Skip to content

Bitrefill Global Privacy Policy

Last Updated: 12 December 2023

We care about your privacy

As a business headquartered in Europe, we are subject to certain regulations (among which, the European General Data Protection Regulation) that require us to comply with a number of obligations regarding your data.

In this document, you can learn everything about how we use your data: that we collect it from you and your actions, that we process only what we need in order to perform what you have asked or consented to (or what the law requires us to…), that we protect with appropriate technology and that we will not share it with anyone, including law enforcement, unless we are forced to by laws and regulations.

The right to privacy is a basic human right. We will fight for yours.

0. Introduction

The “Bitrefill Group”, comprising the entities mentioned below as well as their parent companies, subsidiaries and affiliates, is committed to protecting the privacy of our Customers.

This privacy policy is issued on behalf of AIRFILL PREPAID AB, a limited company incorporated under the laws of Sweden and registration no. 559001-6035 (“Airfill”). Airfill is a data controller of the personal data collected through our websites www.bitrefill.com and www.airfill.com (“Websites”), or through our mobile application Bitrefill, available on Apple and Android app stores (“App”).

This policy also applies to the following entities, to the extent personal data is collected on transactions involving them:

  • for personal data collected in the context of the Bill Payment Services from El Salvador, Bitrefill, Sociedad Anónima de Capital Variable and with registration number 2021103271 (“Bitrefill ES”) is a joint data controller.
  • for personal data collected in the context of the Bill Payment Services from any other jurisdiction, Airfill US LLC, a Delaware company with file number 5817333 (“Airfill US”) is a joint data controller.

When creating an account, or before acquiring a Product, we will ask you to review this Policy and accept its contents before proceeding. You should read this policy in full before proceeding.

If you don't want us to collect, use or share your personal information as outlined in this Privacy Policy, or if you are under 18 years old and unsupervised by parents or legal guardians, please stop using our Websites or App.

In this policy you can find about:

  1. What personal data do we collect;
  2. Why do we process your personal data;
  3. When do we share your personal data;
  4. How do we protect your personal data;
  5. How can you exercise your data subjects rights; and
  6. How long do we keep your data?
  7. Minors
  8. International Transfers
1. What personal data do we collect?

We can collect your data directly (e.g. when you give it to us), indirectly (e.g. when someone else gives it to us) or through automated technologies (e.g. cookies).

Please find below an outline of the types of data that we may collect and how we collect it.

Data directly provided by you

Type of data

Description

Basic identification data

Email Address, Phone number

KYC customer data

Name, Address, Date of birth, Nationality, Country of residence, Gender, Government-issued identity document (e.g. passport, driver’s license, or state identification card), Social security number, Employment information (e.g. company name), Proof of residency, including visa information, Utility bills (for your billing address), Photographs and/or videos, Income/net assets/wealth verification statements, criminal offences and allegations, family members and their professional roles.

Professional data

Employer Identification Number (or comparable number issued by a government), Personal identification information for all material beneficial owners of your business, employer, and professional role.

Financial data

Tax identification number, Income/net assets/wealth verification statements

Wallet data

Wallet address, wallet provider.

Preferences data

Preferred coins, settings and preferences selected in Websites and/or App.

Transaction data

Data about the transactions made on our Websites and App, such as the amount, currency preferences, payment method, date, and/or timestamp, products purchased.

Customer Support data

Data provided by you during customer support exchanges, or in response to customer surveys.

Special categories of personal data

We may collect biometric data if, and only if, voluntarily provided by you in the context of an identification verification procedure. We do so by collecting a live selfie that is compared to the photography of the identity provided by you. We use our provider SumSub to process and store this data, and we do it to ensure that the person submitting the documents is indeed the owner of the documents, thereby increasing the level of safety and reliability of the verification. We do this with your express specific consent, given by you before the identity verification. You are also in full control of how and when the collection takes place. This data is used solely for this purpose, in the context of the anti-money laundering policy of Bitrefill.

