Privacy Policy
Last updated: June 11, 2026
VerifyBTC ("we," "our," or "us") is operated by Digital Macchiato LLC, a Wyoming limited liability company. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Bitcoin ownership verification service at verifybitcoin.io (the "Service"). Please read this policy carefully.
Important: We never collect, store, process, or have access to your Bitcoin private keys, seed phrases, or wallet passwords. Our verification process uses only cryptographic message signatures, which do not expose or transmit private keys. Your funds remain completely under your control at all times.
1. Information We Collect
Account Information
When you create an account, we collect your email address and password (stored only as an Argon2id hash). You may optionally provide your name. If you use team features, we also store organization membership, roles, invitations, and related account settings.
Verification Data
When you create or complete a verification, we collect Bitcoin addresses, claimed amounts, challenge messages, cryptographic signatures, verification status, timestamps, balance snapshots, optional customer email, optional notes or case context, report hashes, and report storage references. This data is essential for providing our core service and audit reports. Note that any case context you provide is embedded in the cryptographic challenge message and is visible to anyone who has the verification link, so it should never contain personal data.
Usage Data
We automatically collect information about how you interact with our Service, including IP addresses, browser type and user-agent string, operating system, pages visited, request metadata, API usage counters, audit events, and timestamps. IP addresses and browser metadata are used solely for security monitoring, abuse prevention, and quota enforcement, and are deleted together with usage logs after 90 days.
Payment Information
We do not directly collect or store your payment card details. All payment processing is handled by Stripe, our PCI DSS compliant payment processor. We only receive confirmation of payment status, customer references, subscription references, and subscription details needed to manage your plan.
API and Webhook Information
If you create API keys, we store key names, status, rate limits, usage timestamps, and a hash of the API key. The raw API key is only shown when it is created or rotated. If you configure webhooks, we store the endpoint URL, selected events, signing secret, delivery history, and related timestamps.
2. How We Use Your Information
We use the information we collect for the following purposes:
Provide, maintain, and improve our Bitcoin verification services
Process transactions and send related notifications
Send verification status updates and service communications
Respond to your comments, questions, and support requests
Monitor and analyze usage trends to improve user experience
Detect, prevent, and address fraud, abuse, and security issues
Comply with legal obligations and enforce our terms of service
3. Third-Party Services
We use the following third-party services to operate our platform:
Stripe (Payment Processing)
We use Stripe to process payments securely. Stripe is PCI DSS Level 1 compliant, the highest level of certification. When you make a payment, your card details are transmitted directly to Stripe and are never stored on our servers. For more information, see Stripe's Privacy Policy.
SendGrid (Email Delivery)
We use SendGrid to send transactional emails such as verification notifications, password resets, and account updates. SendGrid receives your email address to deliver these messages. For more information, see Twilio's Privacy Policy (SendGrid's parent company).
OAuth Sign-In Providers (Optional)
If you choose to sign in with a social account, we use the OAuth services of Google, Apple, Microsoft, or GitHub. The provider shares your account identifier, email address, name, and profile picture with us, and learns that you are signing in to VerifyBTC. We never receive your provider password. These services are only used when you explicitly choose social sign-in. See Google, Apple, Microsoft, and GitHub privacy policies for details.
Sentry (Error Diagnostics, Optional)
We may use Sentry to collect application error reports so we can diagnose and fix problems. When enabled, error reports can include your account identifier and email address along with technical details about the error. Sentry data is used exclusively for debugging — never for marketing or advertising. For more information, see Sentry's Privacy Policy.
4. Data Retention
We retain your information for as long as necessary to provide our services and fulfill the purposes described in this policy:
Account data: Retained until you delete your account
Verification records and reports: Retained while your account is active and permanently deleted when you delete your account. Reports you have shared or downloaded before deletion remain valid but are no longer retrievable from us.
Usage logs: Retained for 90 days for security and analytics, then automatically deleted (including IP addresses and browser metadata)
Payment records: Retained for 7 years as required by tax and accounting laws
5. Your Rights
For All Users
You have the right to access, correct, or delete your personal information. You can do this through your account settings or by contacting us at legal@verifybitcoin.io. You can also download a complete machine-readable export of your account data at any time from your account settings.
For European Economic Area (EEA) and UK Residents (GDPR)
Under the General Data Protection Regulation, you have additional rights:
Right of Access: Request a copy of your personal data
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Portability: Receive your data in a structured, machine-readable format
Right to Restrict Processing: Limit how we use your data
Right to Object: Object to processing based on legitimate interests
To exercise these rights, contact us at legal@verifybitcoin.io. We will respond within 30 days.
For California Residents (CCPA)
Under the California Consumer Privacy Act, you have the right to:
Right to Know: Request disclosure of what personal information we collect and how we use it
Right to Delete: Request deletion of your personal information
Right to Non-Discrimination: We will not discriminate against you for exercising your rights
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
7. International Data Transfers
Your information may be transferred to and processed in the United States, where our servers are located. For transfers from the EEA or UK, we rely on Standard Contractual Clauses approved by the European Commission. By using our Service, you consent to the transfer of your information to the United States.
8. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at legal@verifybitcoin.io.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
Passwords are hashed using Argon2id with a unique random salt
Production traffic is encrypted in transit over HTTPS/TLS
Selected sensitive fields, including Bitcoin addresses and 2FA secrets, are encrypted at the application layer using AES-256-GCM
API keys and 2FA backup codes are stored as hashes, not as recoverable plaintext secrets
Generated reports are stored in private object storage and served through authenticated VerifyBTC download endpoints
Two-factor authentication (2FA) is available for all accounts
Account lockout after failed login attempts to prevent brute-force attacks
Security and admin audit logging for sensitive account and platform actions
While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Digital Macchiato LLC
Email: legal@verifybitcoin.io
We will respond to all requests within 30 days.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.