1 Who We Are and Who This Policy Covers
1.1 About Flash Pay
Flash Pay is a bill payment facilitation service operated by FlashFunding LLC d/b/a Flash Pay, a limited liability company registered in Texas. We coordinate vendor payment logistics for customers who wish to pay bills, rent, utilities, tuition, and professional service vendors using their existing credit cards.
1.2 Who This Policy Covers
This Privacy Policy applies to:
- All individuals who visit the Flash Pay website (flashpay.us);
- All individuals who submit a payment request through Flash Pay;
- All individuals whose information is collected in connection with identity verification;
- All individuals who communicate with Flash Pay by any channel including phone, text, email, or WhatsApp.
1.3 What This Policy Covers
This Privacy Policy explains:
- What personal information we collect and why;
- How we use, store, and protect your information;
- Who we share your information with and under what conditions;
- How long we keep your information;
- Your rights regarding your personal information;
- How to contact us with privacy questions or requests.
2 Information We Collect
2.1 Information You Provide Directly
When you submit a payment request, we collect the following categories of personal information:
| Category | Specific Data Collected | Why We Collect It |
|---|---|---|
| Identity Information | Full legal name, date of birth, last 4 of Social Security Number, government-issued photo ID (type, number, front and back image) | Identity verification, loan agreement execution, fraud prevention, chargeback defense |
| Contact Information | Home address, city, state, ZIP code, phone number (including WhatsApp), email address | Communication, loan agreement delivery, payment confirmation, legal notices |
| Payment Card Details | Card network (Visa/MC/Amex/Discover), card type (personal/business), full card number, cardholder name, expiry date, CVV, billing ZIP code, card issuing bank | Processing the credit card repayment charge via Stripe (our PCI DSS Level 1 processor) |
| Payee / Bill Details | Payee name, ABA routing number, bank account number, bill type, payment reference/memo, bill amount, invoice copy (if uploaded) | Executing the ACH payment to your payee |
| Loan & Agreement Details | Loan amount, service fee, total repayment amount, repayment due date, typed digital signature, agreement timestamp | Loan agreement execution, TILA disclosure compliance |
| Government ID Images | Front and back photo of driver's license, state ID, or passport | Identity proofing, fraud prevention, chargeback defense evidence |
2.2 Information Collected Automatically
When you access our website or submit a form, we automatically collect:
- IP address at time of access and form submission;
- Device type, operating system, and browser type and version (user-agent string);
- Geolocation data derived from IP address;
- Date, time, and timezone (UTC) of all interactions;
- Pages visited, time spent on each page, and navigation path;
- Form field completion patterns (for fraud detection purposes);
- Cookie and session identifiers (see Section 11 — Cookies).
2.3 Information From Third Parties
We may receive information about you from:
- Stripe — our payment processor — including card authorization results, AVS (address verification) results, card BIN data, and fraud scores;
- Twilio — our SMS provider — including OTP delivery confirmation and phone number verification results;
- Identity verification providers — for document authentication and fraud screening;
- Card networks (Visa, Mastercard, American Express, Discover) — in connection with chargeback disputes;
- Law enforcement or government agencies — as required by law.
2.4 Information We Do NOT Collect
WE DO NOT COLLECT OR STORE THE FOLLOWING
- Full Social Security Numbers — we collect last 4 digits only, for identity verification;
- Full credit card numbers in retrievable plain text — card numbers are tokenized by Stripe and never stored on Flash Pay's own servers;
- Bank account passwords or login credentials;
- Biometric data (fingerprints, facial recognition data, or voiceprints);
- Medical or health information;
- Information about your children under 13 — we do not knowingly collect data from minors.
