Privacy Policy

At Tilt Pay, your privacy matters to us. This policy explains how we collect, use, and protect your information when you visit our mobile app and website.

Tilt Pay is built around a core principle of minimal data collection: we only collect what is strictly necessary to provide the Service. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR). Please read it carefully.

1. Identity of the Data Controller

The data controller responsible for your personal data is:

Tilt Pay is a trademark of Elliot Boyer, a sole proprietorship.

9 Rue des Colonnes, 75002 Paris, France

Email: contact@tilt-pay.com

Website: https://tilt-pay.com

For all privacy-related requests, inquiries, or complaints, you may contact us directly at contact@tilt-pay.com. We will respond within thirty (30) calendar days.

2. Scope of This Policy

This Privacy Policy applies to:

  • The Tilt Pay mobile application for iOS and Android (the "App");

  • The Tilt Pay website located at tilt-pay.com (the "Website");

  • All related services, features, and functionality (collectively, the "Service").

This Policy does not apply to third-party services accessed through Tilt Pay, such as Circle (wallet infrastructure), Noah (KYC and on/off-ramp), or Twilio (SMS/WhatsApp verification). Each of these third parties operates under its own privacy policy, referenced in Section 7 of this document.

3. Personal Data We Collect

3.1 Privacy-by-Design Approach

Tilt Pay is designed to minimize personal data collection. A standard Tilt Pay account requires only your mobile phone number — nothing else. No name, no email address, no date of birth, no government-issued ID. Additional data is only collected when you choose to use optional features (on/off-ramp) or when required by law (Merchant KYC threshold).

3.2 Data We Do NOT Collect

To be explicit, Tilt Pay does NOT collect or store:

  • Your name or surname (standard accounts);

  • Your email address;

  • Your date of birth (standard accounts);

  • Your private keys or wallet seed phrase — these remain exclusively on your device;

  • Payment content, transaction descriptions, or any message attached to a payment;

  • Any marketing or behavioral profile.

4. How We Use Your Personal Data

4.1 To Provide and Operate the Service

We use your mobile phone number to create and authenticate your account, and to enable you to send and receive payments, view your wallet balance, and use all Service features. We use transaction data to record your payment history within the app.

4.2 To Verify Your Identity

When you create an account, we send a one-time verification code (OTP) to your mobile phone number via SMS or WhatsApp, using our partner Twilio. This is the only instance in which your phone number is shared with a third party for verification purposes. The OTP is not stored after verification.

4.3 To Comply with Legal Obligations

When you exceed the Merchant User threshold (USD $1,000 received via Tap-to-Pay in any rolling 30-day period), we are required by applicable anti-money laundering (AML) and know-your-customer (KYC) regulations to collect and verify your identity. We retain this data for a minimum of five (5) years as required by EU Directive 2015/849 (AMLD5).

4.4 To Improve the Website

We use Google Analytics on tilt-pay.com to understand how visitors interact with our website (pages visited, session duration, device type). Google Analytics is configured to anonymize IP addresses. We do not collect any personally identifiable information through the website, and we do not use this data to build individual profiles.

4.5 To Maintain Service Reliability

We retain technical logs (error reports, app crash data) for up to ninety (90) days solely for the purpose of diagnosing and resolving technical issues.

4.6 What We Never Do with Your Data

Tilt Pay does NOT:

  • Sell your personal data to any third party;

  • Use your data for advertising or marketing purposes;

  • Send you marketing emails, SMS messages, or push notifications of a promotional nature;

  • Share your data with advertisers or data brokers;

  • Use your data to train machine learning models;

  • Profile you for automated decision-making that produces legal or similarly significant effects.

5. Legal Basis for Processing (GDPR)

We process your personal data only when we have a valid legal basis under the GDPR:

Contract Performance (Article 6(1)(b)): Processing your phone number and transaction data is necessary to provide the Service you requested and agreed to use.

Legal Obligation (Article 6(1)(c)): Processing identity data for Merchant KYC is required to comply with EU anti-money laundering directives and applicable financial regulations.

Legitimate Interests (Article 6(1)(f)): We process anonymized website analytics data and technical logs to maintain, improve, and secure the Service. These interests are balanced against your privacy rights given the anonymized nature of the data.

Consent (Article 6(1)(a)): Where we rely on consent (e.g., for non-essential cookies on the website), we will request your explicit consent before processing and you may withdraw it at any time.

6. Data Storage, Security, and Retention

6.1 Where Your Data Is Stored

Your personal data is stored on servers operated by Hetzner Online GmbH, headquartered in Germany (European Union). All data storage takes place within the European Economic Area (EEA). Tilt Pay does not transfer personal data outside the EEA except as described in Section 7 (Third-Party Sub-processors).

6.2 Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration, including:

  • Encryption in transit (TLS 1.2 or higher) for all data communications between the App and our servers;

  • Encryption at rest for stored personal data;

  • Access controls limiting data access to authorized personnel only;

  • Regular security reviews and vulnerability assessments;

  • Non-custodial wallet architecture: your private keys and funds never leave your device.

However, no system is entirely immune to security risks. You are responsible for maintaining the security of your device and account credentials.

6.3 Retention Periods

We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with applicable law:

  • Account data (phone number, transaction history): 3 years from the date of account closure or last activity, whichever is later.

  • Merchant KYC data: 5 years from the date of collection, as required by AML regulations.

  • Phone verification OTPs: deleted immediately upon successful verification or expiration.

  • Website analytics data: 26 months (Google Analytics standard retention).

  • Technical logs: 90 days.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized. You may request earlier deletion subject to the conditions in Section 9.

7. Third-Party Sub-Processors and Data Sharing

We share personal data with the following third parties only to the extent necessary to provide the Service. We do not sell, rent, or trade your personal data.

