Legal & Compliance
Regulatory & AI Transparency
How PayCanary operates within regulatory frameworks and how we use artificial intelligence responsibly.
FCA exempt
Information service — Article 36 RAO
EU AI Act compliant
Limited risk — Article 50 transparency
UK GDPR compliant
Right to deletion · DPA 2018
Regulatory overview
What PayCanary is
PayCanary is a Stripe risk intelligence platform that monitors payment metrics, calculates risk scores, and provides advisory guidance to help merchants protect their accounts. We are an information service.
What PayCanary is not
PayCanary is not a financial adviser, credit rating agency, debt counsellor, insurance broker, or payment service provider. We do not manage, hold, or move money. We do not make decisions on behalf of Stripe or any financial institution.
FCA regulatory status
Exemption basis
PayCanary operates as an information service under Article 36 of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001. Our service falls outside the FCA's regulatory perimeter because we do not provide regulated financial advice, arrange deals in investments, manage client money, or act as an intermediary between customers and financial institutions.
What this means in practice
Risk scores, freeze probability estimates, and crisis action plans are informational tools — not financial advice. They are designed to help you make informed decisions about your own business. You should consult qualified legal and financial professionals before acting on any guidance provided by PayCanary.
No regulated relationship
Using PayCanary does not create a regulated advisory relationship under the Financial Services and Markets Act 2000. We have no obligation to assess your suitability for any financial product, and we do not owe you a duty of care in the regulatory sense.
EU AI Act compliance
Risk classification
PayCanary has been assessed as a LIMITED RISK AI system under the EU AI Act. We are not classified as high-risk under Annex III because our AI analyses business payment accounts — not natural persons' creditworthiness. Our system does not determine access to credit, insurance, or essential services.
Article 50 transparency
As a limited-risk system, our sole obligation is transparency under Article 50. We satisfy this through: AI self-identification in conversational interfaces, clear labelling of all AI-generated outputs, machine-readable content marking, and comprehensive disclosure in our Terms of Service.
AI transparency
How we use AI
PayCanary uses AI agents powered by Anthropic's Claude to provide risk monitoring, pattern analysis, crisis intake conversations, action plan generation, Stripe communication drafting, and Radar configuration audits. The deterministic risk score formula does not use AI — it is a transparent, reproducible calculation.
Oversight and quality controls
Crisis action plans and Stripe communications require merchant approval before sending. Risk scores use a deterministic formula, not probabilistic models. High-value cases (frozen amounts exceeding $50,000) receive additional review. PayCanary maintains the ability to intervene, modify, or override any automated output at any time.
AI-generated content labelling
All AI-generated outputs in the PayCanary dashboard and crisis response interface are labelled with "AI analysis" and a timestamp. Machine-readable data-ai-generated attributes are present on all AI output containers for automated compliance verification.
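An automated compliance check of the kind this labelling is meant to enable, written as an added example (not PayCanary's own code): it parses a page fragment, collects every element carrying the data-ai-generated attribute, and reports any container that lacks the visible "AI analysis" label or a parseable timestamp. It assumes the attribute value is "true" and that the timestamp is stored in a data-timestamp attribute as ISO-8601; neither detail is stated on the page.

```python
from datetime import datetime
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags that never close


class AIOutputAuditor(HTMLParser):
    """Collects every element carrying data-ai-generated, with its attributes and inner text."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.open = []        # containers still being read
        self.containers = []  # finished containers

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        self.depth += 1
        attrs = dict(attrs)
        if "data-ai-generated" in attrs:
            self.open.append({"attrs": attrs, "text": [], "depth": self.depth})

    def handle_data(self, data):
        for c in self.open:  # nested containers each receive the text
            c["text"].append(data)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.open and self.open[-1]["depth"] == self.depth:
            self.containers.append(self.open.pop())
        self.depth -= 1


def audit(html):
    """Return (problem, text) findings for each marked container; [] means compliant."""
    parser = AIOutputAuditor()
    parser.feed(html)
    findings = []
    for c in parser.containers:
        text = " ".join(" ".join(c["text"]).split())
        if c["attrs"].get("data-ai-generated") != "true":  # assumed value convention
            findings.append(("data-ai-generated is not 'true'", text))
        if "AI analysis" not in text:
            findings.append(("visible 'AI analysis' label missing", text))
        try:
            datetime.fromisoformat(c["attrs"].get("data-timestamp"))  # assumed attribute name
        except (TypeError, ValueError):
            findings.append(("data-timestamp missing or not ISO-8601", text))
    return findings


# Constructed sample: one compliant card, one marked but unlabelled, one non-AI card.
SAMPLE_HTML = """
<div class="card" data-ai-generated="true" data-timestamp="2024-05-01T09:30:00+00:00">
  <span class="badge">AI analysis</span><p>Dispute rate rose from 0.4% to 0.9% in 14 days.</p>
</div>
<div class="card" data-ai-generated="true"><p>Freeze probability estimate: 12%.</p></div>
<div class="card"><p>Risk score: 42 (deterministic formula, no AI label required).</p></div>
"""

if __name__ == "__main__":
    for problem, text in audit(SAMPLE_HTML):
        print(f"{problem}: {text[:60]}")
```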
Data handling
AI agents process your data solely to provide the PayCanary service. Your data is not used to train AI models. Conversations with AI agents are logged for quality assurance and audit purposes. All data is subject to our Privacy Policy and UK GDPR protections including your right to deletion.
Technical safeguards
| Safeguard | Description |
|---|---|
| Deterministic core | Risk score formula is fully transparent and reproducible. No AI black box for the core metric. |
| Confidence thresholds | AI outputs below confidence floor are flagged for manual review before delivery. |
| Prompt injection defence | Input sanitisation on all user-facing AI interactions prevents manipulation. |
| Hallucination prevention | Agents constrained to structured outputs with source data references. |
| Audit trail | All AI decisions logged with inputs, outputs, and reasoning for accountability. |
| Tenant isolation | Strict user-level data isolation. No cross-tenant data access. |
| Cost controls | Circuit breaker pattern prevents runaway API usage. |
| Graceful degradation | System falls back to deterministic scoring if AI agents are unavailable. |
Stripe relationship
PayCanary is not affiliated with, endorsed by, or approved by Stripe, Inc. We are an independent third-party service. Stripe is a registered trademark of Stripe, Inc. Our monitoring relies on data you provide or authorise via Stripe Connect (read-only OAuth). We never create charges, modify settings, or move funds on your Stripe account.
Questions
If you have questions about our regulatory status, AI practices, or data handling, contact us at legal@paycanary.io.