Privacy Policy

Last updated 1 September 2025

Transparency is part of how we earn trust.

Whether you're making a payment, managing merchant accounts, or partnering with us to power transactions, we know you're trusting us with sensitive information. This policy explains how we collect, use, and share personal information when you interact with Bead. We aim to be transparent, respectful, and aligned with the expectations of the financial ecosystem of which we’re a part.

To keep things clear, here’s how we define key terms used in this policy:

  • Affiliate refers to a company related to us by common ownership or control.

  • “Bead”, “we”, “our”, or “us” refers to Bead Pay, Inc., the provider of the platform and Services described in this policy.

  • Hosted payment page refers to a Bead-managed interface where Payors can complete a transaction on behalf of a Merchant.

  • Joint marketing refers to a formal agreement between Bead and one or more Partners to promote a product or service to Merchants or Partners with whom we have a relationship.

  • Merchant refers to a business that uses Bead to accept payments from customers.

  • Non-affiliate refers to any company not related to us by common ownership or control.

  • Partner refers to a platform provider, reseller, or other third party who helps onboard or manage Merchants through Bead’s Services.

  • Payor refers to an individual who initiates a payment to a Merchant using Bead’s hosted payment pages or payment APIs.

  • Personal information means any information that identifies, relates to, describes, or could reasonably be linked with an individual or household, including identifiers, account details, transactional metadata, or device-related information, as defined under applicable privacy laws.

  • Platform means Bead’s website, hosted payment pages, APIs, Merchant and Partner portal, and any other digital properties where Services are provided.

  • Processor refers to an entity that processes personal information on behalf of another business (the “controller”), typically under a contractual obligation.

  • Services refers to the products, websites, hosted payment pages, APIs, Merchant and Partner portals, documentation, and related tools provided by Bead.

  • Service Provider refers to a third-party organization authorized by Bead to perform business functions or support operations, and that is contractually restricted from using personal information for any purpose other than providing Services to Bead.

  • Subprocessor refers to an authorized third-party Service Provider that processes personal information on behalf of Bead.

  • User refers to anyone who interacts with our platform or Services, including Payors, Merchant representatives, and Partner organization users.

1. Introduction & Scope

This Privacy Policy describes how we, Bead (“Bead”, “we”, “us”), collect, use, and share personal information when you interact with our Services. Bead provides payment and platform Services to Merchants in partnership with regulated financial institutions, including Lead Bank, Member FDIC.

When you access certain financial Services, such as stored value accounts, transaction processing, or compliance verification, your information may also be processed by Lead Bank. Your use of those Services is subject to Lead Bank’s Privacy Policy.

This Policy applies to personal information we collect from:

  • Users of our Merchant and Partner portals

  • Visitors to our public website

  • Payors completing transactions through our hosted payment pages

  • Payors submitting claims through our refund claim pages

This Policy does not apply to information collected directly by Merchants, Partners, or other third parties who may use our Services. We encourage you to review their privacy policies separately.

Our Services are not directed to children under the age of 13 and we do not knowingly collect personal information from them.

By using our Services, you acknowledge that your personal information may be processed by Bead and its Subprocessors as described in this Privacy Policy.

1.1 Controller vs Processor

For most Merchant and platform operations, Bead acts as a service provider/processor to our sponsor bank (Lead Bank) or platform Partners; Lead Bank or the platform may be the business/controller for those activities. For Bead’s own corporate purposes (e.g., site security, fraud prevention, account administration), Bead acts as a business/controller. We share data with Lead Bank and vetted Service Providers strictly to deliver the Services and meet legal obligations.

2. Information We Collect

We collect personal information to operate our platform, process payments, support Merchant and Partner accounts, and comply with legal and regulatory obligations. The type of information we collect depends on how you interact with our Services.

2.1 Controller vs Processor

You may provide personal information directly when you use our platform, request support, or communicate with us. This may include:

  • Contact information: such as name, email address, phone number, and business affiliation

  • Identity and verification data: such as date of birth, government-issued identification, or tax ID numbers (e.g., SSN, EIN)

  • Business details: such as business name, legal structure, beneficial ownership, location information, and supporting documentation

  • Account credentials: including usernames, passwords, and authentication settings

  • Payment and financial information: such as bank account numbers, wallet addresses, or refund routing details

  • Transaction details and end customer information: such as transaction amount, payment method, customer name, email, phone number, and shipping and/or billing address

  • Communications: such as inquiries, support requests, or correspondence with our team

