Privacy Policy
Last updated: 2026-05-06
Bank28, a non-custodial crypto-banking application, is operated by Bank28 Ltd. (BVI BC). We've designed Bank28 so that as little of your personal information as possible leaves your device. This policy explains what we collect, why, and what we don't.
This document is a draft. Final language is being reviewed by counsel before public launch. Do not rely on this version for legal advice.
The short version
- Your seed phrase never leaves your device. We literally cannot see it.
- Card and KYC data is processed by regulated partners (DECTA, Didit) under EU GDPR.
- We do not sell your data. Ever. To anyone.
- You can delete your account in-app at any time.
1. Data we collect
Account information
- Email address (required for account recovery + receipts).
- Phone number (optional, for 2FA).
- Display name (optional).
- Profile picture (optional, stored on your device).
KYC / identity (only if you order a card or use fiat rails)
- Government-issued ID image, selfie, date of birth, address — collected and processed by our KYC provider Didit (Cyprus).
- Bank28 receives only a verification result (pass/fail/tier), not your raw documents.
Device + technical data
- Device model, OS version, app version (for crash reporting via Sentry).
- Anonymous usage analytics — opt-in only, no third-party trackers.
- IP address (logged for security but not retained beyond 30 days).
What we never collect
- Your seed phrase, private keys, or wallet passwords.
- Browsing history outside Bank28.
- Contacts (we ask for permission only when you choose to send to a contact).
- Camera or photo library content (used only when you actively scan or upload).
2. How we use your data
- To run the service: deliver transactions, settle card spending, process deposits and withdrawals.
- To meet legal duties: KYC under MiCA / 5AMLD, Travel Rule transmittals (via Notabene) for crypto transfers above regulatory thresholds.
- To keep you safe: detect fraud, freeze suspicious sessions.
- To improve the app: anonymous, aggregated usage analytics — opt-in only.
3. Who we share with
We share data only with the partners required to operate Bank28, under signed Data Processing Agreements:
- DECTA Cyprus / TWISPAY — card issuance partner.
- Didit — KYC / identity verification.
- Confirmo / Coinmate — on-ramp and off-ramp.
- Notabene — Travel Rule compliance.
- Sentry — crash reporting.
- Hetzner — backend hosting (EU data centers).
We do not sell, rent, or trade your personal data.
4. Where your data lives
All Bank28-controlled data is stored in the European Union, on Hetzner servers in Falkenstein and Helsinki. Some processors operate from other EU/EEA jurisdictions (Cyprus, Czech Republic, Estonia). We do not transfer your data outside the EEA without an adequate transfer mechanism.
5. Your rights (GDPR)
If you're in the EU/EEA, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data (subject to AML record-keeping obligations, which may require us to retain transaction records for up to 5 years).
- Export your data in a portable format.
- Object to or restrict certain processing.
- Lodge a complaint with your local data protection authority.
To exercise these rights, email [email protected] or use the in-app account-deletion flow under Settings → Help → Delete account.
6. Cookies + tracking
bank28.app uses essential cookies only — no third-party advertising trackers, no Google Analytics. The Bank28 app does not use the IDFA (Apple Tracking Transparency) and does not track you across other apps or websites.
7. Children
Bank28 is not intended for users under 18. A separate Bank28 Junior product is in development for ages 6+ but ships with parental-consent flows and stricter data minimization.
8. Changes
We'll notify you in the app at least 30 days before any material change to this policy. Where required, we will ask EU users to re-consent to material changes that affect them.
9. Contact
Data Controller: Bank28 Ltd., BVI.
Privacy contact: [email protected]
Support: [email protected]
Questions? Contact [email protected] or visit our support page.