How CeletelPay collects, uses and protects personal information — including biometric palm templates.
CeletelPay is the payment hardware division of Celetel (“CeletelPay”, “we”, “us”). This policy explains what data we collect, how we use it, and the rights you have in relation to it. It applies to our website, smart POS terminals (Vega P1, Nova N3, Lyra Q2, Orion T8), SDKs, and related cloud services.
Business contact data. When you submit a sales enquiry, request a demo or subscribe to our newsletter, we collect your name, work email, phone number, company and role.
Device telemetry. Our terminals send diagnostic data (firmware version, uptime, battery health, error codes, aggregated transaction counts) so we can maintain fleets and deliver updates. Telemetry does not include cardholder data or biometric templates.
Biometric templates. When a shopper enrols a palm at a merchant who uses CeletelPay, the terminal generates a one-way encrypted template (approximately 2 KB) from the near-infrared image of their vein pattern. The raw image is never stored, transmitted or persisted. The template cannot be reversed into an image and is encrypted with a per-merchant key.
Website analytics. We use privacy-preserving analytics (anonymised IP, aggregated event counts) to understand which pages are read. See our Cookie Policy for details.
We use personal information to respond to enquiries, deliver and service our products, send occasional product updates you have opted into, and comply with legal obligations. We do not sell personal data, and we do not use biometric templates for any purpose beyond authenticating the specific person at the specific merchant they enrolled with.
We rely on legitimate interest for business-to-business communications and product telemetry, contract performance for delivering services a customer has ordered, consent for marketing communications and non-essential cookies, and legal obligation for tax, accounting and fraud-prevention records.
We share data with sub-processors that help us operate (cloud hosting, email delivery, payment clearing networks, certification labs). Every sub-processor is bound by a written data-processing agreement. Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses or an equivalent safeguard.
Business contact data is retained for the duration of our commercial relationship plus seven years for accounting purposes. Device telemetry is retained for 24 months. Biometric templates are retained until the shopper revokes enrolment, at which point they are deleted from the merchant device and any hosted vault within 30 days.
Under GDPR, UK GDPR, CCPA and India’s DPDP Act, you have the right to access, correct, delete or port your personal data, and to object to processing or withdraw consent. Biometric enrolment is always revocable from the merchant app or in person at the merchant counter. To exercise any right, email privacy@celetel.io.
Our terminals are certified to PCI-PTS v6 and EMV L1/L2. Biometric templates are encrypted at rest with AES-256 and in transit with TLS 1.3. Secure-element key material never leaves the tamper-active enclosure. Security incidents affecting personal data are notified to the relevant supervisory authority within 72 hours where required.
Our products are not directed at children under 16 and we do not knowingly collect data from them.
We may update this policy from time to time. The effective date is shown at the top of the page. Material changes will be announced on our website and, where appropriate, by email to affected customers.
CeletelPay, Noida, Uttar Pradesh 201301, India. Data Protection Officer: privacy@celetel.io.
Effective April 2026 · © CeletelPay, a Celetel brand