Compliance boundaries

Operational boundaries that let apps use ATM without becoming payment processors or exposing private customer data.

Closed beta | @atmosphere-money/app-node | SDK beta: 0.0.0-beta.0 | ATM API beta: 2026-06 | 42 lexicons

Compatible with the closed-beta ATM app APIs and versioned ATM event headers. Check atm-api-version on every webhook or XRPC receiver event.

Processor responsibilities

ATM uses Stripe Connect for launch payment processing. Apps should not create processor sessions directly, collect KYC, hold connected account ids, or recreate ATM's processor state. ATM owns checkout and processor coordination.

Stripe launch rail | Future rails private

App payment visibility

Apps can receive app-scoped payment and fee data for payments they originated. They must not receive broad creator dashboard access, KYC data, bank details, processor account ids, or payments from other apps.

Apps may see: App order ids, payment ids, amount, currency, app fee, buyer/contact fields needed for app fulfillment, webhook status, and module-specific status.

Apps must not see: Connected-account ids, bank accounts, KYC requirements, full creator payouts, creator tax docs, or unrelated payments.

Creator controls

Creator and organizer dashboards own connected-account management, payout setup, payouts, disputes, tax surfaces, and account requirements. App dashboards may deep-link or summarize app-specific payment context, but should not expose creator financial controls.

Customer data

  • Collect buyer email only when needed for receipts, subscription management, or fulfillment.
  • Keep shipping, attendee answers, phone numbers, and buyer messages private.
  • Do not write customer PII into AT Protocol records.
  • Scope app access to the app-originated payment/order context.
  • Use retention jobs for private high-volume logs and checkout session data.
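
One way to enforce the scoping and "no PII in AT Protocol records" rules above before a record is written, as an added example that is not ATM or SDK code. The field names, the app id and the PII patterns are assumptions chosen for illustration, not ATM lexicon names.

```javascript
// Added example. Field names are hypothetical, not ATM lexicon or SDK names.
// Deny by default: only these keys may be copied into a public record.
const PUBLIC_FIELDS = ["orderId", "paymentId", "amount", "currency", "appFee", "moduleStatus"];

// Heuristic patterns; tune them so your own id formats do not trip the phone check.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/;

// Walk any nested value and return the path of the first string that looks like PII.
function findPii(value, path = "$") {
  if (typeof value === "string") {
    return EMAIL_RE.test(value) || PHONE_RE.test(value) ? path : null;
  }
  if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const hit = findPii(child, `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Build the object that may be written to a public record, failing closed.
function toPublicRecord(event, ownAppId) {
  if (event.appId !== ownAppId) {
    throw new Error("event was not originated by this app");
  }
  const record = {};
  for (const field of PUBLIC_FIELDS) {
    if (Object.hasOwn(event, field)) record[field] = event[field];
  }
  // Catch PII smuggled into an allowed free-form field such as moduleStatus.
  const hit = findPii(record);
  if (hit) throw new Error(`possible PII at ${hit}`);
  return record;
}

// Constructed sample event (not real ATM output).
const sampleEvent = {
  appId: "app_example",
  orderId: "ord_001",
  paymentId: "pay_001",
  amount: 1500,
  currency: "usd",
  appFee: 75,
  moduleStatus: { ticket: "issued" },
  buyerEmail: "buyer@example.com",
  shipping: { line1: "1 Example St" },
};
```

Private fields such as `buyerEmail` and `shipping` stay in the app's own private store with a retention policy; only the return value of `toPublicRecord` goes to a public record.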

Stablecoin readiness

Stablecoin or atcash rails should fit behind the same broker/app contracts. Wallet addresses, Bridge/Privy ids, stablecoin routing, and settlement instructions stay private unless a future protocol spec explicitly requires public fields.

Support operations

Support tooling should let operators inspect app id, payment id, processor health, proof slots, webhook delivery, and account link health without exposing more personal data than the support case requires.