Last updated: June 6, 2026

Privacy Policy

VendaVault holds your card and identity data inside a controlled, encrypted environment. This page explains what we collect, why, how we protect it, and the rights you have over it under the Jamaica Data Protection Act, 2020.

Operator of record: A Caribbean development-focused fintech partnership between Nomal Online Business Services Ltd. and HopSync Technologies LLC, headquartered in Montego Bay, Jamaica and McLean, Virginia, USA, operating the VendaVault service at vault.vendapay.net.
Data Protection Officer: support@hopsync.us
Customer support: support@vendapay.net

1. What we collect

To operate VendaVault we collect three categories of information:

  • Identity — your full name, email, phone number, and government-issued ID for KYC verification (national ID, passport, or driver's licence), plus a selfie for a liveness check.
  • Payment instruments — when you save a card, we capture the full card number, expiry, and security code inside a PCI-scoped vault. The card number is never exposed to merchants or any system outside the vault.
  • Transaction metadata — amounts, merchants, timestamps, and decline reasons for each charge you make through VendaVault. This includes IP address, device fingerprint, and a user-agent fingerprint used to bind your session.

2. How we protect it

  • Encryption at rest. Every PII field is encrypted with a per-customer 256-bit data encryption key (DEK), which is itself wrapped with our master key-encryption key (KEK). The DEK is unique to your account and is used for nothing else.
  • Encryption in transit. All connections use HTTPS with modern cipher suites. All API calls between VendaPay and VendaVault are HMAC-signed with a 60-second clock-skew window — replay attacks are rejected.
  • PCI scope isolation. Card numbers are only handled inside the vault layer. Merchants charge a token (vpay_tok_xxxxx); they never see, store, or transmit your card number.
  • Dual-approval audit access. Even VendaVault staff cannot view your name, email, phone, or KYC documents without (a) a documented regulatory inquiry initiated by an authorised admin AND (b) a separate confirmation by the investigating authority via a one-time link. Every PII field accessed is permanently audit-logged.

3. Why we collect each category

  • Identity — to satisfy KYC obligations under the Jamaica Proceeds of Crime Act and applicable Bank of Jamaica anti-money-laundering guidelines.
  • Payment instruments — to authorise transactions on your behalf without exposing your card to merchants.
  • Transaction metadata — to maintain a transaction history, support dispute resolution, and feed our AML monitoring engine (sanctions, PEP, adverse-media screening).

4. Who we share data with

We share data narrowly and only as required to operate the service:

  • Card networks and gateways (Visa, Mastercard, PowerTranz) for transaction authorisation.
  • KYC and AML providers for identity verification and sanctions screening. Phase A uses development-grade verification; production providers will be disclosed here when finalised.
  • Bill Express agent network for cash deposit reconciliation (Phase B).
  • Law enforcement and regulators only with a lawful instrument and only via our dual-approval audit process described above.

We do not sell your data, share it with advertisers, or use it for any purpose unrelated to operating VendaVault.

5. Your rights under the Jamaica Data Protection Act, 2020

  • Right of access. You can request a copy of all data we hold on you.
  • Right to correction. You can request that inaccurate data be updated.
  • Right to erasure (subject to AML and tax retention obligations).
  • Right to object to processing for purposes unrelated to operating the service.
  • Right to lodge a complaint with the Office of the Information Commissioner of Jamaica.

Exercise any of these rights by emailing support@hopsync.us.

6. Retention

We retain transaction records, KYC documents, and AML screening results for the minimum period required under Caribbean financial-services regulation (typically seven years from the date of the last transaction). After that period the records are securely destroyed.

7. Cookies and sessions

VendaVault uses only essential session cookies. We do not use third-party analytics, advertising trackers, or fingerprinting beyond what is needed to bind your active session to your device.

8. Changes to this policy

Material changes will be emailed to you. The current version date is shown at the top of this page.

9. Contact

Customer support: support@vendapay.net
Data Protection Officer (HopSync Technologies LLC): support@hopsync.us