Privacy Policy

This Privacy Policy describes how Aplite LLC ("Aplite," "we," "us," or "our") collects, uses, discloses, retains, and protects information obtained from individuals and businesses ("you" or "users") who access or use our platform, website, and services (collectively, the "Services"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

Aplite operates a verified payment identity platform that assigns Universal Payment Identifiers (UPIs) to verified businesses. Given the sensitive nature of the information we handle, including identity documents, biometric data, and business financial information, we are committed to maintaining the highest standards of data protection and transparency.

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

When you register for or use our Services, we collect the following categories of information directly from you:

Account and Contact Information:

• Full legal name
• Email address
• Phone number
• Business name and legal entity type
• Business address
• Job title and role within your organization

Business Verification Information:

• Employer Identification Number (EIN) or Tax Identification Number (TIN)
• Business incorporation and registration documents

1.2 Information Collected Through Third-Party Service Providers

Certain categories of sensitive information are collected and processed on our behalf by specialized third-party service providers, as follows:

Identity Verification (via Persona Technologies, Inc.):

• Government-issued identification documents (e.g., passport, driver's license)
• Biometric data, including facial scan imagery and liveness detection data
• Date of birth
• Identity document numbers and associated government database verification results

Aplite does not directly receive, access, or store raw identity document data or biometric information. Persona collects, processes, and retains this data in accordance with its own privacy policy and data processing agreements. Aplite receives only a verification result (pass/fail) and a tokenized reference identifier.

Encrypted Financial Data (via Evervault, Inc.):

• Banking information, including account numbers and routing numbers
• Wire transfer details, including SWIFT codes and international banking identifiers

Aplite does not directly receive, view, or store raw banking credentials. All financial data is encrypted by Evervault at the point of entry before transmission to our systems. Aplite retains only encrypted tokens and does not possess decryption keys for this information.

1.3 Payment Processing Information (via Stripe, Inc.)

Subscription fees and platform payments are processed exclusively through Stripe, Inc. Users are redirected to Stripe's hosted payment interface to complete transactions. Aplite does not collect, transmit, or store payment card numbers, bank account information for billing purposes, or any financial instrument data associated with platform subscription payments.

1.4 Automatically Collected Information

When you access or use our Services, we automatically collect certain technical and usage information, including:

• IP address and approximate geographic location
• Device type, operating system, and browser information
• Pages visited, features accessed, and time spent on the platform
• Log data, including access timestamps and error reports
• Cookie and similar tracking technology data, as described in Section 8 below

2. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

Service Delivery and Operations:

• To create and manage your account and workspace
• To verify your business identity and the identities of authorized users within your organization
• To generate, issue, and maintain Universal Payment Identifiers (UPIs)
• To enable Accounts Payable teams to retrieve verified vendor payment details
• To maintain complete and immutable audit logs of platform activity

Security, Fraud Prevention, and Compliance:

• To detect, investigate, and prevent fraudulent activity, impersonation, and unauthorized access
• To cross-reference identity verification data between onboarding and UPI generation
• To flag accounts that fail identity verification checks for manual review
• To comply with applicable laws, regulations, and legal obligations

Platform Improvement and Communications:

• To analyze usage patterns and improve the functionality of our Services
• To send transactional and operational communications, including account notifications, security alerts, and audit log reports
• To respond to support inquiries and resolve disputes

3. HOW WE PROTECT YOUR INFORMATION

Aplite employs industry-leading technical and organizational security measures to protect your information, including:

• Encryption of all data in transit using Transport Layer Security (TLS) 1.3
• Encryption of all data at rest using AES-256 encryption
• Segregated encryption key management through Evervault, ensuring that Aplite personnel cannot access raw financial data
• Role-based access controls (RBAC) restricting internal access to user data on a strict need-to-know basis
• Mandatory two-factor authentication (2FA) for all platform accounts
• Comprehensive and immutable audit logging of all data access events
• Regular security assessments and vulnerability testing

4. DISCLOSURE OF YOUR INFORMATION

4.1 Service Providers

We disclose certain user information to the following third-party service providers solely for the purpose of delivering our Services:

• Persona Technologies, Inc. — Identity verification services
• Evervault, Inc. — Data encryption and security infrastructure
• Stripe, Inc. — Payment processing for platform subscriptions

Each of these providers is bound by contractual data processing agreements and applicable data protection laws. We do not authorize these providers to use your information for any purpose other than providing services to Aplite.

4.2 Legal Obligations

We may disclose your information to law enforcement agencies, regulatory authorities, or other third parties where required to do so by applicable law, court order, or governmental regulation, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Aplite, our users, or the public.

4.3 No Sale of Personal Information

Aplite does not sell, rent, trade, or otherwise transfer your personal information to third parties for commercial or marketing purposes. We will never monetize your data.

5. DATA RETENTION

We retain your information for the following periods:

• Account and contact information: Duration of your account plus seven (7) years following account termination
• Identity verification records and audit logs: Seven (7) years from the date of verification or account termination, whichever is later, in compliance with financial recordkeeping obligations
• Encrypted banking data tokens: Duration of your account plus seven (7) years following account termination
• Usage and log data: Two (2) years from collection

Following the applicable retention period, we will securely delete or anonymize your information. Note that certain information may be retained longer where required by law, regulation, or legitimate legal proceedings.

6. YOUR RIGHTS AND CHOICES

Subject to applicable law, you may have the following rights with respect to your personal information:

• Right of Access: You may request a copy of the personal information we hold about you
• Right to Correction: You may request correction of inaccurate or incomplete information
• Right to Deletion: You may request deletion of your personal information, subject to our legal retention obligations
• Right to Data Portability: You may request that we provide your information in a structured, machine-readable format
• Right to Restrict Processing: You may request that we restrict certain processing activities

To exercise any of these rights, please contact us at legal@aplite.com. We will respond to verified requests within thirty (30) days. Please note that certain rights may be subject to limitations where retention is required by applicable law.

7. GDPR AND CCPA COMPLIANCE

7.1 European Union and United Kingdom Users (GDPR)

If you are located in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to lodge a complaint with your local data protection authority. Our lawful bases for processing include performance of a contract, compliance with legal obligations, and legitimate interests in fraud prevention and platform security.

7.2 California Residents (CCPA/CPRA)

California residents have the right to know what personal information we collect and how it is used, the right to delete their personal information, the right to opt out of the sale of personal information (Aplite does not sell personal information), and the right to non-discrimination for exercising their privacy rights.

8. COOKIES AND TRACKING TECHNOLOGIES

Aplite uses cookies and similar tracking technologies to operate and improve our Services. The types of cookies we use include:

• Essential Cookies: Required for the operation of our platform, including authentication and session management
• Analytics Cookies: Used to understand how users interact with our platform and identify areas for improvement
• Security Cookies: Used to detect and prevent fraudulent activity and unauthorized access

You may configure your browser settings to refuse cookies or to alert you when cookies are being set. Please note that disabling certain cookies may affect the functionality of our Services.

9. CHILDREN'S PRIVACY

Our Services are intended exclusively for business use by individuals who are eighteen (18) years of age or older. We do not knowingly collect personal information from individuals under the age of eighteen. If we become aware that we have inadvertently collected information from a minor, we will promptly delete such information.

10. CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will provide notice through the platform and/or via email to your registered address at least thirty (30) days prior to the changes taking effect. Your continued use of our Services following the effective date of any modifications constitutes your acceptance of the updated Privacy Policy.

11. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: