Privacy Policy
Last updated: February 2026
A German version is available on request: hello@paywatcher.dev
1. Data Controller
masemIT e.U.
Mario Semper
Alleegasse 26, 3851 Kautzen, Austria
Email: hello@paywatcher.dev
Commercial Register: FN 661236g
VAT ID: ATU82330407
2. Data We Collect
We collect only the data necessary to provide and improve our service. Here is exactly what we collect, when, and why:
| Data | When | Legal Basis | Retention |
|---|---|---|---|
| Email address (request access) | Landing page form | Art. 6(1)(b) — pre-contractual | Until onboarding or 6 months |
| Name, company, use case (request access) | Landing page form | Art. 6(1)(b) — pre-contractual | Until onboarding or 6 months |
| Email address (login) | Magic link login | Art. 6(1)(b) — contract performance | Duration of business relationship |
| Auth session token (cookie) | After login | Art. 6(1)(b) — contract performance | Session duration (max 30 days) |
| Tenant API key (encrypted) | After onboarding | Art. 6(1)(b) — contract performance | Duration of business relationship |
| Payment data (amount, status, txHash) | API usage | Art. 6(1)(b) — contract performance | 7 years (Austrian retention law) |
| Webhook URLs | Settings configuration | Art. 6(1)(b) — contract performance | Duration of business relationship |
| IP address, browser info | Automatically on page visit | Art. 6(1)(f) — legitimate interest (security) | 30 days (server logs) |
| Analytics events (anonymized) | With consent only | Art. 6(1)(a) — consent | 26 months |
3. Legal Basis for Processing
We process your data under the following legal bases as defined by GDPR Article 6(1):
- Consent — Art. 6(1)(a): Analytics tracking. You can grant or revoke consent at any time via the cookie banner or "Cookie Settings" in the footer.
- Contract performance — Art. 6(1)(b): Login, API access, payment verification, webhook delivery — everything required to provide the service you signed up for.
- Legitimate interest — Art. 6(1)(f): Security logging (IP address, user agent) to protect our systems and detect abuse.
5. Sub-Processors
We use the following third-party services to operate PayWatcher:
| Service | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Vercel | Hosting & CDN | USA | EU Standard Contractual Clauses |
| Neon | PostgreSQL database | EU (Frankfurt) | — |
| Resend | Transactional email | USA | EU Standard Contractual Clauses |
| QStash / Upstash | Message queue & cache | EU | — |
6. Data Sharing
We do not sell, rent, or share your personal data with third parties beyond the sub-processors listed above. Your data is only used to provide and improve our service.
7. Retention Periods
- Auth tokens: Session duration (max 30 days)
- Request access data: Until onboarding is completed or 6 months, whichever comes first
- Payment verification data: 7 years (Austrian statutory retention requirement)
- Analytics data: 26 months
- Server logs: 30 days
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access — Request a copy of your data
- Right to rectification — Correct inaccurate data
- Right to erasure — Request deletion of your data
- Right to restriction — Limit how we process your data
- Right to data portability — Receive your data in a portable format
- Right to object — Object to processing based on legitimate interest
- Right to withdraw consent — Revoke analytics consent at any time via "Cookie Settings"
To exercise any of these rights, contact us at hello@paywatcher.dev.
You also have the right to lodge a complaint with the Austrian Data Protection Authority: dsb.gv.at
9. International Transfers
Some of our sub-processors (Vercel, Resend) are based in the USA. Data transfers to these services are safeguarded by EU Standard Contractual Clauses (SCCs), ensuring your data receives an adequate level of protection as required by GDPR.
10. Changes to This Policy
We may update this privacy policy from time to time. Changes will be published on this page with an updated "Last updated" date. We encourage you to review this page periodically.