Eliopi — Payment Infrastructure · Issue 01 / 2026

Privacy policy.

We keep this document short, specific, and free of legalese. It covers how Eliopi — operated by CC Golden Leaf LLC — handles personal information when you use the marketing site, the console, or the APIs.

Last updated: 14 April 2026 · Version 01 / 2026

§ 01 Scope of this policy

This policy applies to the Eliopi marketing website at eliopi.com, the Eliopi console, and any Eliopi APIs or SDKs you use in production. It does not cover the sites of our customers or partners — their handling of end-customer data is governed by their own policies.

When we say “Eliopi”, “we”, or “us”, we mean CC Golden Leaf LLC, a Delaware limited liability company with its principal office in Mobile, Alabama. “You” refers to a person interacting with any of the surfaces above.

§ 02 What we collect

We collect only what we need to operate the service, keep it secure, and meet our legal obligations. That breaks down into three buckets.

  • Account information. Your name, work email, company, role, and — if you enable multi-factor authentication — a device fingerprint and the secret for your authenticator.
  • Usage information. Request logs, console events, IP addresses, user-agent strings, and the approximate region derived from your IP. We retain this for service quality, fraud prevention, and security incident response.
  • Transaction metadata. For the payments we process on your behalf: amounts, currencies, timestamps, processor identifiers, and the tokens we generate. We do not store raw card numbers or CVVs outside our PCI DSS Level 1 vault.

§ 03 How we use it

We use the information above to provide the service you contracted for, to monitor and improve the platform, to prevent abuse and fraud, and to meet our obligations under applicable law. We do not sell personal information, and we do not share it with advertisers for any purpose.

We may use aggregated, de-identified data — for example, an index of approval rates across a region — in research and public commentary. Nothing in that aggregate is traceable to an individual.

§ 04 Lawful basis for processing

Where the GDPR or a similar regime applies, we rely on one of four bases: performance of the contract between us and you; our legitimate interests in operating and securing the service; your consent (for cookies beyond the strictly necessary set); and compliance with a legal obligation.

§ 05 When we share information

We share information with sub-processors who perform work on our behalf under a written data processing agreement — cloud hosting, transactional email, helpdesk software, and the payment networks we route transactions to. A current list of sub-processors is available on request and is part of every customer's Data Processing Addendum.

We also share information when compelled by a valid legal process, when necessary to protect a person's safety, or in connection with a corporate transaction — in which case continuity of this policy is a condition of the deal.

§ 06 How long we keep it

Account information is retained for the life of the account plus 36 months, unless you ask us to delete it sooner. Usage logs are kept for 13 months and then purged. Transaction metadata is retained for seven years to meet financial record-keeping obligations. Backups rotate on a 90-day cycle.

§ 07 International transfers

Eliopi operates regional deployments in the United States, the European Union, and the Asia-Pacific region. Your data stays within the region you designate at onboarding. When we do transfer data across borders — for example, to route a transaction to an acquirer outside your region — we rely on Standard Contractual Clauses and, where available, adequacy decisions.

§ 08 How we secure it

We operate under SOC 2 Type II, ISO 27001, and PCI DSS Level 1. Data is encrypted in transit with TLS 1.3 and at rest with AES-256. Cryptographic keys are managed by HSMs certified to FIPS 140-2 Level 3. Access to production systems is logged and reviewed quarterly; engineers use phishing-resistant hardware keys.

§ 09 Your rights

Depending on where you live, you may have the right to access, correct, port, or delete personal information we hold about you, to object to or restrict certain processing, and to withdraw consent where we rely on it. Write to privacy@eliopi.com and we will respond within 30 days. We will never charge a fee for an ordinary request, and we will never retaliate for exercising a right.

§ 10 Cookies and tracking

The marketing site uses a small set of first-party cookies to remember your session and aggregate traffic analytics. We do not use third-party advertising cookies or cross-site trackers. The console uses session and CSRF cookies that are strictly necessary for the service to function.

§ 11 Children's data

Eliopi is a B2B product. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us information, please contact us and we will delete it.

§ 12 Contact and complaints

For any question about this policy, write to privacy@eliopi.com. If you are in the European Economic Area or the United Kingdom and feel we have not resolved your concern, you have the right to lodge a complaint with your local supervisory authority.

CC Golden Leaf LLC · RiverView Plaza, Suite 1200 · 63 South Royal Street · Mobile, AL 36602 · United States.
