Bureau of Coin ("we," "us," or "our") operates a web-based grid trading analysis tool that helps cryptocurrency traders evaluate coins and grid bot configurations. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
By using Bureau of Coin, you agree to the practices described in this policy. If you do not agree, please discontinue use.
When you register, we collect:
Account data is managed through Supabase, our authentication provider. See Section 6 for details.
We maintain server-side sessions to keep you logged in. Session files are stored on our servers and expire automatically. We do not use persistent tracking cookies for advertising purposes. We do not respond to Do Not Track (DNT) signals because we do not engage in the cross-site tracking DNT is designed to prevent.
We collect standard server log data for each request, including IP address, browser type, timestamp, and the pages accessed. This data is used for security monitoring and debugging.
When you run a scan, we log:
We do not collect or store your exchange account credentials, private keys, portfolio balances, or trade history. Bureau of Coin connects only to public market data APIs and never accesses your exchange account.
We store configuration data associated with your account, including saved watchlists, scan preferences, and application settings. This data is tied to your account and deleted when your account is deleted.
When you subscribe to a paid plan, payment is processed by our third-party payment processor (Stripe). We do not store your credit card number, card expiration date, or CVV on our servers. We retain:
Stripe's privacy policy governs how your payment data is handled: https://stripe.com/privacy
We intend to add product analytics to understand how features are used and where users encounter friction. Analytics will not be activated until this policy has been updated to identify the specific tool and data collected, and users have been notified of the change. We intend to use privacy-respecting, open-source, or self-hosted solutions (such as Plausible or Umami) that do not sell your data or build advertising profiles.
We will not implement analytics that share personally identifiable information with third-party advertising networks.
We use the information we collect to:
We do not sell your data to third parties. We do not use your data for behavioral advertising. This refers to Bureau of Coin's own practices. Our third-party service providers have independent data practices described in their own privacy policies, which we link in Section 6.
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Scan results and coin rankings are analytical outputs provided for your own use; no automated decisions are made about you as a user.
We share data only in these circumstances:
Service Providers. We share data with vendors who help us operate the product, including Supabase (authentication and database), Stripe (payments), and Railway (hosting). When acting as our service providers, these vendors are contractually restricted from using your data outside of the specific services they provide to us. However, each vendor has its own independent data practices when interacting with you directly — we encourage you to review their privacy policies, linked in Section 6, for the full picture.
For GDPR purposes, the roles of these vendors are as follows: Supabase acts as a data processor, handling authentication data on our behalf. Stripe acts as a data processor for payment transactions, but also operates as an independent data controller for its own fraud prevention, compliance, and marketing activities. Railway provides infrastructure hosting and does not process your personal data directly.
Legal Requirements. We may disclose information if required by law, court order, or to protect the rights, property, or safety of Bureau of Coin, our users, or the public.
Business Transfers. If Bureau of Coin is acquired or merges with another entity, your data may transfer as part of that transaction. We will notify you via email or a notice on the site before that occurs.
We do not share your data with data brokers, advertisers, or analytics companies beyond what is described in Section 2.6.
When you delete your account, we will delete your account data within 30 days. Server logs generated prior to deletion may retain request-level data (including IP address) for up to 30 days as part of standard infrastructure logging, after which they are purged. Payment records required for legal compliance are retained per the schedule above regardless of account deletion.
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Authentication, session storage | supabase.com/privacy |
| Stripe | Payment processing | stripe.com/privacy |
| Railway | Hosting and deployment | railway.app/legal/privacy |
We implement reasonable technical and organizational measures to protect your data, including:
No system is completely secure. We cannot guarantee absolute security, and we are not liable for unauthorized access resulting from circumstances beyond our reasonable control, to the extent permitted by applicable law. If you discover a security vulnerability, please contact us at security@bureauofcoin.com.
In the event of a data breach that affects your personal information, we will notify you and applicable regulatory authorities as required by law, within the timeframes prescribed by applicable regulations.
Regardless of your location, you may:
To submit a request, email us at privacy@bureauofcoin.com. We may ask you to verify your identity before fulfilling your request. We will not use this verification process to make rights requests impractical. We will respond within 30 days.
Washington State Residents. The Washington My Health My Data Act (MHMD) applies to consumer health data. Bureau of Coin does not collect consumer health data as defined by that act. Washington residents also have rights under applicable consumer protection law.
California Residents. If you are a California resident, the California Consumer Privacy Act (CCPA) may apply. We do not sell personal information. For a CCPA request, contact us at the address below.
If you are located in the EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent law applies to our processing of your personal data.
Data Controller. Bureau of Coin, Woodinville, WA, is the data controller responsible for your personal data.
Lawful Basis for Processing. We process your personal data on the following legal bases:
International Data Transfers. Bureau of Coin is based in the United States. Your personal data is processed on infrastructure located in the US (Railway, Supabase, Stripe). These transfers are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable. You may request details of the transfer mechanisms in place by contacting us at privacy@bureauofcoin.com.
Additional Rights for EEA/UK Users. In addition to the rights listed in Section 8, you have the right to:
We will respond to EEA/UK rights requests within 30 days. If you are unsatisfied with our response, you have the right to escalate to your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
Bureau of Coin is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
We may update this policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the site at least 14 days before the change takes effect. The "Last Updated" date at the top reflects the most recent revision.
Continued use of Bureau of Coin after the effective date of a revised policy constitutes acceptance of the changes.
Bureau of Coin
Woodinville, WA
Privacy inquiries: privacy@bureauofcoin.com
Security disclosures: security@bureauofcoin.com