Privacy Policy
Last Modified
Please read this privacy policy carefully.
Tesser ("Tesser,” "we,” "us,” or "our") is committed to protecting your privacy. This privacy policy (“Privacy Policy”) explains how we collect, use, disclose, and safeguard personal information when you interact with Tesser's proprietary financial infrastructure platform, including all related APIs, SDKs, and dashboards (the "Platform"), and the associated support services and third-party services made available through the Platform (collectively, the provision of access to the Platform and such associated services, the "Services"), or when you visit Tesser's customer-facing website at www.tesser.xyz (the "Website").
This Privacy Policy applies to personal information that we collect and process in connection with the provision of the Services and your use of the Website. It does not apply to third-party websites, services, or applications, even if they are accessible through or integrated with the Services. With respect to the Services, personal information processed by Tesser is generally provided to us by our Customers rather than collected directly from the individuals to whom it relates. With respect to the Website, we may collect personal information directly from visitors as described in Section 1.6.
Tesser is a cross-border payments infrastructure platform that integrates the components needed to send and receive cross-border payments on blockchain rails. The Platform provides access to blockchain wallet infrastructure, compliance (KYT and AML) controls, stablecoin liquidity, treasury management, and reporting. Customers integrate with the Platform via APIs and SDKs and may also access the Platform through the dashboard. Customers incorporate the functionality of the Platform into their own platforms and applications, which are made available to End Users. End Users do not interact directly with the Platform or with Tesser. Tesser is not a bank, money services business, licensed financial institution, or payment processor and does not hold or transfer funds on Customer's or any End User's behalf.
Unless otherwise defined in this Privacy Policy, capitalized terms have the meanings given to them in our Terms of Service (“Terms”). As used in this Privacy Policy, "Personal Data" refers to information that identifies or relates to an identifiable individual; such information, to the extent uploaded or input into the Platform or otherwise made available to Tesser by Customer or an End User, constitutes "Customer Data" as defined in the Terms. In the event of any inconsistency between this Privacy Policy and the Terms regarding definitions or interpretation, the Terms will control.
1. What Information We Collect About You
1.1 Information Provided by Customers. Tesser receives personal information from its Customers in connection with the provision of the Services. Customers may supply information about individuals (including their own customers and the counterparties of their customers) via the Platform.This information may include legal first name, legal last name, physical address (street address, city, state or district, postal code, country), date of birth, and national identification numbers such as passport number, ID card number, tax identification number, or Social Security Number. Additional information or documents may be required per jurisdiction or per on-/off-ramp provider.
1.2 Financial Account and Blockchain Data. In connection with payment processing and orchestration, Tesser's APIs collect financial account information provided by Customers. For bank account-based payments, this may include bank account number or IBAN, unique sender/receiver identifiers, bank identifier code (BIC, SWIFT code, or routing number), and bank name. For blockchain-based payments, this may include blockchain wallet addresses, transaction metadata, and related on-chain data, which are used to facilitate the construction, routing, and execution of payment transactions. Tesser does not collect or store private keys or seed phrases; custody of assets and transaction signing remain with the applicable wallet infrastructure or key management system. The types of additional data we may collect or process in connection with the Services include the following:
Transaction amounts, currency pairs, and exchange rate information;
Payment status, payment direction (pay-in or pay-out), and transaction history;
Sender and receiver identification information, including legal name, address, and unique identifiers associated with each party to a transaction;
Compliance-related data, including results of sanctions screening, KYT (Know Your Transaction) checks, AML monitoring, and Travel Rule data;
Transaction metadata, including transaction hashes, block confirmations, network fees, and related on-chain data associated with supported blockchain protocols;
Payment instruction and routing data, including payment rail identifiers, intermediary institution details, and settlement information; and
Documents and records submitted or generated in connection with regulatory compliance, identity verification, or onboarding requirements, as applicable per jurisdiction or provider.
1.3 Log Files. When Customers or their authorized representatives access the Platform, or when visitors access the Website, we may automatically collect information including IP address, browser type, domain names, internet service provider (ISP), operating system, clickstream data, access times, and referring website addresses.
