Privacy Policy
Effective Date: May 19, 2026
ShotPay is preparing for public launch. This Privacy Policy is published in advance of that launch and may be updated prior to launch as final regulatory review concludes. Questions about ShotPay’s privacy practices may be directed to [email protected].
This Privacy Policy describes how ShotPay Inc. (“ShotPay,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use our website, mobile-responsive web application, embeddable merchant widget, customer dashboard, and BNPL and Layaway financial services (collectively, the “Services”). This Policy is designed to comply with the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Fair Credit Reporting Act (FCRA), state data-breach notification laws, the Children’s Online Privacy Protection Act (COPPA), and the privacy laws of every U.S. state in which we operate.
1. INTRODUCTION
ShotPay Inc. is the data controller for personal information collected through the Services. Our principal address is New Braunfels, Texas. You can contact our Privacy Officer at [email protected] with any questions about this Policy.
This Policy applies to information we collect through the Services and through your interactions with our customer support, marketing, and other channels. It does not apply to information that merchants or third parties collect about you when you visit their websites or services, even if those services integrate with ShotPay.
2. INFORMATION WE COLLECT
The categories of personal information we collect about you depend on how you interact with the Services. We collect the following categories:
2.1 Personal Identifiers
Full name, mailing address, email address, telephone number, date of birth.
Social Security Number (full or last 4 digits, depending on regulatory requirement).
Government-issued identification (driver's license, passport, state ID) — collected through our identity-verification vendor.
Biometric identifiers (facial-recognition match data, ID photo) — held by our verification vendor; ShotPay receives only the verification result.
2.2 Financial Information
Bank account number and routing number (for ACH debits).
Debit or credit card number, expiration date, and CVV — tokenized through our payment processor. ShotPay never stores raw card numbers; we comply with PCI-DSS SAQ-A.
Transaction history with ShotPay (loan applications, payments, balances, fees).
Income or employment information, if collected during underwriting.
2.3 Credit Information
Credit score obtained from consumer reporting agencies (through our designated credit-reporting vendor).
Consumer-report data (tradelines, public records, inquiry history) — held briefly during underwriting.
Our internal credit-decision outputs (risk-tier assignment, approval status, counteroffer terms).
2.4 Device and Usage Information
IP address, browser type, device fingerprint, operating system, mobile-device identifiers.
Pages visited, items viewed, time spent on Services, navigation paths.
Cookies and similar tracking technologies (see Section 8).
Geolocation, if you permit your browser or device to share it.
2.5 Behavioral Information
Marketing preferences and communication-channel choices.
Customer service interactions (call recordings where consented, email correspondence, chat transcripts).
Survey responses and product feedback.
2.6 Firearm-Related Information
Firearms-Specific Data Collection
Because ShotPay operates in the firearms vertical, we may also collect:
The FFL holder through which a firearm transfer occurs.
Categorical purchase data (firearm vs. accessory vs. ammunition) — but not the make, model, or serial number of any individual firearm.
State of residence and destination FFL state, used to determine state-rules eligibility.
Background-check result (pass/fail/delay) as reported to us by the merchant FFL.
We do not collect or retain the specific make, model, or serial number of firearms you purchase, consistent with state firearms-purchase-privacy statutes.
3. How We Use Your Information
We use the personal information we collect for the following purposes:
To provide our financial services: evaluate loan applications, make credit decisions, originate and service loans and layaway agreements, process payments, manage your account.
To verify your identity: comply with Customer Identification Program (CIP), Know Your Customer (KYC), and Bank Secrecy Act / Anti-Money Laundering (BSA/AML) requirements.
To prevent fraud: conduct transaction monitoring, screen against OFAC and other government watchlists, investigate suspicious activity.
To comply with legal obligations: respond to subpoenas and court orders, cooperate with regulatory examinations, retain records required by law.
To collect amounts owed: contact you about past-due payments and engage in-house or third-party collection efforts.
To improve the Services: conduct analytics, test new product features, perform A/B testing (using anonymized or pseudonymized data wherever possible).
For marketing: send you promotional messages about ShotPay products and offers (only with your opt-in consent, except for transactional messages).
For credit reporting: we do not report Pay-in-4 or Layaway activity to consumer reporting agencies at launch. We may furnish information for accounts in default or collections (see Customer Loan Agreement §8).
4. How We Share Your Information
We share personal information only as described in this Policy. We do not sell your personal information for monetary consideration. We share information with the following categories of recipients:
- A. Merchants. Limited transaction-related information (your name, transaction amount, completion status) is shared with the merchant where you make a purchase, so the merchant can fulfill your order.
- B. Bank partners. When ShotPay enters into a bank-partner arrangement, we will share credit-decision information, account information, and transaction data with the partner bank so it can originate the loan. (No bank partner at launch.)
- C. Payment processors. We share payment-method details with our payment processors so they can debit your authorized payment methods.
- D. Consumer reporting agencies. We share information when we obtain a credit report at the time of your application, and we may furnish information to consumer reporting agencies for accounts in default or collections.
- E. Identity-verification vendors. We share identity-related information with our identity-verification vendor for CIP/KYC verification.
- F. Fraud-prevention vendors. We share relevant information with fraud-detection vendors permitted under FCRA §1681b(a)(3)(F)(i).
- G. Collection agencies and legal counsel. When an account becomes delinquent and collection efforts begin, we may share information with our collection partners and outside counsel.
