1. Who is the controller?
BchainPay, Inc. is the data controller for personal data of merchants and visitors to our website. For payment data we process on behalf of merchants, BchainPay acts as the data processor and the merchant is the controller. See our Data Processing Addendum for those terms.
2. What we collect
- Account data: name, email, hashed password, organization name, role, sign-in timestamps and IP.
- API usage: request paths, status codes, latency, IPs, idempotency keys and request IDs (no request bodies are retained beyond debugging windows).
- On-chain data you submit: withdrawal addresses, chain identifiers, requested amounts. This data is, by nature, public on the relevant blockchains once a transaction is submitted.
- KYC / compliance data (when production access is enabled): legal name, DOB, address, government ID images, beneficial ownership information, and screening results.
- Communications: support emails and messages you send us.
- Cookies: see our Cookie Policy. We do not use marketing or cross-site tracking cookies.
3. Why we use it
- To provide, secure and improve the Services;
- To authenticate users and prevent fraud, abuse and AML/CTF risks;
- To meet legal, tax and accounting obligations;
- To respond to support requests and send service-related notices;
- With your opt-in, to send product updates.
4. Legal bases (EEA / UK)
- Contract — to deliver the Services you signed up for;
- Legal obligation — for AML/CTF, tax and accounting;
- Legitimate interests — for security, fraud prevention and product improvement;
- Consent — for optional marketing emails (you can withdraw at any time).
5. Sub-processors
We rely on a small number of vetted sub-processors to operate the Services. The current list is maintained in our Data Processing Addendum and includes infrastructure, database, email and observability providers. We give merchants advance notice of new sub-processors via email and the website.
6. International transfers
Some sub-processors are located outside your country. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
7. Retention
- Account data: while your account is active, plus 12 months;
- Audit logs and security events: up to 24 months;
- KYC / compliance records: as required by law (typically 5 years after account closure);
- On-chain transaction data: indefinitely (it lives on public chains).
8. Your rights
Subject to applicable law (including the GDPR and CCPA), you have the right to access, correct, delete or port your personal data, to object to or restrict processing, and to withdraw consent. To exercise these rights, email privacy@bchainpay.com. You also have the right to lodge a complaint with your local data protection authority.
9. Security
We use industry-standard technical and organizational measures including TLS in transit, AES-256 encryption at rest, hardware-backed key custody, role-based access, signed webhooks (HMAC-SHA256), and comprehensive audit logging. No system is perfectly secure; please report vulnerabilities to security@bchainpay.com.
10. Children
The Services are not directed at individuals under 18 and we do not knowingly collect personal data from them.
11. Changes
We may update this Policy and will post the updated version with a new “Effective” date. We will notify you of material changes by email.
12. Contact
Email privacy@bchainpay.com for any privacy question or to exercise your rights.
This document is provided as a template starting point and is not legal advice. Engage qualified counsel before relying on it for a live business.