1.4 Usage Data. We may collect Usage Data when Customers interact with the Services. As defined in the Terms, Usage Data means information generated from the use of the Services, which does not identify End Users, any other natural human persons, or Customer, such as technical logs, data, and learnings about Customer's or an End User's use of the Services, but excluding any identifiable Customer Data. We may use third-party service providers to help collect and analyze Usage Data, but we only share it in a de-identified form that does not reveal confidential information. We use this data to support analytics, improve system performance, troubleshoot issues, and optimize the Services.
1.5 Information from Cookies and Similar Technologies. We and our third-party partners may collect information using cookies, pixel tags, or similar technologies in connection with access to our website www.tesser.xyz. For more information on our use of cookies and your choices regarding cookies, please see Section 6 (Cookies).
1.6 Information Collected Through the Website. When you visit the Website, we may collect personal information that you voluntarily provide to us, such as your name, email address, phone number, job title, company name, and any other information you submit through contact forms, demo request forms, newsletter sign-ups, or other inquiry mechanisms available on the Website. We may also automatically collect certain information about your visit, including through cookies and similar technologies as described in Section 6.
2. How We Use Personal Data
2.1 To Provide the Services. We use personal information received from Customers to provide the Services, including to complete payment transactions. Individual identity and financial account information may be used to route and execute pay-ins and pay-outs across supported payment networks and blockchain rails. We also use this information to authenticate Customers accessing the Platform, to provide customer support, and to maintain and administer Customer accounts.
2.2 To Improve and Develop Our Products and Services. We use Usage Data to understand how Customers interact with the Services and to guide product development. This includes identifying popular features, assessing usage trends, and evaluating potential new features or integrations. We may also analyze aggregated data across our Customer base to understand overall usage patterns. When shared externally, this statistical information does not identify individual users. We may use Aggregated Data (as defined in the Terms, meaning Customer Data that has been deidentified or aggregated with other data such that the resulting data no longer reasonably identifies Customer or a specific individual) for internal reporting, analytics, operational monitoring, and product improvement, including transaction, payment, risk, and Usage Data after removal or abstraction of direct identifiers.
2.3 To Secure and Protect Our Customers and Comply with Legal Obligations. We use personal information to help prevent security incidents, verify accounts, and detect misuse of the Services. We also use individual identity and financial account information to comply with legal, regulatory, and compliance obligations, including OFAC and sanctions screening, Travel Rule compliance, and ongoing AML transaction monitoring. Log files may also be used to generate general usage statistics, improve navigation, and support compliance with regulatory requirements. We collect and log IP addresses to monitor access patterns, investigate security events, and troubleshoot issues. We may also use transaction metadata, wallet address data, and API interaction logs to monitor for anomalous or unauthorized activity within the Platform.
2.4 To Communicate with Our Customers. We use account information to communicate with Customers, which could include providing updates and other information relating to our Services and products, providing information that is requested, and responding to comments, questions, and requests. Customers may opt out of receiving promotional emails or text messages from Tesser by following the unsubscribe instructions included in those emails or text messages, or by contacting us using the contact information provided through the Services. If a Customer opts out, we may still send transactional or relationship messages, such as emails about the Customer's account or updates to our products and Services.
2.5 To Monitor and Improve Platform Performance. We may use interaction data and system metadata to monitor and improve the functions of the Services. This includes analyzing system behavior, error patterns, and performance metrics in order to support safe deployment, performance tuning, and continuous improvement of the Platform. We use this data to evaluate the quality and reliability of the Services, reduce the risk of erroneous or incomplete transaction processing, and improve overall platform reliability.
2.6 To Respond to Website Inquiries and Provide Marketing Communications. We use personal information collected through the Website to respond to inquiries, process demo requests, send newsletters or other marketing communications you have opted into, and to otherwise communicate with prospective and existing Customers. You may opt out of receiving marketing communications at any time by following the unsubscribe instructions included in those communications or by contacting us using the contact information provided below.
