full card numbers, CVV codes, Social Insurance Numbers (SIN), government ID numbers, or full bank account details.
1. Who this policy applies to
- Vendors — the business owners who create a PayLeaf account and use the app to accept payments.
- Customers— the people who pay a vendor. PayLeaf processes limited customer information on the vendor's behalf (see Section 4).
2. Information we collect from vendors
We collect only what is needed to provide the service:
Account information
- Email address (from sign-up or Apple Sign In)
- Name, where provided (e.g. via Apple Sign In on first authorization)
- Authentication is handled through Supabase; if you use Sign in with Apple, Apple may provide a name and a private relay email on first sign-in only.
Business profile
- Business name, business type, and payment slug (your public payment link)
- Business address (street, city, province, postal code) — required to enable Tap to Pay on iPhone and for payment/tax purposes
- Tax settings (province, GST/PST/HST/QST configuration)
Transaction information
- Payment amounts, taxes, dates, notes, table numbers, and payment status for sales you process
- Identifiers returned by Stripe (e.g. payment intent IDs) used to reconcile payments
Device and technical information
- Push notification token (via Expo push notifications), to send you account alerts
- Device platform (iOS)
- Location — only when required to enable and use Tap to Pay on iPhone (Apple requires location access for in-person contactless payments). Location is used at the time of a transaction as part of Apple's and Stripe's payment processing and is not used to track you.
On-device data
- Your login session and app preferences are stored securely on your device (using the device's secure storage). A biometric-unlock preference (Face ID/Touch ID) may be stored on-device; biometric data itself never leaves your device and is never accessible to PayLeaf.
3. What we do NOT collect
- We do not store full card numbers, CVV, or magnetic-stripe data — Stripe handles all card data.
- We do not store your SIN, government ID numbers, or full bank account details — identity and bank verification are handled directly by Stripe.
- We do not use third-party analytics, advertising, tracking, or attribution tools.
- We do not sell your personal information.
- We do not access your photos or store images from the camera; the camera is used only to scan QR codes.
4. Customer information (processed on the vendor's behalf)
When a customer pays a vendor, we may process, on the vendor's behalf, the customer's:
- Email address and/or name (e.g. to send a receipt)
- Payment amount and related transaction details
This information is used only to complete the transaction and provide receipts. The vendor is responsible for handling their customers' information appropriately. Card details are processed solely by Stripe and never stored by PayLeaf.
5. Why we collect and use information (purposes)
Under PIPEDA, we identify the purposes for which we collect information. We use your information to:
- Create and manage your vendor account
- Enable payment acceptance (QR and Tap to Pay on iPhone) through Stripe
- Calculate applicable Canadian taxes and generate receipts
- Display your transaction history and account balance
- Send account and payment notifications you have enabled
- Provide customer support
- Maintain the security and integrity of the service, and comply with legal obligations
We collect and use information only for these purposes, and we obtain your consent through your use of the app and acceptance of this policy and our Terms.
6. Who we share information with (service providers)
We share information only with the service providers necessary to operate PayLeaf. These providers process data on our behalf under their own privacy and security obligations:
- Stripe— payment processing, Stripe Connect payouts, and Tap to Pay on iPhone. Stripe collects and processes card data, identity, and bank information directly. See Stripe's Privacy Policy at https://stripe.com/privacy.
- Supabase — secure database and authentication hosting for your account and transaction data.
- Apple — Sign in with Apple (if you choose it) and Tap to Pay on iPhone services.
- Expo — push notification delivery (Expo push service).
We do not sell or rent personal information, and we do not share it with advertisers.
We may disclose information if required by law, regulation, legal process, or to protect the rights, safety, and security of PayLeaf, our users, or the public.
7. How we protect your information
We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the information, consistent with recognized security practices:
- Encryption — data is encrypted in transit (HTTPS/TLS) and at rest on our hosting provider.
- Access controls — database access is restricted using row-level security so vendors can access only their own data; privileged operations run only on our secure servers.
- No card storage— sensitive payment credentials are handled exclusively by Stripe, keeping them out of PayLeaf's systems.
- Secure authentication— sessions are stored in your device's secure storage, with optional biometric unlock.
- Least privilege and logging — administrative access is limited, and security-relevant actions are logged for accountability.
No method of transmission or storage is completely secure, but we work to protect your information and continually improve our safeguards.
8. Data retention and deletion
- We retain your information for as long as your account is active or as needed to provide the service and meet legal, tax, and accounting obligations.
- You can delete your account at any time from within the app (Account → Delete Account). When you delete your account, we remove or de-identify your personal information, subject to any records we are legally required to retain (for example, transaction records needed for tax or regulatory purposes).
- Some information may persist in secure backups for a limited period before being overwritten.
9. Your privacy rights (PIPEDA)
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Withdraw consent or delete your account (note this may end your ability to use the service)
- Ask questions or make a complaint about how we handle your information
To exercise these rights, contact us at the email in Section 12. We will respond within a reasonable time as required by PIPEDA. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).
10. Children's privacy
PayLeaf is a business tool intended for use by adults operating a business. It is not directed at children, and we do not knowingly collect personal information from anyone under the age of majority in their province.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date, and where appropriate, notify you within the app. Your continued use of PayLeaf after changes take effect constitutes acceptance of the updated policy.
12. Contact us
If you have questions, requests, or complaints about this Privacy Policy or your personal information, contact:
Nishan Singh (PayLeaf)
Email: support@payleafpayments.ca
Location: British Columbia, Canada
This policy reflects PayLeaf's current data practices. It is provided for transparency and should be reviewed by a qualified Canadian privacy lawyer before being relied upon as a binding legal document.