In the course of your usage of the Bitrefill Card, we may have access to personal data related to your purchases with the card, from which special categories of personal data may be derived.

Data indirectly obtained about you

Type of data

Description

Basic information data, KYC customer data, Business and professional data, Financial data, Wallet data, Transaction data, Customer Support data

Described above. During your interactions with our affiliates, partners or service providers, you may provide them with data that may be transmitted to us for the purposes outlined below on “Why do we process your personal data”.

We may also receive data about you from a person who has submitted it for our referral program.

Publicly available data.

May include all types of data described above, if they are publicly available, as well as blockchain data, including timestamps of transactions or events, transaction IDs, digital signatures, transaction amounts, and wallet addresses unrelated to your transactions with us, as well as media reports about you).

We collect and process publicly available data about you, as necessary for the purposes outlined below on “Why do we process your personal data”.

Advertising data

We receive data from our advertising partners on your interactions with marketing and advertising content (clicks, actions, time spent, etc.).

Analytics data

We receive data from our analytic providers about your usage of the Websites and App (page clicks, actions, time spent, etc.), your age group and geographic region, as well as survey responses.

Counterparty data

We may receive data from counterparties with whom you have interacted in relation to a Product or service provided by us, about how you have interacted with them.

Transaction data

We may also receive transaction data from third-parties with whom we offer products to you with, such as the Bitrefill Card. In this case, Bitrefill will receive data on your card usage, with the sole purpose of enabling you to see that data on your account.

Data automatically obtained about you
Type of dataDescription
Device, browser and app dataOur systems collect information about your device, its operating system, and browser, along with additional features or identifiers such as plugins and the network you connect to, as well as your IP address.
Usage dataOur plugins and cookies collect information about your activities, such as what you view or click on our Sites and Apps, your usage of our Services, as well as diagnostic and troubleshooting data, which includes service-related performance details, timestamps, crash data, website performance logs, and any error messages or reports.
See below our Cookies Policy for more information.

We do not collect any special categories of personal data about you (e.g. race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic data) other than, as described above.

The nature of some services requires you to give us personal data (e.g., your phone number or e-mail to deliver a top-up or gift card). In those cases, we will only be able to provide the service if you provide us with that information, and we retain the ability to terminate your account if we no longer have the ability to process the personal data necessary to provide you with our Products.

2. Why do we process your personal data?

2.1. We use your personal data for different purposes, better stated below:

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest

To open and maintain your account.

(a) Basic information data

(b) KYC customer data

(c) Professional data

(e) Biometric data

(a) Performance of a contract with you;

(b) Necessary to comply with a legal obligation;

(c) Necessary for our legitimate interests (to start an ongoing customer relationship).

(d) You expressly consent to this when you create an account.

To sell you the Products and provide you with services

(a) Basic information data

(b) KYC customer data

(c) Preferences data

(d) Wallet data

(e) Transaction data

(a) Performance of a contract with you;

(b) Necessary to comply with a legal obligation;

(c) Necessary for our legitimate interests (to conduct our business).

(d) You expressly consent to this when you create an account.

To manage the Bitrefill store

(a) Preferences data

(b) Transaction data

(c) Customer support data

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise);

(b) Necessary to comply with a legal obligation.

(c) You expressly consent to this when you create an account.

For advertisement, data analytics and to provide recommendations

(a) Analytics data

(b) Advertising data

(c) Device, browser and app data

(d) Usage data

(e) Counterparty data

(a) Necessary for our legitimate interests (to study how users use our services and website, to develop them, to grow our business and to inform our marketing strategy). This data is not shared/sold to third parties for any purpose whatsoever.

(b) You expressly consent to this when you create an account.