3. How We Share Personal Data
3.1 Service Providers. We may share Personal Data with Third Party Providers and other third-party service providers engaged to support the Services. These parties are bound by data protection obligations no less protective than those set forth in the Terms and are prohibited from using Personal Data except for the purposes for which it is shared. Our key service providers include the following:
Tesser shares Personal Data with (a) its third-party tokenization and vault provider for secure storage, tokenization, and vaulting of PII and other sensitive records, and (b) Third Party Providers, including liquidity providers, fiat off-ramps, and other payment partners, as needed to execute transactions and satisfy regulatory requirements. The categories of information shared with these providers may include date of birth, government-issued identification information, Social Security Numbers, tax IDs, bank account information, legal name, address, legal entity identifier, wallet address, account number or IBAN, and payment instruction data. Each such provider is permitted to use this information solely to perform its designated services, including secure vaulting, payment processing, compliance checks, and satisfaction of applicable legal and regulatory obligations.
Tesser may engage subcontractors to perform portions of the Services. Each subcontractor is bound by obligations no less protective than those applicable to Tesser under the Terms, and Tesser remains responsible for its obligations notwithstanding any such subcontracting.
3.2 Analytics and Marketing Providers. We may share Personal Data collected through the Website with third-party analytics and marketing service providers that assist us in analyzing Website traffic, measuring the effectiveness of our marketing campaigns, and delivering targeted communications. These providers are contractually prohibited from using Personal Data for any purpose other than providing the applicable
services to Tesser.
3.3 Compelled Disclosure. We reserve the right to use or disclose your Personal Data if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process. For more details on how personal information is processed, stored, and used, please refer to our Terms.
3.4 Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or a portion of our assets, or similar transaction or proceeding, Personal Data held by Tesser may be among the assets transferred or disclosed in connection with due diligence. We will use reasonable efforts to direct any such transferee to use Personal Data in a manner consistent with this Privacy Policy.
4. How We Transfer Personal Data Internationally
4.1 Scope of International Transfers. Personal Data may be transferred to and processed in jurisdictions outside of your country of residence, including the United States and Singapore. Tesser's primary infrastructure is hosted in the United States. Sensitive personal information is stored through a third-party tokenization and vault provider, whose infrastructure may include servers located in the United States and other jurisdictions. Tesser personnel and contractors may be located in the United States and other countries. When we transfer Personal Data of individuals in the EEA or Switzerland to third countries, we use a variety of legal mechanisms to safeguard the transfer, including the European Commission-approved Standard Contractual Clauses. When we transfer Personal Data of individuals in the UK to third countries, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or other approved transfer mechanisms under UK data protection law. Please contact us if you need more information about which legal mechanisms we rely on to transfer personal data internationally.
5. How We Store and Secure Personal Data
5.1 Data Storage and Security. We use a variety of security technologies and procedures to help protect Personal Data from unauthorized access, use, or disclosure. Sensitive personal information is stored using a secure tokenization and vaulting provider rather than being stored in raw form in Tesser's systems. All data is encrypted at rest and in transit, and sensitive data is never passed between internal microservices or written to logs or observability systems. Engineering team access follows the principle of least privilege, scoped strictly to what each role requires. For wallet infrastructure, raw private keys are never exposed to Tesser or its team; instead, they are generated and stored in hardware-isolated secure enclaves with multi-factor access controls, cryptographic attestation, audit trails, and backup and disaster recovery controls. Tesser does not store private keys, seed phrases, or similar cryptographic credentials, and does not take custody of assets.
5.2 Data Breach Notification. Tesser monitors security, risk, and compliance issues as part of operating the Platform and relies in part on security controls provided by key infrastructure vendors. Tesser's third-party vault provider maintains controls relating to monitoring and logging, vulnerability and breach detection, and incident response. A "Security Incident" means any unauthorized access to, acquisition of, use of, or disclosure of Customer Data. In the event of a Security Incident, we will promptly notify the affected Customer and will notify affected individuals and applicable regulatory authorities in accordance with applicable law. We will take commercially reasonable steps to mitigate the effects of any such Security Incident and to prevent future occurrences.