- H. Service providers. We share information with vendors that support our operations (hosting, customer support, analytics) under written confidentiality agreements. Our key service providers include our hosting, database, SMS, and email service vendors, each operating under written confidentiality agreements.
- I. Regulators and law enforcement. We disclose information when required by law, court order, subpoena, regulatory examination, or to protect rights, property, or safety.
- J. Affiliates. We share information with affiliates of ShotPay (currently none) as permitted by GLBA.
- K. Corporate transactions. If ShotPay is acquired, merged, or sells substantially all of its assets, customer information may transfer to the successor entity as part of the transaction.
5.1 California (CCPA/CPRA)
If you are a California resident, you have the following rights, subject to exceptions for GLBA-covered financial information and for our ongoing servicing of your loan or layaway account:
Right to know what personal information we collect, use, and share.
Right to delete personal information, subject to GLBA, FCRA, and other exceptions for active financial-services accounts.
Right to correct inaccurate personal information.
For marketing: send you promotional messages about ShotPay products and offers (only with your opt-in consent, except for transactional messages).
Right to opt out of sale or sharing (we do not sell personal information; "sharing" under CPRA includes cross-context targeted advertising).
Right to limit use of sensitive personal information (SSN, financial account info, biometrics, geolocation).
Right of non-discrimination — we will not deny services or charge different prices for exercising these rights.
To exercise these rights, contact us at [email protected]. We will respond within 45 days as required by CCPA.
5.2 Other State Privacy Laws
Similar rights are available to residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, and other states with consumer privacy laws. Each state’s rights and exceptions vary slightly. We honor Global Privacy Control (GPC) signals as required by California and Colorado.
6. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect personal information, consistent with the GLBA Safeguards Rule (16 CFR §314). These include:
Encryption of personal information in transit (TLS 1.2+) and at rest (managed encryption through our hosting providers).
Role-based access controls and authentication for our employees and contractors.
Periodic security training and background checks for personnel with access to customer data.
Vendor due-diligence and contractual data-protection requirements (our key vendors maintain SOC 2 Type II reports).
Incident-response procedures and continuous security monitoring.
7. Marketing Communications
We may send you marketing communications about ShotPay products, promotions, and offers only if you have opted in. You may opt out of marketing emails at any time by clicking “unsubscribe” at the bottom of any marketing email. You may opt out of marketing SMS by replying STOP to any marketing text message. Opting out of marketing communications does not affect transactional communications (payment reminders, account notifications, fraud alerts), which are required to service your account. See our TCPA Consent for additional detail.
8. Cookies and Tracking Technologies
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the Effective Date. Your continued use of the Services following such changes constitutes your acceptance.
Strictly necessary cookies: required for the Services to function (login, session, security).
Analytics cookies: we use analytics tools that do not share data with third-party advertisers.
Advertising cookies: we do not currently use third-party advertising cookies (no Meta Pixel, no Google Ads pixel).
Our cookie banner allows you to manage cookie preferences. We honor Global Privacy Control (GPC) signals from your browser. California and Colorado residents may exercise their right to opt out of sale or sharing through our cookie banner or by emailing [email protected].
9. Children’s Privacy
ShotPay does not knowingly collect personal information from children under 13. Our Services are intended for adults 18 years of age or older (21+ for firearm purchases). If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information. If you believe we have collected such information, contact us at [email protected].
10. International Users
ShotPay Services are intended for use by United States residents only. If you access our Services from outside the United States, you do so at your own risk. We do not represent that the Services are appropriate or available for use in other locations. We do not target European Union or United Kingdom residents, and our Services are not subject to the General Data Protection Regulation (GDPR) or the UK GDPR. If we expand internationally in the future, we will update this Policy and notify users.
11. Data Retention
We retain personal information for different periods depending on the type of information and applicable legal requirements:
Active loan or layaway accounts: for the duration of the account plus 7 years after closure (consistent with IRS recordkeeping requirements).
Declined applications: 25 months, as required by ECOA §1002.12(b).
Adverse-action notices: 25 months, as required by ECOA §1002.12(b).
BSA/AML records (CIP/KYC): 5 years post-account-closure, as required by 31 CFR §1020.410.
OFAC screening records: 5 years, per OFAC recordkeeping requirements.
Marketing opt-out records: indefinitely, to ensure we honor your opt-out permanently (CAN-SPAM and TCPA).
Firearm-related categorical data: retention varies by state; see Section 2.6 for details.
12. Your Choices and Controls
You can manage your privacy and data through the following channels:
Update your profile information through your customer dashboard.
Manage your payment methods through your customer dashboard.
Opt out of marketing emails (click "unsubscribe") and SMS (reply STOP).
Submit a state-rights request (right to know, delete, correct, opt out) by emailing [email protected].
Dispute inaccurate information furnished to consumer reporting agencies under FCRA §1681i.
Close your account (subject to the limitations described in our Consumer Terms of Service §13).
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email and by posting a notice on our website at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy. We may prompt you for re-acknowledgment of material changes through your customer dashboard.
14. Contact Us
For questions about this Privacy Policy or to exercise your privacy rights:
ShotPay, Inc.
Attn: Privacy Officer
1156 Post Oak Dr Canyon Lake, TX 78133
Email: [email protected]
Phone: (844)SHOTPAY
California residents: For CCPA/CPRA requests, contact us at the address above or use our state-rights request portal.