EazPay — Privacy Policy

1. Introduction

This Privacy Policy explains how EazPay ("Service," "we," "us") collects, uses, and protects information when you use our Telegram-based payment bot. We are committed to data minimization — we collect as little as possible, and most of your financial data lives on-chain, not on our servers.

EazPay is operated by an individual developer based in California, United States.

2. Information We Collect

Data We Store

Data	Purpose	Storage
Telegram User ID	Account identification	Server database (PostgreSQL on Railway)
Telegram Username, First Name	Display name for payments and @mention lookups	Server database
Bcrypt-hashed PIN	Authentication	Server database
2FA code (when active)	Authentication for large transactions (60s TTL)	Server database
Anti-phishing code	Shown in every bot message so you can detect impersonation	Server database (plaintext by design — user-facing)
Wallet EOA address	Link your account to your on-chain wallet	Server database
Wallet EOA private key	Operate the wallet on your behalf (custodial model — see Security)	Server database, encrypted AES-256-GCM. Encryption key stored separately in Railway env.
Transaction cache	Display history in the bot; source of truth is always on-chain	Server database

Data That Lives On-Chain (Not on Our Servers)

Wallet balances
Transaction history
Transaction amounts and recipients
Smart contract interactions

This data is publicly visible on the Tempo blockchain and is not controlled by us.

Data We Do NOT Collect

Seed phrases (EOAs are a single key — no seed exists)
Plaintext passwords or PINs (only bcrypt hashes)
Real names, email addresses, or phone numbers
Government IDs or KYC documents
IP addresses — we do not actively collect or log them. However, our infrastructure providers (Railway, Vercel) may collect IP addresses as part of their standard operations (see Section 6).
Location data
Financial account information (bank accounts, credit cards)
Biometric data

Note on private keys. We do store your wallet EOA private key in encrypted form to operate the bot on your behalf — this is part of the custodial model. If you want to take full custody of your key (and have us stop holding it), use /export to receive your key, then email security@eazpay.xyz to request deletion of your encrypted copy. A self-service /deleteaccount command is on our roadmap.

3. How We Use Your Information

We use collected data solely to:

Operate the EazPay bot and process your commands
Authenticate you via PIN and 2FA
Associate your Telegram account with your on-chain wallet
Communicate service updates or security alerts
Investigate prohibited activities or abuse

We do not use your data for advertising, profiling, or behavioral analytics.

4. Data Sharing

We do not sell, rent, or trade your personal information. Period.

We may share data only in these limited circumstances:

Legal obligation: If required by law, subpoena, or court order
Security: To investigate fraud, abuse, or threats to the Service
Service providers: Limited operational data with infrastructure providers (see Section 6), subject to their privacy policies

5. Data Retention

Account data (Telegram ID, username, hashed PIN, 2FA config) is retained while your account is active.
If you stop using EazPay, we may retain minimal data for up to 12 months for security and legal compliance purposes, after which it will be deleted.
On-chain data is permanent and immutable. We cannot delete blockchain transactions.

To request deletion of your server-side data, contact us (see Section 10).

6. Third-Party Services

EazPay relies on the following third-party services, each with their own privacy policies:

Service	Role	Privacy Policy
Telegram	Bot platform, messaging	telegram.org/privacy
Railway	Server hosting, database	railway.app/legal/privacy
Vercel	Website hosting (eazpay.xyz)	vercel.com/legal/privacy-policy
Tempo Blockchain	L1 network for transactions	Public blockchain — all data is on-chain and publicly accessible

We do not control how these services handle your data. We encourage you to review their policies.

7. Cookies & Website Tracking

The EazPay website (eazpay.xyz) may use:

Essential cookies for basic site functionality
Analytics — minimal, privacy-respecting analytics (if any)

We do not use third-party advertising cookies or cross-site tracking pixels. The Telegram bot itself does not use cookies.

8. Security

We implement reasonable security measures to protect your data:

PINs stored as bcrypt hashes (not plaintext)
2FA for additional authentication
Encrypted connections (HTTPS/TLS)
Minimal data collection reduces attack surface

However, no system is 100% secure. We cannot guarantee absolute security of your data.

9. Your Rights

For All Users

You have the right to:

Access — Request a copy of the data we hold about you
Deletion — Request deletion of your server-side data
Correction — Request correction of inaccurate data
Portability — Your on-chain data is already publicly accessible

California Residents (CCPA Rights)

Under the California Consumer Privacy Act (CCPA), California residents have additional rights:

Right to Know: You can request details about the categories and specific pieces of personal information we have collected, the sources, the business purpose, and third parties we share it with.
Right to Delete: You can request deletion of personal information we hold about you, subject to certain exceptions.
Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us using the information in Section 10. We will respond within 45 days as required by the CCPA.

We do not knowingly collect personal information from individuals under 18.

10. Contact

For privacy-related questions, data requests, or concerns:

Email: security@eazpay.xyz
Telegram: @tomajackmac
Website: eazpay.xyz

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the EazPay Telegram bot or channel. Continued use of the Service after changes constitutes acceptance of the updated policy.

By using EazPay, you acknowledge that you have read and understood this Privacy Policy.