Legal
Last updated: March 13, 2026
Terms of Service
These Terms of Service ("Terms") govern your access to and use of the Payo platform, including the Payo SDK, dashboard, API, website, and all related services (collectively, the "Service") operated by Payo ("we", "us", or "our"). By accessing or using the Service, you agree to be bound by these Terms.
1. Definitions
- "Developer" means any individual or entity that registers for a Payo account and integrates the Payo SDK into their application.
- "End User" means any user of a Developer's application that incorporates the Payo SDK.
- "SDK" means the Payo software development kit distributed as a Swift Package or XCFramework.
- "Dashboard" means the web-based management interface at payo-sdk.com.
- "API Key" means the cryptographically signed credential issued to Developers to authenticate SDK communications.
2. Account Registration
To use the Service, you must create an account using Apple Sign-In or Google Sign-In. You are responsible for maintaining the security of your account credentials and API keys. You must not share API keys publicly or embed them in client-side code outside of the SDK's designated configuration file (Payo.plist).
3. Acceptable Use
You agree to use the Service only for lawful purposes and in accordance with these Terms. You shall not:
- Use the Service to violate any applicable law, regulation, or third-party rights
- Attempt to gain unauthorized access to the Service, other accounts, or related systems
- Reverse-engineer, decompile, or disassemble the SDK except as permitted by applicable law
- Use the Service to collect, store, or process personal data in violation of applicable privacy laws
- Interfere with or disrupt the integrity or performance of the Service
- Transmit malicious code, spam, or fraudulent transaction data
- Resell, sublicense, or redistribute the Service as a standalone product
- Circumvent rate limits, authentication mechanisms, or other security controls
4. Developer Responsibilities
As a Developer integrating the Payo SDK, you are responsible for:
- Complying with Apple's App Store Review Guidelines, including requirements for in-app purchases and subscriptions
- Providing your own privacy policy to End Users that accurately discloses the data collected by the SDK on your behalf
- Ensuring your use of subscription data complies with applicable consumer protection laws
- Maintaining accurate product configurations in App Store Connect that match your Payo dashboard settings
- Properly configuring Apple App Store Server Notifications to point to the Payo webhook endpoint
5. SDK License
The Payo SDK is provided under the MIT License. Subject to your compliance with these Terms, we grant you a non-exclusive, worldwide, royalty-free license to use the SDK in your iOS applications. This license does not extend to the Payo backend services, dashboard, or API, which are provided as a hosted service.
6. API Keys and Security
API keys are cryptographically signed and bound to a specific bundle identifier. You must:
- Keep your API keys confidential and not expose them outside of your application bundle
- Generate new API keys through the Dashboard if you suspect a key has been compromised
- Not attempt to forge, modify, or tamper with API key signatures
We reserve the right to revoke API keys that are found to be compromised or used in violation of these Terms.
7. Data Processing
When you integrate the Payo SDK, we process certain data from your End Users on your behalf as described in our Privacy Policy. You acknowledge that:
- You are the data controller for End User data processed through the SDK
- We act as a data processor on your behalf for SDK-collected data
- You are responsible for obtaining any necessary consents from End Users
- You must provide End Users with clear notice about data collection through your application's privacy policy
8. Service Availability
We strive to maintain high availability of the Service but do not guarantee uninterrupted or error-free operation. The Service is provided "as is" and "as available." We may perform maintenance, updates, or modifications that temporarily affect availability. Critical SDK functionality (purchase processing, entitlement checks) operates locally on the device and does not depend on server availability.
9. Intellectual Property
The Service, including its design, architecture, documentation, and branding, is owned by Payo and protected by intellectual property laws. The SDK source code is licensed under the MIT License. These Terms do not grant you any rights to our trademarks, logos, or brand assets except as necessary to indicate that your application uses Payo.
10. Limitation of Liability
To the maximum extent permitted by applicable law:
- The Service is provided without warranties of any kind, express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement
- We shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of revenue, data, or business opportunities
- Our total aggregate liability for any claims arising from these Terms shall not exceed the amounts paid by you to Payo in the twelve (12) months preceding the claim
- We are not responsible for Apple App Store outages, StoreKit failures, or third-party service disruptions
11. Indemnification
You agree to indemnify and hold harmless Payo and its officers, directors, employees, and agents from any claims, damages, losses, or expenses (including reasonable attorneys' fees) arising from your use of the Service, your violation of these Terms, or your violation of any third-party rights.
12. Termination
Either party may terminate this agreement at any time. You may stop using the Service and remove the SDK from your applications. We may suspend or terminate your access if you violate these Terms. Upon termination:
- Your API keys will be revoked
- Access to the Dashboard will be disabled
- Historical subscription data may be retained for a reasonable period for legal and operational purposes
- You must remove the SDK from any applications that are still distributed
13. Changes to Terms
We may update these Terms from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated Terms.
14. Governing Law
These Terms shall be governed by and construed in accordance with the laws of the United States. Any disputes arising from these Terms shall be resolved through binding arbitration in accordance with the rules of the American Arbitration Association, unless you are entitled to bring claims in small claims court.
15. Severability
If any provision of these Terms is found to be unenforceable, the remaining provisions shall continue in full force and effect.
16. Contact
For questions about these Terms, contact us through the contact form on our website or at the address provided on payo-sdk.com.
Privacy Policy
This Privacy Policy describes how Payo ("we", "us", or "our") collects, uses, and shares information when you use the Payo platform, including the SDK, Dashboard, API, and website. This policy applies to two categories of users: Developers who integrate the Payo SDK, and End Users of applications that include the Payo SDK.
