Skip to main content
FinMIFinMI

Privacy Policy

Last updated: April 29, 2026

1. Introduction

This Privacy Policy describes how uPayments LLC ("we," "us," or "our"), operating under the product name FinMI ("Financial Merchant Intelligence"), collects, uses, and shares information when you use our website, dashboard, APIs, and related services (collectively, the "Services"). This policy applies to merchants who use FinMI to manage their payment operations and to website visitors. It does not apply to a merchant's end customers, whose information is governed by the merchant's own privacy policy.

You must be at least 18 years old to use the Services. By continuing to use the Services, you accept this Policy. If you disagree with any term, please discontinue use immediately. Questions about this Policy can be sent to legal@finmi.io.

2. Information We Collect

We collect the following categories of information:

  • Account information. Name, email address, phone number, business name, and credentials you provide when registering.
  • Merchant configuration. Branding, payment-form settings, invoice templates, customer records, and integration credentials you choose to connect (for example, your NMI gateway API key, encrypted at rest with AES-256-GCM).
  • Transaction metadata. Records of payments, refunds, disputes, subscriptions, and dunning sequences that flow through your connected gateways. Full card numbers and CVVs are tokenized by NMI and never stored on FinMI servers.
  • Usage and device data. Logs, IP address, browser/device type, geographical location at the city level, button clicks, page views, and session activity, used for security, debugging, and product analytics.
  • Cookies and similar technologies. Strictly-necessary session cookies, fraud-detection cookies, and, where enabled, product-analytics cookies (PostHog) that respect Do-Not-Track signals.
  • Communications. Messages you send to support, contact-form submissions, sales inquiries, and email open/click metadata where measurable.
  • Information from third parties. Data from your authorized integrations (CRMs you connect, your gateway, your acquiring bank statements you import) and data we receive from service providers helping us deliver the Services.

3. How We Use Your Information

We use information to:

  • Provide, maintain, and improve the Services.
  • Process payments through your connected gateway(s) and reconcile transactions, refunds, and chargebacks.
  • Detect, prevent, and respond to fraud, abuse, and security incidents, including velocity-based risk scoring.
  • Send service announcements, billing notifications, security alerts, and respond to support requests.
  • Send marketing communications about FinMI features and offerings, where you have consented or as permitted by law (you may opt out at any time).
  • Comply with legal obligations and enforce our Terms of Service.
  • Aggregate and anonymize information to produce non-personally-identifiable analytics and benchmarks.

4. Information Sharing

We do not sell your personal information. We share information only with the following categories of recipients:

  • Payment gateway (NMI). Card data is transmitted directly to NMI's PCI-DSS Level 1 certified gateway for authorization and settlement.
  • Infrastructure providers. Vercel (application hosting), Supabase (database and storage), Upstash (rate-limit cache), Resend (transactional email), Inngest (background workers), Anthropic (AI features), Cloudflare (DNS/edge).
  • Analytics. PostHog for product analytics, with personally-identifiable fields scrubbed before transmission.
  • Integrations you enable. Third-party tools you choose to connect (for example, GoHighLevel CRM) only receive data you explicitly authorize.
  • Professional advisors. Auditors, attorneys, and consultants under appropriate confidentiality obligations.
  • Legal and safety. When required by valid legal process, to enforce our Terms, or to protect rights, property, or safety.
  • Business transfers. In connection with a merger, acquisition, or asset sale, with notice to affected users.

5. Sub-Processors

A current list of sub-processors that handle personal information on our behalf is maintained internally and available on request to merchants who have signed a Data Processing Addendum (DPA). We require sub-processors to maintain appropriate technical and organizational measures, restrict use of personal data to providing services to us, and cooperate with audit requirements where applicable. We will provide reasonable advance notice of any material change to our sub-processor list to merchants who have requested it.

6. Data Security

Card data flows through NMI's PCI-DSS Level 1 certified gateway and is tokenized; FinMI never stores raw card numbers or CVV values. We encrypt sensitive credentials at rest using AES-256-GCM, transmit data over TLS 1.2 or higher, scope database access with role-based permissions and tenant isolation, audit administrative access, run regular dependency and security reviews, and require multi-factor authentication for users handling payment configuration. No system is perfectly secure; if we discover a breach affecting your information, we will notify you in accordance with applicable law.

7. Data Retention

We retain account information and transaction records for as long as your account is active and for a period of up to seven (7) years thereafter to comply with financial-recordkeeping obligations. Audit logs and security records are retained for a shorter window appropriate to their purpose. You may request deletion of your account at any time; certain records may be retained where law requires (for example, anti-money-laundering, tax, or financial-records statutes).

8. Your Rights and Choices

Depending on where you reside, you may have rights to access, correct, delete, port, or limit the use of your personal information, including under the California Consumer Privacy Act (CCPA/CPRA) and the EU/UK General Data Protection Regulation (GDPR). To exercise these rights, email us at legal@finmi.io. We will not retaliate against you for exercising any of these rights.

You may also opt out of non-essential analytics cookies in your browser. We do not process or respond to "Do Not Track" signals at this time, but the default analytics cookie respects them. You may unsubscribe from marketing emails using the link in any marketing message.

9. Notice at Collection — California Residents

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides specific rights to California residents regarding personal information.

  • Right to know / right to access. California residents may request that we disclose the categories and specific pieces of personal information collected, used, disclosed, or sold over the past 12 months.
  • Right to deletion. California residents may request that we delete personal information we have collected and retained, subject to statutory exceptions (including financial-records obligations).
  • Right to correct. California residents may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing. We do not and will not sell consumer personal information; we do not share personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information. We use sensitive personal information only for the purposes permitted by the CCPA without additional disclosure.
  • Right to non-discrimination. California residents may not be discriminated against for exercising CCPA rights.

To exercise your rights, contact legal@finmi.io. We may verify your identity before responding. You may make verifiable consumer requests up to twice within any 12-month period at no charge.

10. Other State Notices

Vermont residents. We will not disclose information about your creditworthiness to our affiliates and will not disclose personal information to nonaffiliated third parties for marketing unless Vermont law permits otherwise or you authorize us in writing.

Nevada residents. Under Nevada law, you have the right to direct us not to sell certain covered information. We do not sell covered information; you may submit a verified request related to this right by emailing legal@finmi.io.

Other state privacy laws. If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another state with a comprehensive privacy law, you may have rights similar to those under the CCPA. Contact us at legal@finmi.io to exercise any such right.

11. Electronic Communications

By using the Services and providing contact information, you agree that we may communicate with you electronically (email, in-app messages, SMS where you have opted in) about your account, the Services, our products, and security matters. You may withdraw consent to non-essential electronic communications by following unsubscribe instructions in the message; some operational and security communications cannot be opted out of while you maintain an active account.

12. International Transfers

The Services are operated from the United States. If you access the Services from outside the United States, your information will be transferred to, processed in, and stored in the United States. By using the Services you consent to that transfer. Where required by law, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers from the EU/UK.

13. Children

The Services are not directed at individuals under 16. We do not knowingly collect information from children under 16. If you believe a child has provided information to us, contact us so we can delete it.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by email or through the dashboard and will become effective when posted. The "Last updated" date at the top reflects the most recent revision. Continued use of the Services after a change constitutes acceptance of the updated Policy.

15. Contact Us

Questions about this Privacy Policy? Email legal@finmi.io.

uPayments LLC
Attention: Privacy
Albuquerque, NM, United States