Payment Security and Billing Policy

1. Introduction and Purpose

This Payment Security and Billing Policy ("Policy") describes the payment infrastructure, security standards, billing practices, and fraud prevention measures implemented by White Town LLC ("Company," "we," "us," or "our") in connection with Subscription payments for the Gostify platform at https://www.gostify.app/.

This Policy is intended to provide transparency to Customers, financial institutions, payment networks, and compliance teams regarding how payment transactions are processed, how cardholder and billing data is protected, and what controls are in place to ensure the integrity and security of all financial transactions on the Platform.

This Policy is incorporated by reference into the Gostify Terms of Service and Refund and Cancellation Policy. In the event of any conflict between this Policy and the Terms of Service with respect to billing matters, the Terms of Service shall prevail.

All Subscription fees are charged in United States Dollars (USD). White Town LLC does not accept cash, check, or wire transfer payments for standard Subscription plans. All payment processing is conducted electronically through our designated payment processor as described in Section 3.

2. Billing Model and Subscription Fees

2.1 Subscription-Based Billing

Gostify operates on a recurring monthly subscription model. Customers authorize White Town LLC and its payment processor to charge the applicable Subscription fee to the Customer\'s designated payment method on a recurring monthly basis, beginning on the date of initial activation and renewing automatically on the same calendar day each month (the "Renewal Date") until the Subscription is cancelled in accordance with the Refund and Cancellation Policy.

The current Subscription fee is $9.90 USD per month, inclusive of all platform features. Pricing is published on the Gostify website and is subject to change with thirty (30) days\' prior written notice to Customers, as described in the Terms of Service.

2.2 Authorization of Recurring Charges

By providing payment information and completing the Subscription setup process, the Customer provides explicit prior authorization for recurring monthly charges to the designated payment method. This authorization remains in effect until the Customer cancels the Subscription or revokes authorization in writing. Customers may update their payment method at any time through the account billing settings or by contacting info@gostify.app.

2.3 Billing Cycle and Invoice

Charges are applied at the beginning of each billing cycle. A billing receipt or invoice is generated and delivered by email to the Customer\'s registered email address following each successful charge. Invoices include: the billing date; the amount charged; the Subscription period covered; the last four digits of the payment card used; and the transaction reference number. Customers should retain these records for their own accounting and tax purposes.

2.4 Taxes and Additional Charges

Subscription fees are exclusive of applicable taxes, including value-added tax (VAT), goods and services tax (GST), sales tax, or similar levies. Where required by law, applicable taxes will be added to the invoice and charged to the Customer\'s payment method. White Town LLC collects and remits taxes as required by applicable US federal and state law. Customers outside the United States are responsible for determining and remitting any taxes applicable to their Subscription in their own jurisdiction.

Currency conversion fees, foreign transaction fees, or other charges imposed by the Customer\'s bank or card issuer are the sole responsibility of the Customer. White Town LLC does not control and is not responsible for such fees.

3. Payment Processor: Stripe

3.1 Role of Stripe

All payment card transactions on the Gostify platform are processed exclusively by Stripe, Inc. ("Stripe"), 510 Townsend Street, San Francisco, CA 94103, United States. Stripe is a globally recognized payment infrastructure provider serving millions of businesses worldwide. White Town LLC has selected Stripe as its exclusive payment processor based on its industry-leading security certifications, compliance infrastructure, and fraud prevention capabilities.

Stripe operates as a regulated financial technology company and is registered as a payment service provider with relevant financial regulatory authorities in applicable jurisdictions. Stripe\'s services are governed by the Stripe Services Agreement, available at https://stripe.com/legal/ssa, and Stripe\'s Privacy Policy, available at https://stripe.com/privacy.

3.2 PCI DSS Compliance

Stripe is certified as a PCI DSS Level 1 Service Provider, which is the highest level of compliance certification under the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS Level 1 certification requires an annual on-site audit by a Qualified Security Assessor (QSA) and ongoing quarterly network scans. Stripe\'s PCI DSS compliance certificate is publicly available at https://stripe.com/guides/pci-compliance.

Because all payment card data is entered directly into Stripe\'s hosted payment forms (Stripe Elements or Stripe Checkout) and transmitted directly to Stripe\'s servers, White Town LLC does not handle, process, transmit, or store full payment card numbers, CVV codes, expiration dates in unencrypted form, or any other sensitive authentication data. This architecture significantly reduces the PCI DSS scope applicable to White Town LLC\'s own systems.

3.3 Stripe Security Architecture

Stripe implements the following security measures relevant to Gostify transactions:

• All payment card data is encrypted at rest and in transit within Stripe\'s infrastructure using AES-256 encryption and TLS 1.2 or higher
• Payment card numbers are tokenized upon entry; a Stripe payment method token is stored by White Town LLC in place of raw card data for the purpose of recurring billing
• Stripe employs machine learning-based fraud detection systems (Stripe Radar) that evaluate each transaction in real time against risk signals to detect and prevent unauthorized transactions
• Stripe maintains multiple ISO 27001, SOC 1 Type II, and SOC 2 Type II certifications for its payment infrastructure
• All Stripe infrastructure is hosted in secure, access-controlled data centers with 24/7 physical security monitoring

3.4 Accepted Payment Methods

Gostify accepts the following payment methods for Subscription billing, subject to availability in the Customer\'s geographic region:

• Major credit cards: Visa, Mastercard, American Express, Discover
• Major debit cards: Visa Debit, Mastercard Debit, and equivalent debit card networks where supported by Stripe
• Additional payment methods: where supported by Stripe and enabled by White Town LLC, additional local or regional payment methods may be offered. Currently available methods are displayed at checkout.

White Town LLC does not currently accept ACH bank transfers, SEPA direct debit, wire transfers, cryptocurrency, or prepaid card payments for standard monthly Subscriptions. These methods may be considered for enterprise or custom arrangements on a case-by-case basis. Contact info@gostify.app for inquiries.

4. Data That White Town LLC Does Not Store

White Town LLC explicitly confirms the following with respect to payment data storage on its own systems:

• Full payment card numbers (Primary Account Numbers / PAN) are never transmitted to, stored on, or processed by White Town LLC\'s own servers. Card data is entered directly into Stripe\'s secure hosted payment interface and processed entirely within Stripe\'s PCI-compliant environment.
• CVV / CVC security codes are never stored by White Town LLC at any point, including temporarily. Stripe processes and discards security codes in accordance with PCI DSS requirements.
• Full card expiration dates are not stored by White Town LLC. Only the expiration month and year as returned by Stripe for display purposes in the Customer\'s billing settings are retained.
• Magnetic stripe data, chip data, and PIN data from card-present transactions are not applicable to the Gostify Platform, which operates exclusively as a card-not-present online merchant.

White Town LLC\'s systems store only the following non-sensitive billing identifiers returned by Stripe following a completed transaction: the Stripe customer ID; the Stripe payment method token (a non-reversible reference that cannot be used to reconstruct card data); the last four digits of the card number for display and identification purposes; the card brand (e.g., Visa, Mastercard); the card expiration month and year; and the billing country associated with the payment method.

This data storage architecture means that a breach of White Town LLC\'s systems would not expose full cardholder data, as no such data is present in our systems. Full cardholder data resides exclusively within Stripe\'s PCI DSS Level 1 certified environment.

5. Transaction Security

5.1 Encrypted Connections

All pages of the Gostify website and platform, including checkout and account management pages, are served exclusively over HTTPS using TLS 1.2 or higher encryption. Unencrypted HTTP connections are automatically redirected to HTTPS. SSL/TLS certificates are issued by a recognized certificate authority and are monitored for validity and renewal. The Platform\'s HTTPS implementation is verified against current industry standards including HSTS (HTTP Strict Transport Security) where applicable.

5.2 Stripe Elements and Hosted Payment Pages

Payment card details are collected exclusively through Stripe\'s hosted payment components (Stripe Elements or Stripe Checkout), which are served directly from Stripe\'s servers and embedded within the Gostify checkout flow. This means that at no point does the Customer\'s card data pass through Gostify\'s own web servers or application infrastructure. The security of card data entry is governed entirely by Stripe\'s PCI DSS Level 1 certified environment.

5.3 Tokenization

Upon successful payment, Stripe returns a secure payment method token to White Town LLC\'s systems. This token is used for recurring billing and is stored in place of actual card data. Stripe tokens are non-reversible, meaning they cannot be used by any party other than White Town LLC\'s authorized Stripe account to initiate charges, and cannot be decoded to reveal the underlying card number. Token use is restricted to recurring Subscription charges authorized by the Customer.

5.4 3D Secure Authentication

Where supported by the card issuer and required by applicable regulations (including the EU Strong Customer Authentication requirements under PSD2), Stripe may trigger 3D Secure (3DS) or 3D Secure 2 (3DS2) authentication during the initial payment and on subsequent charges where required. 3D Secure adds an additional layer of authentication requiring the cardholder to verify their identity with their card issuer before a transaction is authorized. This reduces the risk of unauthorized card use and shifts fraud liability to the card issuer in applicable cases.

5.5 Fraud Prevention

Stripe Radar, Stripe\'s machine learning-based fraud detection system, evaluates every transaction processed through the Gostify Platform in real time. Stripe Radar assigns a risk score to each transaction based on signals including device fingerprinting, IP geolocation, card usage patterns, and behavioral indicators. Transactions identified as high-risk may be declined, flagged for review, or subject to additional authentication steps.