2.2 Information We Collect Automatically

When you access our websites, hosted payment pages, or portals, we may automatically collect certain technical and usage data, such as:

  • Device and browser information: IP address, device type, operating system, and browser version

  • Usage data: page views, navigation paths, session timestamps, and interaction logs

  • Transaction metadata: timestamps, currency type, transaction outcome, and reference identifiers

  • Analytics data: collected on hosted payment pages to understand payment flow performance (e.g., bounce rates, abandonment, success), solely to support Merchant optimization—not for advertising or profiling

  • Security and fraud signals: bot detection, traffic anomalies, or usage patterns collected to detect and prevent abuse and protect platform integrity

2.3 Information We Receive from Third Parties

We may receive additional personal information from third-party sources, including:

  • Compliance and monitoring tools such as tools or platforms that support identity verification, sanctions screening, transaction risk scoring, or blockchain activity analysis

  • Financial and settlement Partners such as banks and processing providers who assist with fund transfers or account verification

  • Platform Partners (including resellers) such as those who help onboard or manage your relationship with Bead or submit data on your behalf

Category | Examples | Primary Source(s)
Identifiers | Name, email, phone, business address | You; Partners
Government/identity | SSN/EIN/ITIN, government ID, DOB, BO attestations | You; KYC/KYB vendors
Financial & transaction | Bank/routing, wallet address, settlement instructions, transaction history | You; payment submission; bank/processor
Device & usage | IP, device fingerprint, browser, session logs | Automatic (sites/portals)
Risk/compliance signals | Sanctions/PEP; adverse media; fraud scores; blockchain indicators | Compliance vendors

3. How We Use Your Information

We use the information we collect to operate our platform, provide Services to Merchants and Partners, and support secure and reliable payment experiences for Payors. Our use of personal information varies depending on how you interact with Bead.

We may use your information to:

  • Process payments and support transaction flows by handling payment initiation, confirmation, status tracking, and error resolution

  • Verify identity and conduct compliance screening for identity verification, fraud prevention, sanctions checks, and transaction monitoring

  • Operate and improve our platform through analytics, error diagnostics, and performance monitoring

  • Communicate with you about support requests, account notifications, and service-critical messages like transaction confirmations or platform alerts

  • Support Merchants and Partners with onboarding, team access, reporting tools, and settlement functionality

  • Meet legal, regulatory, and risk obligations through recordkeeping, audit trails, fraud detection, and investigations under laws such as the Bank Secrecy Act (BSA) and anti-money laundering (AML) rules.

We may also use aggregated or de-identified data for analytics, benchmarking, or internal business purposes. We do not use personal information for advertising, retargeting, or commercial behavioral profiling. We may analyze behavioral signals—such as repeated failed transactions, unusual payment patterns, or linked wallet activity—to detect fraud, improve platform security, and comply with financial laws. These measures are designed to protect Merchants, Payors, and the integrity of the Services.

4. How We Share Your Information

We only share personal information when necessary to operate our Services, comply with the law, or support our Partners. We do not sell personal information. The table below outlines how and when information may be shared, and whether you can limit that sharing:

Reasons we share your information | Do we share? | Can you limit this sharing?
For our everyday business purposes – to process your transactions, maintain your account, comply with legal requirements, or respond to court orders and investigations | Yes | No
For fraud prevention, compliance screening, or risk management | Yes | No
For our affiliates’ everyday business purposes – information about your transactions and experiences | Yes | No
For joint marketing with our client Partners (e.g., co-branded onboarding or platform communications for Merchants) | Yes | Yes, in some cases
For our affiliates to market to you | No | Not applicable
For non-affiliates to market to you | No | Not applicable
In connection with a business transfer (e.g., merger, acquisition) | Yes | No

We may share your information with Service Providers and financial Partners who support our operations—such as identity verification vendors, blockchain analytics providers, payment processors, CRM platforms, and banking Partners. These providers are contractually required to protect your data and use it only for the purposes we’ve authorized.

When we provide Services in collaboration with a regulated financial institution—such as Lead Bank, our sponsor bank—your information may also be shared with them as part of their compliance and operational responsibilities. You can find more details in Lead Bank’s Privacy Policy.

We may also collaborate with client Partners—such as platforms that manage Merchant relationships—to deliver co-branded onboarding experiences or Merchant-facing communications. While we do not market directly to Merchants working with these Partners, we may support them by providing service-related messages (such as onboarding instructions, platform notices, or service delay alerts). These communications are operational in nature and not promotional.

We do not sell your personal data, and we do not share your information for behavioral advertising, cross-context profiling, or unrelated third-party marketing.