3 How We Use Your Information
3.1 Primary Purposes
We use your personal information for the following primary purposes:
| Purpose | How We Use Your Data |
|---|---|
| Processing your transaction | To verify your identity, pre-authorize your card, pay your bill via ACH, charge your card as loan repayment, and deliver payment confirmation. |
| Executing the Loan Agreement | To populate the Loan Agreement with your details, capture your digital signature, and maintain the signed record. |
| TILA compliance | To calculate and disclose the APR (0%), Finance Charge ($0), Amount Financed, and Total of Payments as required by federal law. |
| Fraud prevention | To detect, prevent, and investigate fraudulent transactions, identity theft, unauthorized card use, and money laundering. |
| Chargeback defense | To compile and submit evidence packages to card issuers and networks if you or another party files a chargeback dispute. |
| Communication | To send you transaction confirmations, payment receipts, loan agreements, and responses to your inquiries. |
| Legal compliance | To comply with applicable federal and state laws, court orders, government requests, and regulatory requirements. |
| Debt collection | To collect unpaid loan amounts, service fees, and associated costs in the event of default. |
| Service improvement | To analyze usage patterns and improve the performance, security, and user experience of our service (using anonymized or aggregated data only). |
3.2 Legal Basis for Processing
We process your personal information on the following legal bases:
- Contract performance — processing is necessary to execute and perform the Loan Agreement you requested;
- Legal obligation — processing is required to comply with TILA, ECOA, BSA/AML, FDCPA, GLBA, and other applicable laws;
- Legitimate interests — fraud prevention, chargeback defense, debt collection, and service security;
- Your consent — for electronic communications, SMS verification, and data sharing disclosures you specifically agree to.
3.3 What We Do NOT Do With Your Information
WE DO NOT
- Sell your personal information to any third party — ever;
- Share your information for marketing or advertising purposes;
- Use your information to make automated decisions about credit eligibility (all decisions are made by a human);
- Send you unsolicited marketing emails or texts without your explicit consent;
- Profile you for behavioral advertising;
- Transfer your data to third countries outside the United States without appropriate safeguards.
4 How We Share Your Information
4.1 We Do Not Sell Your Information
Flash Pay does not sell, trade, rent, or otherwise transfer your personal information to third parties for commercial purposes. This applies to all categories of personal information we collect.
4.2 Authorized Sharing — Required to Provide the Service
We share your information only with the following categories of recipients, and only to the extent necessary:
| Recipient | What We Share and Why | Legal Basis |
|---|---|---|
| Stripe (Payment Processor) | Full card details and transaction amounts to process your credit card charge. Stripe is PCI DSS Level 1 certified. Subject to Stripe's Privacy Policy. | Contract performance |
| Your Payee's Bank (ACH) | Your payee's routing and account number, payment amount, and your name as the sender, to execute the ACH transfer. | Contract performance |
| Twilio (SMS Provider) | Your phone number to send SMS one-time passwords for identity verification. | Contract performance / consent |
| Card Networks & Issuers (Chargeback) | Your full transaction record, Loan Agreement, ID, IP logs, and all communication records — if a chargeback dispute is filed. You have expressly consented to this in the Terms. | Legitimate interest / consent |
| Collections Agencies | Your name, contact information, and debt details — only upon default and only to licensed, FDCPA-compliant collectors. | Legitimate interest / legal obligation |
| Law Enforcement / Government | Any information required by valid court order, subpoena, search warrant, or government request. | Legal obligation |
| Professional Advisors | Attorneys and accountants who are bound by confidentiality obligations, for legal and financial advice. | Legitimate interest |
| Business Successors | All customer data in the event of a merger, acquisition, or asset sale — with notice to you. | Legitimate interest |
4.3 Chargeback Disclosure — Special Notice
IMPORTANT: CHARGEBACK EVIDENCE DISCLOSURE
By using Flash Pay and executing a Loan Agreement, you expressly and irrevocably consent to Flash Pay disclosing ANY and ALL of the following to card issuers, card networks, and their agents in connection with any chargeback, dispute, or fraud investigation:
- Your signed Loan Agreement including your digital signature, IP address, timestamp, and device information;
- Your government-issued photo ID (front and back);
- Your full name, contact details, and home address;
- ACH payment confirmation records;
- All WhatsApp, text, and email communications between you and Flash Pay;
- Your original payment request with timestamp and geolocation;
- SMS OTP verification logs confirming your phone number;
- Any other evidence relevant to the dispute.
This disclosure is necessary for Flash Pay to defend against fraudulent chargebacks and is a condition of using the service. You waive any privacy, confidentiality, or other objection to this disclosure.
5 Data Security
5.1 Security Measures
Flash Pay implements industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction. Our security stack includes:
| Security Layer | Standard and Details |
|---|---|
| Data in Transit | 256-bit SSL/TLS (TLS 1.2/1.3) encryption on all connections between your device and our servers. The padlock icon in your browser confirms this protection. |
| Payment Processing | Stripe — PCI DSS Level 1 certified (the highest level of payment security certification). Flash Pay never stores, sees, or has access to your full card number in plain text. |
| Data at Rest | AES-256 encryption for all stored personal data. Data is stored in access-controlled, encrypted cloud storage systems. |
| Identity Documents | Government ID images are encrypted at rest, access-controlled, and accessible only to authorized Flash Pay personnel for identity verification purposes. |
| Access Controls | Role-based access control — only authorized personnel can access customer records. All access is logged and audited. |
| SMS Verification | One-time passwords delivered via Twilio to verify phone number ownership at transaction submission. |
| Audit Trail | Every transaction generates a tamper-evident electronic record including IP address, device fingerprint, geolocation, and UTC timestamp, linked to the signed Loan Agreement. |
| SSN Handling | Last 4 digits of SSN only — stored in encrypted form. Never stored in full, never in plain text. |
5.2 No Absolute Security
While we implement robust security measures, no data transmission or storage system is 100% secure. If you believe your information with Flash Pay has been compromised, contact us immediately at contactus@flashpayusa.com or 832-821-5944.
5.3 Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, Flash Pay will notify affected individuals and, where required, relevant regulatory authorities within the timeframes required by applicable law. Notification will be provided via the email address associated with your most recent transaction.
6 Data Retention
6.1 How Long We Keep Your Information
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Signed Loan Agreements | 7 years minimum | IRS / state record-keeping laws; chargeback defense (up to 18 months post-transaction); debt collection |
| Transaction records | 7 years minimum | IRS record-keeping; state financial record laws; TILA compliance |
| Identity documents (government ID images) | 7 years from transaction date | AML/BSA compliance; chargeback defense; fraud investigation |
| Communication records | 7 years from transaction date | Chargeback defense; legal proceedings; regulatory compliance |
| Audit trail (IP address, device, timestamp) | 7 years from transaction date | E-SIGN Act; chargeback defense; fraud investigation |
| Credit card details (tokenized via Stripe) | Not stored by Flash Pay in plain text | PCI DSS compliance — handled by Stripe |
| Marketing opt-in data (if any) | Until opt-out + 3 years | Regulatory compliance |
| Disputed / defaulted account data | Until debt is resolved + 7 years | Debt collection; legal proceedings |
6.2 Deletion After Retention Period
After the applicable retention period, we will securely delete or anonymize your personal information. Anonymized data (from which you cannot be identified) may be retained indefinitely for statistical and service improvement purposes.
7 Your Privacy Rights
7.1 Rights Available to All U.S. Customers
Regardless of which state you live in, you have the following rights:
| Right | What It Means |
|---|---|
| Right to Know | You can request a copy of all personal information we hold about you, including what categories we collected, why, and who we shared it with. |
| Right to Correct | You can request correction of inaccurate or incomplete personal information we hold about you. |
| Right to Delete | You can request deletion of your personal information. Note: we cannot delete data we are legally required to retain (e.g., Loan Agreements, transaction records during the 7-year retention period). |
| Right to Restrict Processing | You can request that we limit how we use your information in certain circumstances. |
| Right to Data Portability | You can request a copy of your data in a structured, commonly used, machine-readable format. |
| Right to Opt Out of Marketing | You can opt out of any promotional or marketing communications at any time by contacting us or using the unsubscribe link in any marketing email. |
| Right to Non-Discrimination | We will not discriminate against you for exercising any of these privacy rights. |
7.2 How to Exercise Your Rights
To exercise any of the rights above, contact us at:
- Email: contactus@flashpayusa.com
- Phone / WhatsApp: 832-821-5944
We will respond to all verifiable requests within 30 days. We may need to verify your identity before processing your request to ensure we are responding to the correct person. We will not charge you a fee for exercising your rights unless your request is manifestly unfounded or excessive.
