Privacy Policy

Last updated: February 1, 2026

Bank of Bali is built on a privacy-first foundation. We collect the absolute minimum data needed to operate, and never sell, rent, or share your data with advertisers.

1. What we collect

Account data: email address (for login + password reset), display name, language preference, theme preference, hashed password (bcrypt), 2FA secret if enabled.

Wallet data: public Monero addresses, encrypted wallet files. We never store your seed phrase or private keys in any human-readable form.

Transaction metadata: swap and on-ramp records (asset, amount, timestamp, status). These are required to show your history and process payouts.

Regional tag (signup only): at signup, we resolve your IP to a city + country via ipapi.co. We store only the resolved city/country, never the raw IP. This is used (a) to power the anonymized activity feed on the landing page and (b) for high-level regional analytics. It is never linked to your transactions in any user-identifiable way.

No analytics: we do not run Google Analytics, Facebook Pixel, Mixpanel, or any third-party tracking.

2. What we don't collect

  • Government ID, passport, address proof (no KYC at the platform level)
  • IP address logs beyond the rolling 24-hour rate-limit window
  • Device fingerprints or advertising IDs
  • Third-party tracking cookies
  • Browsing behaviour outside our application

3. Third-party services

To deliver fiat on-ramp and crypto swaps, we route transactions through ChangeNOW (and its providers, such as Guardarian and Mercuryo). When you initiate such a transaction, the relevant amount, source/destination addresses, and fiat method are shared with the partner.

Email delivery: transactional emails (welcome, password reset, login alerts, 2FA) are sent via Zoho Mail. We do not send marketing email and do not share your email with any third party for promotion.

IP geolocation: at signup only, your IP is resolved via ipapi.co to a coarse city/country tag. The raw IP is not stored.

These partners may apply their own KYC requirements and are governed by their own privacy policies.

4. Cookies

We use only essential cookies:

  • access_token — encrypted JWT for your login session (8 hours)
  • refresh_token — to renew your session (7 days)

No tracking cookies. No marketing cookies. No third-party cookies.

5. Security

Passwords are hashed with bcrypt (cost factor 12). Wallet files are encrypted with a server-side master key + per-user salt. Database access is restricted to internal services only, behind a private network perimeter.

2FA is available via TOTP (Google Authenticator, Authy, 1Password, etc.) and we strongly recommend enabling it.

6. Your rights (GDPR / CCPA)

You have the right to:

  • Access the data we hold about you
  • Correct any inaccuracies
  • Delete your account and associated data (note: blockchain transactions cannot be erased from the public ledger)
  • Export your transaction history (CSV available in Settings)
  • Opt out of any (currently zero) marketing communications

To exercise any of these rights, email privacy@bankofbali.com.

7. Data retention

Transaction history: retained for 7 years (regulatory minimum). Account data: retained while your account is active, plus 30 days after deletion to handle disputes.

Failed login attempts: 24 hours.

8. Children

The Service is not directed at children under 18 and we do not knowingly collect data from minors.

9. International data transfers

Our infrastructure is hosted in multiple regions for redundancy. By using the Service you consent to your data being processed in countries outside your residence, including Indonesia, Singapore, and the European Union.

10. Updates

We will notify you of material changes via email and an in-app banner. Last revised: February 1, 2026.

11. Contact

Privacy questions: privacy@bankofbali.com
Data Protection Officer: dpo@bankofbali.com


© 2026 Bank of Bali · Non-custodial · Built on Monero
