An investment in knowledge pays the best interest.
Benjamin Franklin

AI Data Processing Agreement

Last updated: March 8, 2026

1. Introduction and Scope

This AI Data Processing Agreement ("AIDPA" or "Agreement") is entered into between you ("Merchant," "you," or "your") and Xoinpay ("Company," "we," "us," or "our"). This Agreement governs the processing of personal data by artificial intelligence ("AI") and machine learning ("ML") systems deployed within our payment processing, analytics, fraud detection, and business intelligence services (collectively, the "AI-Powered Services").

This Agreement supplements and is incorporated into our Terms of Service and Privacy Policy. In the event of a conflict between this Agreement and the Privacy Policy regarding AI-specific data processing, this Agreement shall prevail. This Agreement is designed to comply with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and all applicable AI transparency and data protection regulations.

2. Definitions

  • Automated Decision-Making (ADM): Any decision made by technological means without human involvement, including decisions made using AI/ML models that produce legal or similarly significant effects.
  • Profiling: Any form of automated processing of personal data consisting of using data to evaluate, analyze, or predict aspects concerning an individual's behavior, preferences, reliability, or creditworthiness.
  • AI Model: Any machine learning model, neural network, statistical model, or algorithmic system used to process, analyze, classify, or make predictions based on personal or transaction data.
  • Training Data: Data used to develop, calibrate, train, validate, or improve AI Models.
  • Sensitive Personal Information: As defined under CCPA/CPRA, includes Social Security numbers, financial account information, precise geolocation data, biometric data, and other categories specified under Cal. Civ. Code § 1798.140(ae).
  • Consumer: Any California resident, or any individual whose data is subject to California privacy law, whose personal information is processed through our AI-Powered Services.

3. Categories of Data Processed by AI Systems

Our AI-Powered Services process the following categories of data:

3.1 Transaction Data

  • Payment amounts, currency types (fiat and cryptocurrency), and timestamps
  • Blockchain wallet addresses and on-chain transaction hashes
  • Payment method identifiers (card type, token address)
  • Transaction success/failure states and error codes
  • Settlement and reconciliation data

3.2 Merchant Operational Data

  • Sales patterns, volume trends, and revenue analytics
  • Inventory levels, product categories, and pricing data
  • Customer demographics and behavioral analytics (aggregated)
  • Operational metrics (order fulfillment, service times)

3.3 Identity and Verification Data

  • KYC/AML compliance data (government-issued identification, business registration)
  • Digital wallet signatures and cryptographic proofs
  • Device fingerprints and session metadata for fraud detection
  • IP addresses, geolocation data, and browser characteristics

3.4 Communication Data

  • Support ticket content and customer service interactions
  • Voice agent transcriptions and sentiment analysis outputs
  • Automated notification metadata and delivery analytics

4. Purposes of AI Data Processing

We process personal data through AI systems exclusively for the following purposes. We do not process personal data for purposes incompatible with those listed below without obtaining additional consent.

  • Fraud Detection and Prevention: Real-time transaction monitoring, anomaly detection, risk scoring, and pattern recognition to identify potentially fraudulent activity.
  • Payment Optimization: Intelligent routing of transactions, dynamic fee calculation, currency conversion optimization, and settlement timing.
  • Business Intelligence: Generating merchant dashboards, predictive analytics, revenue forecasting, and operational recommendations.
  • Compliance and Regulatory: Automated KYC/AML screening, sanctions list checking, transaction monitoring for regulatory reporting, and suspicious activity detection.
  • Customer Experience: AI-powered customer support (voice and text agents), personalized merchant onboarding recommendations, and service quality optimization.
  • Platform Integrity: Detecting spam, abuse, and Terms of Service violations to maintain platform security and trustworthiness.

5. Automated Decision-Making and Profiling

In accordance with the CPRA and best-practice AI governance principles, we disclose the following automated decision-making processes:

5.1 Fraud Risk Scoring

Our systems assign risk scores to transactions based on behavioral patterns, device characteristics, and historical data. Transactions exceeding defined thresholds may be automatically flagged, delayed, or declined. Risk scores are derived from ensemble models that consider velocity checks, geographic anomalies, and device reputation signals.

