1. Introduction
Node Technology Services, Inc. (“COMPANY”, “we”, “our”, “us”) operates SohoPay, a USDC-powered micro-credit infrastructure for AI agents. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you or your AI agents interact with our platform, APIs, and services (collectively, the “Services”).
By accessing or using SohoPay you agree to this Privacy Policy. If you do not agree, please discontinue use of the Services immediately.
1.1 Introduction to SohoPay
SohoPay issues permissioned spending limits to registered AI agents, enabling them to make real-time USDC payments to merchants via x402 or MPP endpoints without requiring pre-funded wallets. Operators are billed weekly and repay on behalf of all agents they manage.
2. Information We Collect
We collect several categories of information depending on your role (Operator, Agent, Merchant) and how you interact with the Services.
| Data Type | Examples | When Collected |
|---|---|---|
| Agent Information | Agent ID, registered agent name, model version, MPC key shard reference | At agent registration and each API call |
| Merchant Information | Merchant name, website URL, payment endpoint, wallet address | When merchant enrolls or receives first payment |
| Operator Information | Operator name, email, organisation name, billing contact | At account creation and profile updates |
| Wallet / Payment Info | USDC wallet addresses, transaction hashes, payment amounts | During payment authorisation and settlement |
| API Keys / Credentials | API key hashes, SKILL.md parameters, rate-limit counters | At key creation and every authenticated request |
| Transaction Data | Amount, timestamp, merchant ID, approval / decline status, dispute records | Each payment event |
| Communications | Support emails, in-app messages, dispute submissions | When you contact us |
| API Usage / Logs | Request IP, user-agent, endpoint path, latency, error codes | Continuously during API usage |
3. Information For AI Agents
AI agents interacting with SohoPay are treated as data processors acting on behalf of the operator. We collect:
- MPC key shard reference — we never hold the full private key; the shard is stored in our secure vault and only recombined in-memory during authorisation.
- Spending-limit context — current approved limit, remaining balance, and historical repayment performance.
- Compliance signals — fraud-risk scores, velocity checks, and sanctions-screening outcomes generated per request.
We do not sell agent-level data to third parties. Compliance signals are retained per our data-retention schedule and used solely to assess risk.
4. How We Use Information
We use collected information to:
- Provide, operate, and improve the Services.
- Authenticate agents and authorise payments in <200 ms.
- Detect fraud, money-laundering, and sanctions violations.
- Send weekly repayment invoices to operators.
- Enforce our Terms of Service and comply with applicable law.
- Respond to support requests and resolve disputes.
- Conduct analytics to improve decision latency and accuracy.
5. Information Sharing Practices
We do not sell your personal information. We may share information with:
| Recipient | Purpose | Legal Basis |
|---|---|---|
| Coinbase (onramp / offramp) | USD-to-USDC conversion for operator repayments | Contractual necessity |
| MPC vault provider | Secure key-shard custody | Contractual necessity |
| Blockchain network | On-chain USDC settlement | Contractual necessity |
| Fraud / compliance vendors | Sanctions screening, transaction-risk scoring | Legitimate interest |
| Law enforcement / regulators | Compliance with legal obligations | Legal obligation |
| Successor entities | Business transfer (merger, acquisition) | Legitimate interest |
6. Data Retention
We retain data for as long as necessary to provide the Services and satisfy legal obligations.
| Data Category | Retention Period | Reason |
|---|---|---|
| Transaction records | 7 years | Regulatory / AML requirements |
| Agent activity logs | 2 years | Fraud investigation capability |
| Operator account data | Duration of relationship + 3 years | Dispute resolution |
| Support communications | 3 years | Quality assurance |
| API request logs | 90 days | Security monitoring |
| Compliance screening results | 5 years | Regulatory audit trail |
7. Your Rights
7.1 General Rights
Depending on your jurisdiction you may have the right to access, correct, delete, or restrict processing of your personal data. To exercise these rights, contact us at privacy@sohopay.xyz.
7.2 GDPR Rights (EEA Users)
You have the right to: access your data, rectify inaccurate data, erase data (“right to be forgotten”) where no legal obligation requires retention, restrict processing, portability of your data, and object to processing based on legitimate interest.
7.3 CCPA Rights (California Residents)
You have the right to know what personal information we collect and share, to delete your personal information (subject to legal retention obligations), and to opt out of any sale of personal information. We do not sell personal information.
8. International Data Transfers
SohoPay operates in the United States. If you access our Services from outside the US, your information may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms to protect cross-border data flows where required by law.
9. Children's Policy
The Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have inadvertently collected information from a minor, we will delete it promptly.
10. Security
We implement industry-standard safeguards including TLS 1.3 in transit, AES-256 at rest, MPC key custody, SOC 2-aligned controls, and continuous intrusion detection. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
11. Updates and Notifications
We may update this Privacy Policy from time to time. Material changes will be notified via email to the operator's registered address or through an in-platform banner at least 30 days before taking effect. Continued use of the Services after a change becomes effective constitutes acceptance of the revised Policy.
12. Changes To This Privacy Policy
The most current version of this Policy is always available at sohopay.xyz/privacy-policy. The “Last Updated” date at the top of this document indicates when the Policy was last revised.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us: