1. Introduction
DPAY is a payment gateway aggregation platform developed and operated by DITS (Dimensions Information Technology Solutions), accessible at dpay.ly. DPAY enables merchants in Libya to accept payments from multiple payment providers through a single, unified integration.
This Privacy Policy describes how we collect, use, store, share, and protect your personal and business information when you access or use the DPAY platform, including our website, dashboard, APIs, and related services. By registering for an account, accessing any part of the DPAY platform, or using our payment processing services, you acknowledge that you have read and understood this Privacy Policy.
This policy applies to all users of the DPAY platform, including merchants, business administrators, and any individual who interacts with our services, whether through the web dashboard, API integrations, or hosted payment pages such as invoices and payment sessions.
2. Information We Collect
We collect information that is necessary to provide, maintain, and improve our payment gateway services. The types of information we collect include:
Account Information
- Full name (first and last name) provided during registration
- Email address used for account authentication and communications
- Phone number for account verification and support purposes
- Password, which is stored exclusively in hashed form using bcrypt and is never stored or logged in plaintext
- Account role and permission assignments within the platform
Business Information
- Company or business name as registered with the platform
- Business address and city of operation
- Company logo uploaded for branding on invoices and payment pages
- Legal and regulatory documents submitted during merchant onboarding or verification processes
- Payment gateway configuration details, including merchant identifiers and terminal IDs required for gateway connectivity
Payment Data
- Transaction amounts, currencies, and fee calculations processed through our platform
- Gateway references, transaction identifiers, and system reference numbers generated during payment processing
- Payment method used for each transaction (such as EDFali, MobiCash, OnePay, or Moamalat)
- Payment session statuses, timestamps of creation, expiration, and completion
- Invoice details including line items, customer information, and payment links
- Webhook delivery records and associated event data
Technical Data
- IP addresses from which you access the platform
- Browser type, version, and user-agent string
- Device information including operating system and screen resolution
- Access logs including timestamps of login events, API requests, and session activity
- Error logs and diagnostic data generated during platform usage
Usage Data
- Pages and sections of the dashboard visited during your sessions
- Features and tools used, including API token management, invoice creation, and payment method configuration
- Interaction patterns such as frequency of logins, number of transactions processed, and API call volumes
- Search queries and filter parameters used within the platform
3. How We Use Your Information
We use the information we collect for the following purposes, each of which is essential to the operation and improvement of our platform:
- Process payment transactions — We transmit necessary data to connected payment gateways (Moamalat, EDFali, MobiCash, OnePay) to initiate, verify, and confirm payment sessions on your behalf.
- Maintain and secure your account — Your information is used to authenticate your identity, manage access permissions through role-based access control, and protect your account from unauthorized access.
- Provide customer support — When you contact us for assistance, we use your account and transaction data to investigate issues, resolve disputes, and respond to your inquiries effectively.
- Improve platform performance and features — Usage data and interaction patterns help us identify areas for improvement, optimize platform reliability, and develop new features that serve our merchants better.
- Comply with legal obligations and prevent fraud — We process and retain certain data to meet regulatory requirements under Libyan law, prevent fraudulent activity, and ensure the integrity of transactions processed through our platform.
- Send service-related communications — We use your email address and, where applicable, phone number to send essential notifications such as payment confirmations, security alerts, account status updates, and policy change notices. We do not send promotional or marketing emails without your explicit consent.
- Generate reports and analytics — Transaction data is aggregated to provide merchants with payment reports, balance summaries, and business insights through the dashboard.
4. Information Sharing
We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes. We share information only in the following limited circumstances:
Payment Gateways
To process payments, we share the minimum required transaction data with the relevant payment gateway provider. This includes:
- Moamalat — Transaction amounts, merchant terminal identifiers, and session references required for card payment processing through the LightBox integration.
- EDFali — Customer mobile numbers and transaction amounts necessary for SOAP-based mobile wallet payment initiation and OTP verification.
- MobiCash — Customer card numbers, transaction amounts, and payment descriptions required for card-based payment sessions via the MobiCash API.
- OnePay — Customer national ID card numbers and transaction amounts needed for bank-to-bank payment processing and OTP verification.
Legal Requirements
We may disclose your information when required to comply with applicable Libyan laws, regulations, legal processes, or enforceable governmental requests. This includes responding to court orders, regulatory inquiries, or law enforcement requests where we are legally obligated to provide information.
Service Providers
We may engage trusted third-party service providers for hosting infrastructure, server maintenance, and platform analytics. All service providers are bound by contractual confidentiality obligations and are prohibited from using your data for any purpose other than providing services to DPAY.
No Sale of Personal Data
We want to be unequivocal: DPAY does not sell your personal data to any third party, under any circumstances. Your data is used solely for the purposes outlined in this policy.
5. Data Security
We implement industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. Our security practices include:
- SSL/TLS encryption — All data transmitted between your browser or application and our servers is encrypted using TLS (Transport Layer Security), ensuring that sensitive information cannot be intercepted in transit.
- HMAC-SHA256 signature verification — Webhook payloads delivered to merchant endpoints are signed using HMAC-SHA256, allowing you to verify the authenticity and integrity of every notification received from our platform.
- Certificate-based authentication — Communications with payment gateway providers are secured using certificate-based authentication, ensuring that only authorized systems can exchange transaction data.
- Hashed passwords — All user passwords are hashed using bcrypt with appropriate cost factors before storage. We never store, log, or transmit passwords in plaintext.
- Role-based access control (RBAC) — Access to platform features and data is governed by a granular role and permission system. Users can only access resources and perform actions that their assigned role explicitly permits.
