Privacy Policy

Effective date: June 11, 2026
Version: 1.0

This Privacy Policy explains how BillionCore collects, uses, discloses, and protects personal data when you access or use our BIN Lookup API platform and related services (the Service). It applies to all visitors, registered users, and business customers. This Policy is compliant with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the UK GDPR, and other applicable global privacy laws.

01 Overview

BillionCore operates a B2B API service that enables businesses to look up Bank Identification Number (BIN) data for payment processing, fraud prevention, and routing purposes. In the course of providing the Service, we process limited personal data about our customers — primarily contact and billing information.

We do not sell personal data. We do not use personal data for advertising. We do not process the payment card numbers or cardholder data that our customers submit as BIN queries — those are processed only as numerical prefixes with no personal information attached.

BillionCore is a processor of BIN prefixes, not cardholder data. The API accepts only the first 6–8 digits of a card number (the BIN/IIN). These digits do not constitute personal data under GDPR, CCPA, or PCI DSS.

02 Data Controller

For the purposes of the GDPR and UK GDPR, BillionCore acts as the data controller for personal data collected from registered users and prospective customers. For personal data processed as part of API usage logs relating to our customers' end users, BillionCore acts as a data processor on behalf of the customer as data controller.

Service name: BillionCore BIN Lookup API
Website: billioncore.tech
Data controller email: [email protected]
Privacy enquiries: [email protected]

03 Data We Collect

3.1 Account & Registration Data

When you create an account, we collect:

  • Full name and email address
  • Password (stored as a bcrypt hash — never in plaintext)
  • Company name and registration number (where provided for billing and VAT purposes)
  • Country and timezone (inferred from account settings)

3.2 Billing & Payment Data

Payment transactions are processed by our payment processor, Paddle. BillionCore does not store full credit card numbers, CVV codes, or bank account details. We receive and store:

  • Billing address and country
  • Invoice history and transaction IDs
  • Payment method type (e.g., card ending in ••••1234) as provided by Paddle
  • VAT / Tax ID where provided

3.3 API Usage Data

When you use the API, we automatically collect:

  • BIN prefixes submitted (6–8 digits only — not personal data)
  • Timestamps, HTTP status codes, and response times
  • API key identifier (not the key itself after hashing)
  • IP address of the originating request
  • Request volume and usage counters for billing

3.4 Technical & Log Data

When you visit our website or dashboard, we may collect:

  • Browser type and version, operating system
  • Pages visited, referrer URL, time on page
  • IP address (used for security and fraud prevention, not for persistent profiling)
  • Session tokens and authentication state

3.5 Communications Data

If you contact us by email or through a support form, we retain the content of that communication and your contact details for the purpose of responding to your enquiry and maintaining support records.

3.6 Data You Do Not Submit

You must not submit full Primary Account Numbers (PANs), cardholder names, CVV/CVC codes, PIN numbers, social security numbers, national ID numbers, or any other sensitive personal data to the BillionCore API. The API is designed to accept BIN prefixes only.

04 How We Use Your Data

  • Service delivery: provisioning and managing your account, authenticating API requests, and returning BIN lookup results.
  • Billing & invoicing: calculating usage charges, issuing invoices, processing payments through Paddle, and handling tax obligations.
  • Security & fraud prevention: detecting and preventing abuse, unauthorised access, and violations of our Terms of Service.
  • Transactional communications: sending receipts, service status notifications, billing alerts, and essential account communications. These cannot be opted out of while you hold an account.
  • Product improvements: analysing aggregated, anonymised usage patterns to improve API performance, add features, and fix issues.
  • Legal compliance: meeting obligations under applicable laws and regulations, responding to lawful government or court orders.
  • Support: responding to your queries, troubleshooting issues, and improving customer experience.

We do not use your personal data for targeted advertising, behavioural profiling, or any form of automated decision-making that produces legal or similarly significant effects.

06 Data Sharing & Sub-processors

We do not sell, rent, or trade your personal data. We share data only with the following categories of recipients:

6.1 Payment Processor

Paddle.com Market Limited acts as our Merchant of Record and processes all payment transactions on our behalf. Paddle is the data controller for cardholder data. Their privacy policy is available at paddle.com/legal/privacy.

6.2 Email Service Provider

Resend, Inc. is used to deliver transactional emails (welcome, invoices, alerts). We share your email address and name solely for this purpose. Resend processes data under a Data Processing Agreement with BillionCore.

6.3 Infrastructure Providers

Our servers are hosted on DigitalOcean. Server-level logs may contain IP addresses and request metadata. DigitalOcean is certified under applicable security frameworks and provides appropriate technical and organisational safeguards.

6.4 Legal & Regulatory Disclosures

We may disclose personal data if required by law, court order, governmental authority, or to protect our legal rights, prevent fraud, or ensure the safety of our users or the public.

6.5 Business Transfers

In the event of a merger, acquisition, or sale of substantially all of our assets, personal data may be transferred as part of that transaction. We will notify you via email or dashboard notice before your data becomes subject to a different privacy policy.

07 International Data Transfers

BillionCore and its sub-processors may process your data in countries outside your own, including the United States. When transferring personal data from the EEA, UK, or Switzerland to countries not recognised as providing adequate data protection, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • The UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom;
  • Adequacy decisions where applicable (e.g., EU–US Data Privacy Framework where the recipient is certified).

You may request a copy of the applicable transfer safeguards by contacting us at [email protected].

08 Data Retention

Account data: Retained for the duration of your account, plus 60 days after closure.
API request logs: 90 days, then automatically deleted.
Billing records & invoices: 7 years (required by tax law in most jurisdictions).
Support communications: 3 years from the date of last contact.
Security logs: Up to 12 months for fraud detection purposes.

After the applicable retention period, data is securely deleted or anonymised. We may retain data for longer periods where required by applicable law or where necessary to resolve disputes or enforce our agreements.

09 Your Privacy Rights

9.1 Rights Under GDPR / UK GDPR (EEA & UK Residents)

You have the following rights regarding your personal data:

  • Right of access: obtain a copy of the personal data we hold about you (Art. 15 GDPR).
  • Right to rectification: correct inaccurate or incomplete data (Art. 16 GDPR).
  • Right to erasure: request deletion of your data where there is no legitimate legal ground for continued processing ("right to be forgotten", Art. 17 GDPR).
  • Right to restriction: restrict our processing of your data in certain circumstances (Art. 18 GDPR).
  • Right to data portability: receive your data in a structured, machine-readable format (Art. 20 GDPR).
  • Right to object: object to processing based on legitimate interests or for direct marketing (Art. 21 GDPR).
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: file a complaint with your local supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the ICO at ico.org.uk.

9.2 Rights Under CCPA / CPRA (California Residents)

California residents have the right to:

  • Know what personal information we collect, use, disclose, and sell (we do not sell).
  • Delete personal information we have collected, subject to certain exceptions.
  • Correct inaccurate personal information we hold about you.
  • Opt out of sale or sharing of personal information — we do not sell or share personal information for cross-context behavioural advertising.
  • Non-discrimination for exercising your CCPA rights.

To exercise any of these rights, please email [email protected] with the subject line "Privacy Rights Request". We will respond within 30 days (GDPR) or 45 days (CCPA). We may verify your identity before processing your request.

10 Cookies & Tracking Technologies

We use a minimal set of cookies strictly necessary to operate the Service. We do not use advertising trackers, third-party analytics with cross-site tracking, or fingerprinting technologies.

Authentication cookie: Stores your session token. Deleted when you log out. Required for Service operation.
CSRF token: Prevents cross-site request forgery. Session-scoped. Required for security.
Preference cookies: Remembers UI preferences (e.g., theme). Expires after 1 year.

We do not use Google Analytics, Meta Pixel, or similar third-party tracking scripts. Our analytics (if any) are aggregated and server-side only.

Where required by law (e.g., ePrivacy Directive in the EU), non-essential cookies will only be set with your consent.

11 Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction, including:

  • Encryption in transit (TLS 1.2+) for all API and dashboard traffic
  • Passwords stored as bcrypt hashes with cost factor ≥ 12
  • API keys hashed before storage; never logged in plaintext
  • Principle of least privilege applied to all internal system access
  • Regular security reviews and dependency audits

No method of transmission over the Internet or electronic storage is 100% secure. If you become aware of a security vulnerability or suspect unauthorised access to your account, please contact us immediately at [email protected].

12 Children's Privacy

The Service is not directed at children under 18 years of age, and we do not knowingly collect personal data from anyone under 18. If you believe that a child has provided us with personal data, please contact us at [email protected] and we will delete such data promptly.

13 Third-Party Links & Services

Our website and documentation may contain links to third-party websites or services (e.g., payment processor, documentation platforms). This Privacy Policy does not apply to those sites. We are not responsible for the privacy practices of third parties and encourage you to review their privacy policies before submitting any personal data to them.

14 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes, we will:

  • Update the effective date at the top of this page;
  • Notify registered users by email at least 14 days before the change takes effect;
  • Display a prominent notice in your dashboard.

Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes. If you do not agree to the updated Policy, you must stop using the Service and close your account before the effective date.

15 Contact & Data Protection Officer

For any questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact us:

Privacy requests: [email protected]
Legal & compliance: [email protected]
Security issues: [email protected]
General support: [email protected]

We will respond to all privacy-related requests within 30 calendar days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

Last updated: June 11, 2026. This Policy supersedes all prior versions. Previous versions are available upon request at [email protected].