5.2 Merchant Verification

AI models are used to screen merchant applications for compliance with underwriting criteria, regulatory requirements, and risk appetite. These models may influence, but do not solely determine, approval or denial decisions — a human reviewer participates in final determinations for all merchant account decisions.

5.3 Dynamic Fee Calculation

Processing fees may be influenced by AI-driven risk assessments, volume predictions, and market conditions. Fee structures are governed by your merchant agreement and are subject to the disclosed fee schedule.

5.4 Right to Human Review

You have the right to request human review of any automated decision that produces legal or similarly significant effects. To request human review, contact us at the address provided in Section 16. We will respond to such requests within fifteen (15) business days.

6. Algorithmic Transparency

We commit to meaningful transparency regarding our AI systems:

  • Model Documentation: We maintain internal documentation describing the logic, training methodology, and intended outputs of each AI model deployed in production.
  • Impact Assessments: We conduct regular algorithmic impact assessments to evaluate our AI systems for accuracy, bias, fairness, and disparate impact across protected classes.
  • Output Explainability: For decisions that significantly affect merchants or consumers, we can provide a meaningful explanation of the principal factors that led to the decision.
  • Audit Trails: All AI-driven decisions that affect transaction processing, account status, or financial outcomes are logged with sufficient detail to reconstruct the reasoning process.

7. Consumer Rights Under California Law

Consistent with the CCPA and CPRA, consumers and merchants have the following rights with respect to AI data processing:

  • Right to Know: You may request disclosure of the categories of personal information used in AI processing, the purposes for such processing, and the categories of third parties with whom AI-derived insights are shared (Cal. Civ. Code § 1798.110).
  • Right to Delete: You may request deletion of personal information used in AI processing, subject to legal retention requirements for financial records and regulatory compliance (Cal. Civ. Code § 1798.105).
  • Right to Correct: You may request correction of inaccurate personal information that is used as input to AI models (Cal. Civ. Code § 1798.106).
  • Right to Opt-Out of Automated Decision-Making: You may opt out of profiling and automated decision-making technologies that produce legal or similarly significant effects (Cal. Civ. Code § 1798.185(a)(16)).
  • Right to Limit Use of Sensitive Personal Information: You may limit the use of sensitive personal information to that which is necessary to perform the services (Cal. Civ. Code § 1798.121).
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

8. Right to Opt-Out

You may opt out of certain AI data processing activities while continuing to use our core payment services. Opting out may result in the following limitations:

  • Predictive analytics and business intelligence features may be unavailable
  • AI-powered customer support features may revert to manual support queues
  • Personalized recommendations and operational insights may not be generated

Note: You may not opt out of AI processing required for fraud detection, regulatory compliance, or platform security, as these uses are necessary for the performance of the contract and compliance with legal obligations.

To exercise your opt-out rights, submit a verifiable request through the contact details in Section 16. We will process your request within forty-five (45) calendar days.

9. AI Training Data Practices

We are committed to responsible AI training practices:

  • No Direct PII in Training: Personal information is de-identified, aggregated, or pseudonymized before use as Training Data. Raw personal data is not used to train general-purpose AI models.
  • Merchant Data Isolation: Each merchant's data is logically isolated within our multi-tenant architecture. AI models trained on aggregate platform data do not leak individual merchant information.
  • Opt-Out of Training: You may request that your data not be used for AI model training or improvement purposes. This does not affect real-time inference (e.g., fraud detection) on your transactions.
  • No Sale of AI-Derived Insights: We do not sell, rent, or trade AI-derived insights, predictions, or profiles to third parties for their own commercial purposes.