5. Your Rights and Choices

Depending on where you live and how you interact with our Services, you may have rights under privacy laws such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), or other applicable data protection laws. We strive to offer transparency and reasonable choices to all users, regardless of location.

5.1 Access, Correction, and Deletion

You may have the right to:

  • Access the personal information we’ve collected about you

  • Correct inaccurate or incomplete information

  • Request deletion of certain information, subject to legal and regulatory retention requirements

To make a request, contact us at [email protected]. Before we can act on some requests, we may need to verify your identity. We aim to respond to eligible privacy requests within 30 days and may extend where permitted. If we decline your request, you may appeal by replying to our decision email; we will review and respond with our rationale.

If you request deletion of your data or restrict processing in ways that prevent us from meeting regulatory or operational requirements, we will be unable to continue providing the Services.

5.2 Managing Communication Preferences

You can opt out of marketing or promotional emails by clicking the unsubscribe link in the footer of any marketing email. You’ll still receive important service-related communications, such as transaction confirmations or platform notices.

Your marketing preferences are respected and stored in our communications system. If you opt out, we will continue to honor that request unless you instruct us otherwise.

5.3 Do Not Track & Global Privacy Controls

We do not sell personal information and do not share it for cross‑context behavioral advertising. If applicable in the future, we will treat a valid Global Privacy Control (GPC) signal as an opt‑out for sale/share where required by law.

5.4 Third-Party Analytics and Tracking

We use analytics tools, such as Google Analytics, to understand how users interact with our Services. These tools do not collect personal information for advertising purposes. You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-On.

On our hosted payment pages, we use analytics to help Merchants understand payment success, bounce, or error rates. This data is operational in nature and is not used to profile individuals or serve targeted content.

5.5 Data Retention

We retain personal information only as long as necessary to provide Services, comply with legal and regulatory requirements, and support security, auditing, and fraud prevention. For example:

  • Transaction and compliance records are retained for at least five years to meet anti-money laundering (AML) and Bank Secrecy Act (BSA) obligations

  • Account records related to Merchants and Partners are retained as long as the account is active, plus a reasonable period for audit and dispute resolution

  • Support tickets and operational logs may be retained to resolve issues, prevent abuse, or maintain platform stability

If you close your account or stop using our Services, we may continue to retain some information as required by law or for legitimate business purposes.

6. State Privacy Laws

Certain U.S. states, including California, Colorado, Virginia, Utah, and Connecticut, have enacted consumer privacy laws that may provide additional rights regarding your personal information. These laws may give you the right to:

  • Request access to the personal information we have collected about you

  • Request deletion or correction of certain information

  • Receive a portable copy of your information

  • Opt out of the sale or sharing of personal information, or the use of personal information for targeted advertising or profiling

  • Limit the use or disclosure of sensitive personal information

  • Appeal our decision if we decline to act on your request

We do not sell personal information or share it for cross-context behavioral advertising. If you are a resident of one of these states and would like to exercise your privacy rights, you can submit a request to [email protected]. We may ask you to verify your identity before fulfilling your request.

We will not discriminate against you for exercising your rights under state privacy laws.

7. Cookies & Online Tracking

We use cookies and similar technologies to operate our platform, measure performance, and protect users. We permit only: (i) essential cookies required for core functionality (transaction integrity, session security), (ii) operational analytics on hosted payment pages to help Merchants understand completion/abandonment/errors, and (iii) security/abuse‑prevention tools. We do not permit advertising or retargeting cookies on our Services. You can manage browser preferences and opt out of Analytics where available.

7.1 How We Use Cookies

We use cookies in the following ways:

  • Essential cookies: Required for the core functionality of our Services, including transaction integrity, fraud protection, and login/session security. These cookies are necessary to provide the Services, and you cannot opt out of them

  • Analytics cookies: Used to understand how users interact with hosted payment pages—for example, how often transactions are completed, abandoned, or result in errors. We use Google Analytics in a strictly operational capacity to help Merchants optimize the payment experience. We do not use analytics cookies for advertising, cross-site profiling, or retargeting

  • Security and abuse detection: Some cookies or passive tracking technologies may be used to detect bots, prevent brute-force attacks, or monitor for abusive behavior. These tools support the integrity and security of our Services

7.2 How to Manage Cookies

You can usually manage cookie preferences through your browser settings. Most browsers allow you to:

  • Block or delete existing cookies

  • Set preferences for certain types of cookies

  • Receive alerts before cookies are set

To opt out of Google Analytics tracking, you can also install the Google Analytics Opt-Out Browser Add-On.