5.3 Retention of Personal Data. We retain Personal Data for as long as needed to provide the Services, comply with applicable legal, regulatory,compliance, tax, accounting, and recordkeeping obligations, resolve disputes, and enforce our agreements. Personal Data collected through the Website (such as contact form submissions and marketing opt-in records) is retained for as long as necessary to fulfill the purpose for which it was collected, or until you request its deletion, subject to any applicable legal or regulatory retention requirements. When we have no ongoing legitimate business need to process your Personal Data, we will delete, destroy, or otherwise securely dispose of it, including by removing the information from active systems and requiring deletion or destruction of retained copies where appropriate, subject to backup retention, legal holds, and other legal or operational requirements. Upon termination or expiration of the Terms, data, including transaction history and account records, will be
made available for export in accordance with the provisions set forth in the Terms.
6. Cookies
6.1 Cookies. Technologies such as cookies may be used by Tesser and our analytics or service providers (as applicable) in connection with the Website. Cookies are used to remember you and to collect information about how you interact with the Website. If you have an account with the
Services, we may link this Usage Data with other information. You may have the option to either accept or refuse these cookies. If you choose to refuse, you may not be able to use some portions of the Website.
6.2 What Are Cookies? Cookies are small text files sent to your browser when you visit a website. They allow the site to recognize your device and remember your preferences on future visits. Cookies may store settings or other data to support functionality and improve your experience. Cookies
set by us are called first-party cookies, while cookies set by other parties, such as analytics or content providers, are called third-party cookies.
6.3 Why Do We Use Cookies? We use first party and third party cookies for several reasons. Some cookies are required for technical reasons in order for the Website to operate, and we refer to these as "essential" or "strictly necessary" cookies. Other cookies also enable us to track and target the
interests of our users to enhance the experience on the Website. This data is used to analyze trends, administer the Website, monitor how visitors navigate around the Website, and to gather demographic information about our user base as a whole.
6.4 What Types of Cookies Do We Use and How Do We Use Them? We use several types of cookies to support and improve the Website. Essential cookies are required to deliver the services available through the Website. Performance and functionality cookies enhance the user experience but are not strictly necessary for the Website to function. We also use analytics and customization cookies, which help us understand how users interact with the Website and allow us to tailor content based on those interactions. These cookies may operate in aggregate form or be used to personalize your experience..
7. Your Privacy Rights and Choices
7.1 Access, Correction or Deletion. Because personal information is generally provided to Tesser by Customers rather than collected directly from individuals, Tesser does not provide a direct consumer-facing interface for individuals to access, review, correct, or delete personal information. To the extent access, correction, or deletion requests are received, Tesser reviews and handles them in coordination with the relevant Customer and subject to applicable legal, regulatory, compliance, and recordkeeping requirements. You may submit such requests using the contact information provided below.
7.2 Objection, Restriction, and Portability. Subject to applicable law, you may have the right to object to our processing of your Personal Data, request that we restrict processing of your Personal Data, or request portability of your Personal Data. The availability of these rights depends on the jurisdiction in which you reside and the applicable legal framework. If you are located in the EEA or UK, please refer to Section 8 for further details regarding these rights under applicable data protection laws.
7.3 Withdraw Consent. Where we have collected and processed your Personal Data with your consent, you may withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your
Personal Data conducted in reliance on lawful processing grounds other than consent. If you are located in the EEA or UK, please refer to Section 8 for further details regarding the exercise of this right under applicable data protection laws.
7.4 Complaint. You have the right to complain to a data protection authority about our collection and use of your Personal Data. If you are located in the EEA or UK, you have the right to lodge a complaint with the supervisory authority in the member state or jurisdiction in which you reside or in which an alleged infringement of data protection law has occurred. To exercise any of these rights, please submit a request using the contact form or support channel on our Website, or by contacting us using the information provided in Section 11.
Please note that to protect personal information, we may verify your identity by a method appropriate to the type of request you are making. Depending on where you reside, you may be entitled to empower an “authorized agent” to submit requests on your behalf. We will require authorized agents to confirm their identity and authority, in accordance with applicable laws. Requests may also be coordinated with the relevant Customer through which personal information was provided to Tesser.
We will respond to your request to change, correct, or delete your data within a reasonable timeframe and notify you of the action we have taken. In some instances, your rights may be limited, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights.
