Last updated: May 18, 2026
Cassia ("we", "us") operates cassiapay.com — a non-custodial stablecoin payment processor. We never hold private keys or take custody of funds. Our registered contact address is [email protected].
Email address and, optionally, a business name. Collected when you register. Used to authenticate you and send transactional emails (magic-link login, invoice notifications).
The account-level xpub you connect in the Wallets section. We use it to derive unique deposit addresses for each invoice. Private keys never leave your device and are never transmitted to us.
Invoice amounts, currencies, payment statuses, and on-chain transaction references. Stored to operate the service and calculate commissions.
Standard web server logs (IP address, browser type, pages visited) retained for up to 30 days for security and debugging purposes.
An httpOnly JWT stored as a browser cookie named session. Required to keep you logged in. It contains no personal data beyond a random merchant identifier. No consent needed — it is essential to the service.
When you visit the public landing page, a consent banner is shown. If you click "Accept", Google Analytics 4 (GA4) sets cookies to measure visitor counts and traffic sources. If you click "Decline" or close the banner, no analytics cookies are set (GA4 Consent Mode v2). Your preference is stored in localStorage key cassia_cookie_consent and is not transmitted to us.
After you log in, we use PostHog (posthog.com) to understand how merchants use the dashboard — which features are used, where users drop off. Your email address is masked before being sent to PostHog (e.g. seo***@gmail.com). Session recordings are enabled with all input fields masked. Pages that display sensitive information (wallet generation, 2FA setup) are excluded from recordings.
We rely on the following third-party processors:
| Processor | Purpose | Location |
|---|---|---|
| Vilna | Address derivation from xpubs; on-chain balance indexing | EU |
| Resend | Transactional email delivery (login links) | US |
| Google Analytics | Marketing page analytics (consent-gated) | US |
| PostHog | Product analytics for logged-in merchants | US/EU |
We do not sell your data. We do not use your data for advertising.
Account and invoice data is retained for as long as your account is active and for 3 years after account closure (required for financial record-keeping). You may request deletion of personal data by emailing [email protected]. Deletion of invoice records may be limited by legal obligations.
Depending on your jurisdiction, you may have the right to access, correct, or delete personal data we hold about you, or to object to certain processing. To exercise these rights, contact [email protected]. We will respond within 30 days.
We may update this Privacy Policy from time to time. Material changes will be notified by email to registered merchants at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current version.
Questions or requests: [email protected]