Shifra

Privacy Policy

Last updated: May 19, 2026

1. Introduction

Shifra (“we”) is committed to respecting the privacy of Users of shifra.to. This Privacy Policy describes what personal data is collected, for what purposes, on what legal basis, to whom it may be transmitted and what rights you have, in particular under the EU General Data Protection Regulation (GDPR — Regulation 2016/679).

2. Data Controller

The data controller is the publisher of Shifra, reachable at: privacy@shifra.to.

3. Data Collected

We collect the following categories of data:

  • Account data (optional): email address, hashed password, role (user / affiliate), 2FA settings. Collected only if the User creates an account.
  • Transaction data: crypto addresses entered (send and receive), amounts, currencies, order ID, status, timestamps, blockchain transaction hashes. Blockchain transactions are by nature public.
  • Technical data: IP address, browser type, language, operating system, pages visited, referrer, session data. Used for security, fraud prevention and aggregated statistics.
  • Affiliate data: referrer ID, clicks, conversions, commissions, chosen payout address.
  • Communications: content of emails or messages sent to support.

4. Purposes and Legal Basis

PurposeLegal basis
Provision of the swap ServicePerformance of a contract
Account and affiliate managementPerformance of a contract
Fraud prevention, AML, securityLegitimate interest / legal obligation
Anonymized audience statisticsLegitimate interest
Support and ticket handlingLegitimate interest
Marketing communicationsConsent (opt-in)

5. Recipients of Data

Your data may be transmitted to the following categories of recipients:

  • Liquidity partners (third-party aggregators and exchanges executing the swap): strictly the data necessary for execution (addresses, amounts, currencies).
  • Hosting and infrastructure (Vercel, managed Postgres) — technical data required for operation.
  • Transactional email tools (confirmations, password resets).
  • Competent authorities upon duly motivated legal request.

6. Cookies and Trackers

The Site uses the following types of cookies:

  • Strictly necessary cookies: session, security, preferences (language, currency, theme). No consent required.
  • Audience-measurement cookies: aggregated and anonymized statistics. Subject to consent when they enable individual tracking.
  • Advertising cookies (if any): only after explicit consent via the dedicated banner.

7. Retention Period

  • Account data: while the account is active, then 12 months after deletion.
  • Transaction data: 5 years (anti-money-laundering legal obligations).
  • Technical and security logs: maximum 12 months.
  • Affiliate data: program duration + 3 years for accounting obligations.
  • Marketing data: until consent is withdrawn, and no more than 3 years of inactivity.

8. Security

We implement reasonable technical and organizational measures to protect your data: TLS encryption, hashed passwords (bcrypt), two-factor authentication (2FA), restricted access, regular backups, internal audits. No method of transmission or storage is, however, 100% secure.

9. Your Rights

Under the GDPR and equivalent laws, you have the following rights:

  • Right of access to your data.
  • Right to rectification.
  • Right to erasure (“right to be forgotten”) within legal limits.
  • Right to restriction and objection to processing.
  • Right to data portability.
  • Right to withdraw your consent at any time.
  • Right to set post-mortem directives regarding your data.
  • Right to lodge a complaint with a supervisory authority (in France: the CNIL, cnil.fr).

10. Transfers Outside the EU

Some of our technical providers may be located outside the European Economic Area. In such cases, transfers are governed by the European Commission's Standard Contractual Clauses or by any other appropriate safeguard provided by the GDPR.

11. Minors

The Service is not intended for persons under 18. No data concerning minors is knowingly collected.

12. Changes

This Policy may be updated. The last-modified date is shown at the top of the page. In case of substantial changes, Users with an account will be informed by email or via an on-site notification.

13. Contact

For any question regarding the protection of your data: privacy@shifra.to