IBANforge
Mentions & contrats

Les documents contractuels sont fournis en anglais — la version anglaise fait foi.

Privacy Policy

Last updated: July 10, 2026 · Version 1.0

This policy explains what personal data IBANforge (see Legal Notice) processes when you use ibanforge.com and api.ibanforge.com, under the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU GDPR. The short version: IBANs you submit are validated in memory and are not stored.

1. What we process, and why

DataPurposeStored?
IBANs submitted to the APIValidation and enrichment (performance of the service)No. Processed in memory, never written to storage. One exception: for invalid IBANs, at most the first 12 characters (country + bank identifier — never the account part) may be retained for data-quality diagnostics.
Email address (free key signup)Issuing your key, quota notifications, service messagesYes, while your key exists.
Request metadata (path, status, latency, timestamp, pseudonymised IP, user-agent, key prefix)Abuse prevention, capacity planning, the public status pageYes, 12 months maximum, then automatically deleted.
Aggregated statistics (daily counts by endpoint/country — no personal data)Product analytics, public metricsYes, indefinitely (anonymous).
Payment dataProcessing card or USDC paymentsHandled by Stripe / the x402 facilitator. We never see card numbers; we store the transaction reference.

IP addresses are pseudonymised before storage: we keep only a salted hash, never the raw address.

2. Where the data lives

The API and its databases run on Railway infrastructure in the Zurich, Switzerland region. Switzerland benefits from an EU adequacy decision, and the FADP provides equivalent protection.

3. Processors we use

ProcessorRoleLocation/region
Railway Corp.API hosting & storageRegion: Zurich (CH)
Vercel Inc.Website hosting (no API data)Global CDN
Stripe Payments EuropeCard paymentsEU
Coinbase (CDP facilitator)x402/USDC settlementUS
Infomaniak Network SATransactional & support emailSwitzerland
GitHub Inc.Public source code (no customer data)US

Where processors are outside Switzerland/EEA, transfers rely on adequacy decisions or standard contractual clauses maintained by the processor.

4. Retention summary

  • Submitted IBANs: not stored (invalid-IBAN prefixes ≤12 characters: up to 12 months as request metadata).
  • Request metadata: 12 months, purged automatically.
  • Key account (email): lifetime of the key; deleted on request.
  • Anonymous aggregates: kept indefinitely.

5. Your rights

Under the FADP/GDPR you can request access, rectification, deletion, restriction, or a copy of your data, and object to processing. Write to support@ibanforge.com — we answer within 30 days. Deleting your email deactivates your API key. If you are in the EU/EEA you may lodge a complaint with your supervisory authority; in Switzerland, with the FDPIC.

6. Cookies and website

The website uses no advertising trackers. The dashboard uses a session cookie strictly for authentication. Locale preference is stored client-side.

7. Changes

Material changes to this policy are announced on this page and in the changelog 30 days before they take effect.

Contact: support@ibanforge.com