In addition to Stripe Radar, White Town LLC applies the following fraud prevention practices:

• Monitoring of account creation and Subscription activation patterns for indicators of fraudulent or abusive activity
• Review of unusual billing patterns, including multiple failed payment attempts across different cards in a short period
• Immediate account suspension in response to confirmed fraudulent activity or payment disputes indicative of unauthorized card use
• Cooperation with Stripe and relevant financial institutions in the investigation and resolution of fraud cases

6. Strong Customer Authentication and Regulatory Compliance

6.1 EU Payment Services Directive 2 (PSD2)

For Customers located in the European Economic Area or United Kingdom, payment transactions are subject to the Strong Customer Authentication (SCA) requirements under the EU Payment Services Directive 2 (PSD2) and equivalent UK regulations. SCA requires that electronic payments be authenticated using at least two independent factors from the following categories: something the Customer knows (e.g., a password or PIN); something the Customer has (e.g., a mobile device or hardware token); something the Customer is (e.g., a fingerprint or facial recognition).

Stripe\'s 3D Secure 2 implementation is designed to comply with SCA requirements. Where SCA is required, Customers may be prompted to authenticate with their card issuer during the initial Subscription setup or upon subsequent charges where required. Failure to complete SCA authentication may result in the transaction being declined by the card issuer.

6.2 Recurring Transaction Exemptions

Under PSD2, certain recurring transactions may qualify for SCA exemptions, including merchant-initiated transactions (MITs) where the Customer has provided prior authorization and the transaction amount is fixed. Stripe manages the application of available SCA exemptions for Gostify\'s recurring Subscription charges where applicable, in accordance with card network rules and applicable regulatory guidance. White Town LLC does not apply SCA exemptions unilaterally and relies on Stripe\'s compliance infrastructure for all SCA-related decisions.

6.3 US Payment Regulations

For US-based transactions, White Town LLC complies with applicable US federal and state laws governing electronic payments, including the Electronic Fund Transfer Act (EFTA) and Regulation E (for debit card transactions), applicable card network rules issued by Visa, Mastercard, American Express, and Discover, and applicable state money transmission and consumer protection laws. Recurring billing authorization practices comply with card network rules requiring clear, transparent disclosure of recurring charge terms prior to authorization.

7. Failed Payments and Account Suspension

If a Subscription renewal payment fails, the following process applies:

• White Town LLC will make up to three (3) payment retry attempts over a period of seven (7) calendar days using Stripe\'s automated retry logic, which applies intelligent timing to maximize the likelihood of successful recovery
• The Customer will receive an automated email notification following each failed attempt, with instructions to update their payment method
• During the retry period, the Customer\'s account remains active
• If all retry attempts fail, the Subscription will be suspended and access to the Platform and AI assistant will be restricted
• The Customer will receive a final email notification advising them to update their payment method to reactivate their account
• Reactivation requires settlement of the outstanding balance; no credits or refunds are provided for the suspension period

Customers can update their payment method at any time through account billing settings or by contacting info@gostify.app. White Town LLC is not responsible for failed payment attempts caused by factors outside its control, including expired cards, insufficient funds, card issuer declines, or bank-imposed transaction restrictions.

8. Refunds and Payment Reversals

Approved refunds are processed exclusively through Stripe, back to the original payment method used for the charge. Refund eligibility and procedures are governed in full by the Gostify Refund and Cancellation Policy, available at https://www.gostify.app/. The following technical notes apply to refund processing:

• Refunds are initiated by White Town LLC through the Stripe dashboard and are subject to Stripe\'s processing timelines, typically five (5) to ten (10) business days for card refunds
• Partial refunds may be issued where applicable (e.g., in cases of confirmed billing errors involving an overcharge)
• Stripe does not charge White Town LLC\'s original processing fee when a refund is processed; however, the original interchange fees are not recovered by White Town LLC
• White Town LLC does not issue refunds by bank wire, cryptocurrency, or any method other than a reversal to the original Stripe payment method, except where the original payment method is no longer available

9. Chargeback Management

A chargeback occurs when a cardholder disputes a transaction with their card issuer and the card issuer initiates a reversal of the charge. White Town LLC manages chargebacks in accordance with the following practices:

• All chargeback disputes received through Stripe are reviewed promptly and responded to within the timeframes specified by the relevant card network
• White Town LLC maintains records of Subscription authorizations, cancellation confirmations, service delivery evidence, and customer communications to support chargeback responses
• Customers who initiate chargebacks without first contacting White Town LLC to resolve the dispute in good faith may have their accounts suspended or terminated, as described in the Refund and Cancellation Policy
• Excessive chargebacks may result in additional scrutiny of the account and may be reported to Stripe as a risk signal

White Town LLC monitors its chargeback ratio in accordance with card network thresholds (Visa\'s chargeback monitoring program threshold is 0.9% of transactions; Mastercard\'s threshold is 1.0%). We take proactive steps to maintain our chargeback ratio well below these thresholds through transparent billing practices, clear cancellation procedures, and responsive customer support.