7.3 Limitations on Deletion
We cannot delete information that we are legally required to retain, including:
- Signed Loan Agreements during the 7-year retention period;
- Transaction records required for IRS or state compliance;
- Identity documents required for AML/BSA compliance;
- Any records related to an active or potential legal dispute or debt collection matter;
- Information required to respond to a government or regulatory investigation.
8 California Residents — CCPA / CPRA Rights
8.1 Your Additional Rights Under California Law
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — the specific categories and pieces of personal information collected about you in the past 12 months;
- Right to Know — the categories of sources from which your personal information is collected;
- Right to Know — the business or commercial purpose for collecting your personal information;
- Right to Know — the categories of third parties with whom we share your personal information;
- Right to Delete — request deletion of personal information we have collected (subject to legal retention obligations);
- Right to Correct — request correction of inaccurate personal information;
- Right to Opt Out of Sale or Sharing — Flash Pay does NOT sell or share personal information for cross-context behavioral advertising;
- Right to Limit Sensitive Personal Information — you may request we limit the use of sensitive personal information (such as SSN digits and government ID) to only what is necessary to provide the service;
- Right to Non-Retaliation — we will not penalize you for exercising any CCPA/CPRA right.
8.2 Categories of Personal Information Collected (CCPA Categories)
In the past 12 months, Flash Pay has collected the following CCPA categories of personal information:
- Identifiers (name, email, phone, address, IP address);
- Personal information categories listed in Cal. Civ. Code § 1798.80(e) (card number, SSN last 4);
- Protected classification characteristics (none — we do not collect these);
- Commercial information (transaction records, payment history);
- Internet or electronic network activity (IP address, device information, page visits);
- Geolocation data (derived from IP address at form submission);
- Sensitive personal information (government ID, SSN last 4, full card number — collected solely to provide the service).
8.3 No Sale of Personal Information
Flash Pay does not sell personal information as defined under the CCPA/CPRA. We do not share personal information with third parties for cross-context behavioral advertising.
8.4 How to Submit a California Privacy Request
California residents may submit privacy requests by:
- Emailing: contactus@flashpayusa.com with subject line "California Privacy Request";
- Calling or texting: 832-821-5944.
We will respond within 45 days (extendable by 45 additional days where necessary) and will verify your identity before processing your request.
9 Other State Privacy Rights
9.1 Virginia — VCDPA
Virginia residents have rights under the Virginia Consumer Data Protection Act (VCDPA) including rights to access, correct, delete, and obtain a copy of personal data, and to opt out of sale of personal data, targeted advertising, and profiling. Contact contactus@flashpayusa.com to exercise VCDPA rights.
9.2 Colorado — CPA
Colorado residents have rights under the Colorado Privacy Act (CPA) including rights to access, correct, delete, and data portability, and to opt out of sale and targeted advertising. Contact contactus@flashpayusa.com to exercise CPA rights.
9.3 Connecticut — CTDPA
Connecticut residents have rights under the Connecticut Data Privacy Act (CTDPA). Contact contactus@flashpayusa.com to exercise your rights.
9.4 Texas — TDPSA
Texas residents have rights under the Texas Data Privacy and Security Act (TDPSA) including rights to access, correct, delete, and obtain portability of personal data, and to opt out of sale and profiling. Contact contactus@flashpayusa.com to exercise TDPSA rights. As a Texas-based company, we take your Texas privacy rights seriously.
9.5 All Other States
Residents of states with active consumer privacy laws not specifically listed above may also have rights regarding their personal information. Contact us at contactus@flashpayusa.com and we will respond in accordance with applicable law in your state.
10 Children's Privacy
10.1 No Data Collection From Minors
Flash Pay's services are intended for individuals 18 years of age and older. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will delete that information immediately.
