Privacy Policy
Last updated: June 16, 2026
MerchantPro is committed to protecting your personal data and financial transaction history. This statement details how we collect, process, and retain your data when you interact with our platform.
1. Biometric Credentials (Passkeys)
MerchantPro **never** reads, uploads, or stores your biometric inputs (TouchID or FaceID). Authentication challenges are resolved directly within your device's Secure Enclave or TPM hardware module using the WebAuthn API. The browser only returns a cryptographic credential signature used to verify transactions on-chain.
2. Cookies & Session Storage
We use secure session cookies set with the `httpOnly` and `sameSite: strict` attributes to persist your session identity (`merchantpro_credential_id` and `merchantpro_msca_address`). Of these, `httpOnly` prevents client-side JavaScript access to the cookies, mitigating Cross-Site Scripting (XSS) risks.
3. Ledger Data (On-Chain History)
All disbursements, payments, and swaps are committed to public ledgers (Arc Network, Base Sepolia, Solana Devnet). On-chain transaction records are immutable and do not fall under our database retention rules.
4. Policy Modifications
We reserve the right to amend this Privacy Policy to reflect changing technical patterns or legal compliance updates. The latest version will always be accessible here.