7.1 Twilio (Phone Verification)

Purpose: Delivery of one-time verification codes (OTP) via SMS or WhatsApp at account creation.

Data shared: Your mobile phone number.

Location: United States (Twilio Inc.). Data transfers are covered by Standard Contractual Clauses (SCCs) under GDPR.

Privacy Policy: https://www.twilio.com/en-us/legal/privacy

7.2 Circle (Wallet Infrastructure)

Purpose: Non-custodial wallet infrastructure on the Solana blockchain.

Data shared: Wallet addresses and transaction data (publicly visible on the Solana blockchain). No personal identifiers are shared with Circle by default.

Privacy Policy: https://www.circle.com/legal/privacy-policy

7.3 Noah (On/Off-Ramp & KYC)

Purpose: Fiat-to-digital currency conversion via IBAN, and KYC identity verification for this feature.

Data shared: Identity documents, name, and other KYC data — only if you choose to use the on/off-ramp feature. This data is processed exclusively by Noah and is subject to Noah's own privacy policy.

Privacy Policy: https://noah.com (consult Noah's current privacy documentation)

7.4 Google Analytics (Website Only)

Purpose: Website usage analytics on tilt-pay.com.

Data shared: Anonymized behavioral data (pages visited, session duration, device/browser type). IP addresses are anonymized. No personal data from the App is shared with Google Analytics.

Location: United States (Google LLC). Data transfers are covered by Google's Data Processing Addendum and Standard Contractual Clauses.

Privacy Policy: https://policies.google.com/privacy

7.5 Hetzner (Hosting Infrastructure)

Purpose: Cloud server hosting for Tilt Pay's backend infrastructure.

Data shared: All data stored on Tilt Pay servers is hosted at Hetzner data centers in Germany (EU). Hetzner acts as a data processor under a Data Processing Agreement.

Privacy Policy: https://www.hetzner.com/legal/privacy-policy

7.6 Legal Disclosures

We may disclose your personal data to public authorities, law enforcement agencies, or regulatory bodies when required to do so by applicable law, court order, or binding regulatory request. Where legally permitted, we will notify you of such a request.

8. Cookies and Tracking Technologies

8.1 Website (tilt-pay.com)

We use cookies and similar tracking technologies on tilt-pay.com solely for analytics purposes through Google Analytics. We do not use advertising cookies, retargeting pixels, or any cookies that track you across other websites.

When you first visit tilt-pay.com, we will request your consent to place non-essential cookies (analytics cookies). You may:

  • Accept all cookies;

  • Reject non-essential cookies (the website will remain fully functional);

  • Withdraw consent at any time by clearing cookies in your browser settings.

The following cookie categories are used:

Strictly Necessary Cookies: Set by Tilt Pay for session management and security. These cannot be disabled. Duration: session.

Analytics Cookies (Google Analytics): Used to collect anonymized statistics on website usage. Require your consent. Duration: up to 26 months.

8.2 Mobile Application

The Tilt Pay mobile application does not use cookies. The App does not track your behavior across third-party apps or websites.

9. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, please contact us at contact@tilt-pay.com. We will respond within thirty (30) calendar days.

Right of Access (Article 15): You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data.

Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure (Article 17): You have the right to request deletion of your personal data. Note that we may retain certain data where required by law (e.g., Merchant KYC data retained for 5 years under AML regulations) or where necessary for the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances, such as while you contest the accuracy of the data.

Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.

Right to Object (Article 21): You have the right to object to processing based on our legitimate interests. We will cease such processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Article 7(3)): Where processing is based on consent (e.g., analytics cookies), you may withdraw your consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL), accessible at www.cnil.fr.

10. Minors

The Service is not directed to persons under the age of legal majority in their country of residence (18 years in most jurisdictions). We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will promptly delete it. If you believe we have collected data from a minor, please contact us at contact@tilt-pay.com.

11. Blockchain Data and Public Transactions

Transactions processed through the Tilt Pay Service are recorded on the Solana public blockchain. This is an inherent characteristic of blockchain technology. By using the Service, you acknowledge and accept that:

  • Transaction data (wallet addresses, amounts, timestamps, and transaction hashes) is permanently and publicly recorded on the Solana blockchain;

  • Tilt Pay has no ability to delete, modify, or restrict access to data recorded on a public blockchain;

  • Your right to erasure (Article 17 GDPR) cannot apply to data recorded on the Solana blockchain, as it is technically impossible for any party to alter or delete blockchain records;

  • All BLE (Bluetooth Low Energy) communication for Tap-to-Pay occurs entirely on-device between two devices. No proximity, location, or BLE metadata is transmitted to Tilt Pay's servers at any time.

12. International Data Transfers

Your personal data is stored primarily within the European Economic Area (EEA) on Hetzner servers in Germany. Where we transfer data outside the EEA (specifically for phone verification via Twilio, headquartered in the United States, and website analytics via Google Analytics), we ensure that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;

  • Adequacy decisions where applicable;

  • Data Processing Agreements with all sub-processors.

You may request a copy of the applicable transfer safeguards by contacting us at contact@tilt-pay.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Effective Date" at the top of this document;

  • Post a notice within the App;

  • Where feasible, notify you via the contact method associated with your account.

Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

14. Contact and Complaints

For all privacy-related questions, requests to exercise your rights, or concerns about our data practices, please contact:

Tilt Pay — Privacy Team

9 Rue des Colonnes, 75002 Paris, France

Email: contact@tilt-pay.com

Website: https://tilt-pay.com

We aim to respond to all requests within thirty (30) calendar days. If you are not satisfied with our response, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés):

CNIL

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

Website: https://www.cnil.fr

Phone: +33 1 53 73 22 22

Tilt Pay. All rights reserved. © 2026