On this page
ClaruPay, Inc. ("ClaruPay," "we") provides payment processing services to healthcare and wellness merchants. This Privacy Policy explains what information we collect from merchants and applicants, how we use it, and the choices you have. We do not sell personal information.
1. Information We Collect
1.1 Business information
When you apply for a merchant account, we collect business legal name, DBA, entity type, state of formation, address, website, and tax identification number.
1.2 Beneficial owner information
To comply with federal "Know Your Customer" (KYC) regulations, we collect government ID, name, date of birth, address, and Social Security Number for individuals owning 25% or more of the business.
1.3 Processing data
Once your account is active we receive transaction-level data: amount, currency, timestamp, last four digits of card number, BIN, and dispute history. We do not store full card numbers , those are tokenized at our PCI-certified processor.
1.4 Usage data
Standard log data when you use our dashboard: IP address, browser, device type, pages visited, and timestamps.
1.5 Communications
Emails, chat transcripts, and recorded support calls. Recording is disclosed at the start of every call.
2. How We Use Information
- Processing applications , to underwrite your merchant account and verify identity.
- Providing services , to settle funds, process recurring charges, generate reports, and integrate with your software.
- Compliance and fraud prevention , to meet card-network and bank-secrecy obligations, monitor for fraud, and respond to law-enforcement requests with valid legal process.
- Communications , to send service notifications, respond to support requests, and (with your consent) share product updates.
3. Information Sharing
We share information only with parties that need it to provide the service to you:
- Banking partners , our acquiring bank requires merchant and transaction data to settle funds.
- Card networks , Visa, Mastercard, American Express, and Discover require limited data for compliance, monitoring, and chargeback adjudication.
- Service vendors , KYC, fraud-monitoring, identity-verification, email, and analytics vendors under contractual confidentiality and security obligations.
- Legal requirements , law enforcement and regulators in response to a valid subpoena, court order, or other lawful request.
4. Data Security
We are PCI DSS Level 1 certified, the highest tier under the card-network security standard. Card data is tokenized and never traverses our application servers in plaintext. All connections are protected with TLS 1.2+. Sensitive fields are encrypted at rest using AES-256.
Internal access is limited via role-based controls, multi-factor authentication, and quarterly access reviews. We conduct annual third-party penetration tests and continuous vulnerability scanning.
5. Your Rights
- Access , request a copy of the personal information we hold about you.
- Correction , ask us to fix inaccurate information.
- Deletion , ask us to delete information, subject to recordkeeping obligations under banking and tax law.
- Marketing opt-out , unsubscribe from marketing emails at any time. Service notifications cannot be opted out while your account is active.
Residents of California, Colorado, Virginia, and other states with comprehensive privacy laws have additional rights under those laws. Contact us using the details below to exercise any right.
6. Cookies and Tracking
Our marketing site uses first-party cookies for session management and a small number of analytics cookies (Plausible, server-side) that do not track users across sites. The merchant dashboard uses essential cookies only , we do not run advertising or social trackers inside the dashboard.
7. HIPAA Considerations
As a payment processor, ClaruPay is generally not a "covered entity" or "business associate" under HIPAA , we do not receive Protected Health Information (PHI) in the ordinary course of payment processing. The data we receive (transaction amount, card token, timestamp) is financial, not clinical.
8. Contact for Privacy Requests
Email privacy@clarupay.com. We aim to respond within 15 business days. For deletion or access requests we will verify your identity before acting on the request.