- 1. Who We Are
- 2. Information We Collect
- 3. How We Use Information
- 4. Biometric Data
- 5. How We Share Information
- 6. Data Retention
- 7. Your Privacy Rights
- 8. Security Measures
- 9. Cookies and Tracking
- 10. International Transfers
- 11. Children's Privacy
- 12. CCPA/CPRA Rights
- 13. HIPAA and Cannabis
- 14. Changes to Policy
- 15. Contact Us
1. Who We Are
OmniPay Solutions ("OmniPay," "we," "us," or "our") is a New Jersey-based cannabis payment technology company. We operate the OmniPay platform, website (omnipossolution.com and subdomains), mobile applications, and related APIs and services.
This Privacy Policy applies to personal information we collect from:
- Dispensary Customers — cannabis retail businesses using our platform;
- Consumers — end-users purchasing cannabis at our Customer dispensaries;
- Website Visitors — individuals browsing our marketing websites;
- API Developers — third-party developers integrating with our APIs.
2. Information We Collect
2.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email, password, phone number | Authentication, communication |
| Business Information | Dispensary name, license number, EIN, DBA | KYC, compliance verification |
| Banking Information | Routing number, account number | ACH processing, settlement |
| Identity Information | Government ID, date of birth (21+ verification) | Age verification, regulatory compliance |
| Payment Information | Transaction amount, timestamp, dispensary | Payment processing, receipts |
| Communications | Support messages, survey responses | Customer service, improvement |
2.2 Information Collected Automatically
- Device Information — IP address, browser, operating system, device ID;
- Usage Data — pages visited, features used, click patterns, session duration;
- Location Data — approximate geolocation derived from IP address (used for fraud prevention);
- Cookies and Similar Technologies — see Section 9.
2.3 Information from Third Parties
- State cannabis regulators (license verification);
- Banking partners and KYC/KYB verification services;
- Risk and fraud detection services;
- METRC and state seed-to-sale tracking systems.
3. How We Use Information
We use your information for the following purposes:
- Provide the Services — process payments, generate receipts, track inventory, verify compliance;
- Account Management — authenticate users, provide support, process payments and refunds;
- Fraud Prevention — detect and prevent fraud, money laundering, and unauthorized access;
- Regulatory Compliance — METRC reporting, state tax reporting, AML/BSA compliance;
- Communications — send transaction notifications, service updates, marketing (with consent);
- Analytics and Improvement — understand platform usage, improve features, develop new services (anonymized/aggregated);
- Legal Obligations — respond to subpoenas, court orders, and regulatory inquiries.
4. Biometric Data
4.1 What We Collect
When Consumers opt-in to our patent-pending biometric payment authentication, we collect:
- Biometric Templates — mathematical representations of facial geometry or palm vein patterns;
- Authentication Logs — timestamp and success/failure status of authentication attempts.
We do NOT collect or store:
- Raw biometric images (no actual photos of your face, palm, or fingerprints);
- Biometric data without explicit consent;
- Biometric data from minors.
4.2 How We Protect Biometric Data
- On-Device Processing — biometric authentication uses WebAuthn/FIDO2 standards; raw biometrics never leave your device;
- Encryption — biometric templates are encrypted at rest with AES-256 and in transit with TLS 1.3;
- Access Controls — biometric data is accessible only to authorized personnel with MFA;
- No Third-Party Sharing — we do not share, sell, lease, or otherwise disclose biometric data to third parties except as required by law;
- Retention — biometric data is deleted within 3 years of last use or upon account closure, whichever is earlier.
4.3 Your Biometric Rights
You have the right to:
- Opt-out of biometric authentication at any time;
- Request deletion of biometric data;
- Access the categories of biometric information we hold about you;
- Receive a copy of this biometric policy in writing.
