Data protection & DSR

Paylera processes personal data on your behalf. This page covers the controls we ship and the API surface for fulfilling data-subject requests (DSRs).

Personal data we hold

Per customer record, we may store:

  • Identifiers — email, name, phone, customer ID, your foreign keys.
  • Address — billing and (optional) shipping.
  • Financial — provider tokens (not cards), invoice history, payment history, wallet balances.
  • Tax — tax IDs (VAT, ABN, EIN), exemption certificates.
  • Behavioural — usage events you’ve posted (volume only; contents are yours to design).

Per actor (operator user) record:

  • Identifiers — email, name, role, audit-log activity.

What we don’t hold:

  • The contents of your usage events beyond what you send.
  • Your end-users’ application-level personal data (your CRM is yours).
  • Card numbers / CVV.

Sub-processors

The current list is published in the dashboard at Settings → Legal → Sub-processors, with effective dates and the categories of data each handles. Major categories:

  • AWS — primary infrastructure (compute, RDS, S3).
  • Stripe / PayPal / Adyen / Braintree — payment providers (data flows: as you’ve configured).
  • Sendgrid — transactional email delivery.
  • Datadog — observability (anonymised; PII fields scrubbed).

We give 30 days’ notice before adding a sub-processor and let you object via the dashboard.

Data residency

At tenant creation, pick a residency: us, eu, apac. Data is stored, processed, and replicated only within that region. Cross-region replication for disaster recovery happens within the residency boundary (e.g. eu-west-1 → eu-central-1 for the EU region).

Residency cannot be changed after tenant creation. To change, create a new tenant and migrate.

Retention policy

  • Active customer / subscription / invoice records — while the account is active + 7 years (financial record retention).
  • Soft-deleted customers — 30 days as recoverable, then anonymised; financial records keep the customer ID but PII is wiped.
  • Audit log — 7 years from action timestamp.
  • Webhook delivery logs — 90 days.
  • Application logs (per-request) — 30 days.
  • Tax documents — 10 years (jurisdictional minimum).

Right of access (export)

A customer’s full record is exportable on demand:

POST /v1/admin/dsr/access-requests
Idempotency-Key: <uuid>
{
  "customer_id": "cus_…",
  "format": "json"
}

The response includes a request_id. Poll GET /v1/admin/dsr/access-requests/{id} for completion (usually under 60 seconds; longer for customers with large histories). The download URL is signed, single-use, and valid for 24 hours.

The export includes every field Paylera stores about the customer — no filtering, no redactions. Hand it to the requester verbatim.
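The request-then-poll flow above, as an added example that is not Paylera's client code. The transport is injected so the logic runs offline against FakePaylera, a constructed stand-in that mimics the documented endpoint behaviour (idempotent replay of the POST, pending-then-complete polling, a single-use download URL). The `status` and `download_url` response fields are assumptions; the page names only `request_id`. The practical point it shows: keep the Idempotency-Key of a request that timed out and resend it with the same key, so the retry resolves to the same export job rather than queueing a second export of the same person's data, and persist the download immediately because the URL cannot be fetched twice.

```python
"""Added example: submit a DSR access request, poll it, fetch the single-use export.
transport(method, path, headers=None, body=None) -> (status_code, json_body)
"""
import time
import uuid

ACCESS_PATH = "/v1/admin/dsr/access-requests"
EXPORT_HOST = "https://exports.example.invalid/"   # constructed, not a real host


class FakePaylera:
    """Constructed in-memory stand-in for the documented endpoints."""

    def __init__(self, polls_until_ready=2):
        self.jobs = {}         # request_id -> job state
        self.idem_keys = {}    # Idempotency-Key -> request_id (replay protection)
        self.downloads = {}    # request_id -> downloads remaining (URL is single-use)
        self.polls_until_ready = polls_until_ready

    def __call__(self, method, path, headers=None, body=None):
        headers = headers or {}
        if method == "POST" and path == ACCESS_PATH:
            key = headers.get("Idempotency-Key")
            if key in self.idem_keys:   # retried POST: same job, no duplicate export
                return 200, {"request_id": self.idem_keys[key], "status": "pending"}
            rid = f"dsr_{len(self.jobs) + 1}"   # constructed request id
            self.jobs[rid] = {"polls": 0, "customer_id": body["customer_id"], "format": body["format"]}
            self.idem_keys[key] = rid
            self.downloads[rid] = 1
            return 202, {"request_id": rid, "status": "pending"}
        if method == "GET" and path.startswith(ACCESS_PATH + "/"):
            rid = path.rsplit("/", 1)[1]
            job = self.jobs[rid]
            job["polls"] += 1
            if job["polls"] >= self.polls_until_ready:
                return 200, {"request_id": rid, "status": "complete",
                             "download_url": f"{EXPORT_HOST}{rid}?sig=CONSTRUCTED"}
            return 200, {"request_id": rid, "status": "pending"}
        if method == "GET" and path.startswith(EXPORT_HOST):
            rid = path.split("/")[-1].split("?")[0]
            if self.downloads.get(rid, 0) < 1:
                return 410, {"error": "url_consumed"}   # second fetch of a single-use URL
            self.downloads[rid] -= 1
            job = self.jobs[rid]
            return 200, {"customer_id": job["customer_id"], "format": job["format"]}
        return 404, {}


def submit_access_request(transport, customer_id, fmt="json", idempotency_key=None):
    """Returns (request_id, idempotency_key). Reuse the key when retrying after a
    network timeout so the retry maps to the same export job."""
    key = idempotency_key or str(uuid.uuid4())
    status, body = transport("POST", ACCESS_PATH, {"Idempotency-Key": key},
                             {"customer_id": customer_id, "format": fmt})
    if status not in (200, 202):
        raise RuntimeError(f"access request failed: {status} {body}")
    return body["request_id"], key


def wait_for_export(transport, request_id, timeout_s=120, poll_interval_s=0.0):
    """Polls the request until it reports complete; returns the signed download URL."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        status, body = transport("GET", f"{ACCESS_PATH}/{request_id}")
        if status == 200 and body.get("status") == "complete":
            return body["download_url"]
        time.sleep(poll_interval_s)
    raise TimeoutError(f"export {request_id} not ready after {timeout_s}s")


def fetch_export(transport, download_url):
    """Downloads the export exactly once. Persist the result before doing anything
    else: the URL is single-use, so a repeat GET is rejected."""
    status, body = transport("GET", download_url)
    if status != 200:
        raise RuntimeError(f"download failed: {status} {body}")
    return body
```

Usage: `api = FakePaylera(); rid, key = submit_access_request(api, "cus_constructed_1"); url = wait_for_export(api, rid); export = fetch_export(api, url)`. Against the live API, replace FakePaylera with a function that performs the HTTP call and returns `(status_code, parsed_json)`.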

Right of erasure (delete)

POST /v1/admin/dsr/erasure-requests
Idempotency-Key: <uuid>
{
  "customer_id": "cus_…",
  "reason": "data_subject_request"
}

The customer is soft-deleted immediately and anonymised after 30 days:

  • Email replaced with redacted-{hash}@paylera.io.
  • Name replaced with Redacted Customer.
  • Address fields replaced with null.
  • Tax IDs deleted.
  • Metadata stripped.

What survives: customer ID, invoice history, payment history, ledger entries — financial records that you are legally required to retain (typically 7 years).

The 30-day window allows you to reconsider; before then, undelete with POST /v1/admin/customers/{id}/undelete.

A customer who has been anonymised cannot be unanonymised; the data is gone.
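The erasure lifecycle described above (soft delete, 30-day recovery window, then anonymisation that keeps financial records), as an added example that is not Paylera's code, modelled locally on constructed records. Assumptions not stated on the page: the hash in the redacted email is a truncated SHA-256 of the customer ID (the page says only `redacted-{hash}`), the field names of the customer record, and the `anonymised_at` timestamp on the anonymised record. Note that address fields are nulled one by one, `tax_ids` is removed entirely, and invoices are returned untouched so they still reference the customer ID.

```python
"""Added example: soft delete, undelete within 30 days, anonymise after 30 days."""
import copy
import hashlib
from datetime import datetime, timedelta, timezone

RECOVERY_WINDOW = timedelta(days=30)


def redacted_email(customer_id):
    # Assumed hash: stable per customer, reveals nothing about the original address.
    digest = hashlib.sha256(customer_id.encode("utf-8")).hexdigest()[:16]
    return f"redacted-{digest}@paylera.io"


def soft_delete(customer, now):
    """Marks the record deleted; nothing is removed yet, so undelete still works."""
    out = copy.deepcopy(customer)
    out["deleted_at"] = now.isoformat()
    return out


def undelete(customer, now):
    """Reverses a soft delete, but only inside the 30-day window."""
    if "deleted_at" not in customer:
        return copy.deepcopy(customer)
    deleted_at = datetime.fromisoformat(customer["deleted_at"])
    if now - deleted_at >= RECOVERY_WINDOW:
        raise ValueError("recovery window elapsed; an anonymised customer cannot be restored")
    out = copy.deepcopy(customer)
    del out["deleted_at"]
    return out


def anonymise(customer, invoices, now):
    """Applies the documented field rules; returns (anonymised_customer, invoices).
    Financial records come back unchanged and still carry the customer ID."""
    anon = {
        "id": customer["id"],
        "email": redacted_email(customer["id"]),
        "name": "Redacted Customer",
        "address": {field: None for field in customer.get("address", {})},  # each address field -> null
        "metadata": {},                                                      # metadata stripped
        "deleted_at": customer.get("deleted_at"),
        "anonymised_at": now.isoformat(),                                    # assumed field
    }
    # tax_ids is deleted outright: the key is absent from the anonymised record.
    retained = [copy.deepcopy(inv) for inv in invoices]
    return anon, retained


def run_retention(customer, invoices, now):
    """Retention job step: anonymise a soft-deleted customer once 30 days have passed.
    Returns (customer, invoices, anonymised_now)."""
    if "deleted_at" not in customer:
        return customer, invoices, False
    if now - datetime.fromisoformat(customer["deleted_at"]) < RECOVERY_WINDOW:
        return customer, invoices, False
    anon, retained = anonymise(customer, invoices, now)
    return anon, retained, True


# Constructed sample data (not real customers).
SAMPLE_CUSTOMER = {
    "id": "cus_constructed_42",
    "email": "jane@example.com",
    "name": "Jane Example",
    "address": {"line1": "1 Example St", "city": "Dublin", "country": "IE"},
    "tax_ids": [{"type": "eu_vat", "value": "IE0000000XX"}],
    "metadata": {"crm_id": "crm-123"},
}
SAMPLE_INVOICES = [{"id": "inv_constructed_1", "customer_id": "cus_constructed_42", "total": 1200}]
```

Usage: `deleted = soft_delete(SAMPLE_CUSTOMER, now)`; on day 29 `undelete(deleted, now)` returns the original record, while on day 30 `run_retention(deleted, SAMPLE_INVOICES, now)` returns the anonymised record and reports that anonymisation happened. After that point `undelete` raises, which is the one-way door the page describes.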

Right to rectification

Use PATCH /v1/customers/{id} for non-financial fields. Financial records (invoices, payments) cannot be edited; issue corrections via credit notes.

Right to portability

The access export (above) is in machine-readable JSON. CSV is also supported (format: "csv"). The export is structured to be re-importable into another billing system that follows similar conventions.

Audit log

Every DSR request, every operator action that touches customer data, and every privileged read (export, decryption) is recorded in the audit log:

GET /v1/admin/audit-log?subject_type=customer&subject_id=cus_…

Each entry includes actor, action, reason, timestamp, request ID, and a stable hash of affected fields. Audit log entries are immutable.
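An added example, not Paylera's implementation, of an audit log with the entry fields listed above. Two design choices are assumptions rather than anything the page states: the "stable hash of affected fields" is SHA-256 over canonical JSON (sorted keys, no whitespace), so the same change hashes identically whatever order the fields arrive in; and each entry also includes the previous entry's hash, so a consumer holding an exported log can check that no entry was altered or removed from the middle. Entries are returned as read-only mapping views. All data is constructed.

```python
"""Added example: append-only audit log with stable field hashes and chain verification."""
import hashlib
import json
from types import MappingProxyType


def canonical_json(obj):
    """Deterministic serialisation: key order and whitespace cannot change the hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def stable_field_hash(affected_fields):
    """Hash of the affected fields (assumed SHA-256 over canonical JSON)."""
    return hashlib.sha256(canonical_json(affected_fields).encode("utf-8")).hexdigest()


def entry_hash(entry):
    """Hash of everything in the entry except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(canonical_json(body).encode("utf-8")).hexdigest()


class AuditLog:
    GENESIS = "0" * 64   # prev_hash of the first entry

    def __init__(self):
        self._entries = []

    def record(self, *, actor, action, reason, timestamp, request_id,
               subject_type, subject_id, affected_fields):
        prev = self._entries[-1]["entry_hash"] if self._entries else self.GENESIS
        entry = {
            "seq": len(self._entries),
            "actor": actor,
            "action": action,
            "reason": reason,
            "timestamp": timestamp,
            "request_id": request_id,
            "subject_type": subject_type,
            "subject_id": subject_id,
            "field_hash": stable_field_hash(affected_fields),
            "prev_hash": prev,            # assumed chaining, see lead-in
        }
        entry["entry_hash"] = entry_hash(entry)
        frozen = MappingProxyType(entry)  # read-only view: item assignment raises TypeError
        self._entries.append(frozen)
        return frozen

    def query(self, subject_type, subject_id):
        """Mirrors GET /v1/admin/audit-log?subject_type=...&subject_id=..."""
        return [e for e in self._entries
                if e["subject_type"] == subject_type and e["subject_id"] == subject_id]

    def export(self):
        return [dict(e) for e in self._entries]


def verify_chain(entries):
    """Recomputes every hash over an exported log. Returns the index of the first
    entry that fails, or -1 when the whole chain is intact."""
    prev = AuditLog.GENESIS
    for i, e in enumerate(entries):
        if e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
            return i
        prev = e["entry_hash"]
    return -1
```

Usage: call `log.record(...)` for each DSR action, and periodically run `verify_chain(log.export())` over a copy stored outside the system that writes it; a result other than -1 points at the first entry that no longer matches what was recorded.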

Data Processing Agreement

Standard DPA available in the dashboard at Settings → Legal → DPA. Click-accept; signed copy emailed for your records.

Breach notification

Per GDPR Art. 33, we notify affected tenants within 72 hours of becoming aware of a personal-data breach. Notification goes to the operations contact configured on the tenant; if several are configured, all of them are notified.

You’re then responsible for downstream notifications to your end-users per your jurisdiction.