To comply with internal and external policies, guidelines, rules and legislation (for example, to respond to law enforcement requests)

(a) Basic information data

(b) KYC customer data

(c) Professional data

(e) Transaction data

(f) Wallet data

(g) Financial data

(h) Publicly available data

(i) Counterparty data

(j) Device, browser and app data

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (ensure that we run a safe and credible platform)

3. When do we share your information?

3.1. General

Bitrefill works with multiple partners, providers and other third parties to enable the Products and provide Customers with the Bitrefill service. For that end, Bitrefill shares certain information with third parties, as explained below.

Our group and our team

Your data may be shared, with other entities of the Bitrefill Group if you wish to acquire Products that are sold by other entities of the group. Your data may also be accessed by our employees and people who we may hire as contractors or freelancers.

  • Airfill Prepaid AB (all data)
  • Airfill US LLC, when acquiring Products that are sold by this entity (Basic information data, KYC data, Wallet data, Financial Data, Transaction Data)
  • Bitrefill, Sociedad Anónima de Capital Variable, when acquiring Products that are sold by this entity (Basic information data, KYC data, Wallet data, Financial Data, Transaction Data)

Our third-parties

Your data may be received from, or shared with (to the extent necessary), the following entities that provide services to/with Bitrefill, among others that Bitrefill from time to time engages to provide services.

  • Slack and Clickup as online workspaces and project management (Basic information data, Wallet data, Transaction data, Customer Support data)
  • Google, for analytics, e-mail and storage (all data minus biometric data)
  • SumSub, as KYC provider (Basic information data, KYC customer data, professional data, financial data, biometric data)
  • Microsoft and Mixpanel for analytics (Basic information data, wallet data, transaction data, usage data, device, browser and app data)
  • Zendesk for customer support (Basic information data, KYC customer data, customer support data, transaction data)
  • Castle.io for fraud prevention and transaction monitoring (Basic information data, transaction data)
  • Sendgridand Customer.io for e-mail marketing (basic identity information)
  • Teamtailor for recruitment (basic identification data, professional data)
  • Meta, TikTok, Snapchat, Reddit, Quora or Twitter/X for social media advertising (advertising data, analytics data)
  • Sentry and Scalyr, for performance monitoring (basic identification data, wallet data, transaction data, usage data, device, browser and app data)
  • Rehive, for financial transactions management (basic identification data, transaction data, wallet data)
  • Striga andWallester, for the Bitrefill Card
  • Perfect Gift andSutton Bank®, for the Virtual Prepaid Visa® Card

Your third parties

Your data may be shared with your third parties, as instructed or needed by you, in order to complete the services to you. This may include your wallet providers, your e-mail provider or others you may require us to engage with.

Public authorities and regulators, professional advisors and other industry partners

Your data may be shared with regulators and law enforcement authorities as per 3.2 below, in response to legitimate requests made in the course of their activity.

Your data may also be shared, from time to time, with professional advisors such as lawyers, cybersecurity or compliance consultants, to fulfil our compliance obligations, assist us in defining adequate courses of action, and detect, investigate or prevent illicit activity in our platform.

Corporate events

Your data may be shared in the context of a corporate event such as a purchase or sale of assets or of a company, a merger or spin-off, an acquisition or reorganisation, a liquidation or a simple change of control.

3.2. Specifically: Cooperation with law enforcement

Your personal data will only be disclosed to law enforcement authorities, or other government bodies, to the extent required by laws and regulations.

Bitrefill will not ordinarily share Customer personal data unless required to do so by an appropriate legal instrument (e.g. a subpoena, a warrant, or the legal equivalent in the issuing country). Exceptional circumstances (such as a very urgent request that may save a human life, or avoid great harm) may determine a different reaction from our side, but only to the extent permitted by law.

3.3. Specifically: Bitrefill Card

Certain Products may be offered, from time to time, together with third-party providers that may require Bitrefill to process your personal data in order to provide it.

This is the case, for example, of the personal data collected in the context of the Bitrefill Card, offered together with Striga Technology OÜ and WallesterAS.