7.3 Third-Party Tracking

Some third-party Services we use—such as analytics providers, bot detection tools, or DDoS protection Services—may collect limited technical data through our interfaces. These tools help protect our platform and users, and are used solely for operational purposes. We do not permit advertising cookies or behavioral tracking technologies on our Services.

8. Data Security & Retention

We take data security seriously and implement safeguards to protect personal information collected through our platform. These protections apply to all users, including Partners, Merchants, and Payors.

8.1 How We Protect Your Information

We use a combination of administrative, technical, and physical safeguards to protect personal data from unauthorized access, misuse, or loss. These include:

  • Encryption: Sensitive data is encrypted in transit and at rest.

  • Access controls: Personal information is restricted to authorized personnel based on business need

  • Authentication & session management: We use multi-factor authentication (MFA), timeouts, and session controls to protect account access

  • Monitoring & testing: We conduct regular audits, vulnerability assessments, and system monitoring to detect and respond to potential risks

  • Behavioral monitoring: We may analyze transaction patterns—such as repeated failures, inconsistent identity signals, or unusual wallet activity—to detect fraud or misuse

While no system is completely immune to risk, we are working toward SOC 2 Type I certification and take reasonable steps to maintain a secure environment that meets our legal, regulatory, and contractual responsibilities.

8.2 How Long We Keep Your Information

We retain personal information only as long as necessary to provide our Services, meet legal or regulatory requirements, resolve disputes, and maintain business continuity and platform integrity. Examples include:

  • Transaction and compliance records: Retained for at least five years under anti-money laundering (AML), Bank Secrecy Act (BSA), and similar financial regulations

  • Merchant and Partner account data: Retained for the life of the account and a reasonable period thereafter to support audits, risk management, and legal defense

  • Support messages and diagnostic logs: Retained as needed for service continuity, issue resolution, and abuse prevention

  • Behavioral or fraud monitoring data: Retained to meet compliance and risk scoring obligations, in accordance with our internal policies

  • Blockchain transaction history and monitoring data: Retained according to regulatory obligations and internal risk assessment policies

If you close your account or stop using our Services, we may still retain certain information as required by law or for internal recordkeeping, risk management, or audit purposes. Retention periods may be adjusted based on legal requirements or valid data subject requests.

9. International Users & Data Transfers

Our Services are primarily designed for the United States. If your information is processed outside your home country (for example, by an infrastructure or compliance vendor), we use appropriate safeguards such as data‑processing agreements and, where applicable, Standard Contractual Clauses (SCCs).

10. Third-Party Services

We work with trusted third-party providers to support the operation, security, and performance of our platform. These providers help us deliver core functionality such as identity verification, payment processing, compliance monitoring, customer support, and infrastructure hosting.

When you use our Services, your personal information may be shared with or processed by these third parties under contractual agreements that limit their use of your data to the purposes we’ve authorized. These providers are required to maintain appropriate safeguards and to comply with applicable privacy and data security standards.

We may also engage subprocessors—specialized Service Providers that process personal information strictly on our behalf to support specific operational needs. Subprocessors do not use your information for their own purposes and are bound by the same data protection obligations that apply to our other Service Providers. A list of our active subprocessors can be found at bead.xyz/legal/subprocessors. You may contact us at [email protected] if you have questions or concerns about our use of Subprocessors.

Examples of third-party relationships include:

  • Regulated banking partners to support account-level compliance, settlement, and risk oversight

  • Compliance and risk tools for identity verification, sanctions screening, transaction monitoring, and fraud detection

  • Infrastructure and hosting providers for secure data storage and system reliability

  • CRM, contract execution, and communication platforms to manage Merchant and Partner relationships

  • Analytics and diagnostic tools to understand platform performance, detect bugs, and improve the user experience

Some of these providers may be located outside the United States or may process data internationally as part of their infrastructure operations. We do not allow third parties to use your personal information for their own marketing or profiling purposes without our instruction.

11. Updates & Contact Information

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. If we make material changes, we’ll notify you through our platform or by other appropriate means. We encourage you to review this policy periodically.

Continued use of our Services after an update constitutes your acknowledgment of the revised policy. Additional rights may apply under other state privacy laws, and we will update this policy as needed to reflect evolving legal requirements.

If you have questions, concerns, or requests related to this Privacy Policy or your personal information, you can contact us at:

Bead, Inc.
8 The Green #11345
Dover, DE 19901
[email protected]