We may make changes to this Privacy Policy from time to time. If you are a Customer, your continued use of the Services following the posting of any updated Privacy Policy constitutes your acceptance of such updated Privacy Policy. If you are a visitor to the Website, your continued use of the Website following the posting of any updated Privacy Policy constitutes your acceptance of such updated Privacy Policy.
8 EEA or UK Rights.
8.1 Additional Data Subject Rights. If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the following rights under applicable data protection laws, which may be exercised by contacting us at privacy@tesser.xyz: (a) the right to access the Personal Data we hold about you; (b) the right to rectification of inaccurate or incomplete Personal Data; (c) the right to erasure of your Personal Data in certain circumstances; (d) the right to restrict the processing of your Personal Data; (e) the right to object to the processing of your Personal Data, including where processing is based on legitimate interests; (f) the right to data portability, allowing you to obtain and reuse your Personal Data across different services; and (g) the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out prior to such withdrawal. These rights are subject to applicable legal limitations and may be coordinated with the relevant Customer through which Personal Data was provided to Tesser. You also have the right to lodge a complaint with a supervisory authority in the EEA member state or UK jurisdiction in which you reside or in which an alleged infringement of data protection law has occurred.
8.2 Legal Bases for Processing. If you are located in the EEA or UK, we are required to inform you of the legal basis for processing your Personal Data. The legal bases on which we rely for each category of processing are as follows: (a) Contractual Necessity (Article 6(1)(b) GDPR): We process Personal Data as necessary for the performance of our contractual obligations to Customers, including to provide the Services, complete payment transactions, authenticate access to the Platform, and maintain Customer accounts (see Section 2.1). (b) Legal Obligation (Article 6(1)(c) GDPR): We process Personal Data where necessary to comply with applicable legal, regulatory, and compliance obligations, including OFAC and sanctions screening, Travel Rule compliance, AML transaction monitoring, and responding to lawful requests from public authorities (see Section 2.3). (c) Legitimate Interests (Article 6(1)(f) GDPR): We process Personal Data where necessary for our legitimate interests or those of a third party, provided such interests are not overridden by your rights and freedoms. Our legitimate interests include: (i) improving and developing our products and Services, including analyzing Usage Data and aggregated data to identify usage trends and evaluate potential features (see Section 2.2); (ii) detecting, preventing, and investigating security incidents, fraud, and misuse of the Services (see Section 2.3); (iii) communicating with Customers regarding updates, information, and responses to inquiries relating to the Services (see Section 2.4); and (iv) monitoring and improving Platform performance, including analyzing system behavior, error patterns, and performance metrics (see Section 2.5). (d) Consent (Article 6(1)(a) GDPR): Where we rely on consent as the legal basis for processing, you may withdraw your consent at any time in accordance with Section 7.3 of this Privacy Policy. We rely on consent for (i) the use of non-essential cookies and similar technologies (see Section 6), and (ii) the sending of marketing communications to Website visitors who have opted in to receive such communications (see Section 2.6). Where we process Personal Data on the basis of legitimate interests, you have the right to object to such processing in accordance with Section 7.2 of this Privacy Policy.
9. California Privacy Rights
9.1 CCPA Applicability. As Tesser does not currently meet the thresholds established by the California Consumer Privacy Act (the “CCPA”), the CCPA does not apply to your use of the Services. In the event that Tesser does meet the thresholds established by the CCPA in the future, this section will be updated accordingly.
10. Other Important Privacy Information
10.1 We Never Sell Personal Data. We will never sell your Personal Data to any third party.
10.2 Information About Children. The Services are not intended for or directed at children under 18, and we do not knowingly or intentionally collect Personal Data about children under 18. Tesser provides infrastructure and software services to business Customers, and the Platform is intended for use only by authorized representatives of those Customers. If you believe that we have collected Personal Data about a child under 18, please contact us at privacy@tesser.xyz so that we may delete the information.
11. Contact Us
11.1 If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: Tesser Payments Inc.,
205 Hudson St., Ste 700, New York, NY 10013; Email: privacy@tesser.xyz. You may also submit inquiries through the contact form available on the Website.