10. Customer Responsibilities

Customers are responsible for the following in connection with payment security and billing:

• Providing accurate, current, and complete billing information at the time of Subscription setup and updating it promptly when it changes
• Ensuring that the payment method provided is authorized for use and has sufficient available credit or funds to cover recurring Subscription charges
• Safeguarding their Gostify account credentials to prevent unauthorized access and unauthorized Subscription charges
• Notifying White Town LLC immediately at info@gostify.app if they become aware of unauthorized access to their account or any unauthorized charge
• Reviewing billing receipts and statements and reporting any discrepancies to White Town LLC within thirty (30) days of the charge date
• Complying with their card issuer\'s terms regarding recurring billing authorizations and notifying White Town LLC if authorization is revoked

11. Business Continuity for Payment Processing

White Town LLC monitors the operational status of Stripe\'s payment infrastructure on an ongoing basis. In the event of a Stripe service disruption that prevents Subscription payment processing, White Town LLC will: post a status notification on the Gostify website or via email; not suspend Customer accounts solely due to payment failures caused by a documented Stripe outage; and process affected payments once Stripe services are restored.

Stripe maintains a public status page at https://status.stripe.com/ providing real-time information on the availability of its payment infrastructure. Stripe\'s service level commitments and uptime guarantees are governed by the Stripe Services Agreement.

In the event that White Town LLC transitions to a different payment processor in the future, Customers will be notified at least thirty (30) days in advance and will be given the opportunity to re-authorize recurring billing under the new payment infrastructure before any charges are made.

12. Internal Security Controls for Billing Systems

White Town LLC implements the following internal controls to protect the integrity and security of its billing systems and Customer billing data:

• Access to billing administration systems and Stripe account settings is restricted to authorized personnel only, using role-based access controls and multi-factor authentication
• All administrative actions within the billing system are logged and reviewed periodically for unauthorized or anomalous activity
• API keys used to integrate with Stripe are stored securely using environment-variable management and secrets management tools; API keys are never hardcoded in source code or transmitted in plaintext
• Stripe API keys are scoped to the minimum permissions necessary for the Platform\'s billing functionality
• Stripe webhook signatures are validated for all incoming webhook events to prevent unauthorized injection of fraudulent payment events
• Billing system code and infrastructure undergo periodic security review as part of the Platform\'s overall security assessment program

13. Compliance Summary for Financial Institutions

This section provides a structured summary of payment compliance measures for the purpose of financial institution and payment network due diligence reviews:

• Payment processor: Stripe, Inc. — PCI DSS Level 1 Service Provider
• Cardholder data storage: White Town LLC does not store full PANs, CVV codes, or magnetic stripe data. Only Stripe tokens and masked card metadata are retained.
• PCI DSS scope: White Town LLC\'s systems are out of scope for PCI DSS cardholder data storage requirements due to the use of Stripe\'s hosted payment components
• Encryption in transit: TLS 1.2 or higher on all Platform pages including checkout
• Fraud prevention: Stripe Radar (machine learning fraud detection) active on all transactions
• 3D Secure: Stripe 3DS2 implemented for applicable transactions
• SCA compliance: Stripe manages PSD2 Strong Customer Authentication requirements for EU/UK transactions
• Recurring billing authorization: explicit Customer authorization obtained at Subscription setup; recorded in account creation logs
• Refund mechanism: refunds processed via Stripe to original payment method
• Chargeback management: disputes responded to through Stripe within card network timelines
• Business type: SaaS subscription platform; card-not-present transactions only; no physical goods; no cash transactions

14. Updates to This Policy

We may update this Payment Security and Billing Policy from time to time to reflect changes in our payment infrastructure, compliance obligations, or billing practices. Material changes will be communicated to Customers via email at least fourteen (14) days before the updated Policy takes effect. Your continued use of the Service after the effective date of any change constitutes acceptance of the updated Policy.

The current version of this Policy is always available at https://www.gostify.app/.

15. Contact Us

For all billing inquiries, payment security questions, or concerns related to this Policy, please contact us:

White Town LLC

75 E 3rd St, Sheridan, WY 82801, United States

Email: info@gostify.app

Website: https://www.gostify.app/

We aim to respond to all payment and billing inquiries within three (3) business days.