Privacy Policy

Data Protection & Privacy Notice for InfinityBlockchain LLC

Effective Date: April 2026

1. Data Controller

The entity responsible for collecting and processing your personal data is:

InfinityBlockchain LLC

30 N Gould St STE R
Sheridan, WY 82801, United States

Email: contact@infinityblockchain.io

Website: infinityblockchain.io

Type: Limited Liability Company registered in the State of Wyoming, USA

2. Data We Collect

We collect the following categories of personal data when you register, use our platform, or interact with our services.

2.1 Account Data

Email address
Username
Password (stored as bcrypt hash — we never store plain-text passwords)
Referral code (auto-generated upon registration)
Account verification status

2.2 Profile Data

First name and last name
Phone number
Street address (including house number)
City, postal code, country, country code (ISO-2)

2.3 Business Data (B2B Customers)

Customer type (B2C / B2B)
Company name
VAT ID (validated via EU VIES system for EU businesses)
VAT validation status and timestamp
Company registration number

2.4 Payout & Financial Data

Payout method preference (bank transfer or cryptocurrency)
Bank details: bank name, account holder name, IBAN, BIC
Crypto payout details: wallet address, network, currency
Wallet balance, pending balance, total earned, total paid out
Commission history and transaction records
Order history, order status, payment method used

2.5 Security & Authentication Data

Two-factor authentication status and TOTP secret (encrypted)
Backup codes for 2FA recovery
Last login timestamp
Login IP addresses (from server logs)

2.6 KYC (Know Your Customer) Data

KYC verification status (pending, submitted, verified, rejected)
KYC documents submitted for identity verification

2.7 Referral & Affiliate Data

Parent referrer ID (who referred you)
Referral tree depth (up to 5 levels)
Pro Affiliate status

2.8 Account Status Data

Inactivity warning status and timestamp
Account deactivation timestamp
Account roles and permissions

3. How We Use Your Data

Account Management — To create and manage your account, authenticate your identity, and provide customer support.
Affiliate Program — To track referrals, calculate commissions, manage the referral tree, and process affiliate payouts.
Payment Processing — To process payments via Stripe (card) and CoinPayments (crypto), and to execute payouts to your bank account or crypto wallet.
Tax & Compliance — To validate VAT IDs for EU B2B customers, verify addresses, perform KYC checks, and fulfill legal and regulatory obligations.
Security — To protect your account with two-factor authentication, detect fraud, and monitor for suspicious activity.
Communication — To send transactional emails (verification, password reset, payout notifications, inactivity warnings).
Platform Improvement — To maintain, improve, and ensure the proper functioning of the platform.

4. Legal Basis for Processing

Where the EU General Data Protection Regulation (GDPR) applies to users who voluntarily access our services from the EU/EEA, we rely on the following legal bases:

Contract Performance (Art. 6(1)(b) GDPR) — Processing necessary to provide your account, process orders, calculate commissions, and execute payouts.
Legitimate Interest (Art. 6(1)(f) GDPR) — For platform security, fraud prevention, login monitoring, and essential cookies required for website operation.
Legal Obligation (Art. 6(1)(c) GDPR) — For tax record keeping, VAT compliance, AML obligations, and responding to lawful authority requests.
Consent (Art. 6(1)(a) GDPR) — For non-essential cookies and any optional data processing. Consent can be withdrawn at any time.

5. Cookies & Tracking

We use cookies that are necessary for platform operation. These include authentication tokens, session management, and your language preference. We do not currently use analytics or marketing cookies.

A cookie consent banner is displayed on your first visit, allowing you to accept essential cookies only or all cookies.

For a full list of cookies used, their purposes, and durations, please see our Cookie Policy.

6. Third-Party Services

We share personal data with the following third-party service providers, solely for the purposes described:

Stripe (Payment Processing)

Processes credit/debit card payments. Stripe is PCI DSS Level 1 compliant and handles all card data directly — card numbers never touch our servers. Stripe may collect device and browser data for fraud prevention.

