Privacy Policy
Last updated: July 10, 2026 · Version 1.0
This policy explains what personal data IBANforge (see Legal Notice) processes when you use ibanforge.com and api.ibanforge.com, under the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU GDPR. The short version: IBANs you submit are validated in memory and are not stored.
1. What we process, and why
| Data | Purpose | Stored? |
|---|---|---|
| IBANs submitted to the API | Validation and enrichment (performance of the service) | No. Processed in memory, never written to storage. One exception: for invalid IBANs, at most the first 12 characters (country + bank identifier — never the account part) may be retained for data-quality diagnostics. |
| Email address (free key signup) | Issuing your key, quota notifications, service messages | Yes, while your key exists. |
| Request metadata (path, status, latency, timestamp, pseudonymised IP, user-agent, key prefix) | Abuse prevention, capacity planning, the public status page | Yes, 12 months maximum, then automatically deleted. |
| Aggregated statistics (daily counts by endpoint/country — no personal data) | Product analytics, public metrics | Yes, indefinitely (anonymous). |
| Payment data | Processing card or USDC payments | Handled by Stripe / the x402 facilitator. We never see card numbers; we store the transaction reference. |
IP addresses are pseudonymised before storage: we keep only a salted hash, never the raw address.
2. Where the data lives
The API and its databases run on Railway infrastructure in the Zurich, Switzerland region. Switzerland benefits from an EU adequacy decision, and the FADP provides equivalent protection.
3. Processors we use
| Processor | Role | Location/region |
|---|---|---|
| Railway Corp. | API hosting & storage | Region: Zurich (CH) |
| Vercel Inc. | Website hosting (no API data) | Global CDN |
| Stripe Payments Europe | Card payments | EU |
| Coinbase (CDP facilitator) | x402/USDC settlement | US |
| Infomaniak Network SA | Transactional & support email | Switzerland |
| GitHub Inc. | Public source code (no customer data) | US |
Where processors are outside Switzerland/EEA, transfers rely on adequacy decisions or standard contractual clauses maintained by the processor.
4. Retention summary
- Submitted IBANs: not stored (invalid-IBAN prefixes ≤12 characters: up to 12 months as request metadata).
- Request metadata: 12 months, purged automatically.
- Key account (email): lifetime of the key; deleted on request.
- Anonymous aggregates: kept indefinitely.
5. Your rights
Under the FADP/GDPR you can request access, rectification, deletion, restriction, or a copy of your data, and object to processing. Write to support@ibanforge.com — we answer within 30 days. Deleting your email deactivates your API key. If you are in the EU/EEA you may lodge a complaint with your supervisory authority; in Switzerland, with the FDPIC.
6. Cookies and website
The website uses no advertising trackers. The dashboard uses a session cookie strictly for authentication. Locale preference is stored client-side.
7. Changes
Material changes to this policy are announced on this page and in the changelog 30 days before they take effect.
Contact: support@ibanforge.com