Privacy Policy

BounceCredits (MiCA-Aligned Version)

Last updated: Mar 26, 2026

1. Introduction

BounceCredits ("BounceCredits", "we", "us", or "our") is committed to protecting your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and relevant provisions under the Markets in Crypto-Assets Regulation (EU) 2023/1114 ("MiCA"), where applicable.

BounceCredits operates a closed-loop digital credit system.

Bounce Credits:

  • are not fiat currency,
  • are not electronic money (e-money) within the meaning of Directive 2009/110/EC,
  • are not asset-referenced tokens or e-money tokens under MiCA,
  • do not represent a claim against BounceCredits for redemption in fiat,
  • are non-transferable, non-refundable, and usable only within the BounceCredits ecosystem.

2. Data Controller

BounceCredits

[Legal Entity Name]

[Registered Address]

Email: [contact email]

BounceCredits acts as the data controller for personal data processed via the Service.

3. Nature of the Service (Regulatory Context)

BounceCredits:

  • does not provide payment services under PSD2
  • does not issue e-money
  • does not custody or safeguard client funds
  • does not operate as a crypto-asset service provider (CASP) under MiCA

All fiat-related transactions are handled exclusively by licensed third-party providers.

BounceCredits only records:

  • issuance of prepaid digital usage rights (Bounce Credits)
  • redemption of such credits within partner services

4. Data We Collect

4.1 Identification Data

  • Email address
  • Account identifiers
  • Optional profile data (if provided)

4.2 Authentication & Security Data

  • Password hashes
  • OTP verification data
  • WebAuthn credentials
  • Security events and audit logs

4.3 Transactional Data (Credits Only)

  • Credit purchases (amount, timestamp, status)
  • Credit redemptions
  • Internal ledger records
  • NFT voucher lifecycle (mint/burn references, where applicable)

4.4 Technical Data

  • IP address
  • Device/browser metadata
  • Session data
  • Access logs

4.5 Fiat Transaction Metadata

From third-party providers we may receive:

  • Transaction status (success/failure)
  • Reference identifiers
  • Credit allocation confirmation

We never receive or store:

  • bank card details
  • bank account information
  • fiat balances

5. Purpose of Processing

We process personal data strictly for:

5.1 Service Provision

  • Account creation and authentication
  • Issuance and management of Bounce Credits
  • Processing purchase confirmations from payment service providers (PSPs)
  • Enabling redemption with merchants

5.2 Ledger Integrity & Auditability

  • Maintaining accurate off-chain ledger records
  • Verifying on-chain mint/burn events (if applicable)
  • Ensuring consistency between systems

5.3 Security & Risk Management

  • Fraud detection
  • Abuse prevention
  • System monitoring
  • Enforcement of transaction integrity

5.4 Legal & Regulatory Compliance

  • Compliance with GDPR and applicable EU frameworks
  • Responding to regulatory or law enforcement requests

5.5 Communication

  • Transaction confirmations
  • Security alerts
  • Support interactions

6. Legal Basis (GDPR)

We rely on:

  • Contract performance (Art. 6(1)(b))
  • Legal obligation (Art. 6(1)(c))
  • Legitimate interests (Art. 6(1)(f)) — including:
    • fraud prevention
    • system security
    • service improvement
  • Consent (Art. 6(1)(a)) where required

7. Data Sharing and Roles

7.1 Payment Service Providers (PSPs)

Fiat transactions are processed by licensed PSPs acting as independent data controllers.

BounceCredits:

  • does not access or control payment credentials
  • does not participate in settlement or custody of funds

7.2 Merchants (Partners)

Merchants:

  • operate as independent controllers for their own services
  • receive only minimal transaction data, such as:
    • order reference
    • transaction status

They do not receive access to:

  • user balances
  • account credentials
  • full identity data

7.3 Infrastructure Providers

We use vetted providers for:

  • hosting
  • authentication
  • communication

All providers are bound by data processing agreements (DPAs).

7.4 Authorities

We may disclose data where required by:

  • EU law
  • national law
  • regulatory authorities

8. Data Retention

We retain data in accordance with:

  • GDPR principles (data minimization & storage limitation)
  • audit and compliance requirements

Typical retention:

  • Account data: until deletion request or inactivity threshold
  • Transaction records: retained for audit/legal purposes
  • Security logs: retained proportionally to risk

9. Data Security

We implement:

  • Encryption in transit (TLS)
  • Secure credential storage (hashed & salted)
  • Strong authentication (OTP, WebAuthn)
  • Role-based access controls
  • Audit logs for sensitive actions
  • API protections (HMAC, nonce, idempotency keys)

10. Your Rights

Under GDPR, you may:

  • Access your data
  • Rectify inaccuracies
  • Request erasure
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent

Contact: [email]