The joint data controllers for personal data connected with this product, which may include Basic information data, KYC customer data, Business and professional data, Financial data, Wallet data, Transaction data, and Customer Support data, are Striga Technology OÜ and Wallester AS.

As a rule, Bitrefill processes such data only upon the instructions of Striga Technology OÜ and Wallester AS and acts as a data processor. This includes, specifically, data on the purchases you make with the Bitrefill Card. This information is passed to Bitrefill from the joint data controllers for the sole purpose of showing it to you on your transaction history and is not processed for any other purpose.

However, Bitrefill also acts as a data controller with respect to some of the data processed in connection with the Bitrefill Cards, e.g., where Bitrefill processes personal data that is not processed by third-party data controllers (such as the password of your account) or where Bitrefill processes personal data for the functions entirely handled by Bitrefill (such as customer support, or to provide you with account management tools).

These are the relevant details for the processing of data in the context of the Bitrefill Card:

Purposes

  1. To provide the Bitrefill Card according to the Terms and Conditions;

  1. To monitor and store cardholder transactions in accordance with requirements provided for in the rules, procedures, laws and regulations that are designed to prevent money laundering crimes.

Categories of Personal Data

(a) Basic information data

(b) KYC customer data

(c) Professional data

(e) Transaction data

(f) Wallet data

(g) Financial data

(h) Publicly available data

(i) Counterparty data

(j) Device, browser and app data

(k) Counterparty data (including your transaction history with the Bitrefill Card)

Categories of data subjects

Potential and/or existing Customers (natural persons).

Processing operations

Ordering and issuing Bitrefill Cards by using Personal Data received from the Data Controllers; the provision of payment services as a, or on behalf of a, payment institution; behaviour factor generation with respect to the transactions with Cards and the return of such information (reports) to the Data Controller, according to the Agreement; keeping Personal Data as long as it is necessary to fulfil the objectives of the Agreement, or other agreements to be concluded between the Parties or fulfilling its obligations under the applicable law; improvement of the product and development of new tools related thereto.

Location of processing operations

Wallester AS, registration number 11812882, address F.R Kreutzwaldi 4, 10120 Tallinn, Estonia;

Striga Technology OÜ, registration number  16298772, address at Sepapaja 6, Tallinn, EE 11415;

Airfill Prepaid AB, registration number 559001-6035, address at Mailbox 2333, 111 75 Stockholm, Sweden

Retention requirements

As long as it is necessary to fulfil the objectives of the Bitrefill Card agreements, concluded or to be concluded with you, or fulfilling their obligations under the applicable law.

3.3. Specifically: the US Visa Card

Another product offered together with third-party providers that may require access to information collected by Bitrefill from you in order to provide is the US Visa Card, which is issued by Sutton Bank®, Member FDIC, pursuant to a license from Visa U.S.A. Inc, and fulfilled by Perfect Gift, LLC.

In relation to this product, Bitrefill collects the data identified below, but does not have access to any of the information related to how you spend the funds in the card.

These are the relevant details for the processing of data in the context of the US Visa Card:

Purposes

  1. To verify your eligibility to purchase the Product according to the Terms and Conditions;

  1. To comply with requirements provided for in the rules, procedures, laws and regulations that are designed to prevent money laundering crimes.

Categories of Personal Data

(a) Basic information data

(b) KYC customer data

(c) Professional data

(e) Transaction data

(f) Wallet data

(g) Financial data

(h) Publicly available data

(i) Counterparty data

(j) Device, browser and app data

Categories of data subjects

Potential and/or existing Customers (natural persons).

Processing operations

Verifying your details and ordering and delivering US Visa Cards by using Personal Data collected by Bitrefill; keeping Personal Data as long as it is necessary to fulfil the objectives of the Agreement, or other agreements to be concluded between the Parties or fulfilling its obligations under the applicable law.