5. How We Share Information
We share personal information only as described below:
- Service Providers — cloud hosting (AWS/Azure), banking partners (Affinity Federal Credit Union and other sponsoring financial institutions), SMS providers, KYC services — all bound by confidentiality and data protection agreements;
- Regulatory Authorities — METRC, state cannabis control boards, FinCEN (for AML/BSA reporting), IRS (for tax reporting);
- Legal Requirements — to comply with subpoenas, court orders, or legal obligations;
- Business Transfers — in connection with a merger, acquisition, or sale of assets (with prior notice);
- With Your Consent — for any purpose disclosed to you at the time of collection.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 7 years (tax/regulatory) |
| Transaction Records | 7 years (BSA/AML requirement) |
| Biometric Templates | 3 years from last use or account closure |
| Support Communications | 3 years |
| Website Analytics | 2 years (anonymized) |
| Cookies | Session to 1 year (see Section 9) |
| Backup Data | 30 days rolling |
7. Your Privacy Rights
Depending on your location, you may have the following rights:
- Access — request a copy of your personal information;
- Correction — request correction of inaccurate information;
- Deletion — request deletion (subject to legal retention requirements);
- Portability — receive data in a structured, machine-readable format;
- Opt-Out — opt out of marketing communications and non-essential tracking;
- Restrict Processing — request we limit how we use your information;
- Object — object to processing based on legitimate interests;
- Non-Discrimination — we will not discriminate against you for exercising these rights.
To exercise these rights, email support@omnipay-solution.com. We will respond within 45 days.
8. Security Measures
We implement comprehensive security measures including:
- Encryption — AES-256 at rest, TLS 1.3 in transit;
- Access Controls — role-based access, MFA required for all staff;
- Network Security — firewalls, intrusion detection, DDoS mitigation;
- Monitoring — 24/7 security monitoring with automated alerts;
- Backups — automated backups every 6 hours with verified restorability;
- Disaster Recovery — SMS/email escalation and SOS alerts for system issues;
- Penetration Testing — regular third-party security audits;
- Incident Response — documented procedures with breach notification within 72 hours where required.
9. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Cookies — authentication, security, basic functionality (cannot be disabled);
- Functional Cookies — remember preferences, language, settings;
- Analytics Cookies — understand usage patterns (anonymized);
- Marketing Cookies — only with consent; can be disabled in browser settings.
You can control cookies through your browser settings. Disabling essential cookies may prevent the Services from functioning.
10. International Transfers
OmniPay operates primarily in the United States. If you access our Services from outside the US, your information may be transferred to, stored in, and processed in the US. By using our Services, you consent to such transfers. We implement appropriate safeguards including Standard Contractual Clauses for transfers from EEA/UK jurisdictions.
11. Children's Privacy
Our Services are restricted to individuals aged 21 and over (or the state-specific minimum cannabis purchase age). We do not knowingly collect personal information from anyone under 21. If we learn we have collected information from someone under 21, we will delete it immediately.
12. California Privacy Rights (CCPA/CPRA)
California residents have additional rights under CCPA and CPRA:
- Right to Know — categories of personal information collected, sources, purposes, third parties;
- Right to Delete — deletion of personal information (subject to exceptions);
- Right to Correct — correction of inaccurate personal information;
- Right to Opt-Out of Sale/Sharing — we do not sell or share personal information for cross-context behavioral advertising;
- Right to Limit Use of Sensitive Personal Information — biometric data and financial account information are treated as sensitive;
- Right to Non-Discrimination — we will not discriminate for exercising rights.
California residents may designate an authorized agent. Verification of identity is required for all requests.
13. HIPAA and Cannabis
In states with medical cannabis programs, we may receive Protected Health Information (PHI). When acting as a Business Associate, we comply with HIPAA Security and Privacy Rules. Medical cannabis patient information is subject to the same protections as any protected health information.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via:
- Email notification to registered users;
- Prominent notice on our website;
- In-app notification (where applicable).
The "Last Updated" date at the top reflects the most recent revision. Continued use after updates constitutes acceptance.
15. Contact Us
For privacy questions, requests, or concerns:
Privacy Officer
Email: support@omnipay-solution.com
Phone: +1 (732) 558-7464
Address: New Jersey, United States
Response Time: Within 45 days for all privacy requests.
This Privacy Policy is available in additional languages upon request. If there is any conflict, the English version controls.