1. Information We Collect
1a. From Developers (Dashboard Users)
When you create a Payo account, we collect:
- Account information: Email address, display name, and authentication provider identifier (from Apple Sign-In or Google Sign-In)
- Application configuration: Bundle identifiers, product IDs, entitlement mappings, offering configurations, and experiment settings
- Usage data: Dashboard interactions and feature usage for product improvement
When you subscribe to a paid plan, our payment processor (Stripe) collects payment information. We store only a reference to your Stripe customer ID and subscription status. We do not store credit card numbers, bank account details, or other payment instrument data.
1b. From End Users (via the SDK)
When End Users interact with an application that includes the Payo SDK, the following data may be collected and transmitted to Payo servers:
| Data Type | Details | Purpose |
| --- | --- | --- |
| Device Identifier | iOS identifierForVendor (a per-developer, resettable UUID) | Associate subscription events with a device; customer support lookups |
| Subscription Events | Transaction IDs, product IDs, purchase dates, expiration dates, subscription status | Entitlement management, subscription state tracking |
| SDK Events | Paywall views, purchase starts, completions, cancellations, failures | Conversion analytics for Developers |
| Attribution Data | Apple Search Ads attribution token (if available) | Campaign performance measurement for Developers |
| Experiment Assignment | A/B test variant identifier | Experiment analytics and paywall optimization |
What we do NOT collect from End Users:
- Names, email addresses, or any directly identifying personal information
- Location data (precise or coarse)
- Contacts, photos, or other device content
- Browsing history or data from other applications
- Advertising identifiers (IDFA)
1c. From Apple Server-to-Server Notifications
When configured by the Developer, Apple sends subscription lifecycle notifications directly to Payo. These notifications contain:
- Notification type and subtype (e.g., subscription renewed, expired, refunded)
- Transaction identifiers and product identifiers
- Bundle identifier and environment (sandbox/production)
- The cryptographically signed notification payload
These notifications do not contain End User names, emails, or Apple IDs.
2. How We Use Information
- Provide the Service: Process subscriptions, manage entitlements, deliver configuration to the SDK, and power the Developer dashboard
- Analytics: Generate aggregate subscription metrics (MRR, churn, conversion rates) for Developers
- Experiments: Assign End Users to A/B test variants and measure conversion outcomes
- Customer Support: Enable Developers to look up subscriber records and issue manual entitlement grants
- Security: Detect and prevent fraud, abuse, and unauthorized access
- Improvement: Analyze usage patterns to improve the Service
3. How We Share Information
We do not sell personal information. We share data only in the following circumstances:
- With Developers: End User subscription data, SDK events, and attribution data are accessible to the Developer who owns the application through the Dashboard
- Service providers: We use Cloudflare for hosting and database services, Stripe for payment processing, and Apple/Google for authentication. These providers process data on our behalf under their own privacy policies
- Legal requirements: We may disclose information if required by law, legal process, or government request
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction
4. Data Storage and Security
- All data in transit is encrypted via TLS/HTTPS
- Authentication is handled through Apple and Google OAuth providers — we do not store passwords
- We implement industry-standard security measures to protect your data, including cryptographic authentication and signed session management
5. Data Retention
- Developer account data: Retained for the duration of your account, plus a reasonable period after deletion for legal and operational purposes
- Subscription event data: Retained for as long as the Developer maintains an active account, to support historical analytics and audit requirements
- SDK event data: Retained for analytics purposes for the duration of the Developer's account
- Attribution data: Retained for the duration of the Developer's account
- Session tokens: Expire automatically after 30 days
6. Your Rights
For Developers:
- Access, correct, or delete your account information by contacting us
- Export your subscription data through the Dashboard
- Delete your account and associated data by contacting us
- Revoke API keys at any time through the Dashboard
For End Users:
- The Developer who integrated the SDK is the data controller for your data. Contact the app developer directly to exercise your privacy rights
- You may also contact us directly at the address below, and we will work with the relevant Developer to address your request
- Device identifiers (identifierForVendor) can be reset by uninstalling and reinstalling the application
7. International Data Transfers
The Service is hosted on Cloudflare's global network. Data may be processed in the United States and other countries where Cloudflare operates infrastructure. By using the Service, you consent to the transfer of information to these locations.
8. Children's Privacy
The Payo Dashboard is not directed to children under 13. We do not knowingly collect personal information from children. The SDK itself does not collect age information from End Users. Developers who distribute applications to children are responsible for compliance with COPPA (Children's Online Privacy Protection Act) and similar regulations.
9. California Privacy Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information is collected about you
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising your privacy rights
To exercise these rights, contact us using the information below.
10. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, you have additional rights under GDPR:
- Legal basis: We process Developer data based on contract performance (providing the Service). End User data is processed based on the Developer's legitimate interest in managing subscriptions and analytics
- Rights: Access, rectification, erasure, restriction of processing, data portability, and objection
- Data protection officer: Contact us using the information below
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority
11. Apple App Tracking Transparency
The Payo SDK does not use the Advertising Identifier (IDFA) and does not engage in tracking as defined by Apple's App Tracking Transparency framework. The SDK uses identifierForVendor, which does not require ATT consent. Developers are not required to show an ATT prompt solely because of the Payo SDK.
12. Third-Party Services
The Service integrates with the following third-party services, each governed by their own privacy policies:
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. We encourage you to review this page periodically.
14. Contact Us
For privacy inquiries, data requests, or questions about this policy, contact us through the contact form on payo-sdk.com or email us at the address listed on our website.