Location of processing operations

Airfill US LLC, 651 N Broad St, Suite 206, Middletown, New Castle, DE, 19709, USA

Perfect Gift LLC, 495 Mansfield Avenue Pittsburgh PA 15205, USA

Sutton Bank, 1 South Main St. PO Box 505. Attica, OH 44807, USA

Retention requirements

As long as it is necessary to fulfil the objectives of the Bitrefill Card agreements, concluded or to be concluded with you, or fulfilling their obligations under the applicable law.

4. How do we protect your personal data?

We are committed to protecting the privacy and confidentiality of your personal data. Access to your data is limited only to authorized Bitrefill officers, employees, contractors or others who may require access to it in order to perform the services requested by you.

More specifically, we have implemented the following security measures:

  • Staff dedicated to cyber and physical security, that designs, implements and provides oversight to our information security program;
  • The use of specialized technology such as host-based security tools, network defence monitors, and intrusion detection systems;
  • Testing of the security and operability of products and services before they are introduced to the Internet, as well as ongoing scanning for publicly known vulnerabilities in the technology;
  • Internal and external reviews of our Internet website and services;
  • Monitoring of our systems infrastructure to detect weaknesses and potential intrusions;
  • Implementing controls to identify, authenticate and authorize access to various systems or sites;
  • Protecting information during transmission through various means including, where appropriate, encryption; and
  • Providing Bitrefill personnel with relevant training and continually updating our security practices in light of new risks and developments in technology.

4.1. Specifically: your password

Customers are responsible for ensuring that their password is not shared or accessed by any other person, as well as for keeping their devices safe.

Bitrefill highly recommends its customers to use the 2FA (two-factor authentication) feature made available to them.

We have in place the following security measures for your password:

To ensure the safety of your password, we have implemented a series of security measures.

Our password strength validator checks for a minimum length, as well as the presence of uppercase and lowercase letters, numbers, and special characters. By hashing passwords, we ensure that even if a potential breach occurs, actual passwords will remain undisclosed.

To further protect your account, we confirm the password reset token before allowing a password change. Finally, we notify users whenever their password is changed to ensure they are aware of any unauthorized modifications.

5. How can you exercise your data subject rights?

Under certain circumstances, you have the following rights under the data protection laws in relation to your personal data:

  • Right to access, correct or erase your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it, correct any inaccuracies or request (to the extent permitted by law) the deletion of your data.
  • Object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

    • If you want us to establish the data's accuracy.
    • Where our use of the data is unlawful but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party.
  • Withdraw consent at any time where we are relying on consent to process your personal data.

If you wish to exercise any of the rights set out above, please contact us in writing to support@bitrefill.com.

Please note that when applicable exceptions apply, some or all of these rights may not be enforceable. This will be the case, for example, if we have reason to suspect you may have been using our platform for unlawful purposes. In these cases, we can either refuse to, for example, erase your personal data and transactions record, or agree to do it within a certain reasonable time period that would allow us to confirm or waive our suspicions.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unreasonable, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

6. How long do we keep your personal data?

We will keep your personal data for the time needed to fulfil the purpose for which it was collected, be it selling you Products, complying with legal obligations, or protecting ours, yours or other’s interests.

If you have an account with us, we will keep your data collected in relation to your account activity for as long as the account exists.

We will keep information that is collected and processed for compliance purposes (namely information connected with ongoing investigations, or processed in the context of our anti-money laundering policy), for a minimum of 5 years, in accordance with applicable legislation and our internal money laundering process. This includes basic information data, KYC customer data, financial data, transaction data, and certain device, browser and app data. We keep this information regardless of your request to delete it, if you have purchased Products that require KYC or if you have exhibit suspicious behaviour in your dealings with Bitrefill.

We will keep information that is relevant for tax purposes for a minimum of 7 years.

We will keep information about your application for a job at Bitrefill until the moment we fill out the position, and unless you authorize us to keep that information further for consideration for new job openings, we will delete it and you will need to resubmit it again if you want to reapply.

If you request us to delete your personal data, we will comply with that request to the extent possible. In certain circumstances, we may be forced by tax, anti-money laundering or other compliance regulations and policies, to keep your data despite of your request. We will inform you of that circumstance.

7. Minors

Our website and services are not intended for children under 16 years of age.

We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information to us without parental consent. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information.

8. International transfers

To enable our platform and services, we may need to transfer and process your personal data in countries outside the EEA, where Bitrefill is based. Although we strive to ensure that your personal data remains within the EEA whenever possible, certain third-party providers are located abroad and therefore in certain circumstances transferring your personal data internationally is unavoidable.

When that happens, we rely on adequacy decisions from the European Commission, whenever possible, and on the European Commission’s Standard Contractual Clauses to enable the transfer of data to third countries.

We also rely on exemptions provided by the GDPR (article 49), for example in order to share personal information when requested by law enforcement authorities, or to connect with our suppliers in order to fulfil your order.

9. Miscellaneous

9.1 If you have questions about this Privacy Policy and how we handle your data, please send an email to support@bitrefill.com with your question.

9.2. As our platform evolves, we may need to modify our Privacy Policy from time to time. Those changes will be made in this page, and when significant, we will inform you.

If you wish to contact us for any matter related with the Bitrefill Global Privacy Policy or with how we process your personal data, please contact us at support@bitrefill.com.

10. Cookies Policy

This policy relates to the website www.bitrefill.com, owned by AIRFILL PREPAID AB, a limited company incorporated under the laws of Sweden and registration no. 559001-6035 (“Bitrefill”), and explains how it deploys cookies and what options do you have to control them (the “Cookie Policy”).

10.1. What are “cookies”?

Cookies are very small pieces of data, stored in text files on your computer or other device when websites are loaded in a browser. They are used mainly to “remember” you and your preferences. In many sites, they ensure a consistent and efficient experience for visitors, and perform essential functions such as allowing users to register and remain logged in. Cookies can be set by the site that you are visiting (known as “first party cookies”), or by third parties, such as those who serve content or provide advertising or analytics services on the website (“third party cookies”). Websites may also contain other similar technologies such as “web beacons” or “pixels.” These are typically small transparent images that provide us with statistics, for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way. As a result, if you disable cookies, web beacons may still load, but their functionality will be restricted. For the purposes of this policy, we will use “cookies” as also including “web beacons” or “pixels”.

10.2. What cookies does this website use?

The website uses third-party performance cookies. Through these cookies, we do not collect nor process any of your data: we just enable the collection and processing of such data by third-parties. Performance cookies collect information on how users interact with our website, including number of visitors, time spent, as well as other analytical data. We use these details to improve how our website function and to understand how users interact with it, and also to improve our advertising strategies. We may use the following cookies:

AMP_TOKENGoogle Universal AnalyticsThis cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service.
_gaThis cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
__cfduidCloudFlareCookie assoiated with sites using CloudFlare, used to speed up page load times. According to CloudFlare it is used to override any security restrictions based on the IP address the visitor is coming from. It does not contain any user identification information.
__fdpFacebookUsed by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers

Also, following the consent you provide for the use of the abovementioned cookies, we deploy a single cookie for the single purpose of remembering such consent.

10.3. How can you control the use of cookies in this website?

A “cookie notice” appeared when you accessed our website, requesting your consent for the use of cookies. Your consent should be free, explicit, unambiguous and properly informed by this Cookie Policy. When you consent in this manner, we place advertising cookies on your browser. If you do not provide consent, we will not deploy any cookies in your browser. If you do provide consent, you can opt-out at any time by clicking here. By doing so, you won’t share information with our analytics tool about events or actions that happen after the opt-out.

10.4. Contact Us

If you have any questions about our use of cookies or other related questions, please refer to our Privacy Policy. For any further questions, please contact us at help.bitrefill.com.