10.2 If You Believe We Have a Child's Information
If you believe we have collected information from a child under 13, contact us immediately at contactus@flashpayusa.com. We will investigate and delete the information promptly.
11 Cookies and Tracking Technologies
11.1 Cookies We Use
Our website uses the following types of cookies and tracking technologies:
- Essential cookies — required for the website to function (session management, form security tokens). Cannot be disabled.
- Analytics cookies — help us understand how visitors use our website (page views, time on site, navigation paths). Used with anonymized data only.
- Security cookies — used for fraud detection and bot prevention.
We do not use advertising cookies, third-party marketing cookies, or behavioral tracking cookies.
11.2 Cookie Control
You can control cookies through your browser settings. Disabling essential cookies may prevent some parts of our website from functioning correctly. Disabling analytics cookies will not affect your ability to use the service.
11.3 Do Not Track
Our website currently does not respond to "Do Not Track" signals from browsers. However, we do not engage in the cross-site tracking that Do Not Track signals are designed to prevent.
12 Third-Party Links and Services
12.1 Third-Party Websites
Our website may contain links to third-party websites. This Privacy Policy does not apply to those websites. We are not responsible for the privacy practices of third-party websites and encourage you to read their privacy policies.
12.2 Third-Party Service Providers
We use the following third-party services in connection with Flash Pay. Each has its own privacy policy:
| Provider | Service | Data They Receive |
|---|---|---|
| Stripe | Credit card payment processing (PCI DSS Level 1) | Card details, transaction amount, billing ZIP |
| Twilio | SMS one-time password delivery | Phone number, OTP code |
| Cloud Storage Provider (AWS/GCP) | Encrypted data storage | Encrypted transaction records and documents |
| Card Networks | Chargeback dispute resolution | Signed agreement, ID, IP logs, payment records (upon dispute only) |
13 Financial Privacy — Gramm-Leach-Bliley Act (GLBA)
13.1 GLBA Notice
Federal law gives customers the right to limit some but not all sharing of personal financial information. Federal law also requires us to tell you how we collect, share, and protect your personal financial information. This notice complies with the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801 et seq., and its implementing regulations.
| Reasons We Can Share Your Financial Information | Does Flash Pay Share? | Can You Limit This? |
|---|---|---|
| For our everyday business purposes — such as to process your transactions and report to credit bureaus | Yes | No |
| For our marketing purposes — to offer our products and services to you | No | We don't share |
| For joint marketing with other financial companies | No | We don't share |
| For our affiliates' everyday business purposes — information about your transactions and experiences | No | We don't share |
| For our affiliates to market to you | No | We don't share |
| For nonaffiliates to market to you | No | We don't share |
14 Updates to This Privacy Policy
14.1 Right to Update
Flash Pay reserves the right to update this Privacy Policy at any time. When we make material changes, we will post the updated policy on our website with a revised effective date and, where required by law, provide direct notice to affected customers.
14.2 Your Responsibility
We encourage you to review this Privacy Policy periodically. Continued use of Flash Pay's service after the effective date of any update constitutes acceptance of the updated Privacy Policy.
15 Contact Us
For any privacy questions, requests, or concerns, contact us:
| Legal Entity | FlashFunding LLC d/b/a Flash Pay |
|---|---|
| Brand Name | Flash Pay |
| Privacy Officer | Available via email (role is not separately designated at this stage) |
| Email | contactus@flashpayusa.com |
| Phone / WhatsApp | 832-821-5944 |
| Address | 8 The Green STE A, Dover, DE 19901 USA |
| Response Time | Within 30 days for all privacy requests (45 days for CCPA) |
| To exercise rights | Email with subject: Your Right — e.g., "Right to Know Request" |
⚡ Your Privacy Matters to Us
Flash Pay is a small, personal service built on trust. Every person who uses Flash Pay shares sensitive financial and identity information with us. We take that responsibility seriously. We collect the minimum data necessary, protect it with industry-standard security, and use it only to serve you and comply with the law. We never sell it. We never share it for marketing. If you have any concern at all about how we handle your information, please reach out — we will respond personally and promptly.


