Privacy Policy
This Privacy Policy explains how BanksRates Ltd. (“banks-rates.com”, “we”, “us”), as data controller, collects, uses, discloses and protects personal data when you use the website banks-rates.com, the API at api.banks-rates.com, the developer console at console.banks-rates.com and related services (together, the “Service”).
Our Terms of Service govern your use of the Service.
1. Who we are and how to contact us
Controller: BanksRates Ltd. (Poland). A full postal address is available on request. For any privacy question or to exercise your rights, contact contacts@banks-rates.com.
2. Data we collect
2.1 Information collected automatically (all visitors)
- Network and request data. When you use the Service, our infrastructure provider (Cloudflare) processes your IP address and standard request information (such as the URL requested, HTTP method, referrer, user-agent, approximate location derived from your IP, and the Cloudflare data centre that served the request). We use your IP address to apply rate limits, prevent abuse and secure the Service.
- Service analytics. We record aggregated request telemetry (for example the API endpoint called, response status, response time, approximate country, and the bank or currency parameters of a lookup) to operate, secure and improve the Service.
2.2 Cookies and similar technologies
- Strictly necessary (Console only). When you sign in to the Console we set a session cookie (br_session) and short-lived cookies used during sign-in and for CSRF protection. These are required for authentication and cannot be switched off if you use the Console.
- Analytics. The website uses Google Analytics (measurement ID G-VYHZ528CLT), which sets cookies (such as _ga) and collects usage and device information to help us understand how the website is used.
- Advertising. The website displays ads via Google AdSense (publisher ca-pub-5348898783489621). Google and its partners may set cookies and use advertising identifiers to serve and measure ads, including, where permitted, personalised ads.
Where required by law (for example in the EEA and UK), non-essential analytics and advertising cookies are used only with your consent, which you can give or withdraw. See Section 6 for how to control cookies.
2.3 Account and developer data (Console users)
- Identity. When you sign in with Google, GitHub, Telegram or LinkedIn, we receive from that provider a unique identifier for your account and, where available, your name and verified email address. When you sign in by email, we process the email address you provide.
- Account record. We store your account (an internal identifier, your email and name where provided, your linked sign-in methods, your account type and plan).
- API keys. When you create an API key we show the secret once and store only a cryptographic hash of it plus a short non-secret prefix for display; we cannot recover the secret. We record a key’s name, plan and the time it was last used.
- Email sign-in tokens. For email sign-in we store a hashed, single-use, short-lived token associated with your email address.
We do not collect special categories of personal data, and we do not ask for or store passwords.
3. Why we use your data and our legal bases
Where the EU/UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to create and operate your account, authenticate you, issue and validate API keys, and provide the Service you request.
- Legitimate interests — to secure the Service, apply rate limits, prevent fraud and abuse, maintain logs, and understand and improve usage (balanced against your rights).
- Consent — for non-essential analytics and advertising cookies where consent is required; you may withdraw consent at any time.
- Legal obligation — to comply with applicable law and respond to lawful requests.
4. Sharing and processors
We do not sell your personal data. We share data only as follows:
- Cloudflare, Inc. — hosting, content delivery, database (D1), request telemetry and security, acting as our processor.
- Identity providers (Google, GitHub, Telegram, LinkedIn) — only when you choose to sign in with them; they provide us with the profile data described above and process your interaction under their own privacy policies.
- Email delivery provider — to send sign-in links to the address you provide.
- Google — analytics (Google Analytics) and advertising (Google AdSense), acting as a third party / processor as applicable.
- Authorities and advisers — where required by law, to enforce our Terms, or to protect our rights, users or the public.
5. International transfers
Our providers (including Cloudflare and Google) operate globally, so your data may be processed in countries outside your own, including the United States. Where personal data is transferred out of the EEA or UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and equivalent mechanisms.
6. Your cookie and advertising choices
- You can control or delete cookies through your browser settings.
- You can opt out of Google Analytics with Google’s browser add-on.
- You can manage ad personalisation in your Google Ads settings and learn more at Google’s advertising page.
7. Data retention
We keep account data for as long as your account exists and as needed to provide the Service. Email sign-in tokens expire within minutes; API key records are kept until you revoke or delete the key or your account. Operational logs and analytics are kept for a limited period and then deleted or aggregated. When you delete your account, we delete or anonymise the associated personal data, except where we must retain it to comply with legal obligations or resolve disputes.
8. Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict or object to the processing of your personal data, to data portability, and to withdraw consent. To exercise any right, contact contacts@banks-rates.com. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data-protection supervisory authority.
If you are a California resident, you have the right to know, access and delete your personal information and to not be discriminated against for exercising your rights. We do not sell or “share” personal information as those terms are defined under California law.
9. Security
We use measures designed to protect personal data, including TLS in transit, passwordless authentication, signed session tokens, and storing API keys and sign-in tokens only as cryptographic hashes. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here and change the “Last updated” date. Material changes will be highlighted where appropriate.
12. Contact
For any question about this policy or your personal data, contact contacts@banks-rates.com.