Privacy Policy

Effective Date: October 24, 2025

1. Introduction

Crosspay ("we," "our," or "us") provides a cross-platform in-app purchase infrastructure SDK and related services (the "Service"). We value the privacy of the developers who use our Service ("Customers") and the end-users of their applications ("End Users").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use the Crosspay SDK.

2. Information We Collect

2.1 Information from Developers (Customers)

When you register for a Crosspay account, we act as a Data Controller and collect:

  • Identity Data: Name, email address, GitHub username, or organization name.
  • Billing Data: Credit card details (processed securely via Stripe) and billing address for SaaS fees.
  • Technical Data: API keys, organization settings, and IP addresses used to access the dashboard.

2.2 Information from End Users

When a Customer integrates the Crosspay SDK into their application, we act as a Data Processor. We collect data necessary to validate receipts and manage entitlements:

  • Transaction Data: Purchase receipts, transaction IDs, product IDs, and purchase timestamps from app stores (Apple App Store, Google Play, Stripe, Microsoft Store, etc.).
  • Device Data: Generalized device model, operating system version, and platform (e.g., "iOS 17.0", "Windows 11") to ensure SDK compatibility.
  • App User IDs: The unique identifier generated by the Customer to link a specific user to an entitlement.
  • Usage Data: Anonymized interactions with paywalls (if A/B testing is enabled).

Important: We do not collect or store End Users' raw credit card numbers or banking credentials. These are handled exclusively by the underlying platform providers (Apple, Google, Stripe, etc.).

3. How We Use Your Information

We use the collected data for the following purposes based on the associated legal bases (GDPR Art. 6):

  • Service Provision (Contractual Necessity): To validate purchase receipts, calculate taxes, sync entitlements across devices, and serve remote configuration.
  • Analytics (Legitimate Interest): To provide Customers with dashboards showing Monthly Recurring Revenue (MRR), churn, and retention cohorts.
  • Infrastructure Monitoring (Legitimate Interest): To detect fraud, debug SDK errors, and ensure the uptime of our API.
  • Communication (Consent/Legitimate Interest): To send Customers technical notices, updates, and security alerts.

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (like web beacons and tags) to track the activity on our Service and hold certain information.

  • Essential Cookies: Necessary for the dashboard to function (e.g., session management).
  • Analytics Cookies: We use tools like PostHog to understand how developers navigate our documentation and dashboard. You can opt-out of these via your browser settings.

5. Data Sharing and Sub-Processors

We do not sell data. We share data only with third-party service providers ("Sub-Processors") necessary to run our infrastructure:

  • Hosting: AWS / Vercel (Cloud Infrastructure)
  • Database: Supabase / PlanetScale (Data Storage)
  • Payments: Stripe (For billing Crosspay fees)
  • Analytics: PostHog / Mixpanel (For dashboard analytics)

We may also disclose information if required by law, such as to comply with a subpoena or similar legal process.

6. International Data Transfers

Crosspay operates globally. Information we collect may be transferred to, stored, and processed in the United States or any other country in which we or our affiliates or processors maintain facilities. We utilize Standard Contractual Clauses (SCCs) to ensure data transferred from the EEA/UK remains protected in compliance with GDPR.

7. Your Data Rights

For Developers (Customers)

You can access, update, or delete your account information directly from the Crosspay Dashboard. If you wish to delete your organization, please contact support.

For End Users

Since Crosspay is a Data Processor, End Users seeking to access, correct, or delete their data should contact the application developer (our Customer) directly. We provide API endpoints to allow Customers to delete End User data programmatically upon request.

California Residents (CCPA)

We do not "sell" personal information as defined by the CCPA. You have the right to request disclosure of data collection and deletion practices.

8. Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us so that we can take necessary actions.

9. Security

We implement industry-standard security measures, including encryption in transit (TLS 1.3) and encryption at rest (AES-256), to protect your data. However, no method of transmission over the Internet is 100% secure.

10. Data Retention

We retain transaction data for as long as the Customer's account is active to ensure continued access to entitlements (e.g., restoring a "Lifetime" purchase made 3 years ago). If a Customer deletes their account, we delete all associated End User data within 30 days.

11. Contact Us

If you have questions about this Privacy Policy, please contact our Data Protection Officer at:

Email: privacy@crosspay.dev
Address: 1875 Mission St Ste 103 # 180, San Francisco, CA 94103