Skip to main content
Legal

Privacy Policy

Effective May 23, 2026. For questions, contact risk@veyragate.com.

This Privacy Policy describes how Josh Petro LLC (“Veyra,” “we,” or “us”) collects, uses, discloses, and protects personal information when you visit our websites, contact us about our payments platform, apply to process payments through us, or otherwise interact with our services.

We act as both a controller (for our marketing, sales, and prospect interactions) and a processor (for payments-related data we handle on behalf of merchants and acquiring partners). This Policy explains both roles.

Information we collect

Information you provide directly

When you contact us, request a sales conversation, or apply for a merchant account, we collect information you submit, which may include your name, business name and registered address, beneficial-owner identity information, contact details, processing history, bank-account details, government-issued identifiers required for KYC and KYB, and any materials you upload during application review.

Information collected automatically

Our websites collect standard log data — IP address, user-agent string, referring URL, pages viewed, and timestamps — to operate the site, prevent abuse, and analyze aggregate traffic patterns. We use Vercel Analytics for privacy-respecting traffic measurement; this does not place tracking cookies on your device for cross-site identification.

Information from third parties

As part of underwriting and ongoing risk monitoring, we obtain information from identity-verification vendors, business-registry providers, sanctions and adverse-media screening services, our acquiring and processing partners, and risk-intelligence providers. Where applicable, we also receive consumer-reporting information consistent with permissible-purpose requirements.

How we use information

  • To evaluate merchant applications and make underwriting decisions.
  • To detect fraud, monitor risk, and meet our anti-money-laundering obligations.
  • To provide, operate, and improve our payments platform and the dashboards used by merchants and our internal operations and risk teams.
  • To respond to support requests and communicate about your account or application.
  • To comply with legal, regulatory, card-network, and acquirer obligations, including record retention, sanctions screening, and reporting.
  • To enforce our agreements and protect the rights, safety, and property of users and the platform.

Legal bases (for users in jurisdictions that require them)

Where applicable, our legal bases for processing include performance of a contract, compliance with a legal obligation, our legitimate interests in operating a safe and compliant payments platform, and your consent where required.

How we share information

We share personal information with:

  • Acquiring and processing partners — to process card transactions and settle funds.
  • Compliance vendors — including identity-verification, KYB, sanctions-screening, and adverse-media providers.
  • Risk and analytics providers — for transaction monitoring and fraud detection.
  • Service providers — including cloud-infrastructure, analytics, customer-support, and email-delivery vendors operating under contract.
  • Authorities and law-enforcement — when legally required, including in response to subpoenas, court orders, suspicious-activity reporting obligations, or to protect the rights and safety of others.
  • Successors — in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality obligations.

We do not sell personal information.

Vendors and subprocessors

We rely on a small set of vetted vendors to provide regulated parts of the payments flow. Sensitive payment instrument data — primary account numbers (PAN), card verification values (CVC), and bank routing and account numbers — lives only inside our PCI-certified vault provider and never on Veyra servers, logs, or backups. The key vendors are:

  • Plaid Inc.(San Francisco, CA) — bank-account verification. Customers who pay via the bank-account lane authenticate directly with their financial institution through Plaid. Plaid returns verified routing and account numbers to Veyra; Veyra never sees the customer’s online-banking credentials. Plaid’s consumer privacy statement is available at plaid.com/legal/#consumers.
  • Stripe, Inc. (San Francisco, CA) — card processing and money movement.Card transactions are processed within Stripe’s PCI DSS Level 1 certifiedenvironment. Stripe’s privacy policy is available at stripe.com/privacy.
  • Basis Theory, Inc.(Austin, TX) — PCI-certified token vault. Card PAN and CVC, as well as bank routing and account numbers, are tokenized at the point of collection and stored exclusively inside Basis Theory’s vault; Veyra holds only opaque tokens and non-sensitive metadata (last four digits, brand, country, funding type, fingerprint). Basis Theory’s privacy policy is available at basistheory.com/privacy.

Data retention

We retain personal information for the period necessary to fulfill the purposes described in this Policy and to satisfy legal, regulatory, card-network, tax, accounting, and recordkeeping requirements. Application records, transaction data, and risk-event logs are typically retained for at least seven years following the end of the relationship, consistent with industry standards. Diagnostic raw webhook archives are retained for approximately 90 days; risk-decision logs (non-blocked outcomes) are retained for approximately one year. The full retention schedule is documented internally and available on request.

Cookies and similar technologies

We use a small number of cookies to operate this site. Necessary cookies (session, authentication, CSRF) are always set. Analytics and marketing cookies are only set after you opt in via the consent banner shown on your first visit. You can change your decision at any time by clearing the "veyra_cookie_consent_v1"key in your browser’s storage, which re-presents the banner.

Security

We maintain administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. Our control plane operates against a SOC 2 program currently in progress. Card data is processed within a PCI DSS Level 1 certified environment and does not traverse our infrastructure unencrypted. No method of transmission or storage is perfectly secure; we encourage you to use strong, unique credentials and notify us promptly of any suspected compromise.

Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to object to certain processing. Where applicable, residents of California, the EEA, the UK, and other jurisdictions can exercise these rights by contacting us at risk@veyragate.com. We will respond within the timeframe required by applicable law.

International transfers

Personal information may be processed in the United States and other jurisdictions where we, our affiliates, or our service providers operate. Where required, we use appropriate safeguards — including standard contractual clauses — to govern cross-border transfers.

Children

Our services are intended for businesses and adults. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us at risk@veyragate.com.

Changes to this Policy

We may update this Policy from time to time. The “Effective” date above will be revised when we do. Material changes will be communicated through our platform or by email to active customers.

Contact us

Josh Petro LLC
risk@veyragate.com