CoinPayments (Crypto Payments)

Processes cryptocurrency payments (USDC). Transaction details and wallet addresses are shared with CoinPayments to facilitate crypto transactions.

Geoapify / Nominatim (Address Validation)

During registration, your street address, city, postal code, and country are sent to the Geoapify or Nominatim geocoding API to validate your address. No personal identifiers (name, email) are included in these requests.

VIES API (VAT Validation)

For B2B customers in the EU, the provided VAT ID is validated against the European Commission’s VIES (VAT Information Exchange System). Only the VAT ID and country code are transmitted.

SMTP Email Service

Transactional emails (account verification, password resets, payout notifications, inactivity warnings) are sent via our email service provider. Your email address and name are shared for delivery purposes.

7. International Data Transfers

Your data is stored on servers located in the United States. Our third-party service providers may also process data in other jurisdictions:

Stripe — United States (PCI DSS compliant)
CoinPayments — Cayman Islands
Geoapify / Nominatim — EU / international servers
VIES — European Commission servers (EU)

For users who voluntarily access our services from the EU/EEA, data transfers to the US are conducted under applicable legal mechanisms, including Standard Contractual Clauses (SCCs) where available from our service providers.

8. Data Security

We implement the following technical and organizational measures to protect your personal data:

Password Hashing — All passwords are hashed using bcrypt before storage. Plain-text passwords are never stored.
JWT Authentication — Access tokens expire after 24 hours; refresh tokens after 7 days. Tokens are transmitted via secure, HTTP-only cookies.
Two-Factor Authentication — Optional TOTP-based 2FA with encrypted secrets and backup codes.
HTTPS Encryption — All data in transit is encrypted using TLS/SSL.
Role-Based Access Control — Administrative access is restricted to authorized personnel with appropriate roles.
PCI DSS Compliance — Credit card data is handled exclusively by Stripe (PCI DSS Level 1). Card numbers never reach our servers.

9. Data Retention

Active Accounts — Personal data is retained for as long as your account remains active and is necessary to provide our services.
Inactive Accounts — An inactivity warning is sent after 180 days without login. Accounts are deactivated after 210 days of inactivity.
Financial Records — Transaction data, commission records, and payout history are retained for a minimum of 7 years as required by tax and financial regulations.
Server Logs — Access and error logs containing IP addresses are retained for 90 days.
Account Deletion — Upon account deletion, personal data is removed. Financial records are anonymized and retained as legally required.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. For EU/EEA users who voluntarily access our platform, these rights apply under the GDPR:

Right of Access — Request a copy of the personal data we hold about you.
Right to Rectification — Request correction of inaccurate or incomplete data. You can also update most data directly in your profile settings.
Right to Erasure — Request deletion of your personal data, subject to legal retention requirements for financial records.
Right to Restriction — Request restriction of processing in certain circumstances.
Right to Data Portability — Receive your data in a structured, commonly used, machine-readable format.
Right to Object — Object to processing based on legitimate interests.
Right to Withdraw Consent — Where processing is based on consent, you can withdraw it at any time without affecting lawfulness of prior processing.

To exercise any of these rights, contact us at contact@infinityblockchain.io. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority in your jurisdiction.

11. Account Inactivity & Deletion

Accounts that remain inactive (no login) for 180 days will receive an inactivity warning email. If no action is taken, the account is deactivated after 210 days.

You may request complete account deletion at any time by contacting contact@infinityblockchain.io.

Upon deletion, all personal data is removed except financial transaction records, which are anonymized and retained as required by law.

12. Children’s Privacy

Our platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, their account will be terminated and all associated personal data deleted.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Updated versions will be posted on this page with a revised effective date.

Material changes will be communicated via email or a prominent notice on our platform. We recommend reviewing this policy periodically.

Notice: InfinityBlockchain LLC does not actively market, advertise, or target its services to individuals or entities located in the European Union (including Germany). Any access to or use of our website and services from such jurisdictions is considered unsolicited and initiated solely by the user. Nevertheless, where applicable data protection laws require it, we endeavor to respect the data subject rights outlined above.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: