Security & Data Protection

How we protect your data

To get you paid, we have to ask for things most platforms bury in a form: your ID, your business details, your bank account. That deserves a straight answer about how it is protected. So here it is, including the parts we have not finished yet.

How your data is protected

Everything you send us travels over an encrypted connection (TLS 1.2 or higher), and the data that matters most is encrypted again while it sits at rest.

Concretely:

  • Sensitive identifiers (tax ID / SSN, date of birth, bank account and routing numbers), uploaded ID documents, and biometric or liveness media are encrypted at rest with AES-256-GCM, using a dedicated PII key kept separate from our general platform key.
  • Government-ID images and biometric media are stored in a private Cloudflare R2 bucket that is never public and is streamed only through authenticated endpoints.
  • Passwords are hashed with bcrypt. Internal access to KYC documents is gated behind hardware-backed passkey two-factor authentication.
  • Your IP address is masked before we store it, and emails are redacted in our logs, so we hold less of your personal data than we technically could.
  • We enforce CSRF protection, constant-time comparison of secrets, rate limiting, and brute-force protection across the platform.
  • File uploads are validated by their actual byte signature, not just their name, so a malicious file cannot pose as an image.
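The byte-signature check in the last bullet, shown as an added example that is not SellStein's code: it sniffs an upload's leading bytes and refuses any file whose contents do not match the image type its filename claims. The accepted-format table and the sample inputs are constructed for this example.

```javascript
// Added example (not SellStein's code): check an upload's real byte signature
// against the image type its filename claims, and reject any mismatch.

// Magic-byte prefixes of the image formats this example accepts (constructed table).
const SIGNATURES = {
  png:  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  jpeg: [[0xff, 0xd8, 0xff]],
  gif:  [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
};

// True when `bytes` starts with every byte of `prefix` (a short buffer fails).
function startsWith(bytes, prefix) {
  return prefix.every((b, i) => bytes[i] === b);
}

// Identify the format from the bytes alone; null if nothing is recognised.
function sniffImageType(bytes) {
  for (const [type, prefixes] of Object.entries(SIGNATURES)) {
    if (prefixes.some((p) => startsWith(bytes, p))) return type;
  }
  // WebP is RIFF-based: "RIFF" at offset 0 and "WEBP" at offset 8.
  if (bytes.length >= 12 &&
      startsWith(bytes, [0x52, 0x49, 0x46, 0x46]) &&
      startsWith(bytes.subarray(8), [0x57, 0x45, 0x42, 0x50])) {
    return 'webp';
  }
  return null;
}

// Normalise the extension the client supplied ("jpg" and "jpeg" are one type).
function claimedType(filename) {
  const ext = filename.toLowerCase().split('.').pop();
  return ext === 'jpg' ? 'jpeg' : ext;
}

// Accept only when the sniffed format is supported and matches the claim.
function validateUpload(filename, bytes) {
  const actual = sniffImageType(bytes);
  if (actual === null) return { ok: false, reason: 'bytes are not a supported image' };
  const claimed = claimedType(filename);
  if (claimed !== actual) {
    return { ok: false, reason: `name says ${claimed} but bytes are ${actual}` };
  }
  return { ok: true, type: actual };
}

// Constructed samples: a PNG header, and an HTML file renamed to look like one.
const PNG_HEADER = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const FAKE_PNG = new TextEncoder().encode('<html><body>not an image</body></html>');
console.log(validateUpload('id-front.png', PNG_HEADER)); // accepted as png
console.log(validateUpload('id-front.png', FAKE_PNG));   // rejected: not a supported image
```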

What we collect for payments, and why

When you apply for SellStein Payments, anti-money-laundering law and the card networks require us to verify who you are before we can move money for you. For that we collect:

  • Your legal name, date of birth, and address
  • A government tax identifier (SSN, EIN, or local equivalent)
  • Images of a government-issued ID document
  • For some flows, a short selfie or liveness video to confirm you match your ID
  • Your bank account and routing numbers, so we can pay you out

Where it is stored

Your data lives on Cloudflare infrastructure (Workers, the D1 database, and R2 object storage). ID documents and biometric media are isolated in a private R2 bucket that is never publicly reachable; the only way to retrieve them is through an authenticated internal endpoint.

Sensitive fields are encrypted before they touch the database, with a key dedicated to this data alone, so a copy of the raw database is not a copy of your tax ID or bank details.

Who it is shared with

We keep the circle as small as the job allows:

  • Our payment processors, Fiserv and NMI, receive your identity and financial data so they can board your merchant account, run required compliance checks, and settle your funds.
  • Identity verification itself, matching your selfie to your ID and checking for spoofing, runs in-house on Cloudflare Workers AI. Your ID and biometric media do not go to a separate identity-verification vendor.
  • Infrastructure (Cloudflare) and transactional email (SendGrid) process data strictly to run the service.
  • We never sell your data, and we never use it to train AI models. The full list lives on our Sub-Processors page.

How long we keep it

We hold verification data only as long as the law and our processors require, then delete it:

  • KYC and identity record fields are kept while your account is active and deleted from our systems when you close your account. Our payment processors (Fiserv and NMI) may retain identity and transaction records for as long as anti-money-laundering law requires.
  • Raw government-ID images and biometric/liveness media: automatically deleted 12 months after the verification decision, and immediately upon account deletion.
  • General account data: deleted 30 days after account closure.

Your rights

You stay in control of your data:

  • Access and export the personal data we hold about you.
  • Correct anything that is wrong.
  • Request deletion — when you close your account we erase your KYC records and uploaded documents from our systems, except for records our payment processors must keep to meet anti-money-laundering obligations.
  • If you are in the EU/EEA or UK, you have the full set of GDPR rights, and you can complain to your local data protection authority. Email privacy@sellstein.com to exercise any of these.
  • If a breach ever affects your data, we will notify the relevant parties within 72 hours, in line with GDPR Article 33.

Our honest limitations

Trust is built by what you admit, not just what you claim. So, plainly:

  • We are not yet SOC 2 or PCI DSS Level 1 certified ourselves. Raw card data is handled by our PCI-DSS-compliant processors (Fiserv, NMI) and is never stored on our servers.
  • Our security testing is currently run internally: an ongoing program where we attack our own systems across authentication, access control, injection, and payment integrity. An independent third-party audit is on our roadmap, not behind us.

We would rather tell you this up front than let you discover it later. As these change, this page changes with them.

The binding details live in our Privacy Policy, AML / KYC Policy, Sub-Processors, and Data Processing Agreement.