- CSRF protection — All form submissions and state-changing requests are protected against Cross-Site Request Forgery attacks using unique, per-session tokens.
- Regular security audits — We conduct periodic reviews of our codebase, infrastructure, and access controls to identify and address potential vulnerabilities proactively.
- API token security — API tokens are displayed only once at the time of creation and are stored in hashed form. Compromised tokens can be revoked immediately through the dashboard.
While we strive to protect your information using commercially reasonable measures, no method of electronic transmission or storage is completely secure. We encourage you to use strong, unique passwords and to keep your API tokens confidential.
6. Data Retention
We retain your information only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law.
- Account data — Your account information, including name, email, and associated business details, is retained for the duration of your active account. Following account deletion or deactivation, we retain this data for an additional 2 years to handle any post-closure inquiries, disputes, or legal obligations.
- Transaction records — Payment transaction data, including amounts, gateway references, timestamps, and payment statuses, is retained for a minimum of 7 years from the date of the transaction. This retention period is mandated by financial regulatory requirements applicable to payment service providers operating in Libya.
- Technical logs — Server access logs, API request logs, and error logs are retained for 90 days. After this period, logs are permanently deleted through automated processes.
- Invoice data — Invoice records and associated line items are retained alongside transaction records for the 7-year regulatory period.
You may request deletion of your personal data at any time, subject to the legal retention requirements described above. Where we are required by law to retain certain records, we will inform you of the applicable retention period and the basis for that requirement.
7. Your Rights
You have the following rights with respect to your personal data held by DPAY. To exercise any of these rights, please contact us at privacy@dpay.ly.
- Right to access — You may request a copy of the personal data we hold about you, including account information, transaction history, and any data shared with third parties on your behalf.
- Right to correction — If any of your personal information is inaccurate or incomplete, you may request that we correct or update it. You can also update most account details directly through your dashboard profile settings.
- Right to deletion — You may request that we delete your personal data from our systems. Please note that this right is subject to the data retention requirements outlined in Section 6. We will delete all data that is not subject to legal retention obligations.
- Right to data export — You may request an export of your personal data in a structured, commonly used, and machine-readable format. This includes your account information, transaction records, and any other data associated with your account.
- Right to withdraw consent — Where we process your data based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
- Right to object — You have the right to object to our processing of your personal data in certain circumstances. We will honor your objection unless we have compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defense of legal claims.
We aim to respond to all legitimate requests within 30 calendar days. In exceptional cases where a request is particularly complex or you have made multiple requests, we may extend this period by an additional 30 days, in which case we will notify you of the extension and the reason for it.
8. Cookies & Tracking
DPAY uses a minimal set of cookies that are strictly necessary for the operation of our platform. We are committed to respecting your privacy and do not use cookies for advertising, behavioral profiling, or cross-site tracking.
- Session cookies — These cookies are used to maintain your authenticated session as you navigate the platform. They are essential for keeping you logged in and are automatically deleted when you close your browser or your session expires.
- CSRF protection tokens — We use cookies to store Cross-Site Request Forgery tokens, which are a security measure that prevents malicious websites from performing unauthorized actions on your behalf.
- Preference cookies — We may store minimal preferences such as your selected language or dashboard view settings to improve your experience.
What We Do Not Use
- We do not use third-party advertising cookies or ad networks
- We do not deploy tracking pixels, web beacons, or social media trackers
- We do not use fingerprinting techniques to identify users across sessions
- We do not share cookie data with any external analytics or advertising platforms
9. Third-Party Services
DPAY integrates with the following third-party payment gateway APIs to provide payment processing services:
- Moamalat — Card payment processing via the Moamalat payment network, supporting NUMO cards, Visa, Mastercard, and mobile wallets.
- EDFali — Mobile wallet payment processing through the EDFali SOAP-based payment system.
- MobiCash — Card-based payment processing via the MobiCash merchant API.
- OnePay — Bank-to-bank payment processing through the OnePay (MasrefyPay / SaharaPay / YousrPay) network.
Each of these payment gateway providers operates under its own privacy policy and data handling practices. We strongly recommend that you review the privacy policies of any payment gateway you use through our platform.
We follow a principle of data minimization when interacting with third-party gateways: we share only the information that is strictly required to initiate, process, and verify each transaction. We do not share your account credentials, dashboard usage data, or any information beyond what is necessary for payment processing.
10. Children's Privacy
DPAY is a business-to-business payment gateway platform designed exclusively for use by merchants and businesses. Our services are not intended for, directed at, or designed to attract individuals under the age of 18.
We do not knowingly collect, solicit, or process personal information from anyone under the age of 18. If we discover that we have inadvertently collected personal data from a minor, we will take immediate steps to delete that information from our systems and terminate any associated account.
If you are a parent or guardian and believe that a child under 18 has provided personal information to DPAY, please contact us immediately at privacy@dpay.ly so that we can take appropriate action.
11. Changes to This Policy
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes to this policy, we will update the "Last updated" date at the top of this page.
For material changes that significantly affect how we collect, use, or share your personal data, we will provide prominent notice through one or more of the following methods:
- An email notification sent to the address associated with your account
- A prominent notice displayed within the DPAY dashboard upon your next login
- A banner or notification on our website at dpay.ly
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the DPAY platform after any changes to this policy constitutes your acceptance of those changes.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please do not hesitate to contact us:
- Company — DITS — Dimensions Information Technology Solutions
- Location — Benghazi, Libya
- Email — privacy@dpay.ly
- Platform — dpay.ly
We are committed to resolving any privacy concerns promptly and transparently. For data access, correction, or deletion requests, please include your full name and the email address associated with your DPAY account so that we can verify your identity and process your request efficiently.