Your privacy matters to us. This policy explains what data we collect, why we collect it, and how we protect it. We collect the minimum necessary to operate the Service. We do not sell your data.
1. What We Collect
We collect a limited set of information necessary to process your order and deliver your card details. This includes: (a) your email address, used solely to deliver card details and order confirmations; (b) your order details, including the selected card denomination, cryptocurrency type, and the blockchain address we assign to your order; and (c) your transaction hash, which you optionally provide or which our system detects automatically on-chain.
We do not collect your name, physical address, date of birth, phone number, government-issued identification, or any biometric data. We do not require you to create an account. We do not collect payment card information — card details are generated and delivered without being stored on our systems. If you contact our support team, we may retain the contents of that correspondence.
2. How We Use It
We use the information we collect exclusively to: fulfill your card order, send order confirmation and card detail emails, verify blockchain payment, respond to support requests, and detect and prevent fraud or abuse. We do not use your data for advertising, profiling, or any purpose unrelated to the direct provision of the Service.
Email addresses are used only for transactional communications related to your order. We do not send marketing emails unless you have explicitly opted in. Even then, you may unsubscribe at any time using the link in any email we send. Opting out of marketing communications does not affect your receipt of transactional emails for active orders.
Hashed IP addresses are retained for up to 30 days for rate-limiting and abuse prevention purposes only. We hash IP addresses before storage to prevent re-identification. We do not use IP data to identify individual users or correlate orders across different sessions.
4. Third Parties
We share the minimum necessary data with third parties solely to operate the Service. Our card issuance partner network receives an order request (denomination and currency) in order to generate and return card details. Our transactional email provider receives your email address and card details to deliver the confirmation email. These providers are bound by data processing agreements and are prohibited from using your data for any purpose other than fulfilling our request.
We do not sell, rent, trade, or otherwise disclose your personal information to any third party for marketing or advertising purposes. We do not share data with data brokers, advertisers, or analytics platforms. Our infrastructure runs on cloud providers (including Vercel and AWS) under standard data processing addenda that comply with GDPR and applicable US privacy law.
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to prevent imminent harm, fraud, or illegal activity. We will notify you of such disclosure to the extent permitted by law.
5. Data Retention
We retain your email address and order details for 12 months from the date of your order. This allows us to assist with any disputes, chargebacks, or support requests during that period. After 12 months, your order records are deleted from our systems. Hashed IP addresses are deleted after 30 days. Support correspondence is retained for 24 months and then deleted.
Blockchain transaction data is public and permanently recorded on the blockchain. We have no ability to delete or modify on-chain records. However, the blockchain record consists only of wallet addresses and amounts — it does not include your email address or any other personal information that we collect.
You may request deletion of your personal data at any time by contacting us at privacy@buydebitcards.com. We will process deletion requests within 14 business days, subject to any legal obligations that require us to retain certain records. We will confirm deletion in writing upon completion.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data: the right to access a copy of the data we hold about you; the right to correct inaccurate data; the right to request deletion of your data; the right to restrict or object to processing; and, where applicable, the right to data portability. Residents of the European Economic Area have these rights under the GDPR. California residents have similar rights under the CCPA/CPRA.
To exercise any of these rights, email us at privacy@buydebitcards.com with the subject line "Privacy Request" and include your order ID (if applicable) and the email address used for your order. We will respond within 30 days. We may need to verify your identity before processing your request. We will not discriminate against you for exercising any of these rights.
If you believe your data has been handled improperly, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction. For EEA residents, this is your national data protection authority. We encourage you to contact us first so we can attempt to resolve any concern directly.
7. Contact
For any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact our privacy team. We are committed to resolving privacy concerns promptly and transparently.
Our response time target is 2 business days for general enquiries and 14 business days for formal data subject access requests. We do not have a physical mailing address for privacy requests at this time. All requests must be submitted by email to ensure proper tracking and response.
This Privacy Policy is incorporated into and subject to our Terms of Service. In the event of any conflict between this Policy and the Terms, the Terms shall govern.
See also our Security page for technical details on how we protect your data in transit and at rest.