10. Third-Party AI Sub-Processors

We may engage third-party AI service providers ("Sub-Processors") to deliver certain AI-Powered Services. All Sub-Processors are bound by data processing agreements that require:

  • Processing only in accordance with our documented instructions
  • Implementation of appropriate technical and organizational security measures
  • Compliance with all applicable data protection and AI governance regulations
  • Prohibition on using merchant or consumer data for the Sub-Processor's own model training without explicit consent
  • Prompt notification of any data breach, model failure, or AI incident

Current categories of AI Sub-Processors include: cloud infrastructure providers, payment fraud detection services, natural language processing providers, and blockchain analytics services. A current list of Sub-Processors is available upon written request.

11. Cross-Border Data Transfers

AI processing may involve the transfer of data to servers located outside of California or the United States. Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses or equivalent mechanisms approved by applicable data protection authorities
  • Encryption of data in transit and at rest using industry-standard protocols (AES-256, TLS 1.3)
  • Access controls limiting data access to authorized personnel on a need-to-know basis
  • Data residency options for merchants requiring data to remain within specific jurisdictions

12. Data Retention and Deletion

Data processed by AI systems is retained in accordance with the following schedule:

  • Transaction Data: Retained for a minimum of seven (7) years for regulatory compliance (AML/BSA requirements).
  • AI Model Outputs: Risk scores, predictions, and classifications are retained for three (3) years or the duration of the merchant relationship, whichever is longer.
  • Training Data: De-identified training datasets are retained for the useful life of the associated AI model, plus two (2) years for audit purposes.
  • Audit Logs: AI decision logs are retained for five (5) years to support regulatory inquiries and internal audits.

Upon account termination, we will delete or de-identify personal data used in AI processing within ninety (90) calendar days, except where retention is required by law. You may request early deletion subject to regulatory constraints.

13. Security Safeguards

We implement comprehensive security measures to protect data processed by AI systems:

  • Model Security: AI models are protected against adversarial attacks, data poisoning, and model extraction through input validation, anomaly detection, and access controls.
  • Infrastructure Security: AI workloads run in isolated environments with network segmentation, encrypted storage, and multi-factor authentication for all administrative access.
  • Data Minimization: AI models are designed to use the minimum amount of personal data necessary to achieve the stated purpose.
  • Regular Testing: Penetration testing, red-team exercises, and vulnerability assessments are conducted at least annually on AI infrastructure.
  • Bias Monitoring: Continuous monitoring of AI outputs for statistical bias, fairness violations, and unintended discrimination across demographic groups.

14. AI Incident Response

In the event of an AI-specific incident (including model failure, biased output discovery, data breach affecting AI systems, or unauthorized access to AI-derived insights), we will:

  • Notify affected merchants within seventy-two (72) hours of discovery
  • Immediately suspend the affected AI model or system pending investigation
  • Conduct a root cause analysis and implement corrective measures
  • Report to applicable regulatory authorities as required by law
  • Provide a written incident report to affected parties within thirty (30) days

15. Children's Data

Our AI-Powered Services are not directed at individuals under the age of 18. We do not knowingly use AI systems to process personal data of minors. If we discover that AI models have processed data attributable to a minor, we will promptly delete such data and retrain affected models as necessary.

16. Amendments

We may update this Agreement to reflect changes in our AI practices, applicable law, or regulatory guidance. Material changes will be communicated at least thirty (30) days in advance via email or through the merchant dashboard. Continued use of AI-Powered Services following notice constitutes acceptance of the updated terms. If you do not agree to the changes, you may terminate your use of AI-Powered Services.

17. Governing Law and Dispute Resolution

This Agreement shall be governed by and construed in accordance with the laws of the State of California, United States, including the CCPA and CPRA as amended. Any dispute arising under this Agreement shall be subject to the dispute resolution provisions set forth in our Terms of Service. For AI-specific complaints, you may also contact the California Privacy Protection Agency (CPPA) or the California Attorney General's office.

18. Contact Information

For questions, concerns, or requests related to AI data processing, including exercising your rights under this Agreement, please contact us at:

Xoinpay

AI Data Processing Inquiries

Email: legal@basalthq.com

Website: https://basalthq.com

Xoinpay