Privacy Notice

Effective: 2026-05-20 · Last updated: 2026-05-20

        Short version: We never store your Binance API key or secret in plaintext on disk. We do not use cookies, analytics, or trackers. We collect only the minimum technical data needed to operate the conversion service.
    

1. Who is the controller?

[Operator legal entity placeholder — Czech s.r.o., to be filled once registered]. For privacy enquiries, contact info@bnfcrconvert.com.

2. What data we collect

Category	Field	Stored?	Retention
API credentials	Binance API key	SHA-256 hash, first 16 hex chars only	Indefinite (used to bind invoices to user)
API credentials	Binance API secret	In RAM only, max 20 minutes; never on disk	≤ 20 minutes
Invoice	invoice_id, conversion_amount, fee_amount, fee_address, fee_chain, asset, chain, status, timestamps, txid	SQLite database	Indefinite (tax evidence)
Conversion result	BNFCR spent, BNB received, error	SQLite database	Indefinite (tax evidence)
Server logs	IP address, request line, user-agent, status code	System logs	90 days
Contact form	Email, message (if/when you contact us)	Forwarded to operator inbox; no separate retention	Per operator inbox policy

3. What data we do NOT collect

Your real name, postal address, phone number, date of birth, or national ID
Your Binance account balance beyond what is needed for the conversion itself
Your bank account details, card details, or fiat payment data
Cookies, browser fingerprints, or analytics events. The site uses no tracking technologies.
Cross-site tracking. There is no integration with Google Analytics, Facebook Pixel, or similar.

4. Why we collect it (legal basis)

API key hash + invoice records: contract performance (GDPR Art. 6(1)(b)) — required to execute the conversion you requested.
Fee ledger + conversion ledger + tax fields: legal obligation (GDPR Art. 6(1)(c)) — Czech accounting and tax law requires us to retain records of fees received.
Server logs: legitimate interest (GDPR Art. 6(1)(f)) — security, abuse prevention, and incident response.
Contact form messages: legitimate interest (GDPR Art. 6(1)(f)) — responding to your enquiry.

5. Third parties

We share data with the following third parties strictly as needed to operate the Service:

Binance — your API key and secret are sent directly from your browser session through our server to Binance to execute the swap on your account. We act only as a relay; the operation occurs on your own Binance account.
Bybit — we query Bybit's deposit-history API to verify your fee payment. We send no personal data; only the deposit address, asset, chain, and timestamp window. Bybit returns deposits to our deposit address, not yours.
DigitalOcean — infrastructure provider for the server. They have access to encrypted-at-rest disk and inbound traffic logs.
Forpsi — registrar of bnfcrconvert.com and email forwarding service for support@ and info@. They process incoming email to forward to the operator's inbox.
Let's Encrypt — TLS certificate issuance for HTTPS. No personal data shared.

We do not sell data. We do not share data for advertising. We do not transfer data outside the EEA other than what is intrinsic to the public Binance / Bybit / blockchain APIs you interact with.

6. Your rights (GDPR)

Right of access (Art. 15): you can request a copy of all data we hold about you
Right to rectification (Art. 16): correction of inaccurate data
Right to erasure (Art. 17): deletion, subject to overriding legal obligations (tax records must be retained for the period required by Czech accounting law)
Right to restriction (Art. 18)
Right to data portability (Art. 20): export in a structured machine-readable format
Right to object (Art. 21): especially for processing based on legitimate interest
Right to lodge a complaint with the Czech supervisory authority (Úřad pro ochranu osobních údajů, uoou.cz)

To exercise any of these rights, contact info@bnfcrconvert.com. We will respond within 30 days.

7. Data security

HTTPS (TLS 1.2+) on all traffic via Let's Encrypt
API secrets stored only in RAM with a 20-minute TTL, never written to disk in plaintext
API keys hashed before persistence (SHA-256 truncated to 16 hex chars)
Server access restricted to operator personnel via SSH key authentication
No cookies, no localStorage, no third-party scripts

No method of transmission or storage is 100% secure. You assume the risk of any breach.

8. Children

The Service is not directed at and not available to anyone under 18 years of age. We do not knowingly collect data from anyone under 18.

9. Changes

This notice may be updated by publishing a new version at this URL. The "Last updated" date will reflect the change. Material changes will be highlighted on the homepage for at least 14 days.

10. Contact

Privacy enquiries and GDPR rights requests: info@bnfcrconvert.com

Other support: support@bnfcrconvert.com

← Back to converter