
How we protect your data.

The infrastructure, controls, and processes that keep Bitcompare trustworthy. We publish what we do, not just what we promise.

GDPR & CCPA COMPLIANT · UPDATED APR 2026

Application security

  • API keys are stored as bcrypt hashes. We never see your secret after creation. If you lose it, you rotate it — we can’t recover it.
  • Production deploys are automated via GitHub Actions and require passing health checks before and after deployment. A rolling or replace strategy is used to avoid downtime.
  • Production servers are accessed via SSH key authentication. Keys are managed as GitHub Secrets and are not distributed outside the CI/CD pipeline.
  • Customer data is segmented by tenant at the database row level. Every query is scoped to a single tenant; no query crosses a tenant boundary.
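The bcrypt point above has a consequence that is worth seeing in code: a salted slow hash differs for every row, so the server cannot look a key up by hashing what the client presents. The key therefore has to carry a public identifier, and the secret half is returned once and never stored. The following is an added example, not Bitcompare's code; the `bc_` key format, the field names and the store are assumptions, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without third-party packages. The storage and verification pattern is the same.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not Bitcompare's code. The page says API keys are kept as
# bcrypt hashes; bcrypt is a third-party package, so this self-contained
# version substitutes PBKDF2-HMAC-SHA256 from the standard library. The
# pattern is identical either way: a salted slow hash cannot be used as a
# lookup index, so the key carries a public id, and the plaintext secret is
# handed out exactly once and never written down.

KEY_PREFIX = "bc_"      # assumed key format, not Bitcompare's
PBKDF2_ROUNDS = 100_000


def _derive(secret: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt.hashpw(): one fresh salt per key, slow by design.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class StoredKey:
    salt: bytes
    digest: bytes
    revoked: bool = False


class ApiKeyStore:
    def __init__(self) -> None:
        self._keys: Dict[str, StoredKey] = {}   # key_id -> hash record only

    def create(self) -> str:
        """Mint a key and return its plaintext once; only the hash is kept."""
        key_id = secrets.token_hex(8)        # public lookup handle
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy, shown once
        salt = os.urandom(16)
        self._keys[key_id] = StoredKey(salt, _derive(secret, salt))
        return f"{KEY_PREFIX}{key_id}.{secret}"

    def verify(self, presented: str) -> Optional[str]:
        """Return the key_id for a valid, unrevoked key; None otherwise."""
        if not presented.startswith(KEY_PREFIX) or "." not in presented:
            return None
        key_id, secret = presented[len(KEY_PREFIX):].split(".", 1)
        stored = self._keys.get(key_id)
        if stored is None or stored.revoked:
            return None
        # Constant-time compare so a mismatch does not leak how many leading
        # bytes of the digest agreed.
        if hmac.compare_digest(_derive(secret, stored.salt), stored.digest):
            return key_id
        return None

    def rotate(self, key_id: str) -> Optional[str]:
        """Revoke key_id and mint a replacement. There is no recover path:
        the server never held the old secret."""
        stored = self._keys.get(key_id)
        if stored is None:
            return None
        stored.revoked = True
        return self.create()
```

The public id is what goes in logs and the dashboard; the secret half never appears server-side after `create()` returns. Lookups that fail on the id return before any hashing, which is acceptable here because ids are random rather than guessable usernames.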
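Row-level tenant segmentation is only as good as the code path that builds queries, so the check a practitioner wants is that no caller-supplied predicate can widen the result set past one tenant. The block below is an added example, not Bitcompare's data layer: the `api_calls` table, the two tenant ids and the sample rows are constructed for illustration. The wrapper builds every statement itself, allowlists identifiers, binds the tenant id on the caller's behalf, and parenthesises the caller's predicate so that an `OR` cannot escape the tenant filter.

```python
import re
import sqlite3
from typing import Any, Dict, List, Optional, Tuple

# Added example, not Bitcompare's code. One way to enforce "no query crosses
# a tenant boundary" in the data-access layer: the wrapper owns the SQL text,
# always ANDs the tenant filter in front of the caller's predicate, and never
# lets the caller bind the tenant id.

SCHEMA = """
CREATE TABLE api_calls (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    endpoint TEXT NOT NULL,
    status INTEGER NOT NULL
)
"""

# Constructed sample rows for two hypothetical tenants.
SAMPLE_ROWS = [
    ("t_acme", "/v1/prices", 200),
    ("t_acme", "/v1/prices", 500),
    ("t_globex", "/v1/markets", 200),
]

TENANT_TABLES = {"api_calls"}               # tables that carry a tenant_id column
_IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")  # identifiers cannot be parameterised, so allowlist them


def make_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO api_calls (tenant_id, endpoint, status) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


class TenantScopedDB:
    """Every read is pinned to one tenant; callers never name tenant_id."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self.conn = conn
        self.tenant_id = tenant_id

    def select(self, table: str, columns: List[str],
               where: Optional[str] = None,
               params: Optional[Dict[str, Any]] = None) -> List[Tuple]:
        if table not in TENANT_TABLES:
            raise ValueError(f"{table!r} is not a tenant-scoped table")
        for col in columns:
            if not _IDENT.match(col):
                raise ValueError(f"bad column name {col!r}")
        bound = dict(params or {})
        if "tenant" in bound:
            raise ValueError("callers may not bind :tenant")
        bound["tenant"] = self.tenant_id
        # The parentheses matter: without them a predicate such as
        # "status = :s OR 1=1" would OR its way past the tenant filter.
        sql = f"SELECT {', '.join(columns)} FROM {table} WHERE tenant_id = :tenant"
        if where:
            sql += f" AND ({where})"
        return self.conn.execute(sql, bound).fetchall()
```

A caller who writes `tenant_id = 't_globex'` into the predicate gets an empty result rather than another tenant's rows, because the wrapper's own `tenant_id = :tenant` is ANDed first. Database-side row-level security is the stronger backstop where the engine offers it; this wrapper is the application-layer half of that defence.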

Data we collect

We try to collect as little as possible. Specifically:

  • Account data: email, name, hashed password, billing details. Required to operate the service.
  • Usage logs: API calls, IP address, user agent, response time. Retained for 90 days for security and debugging, then deleted.
  • Aggregated analytics: endpoint popularity, error rates, geographic distribution. Not personally identifiable; retained indefinitely.

We do not sell your data, share it with advertisers, or train AI models on your queries. We do not use third-party tracking pixels on the dashboard.

Sub-processors

We disclose every third party that processes customer data. Current list:

  • DigitalOcean — infrastructure (Singapore and New York; compute, database, object storage).
  • Stripe — payment processing.
  • Postmark — transactional email (password resets, billing notifications).
  • Cloudflare — DNS and DDoS mitigation.

We provide 30 days’ notice before adding a new sub-processor. Email security@bitcompare.net to be notified.

Incident response

Security incidents are triaged by our on-call team. Customers affected by a security incident are notified without undue delay, and in any case within 72 hours of our becoming aware of it, so that they can meet their own GDPR Article 33 deadline for notifying their supervisory authority. A postmortem is published once the issue is contained.

GDPR & CCPA

We operate as a data processor under GDPR and a service provider under CCPA. A standard DPA with EU SCCs is available on request and can be signed before a contract is in place.

Vulnerability disclosure

We welcome reports from security researchers. Email security@bitcompare.net with details and a proof of concept. We commit to:

  • Acknowledge within 24 hours.
  • Confirm or dispute within 5 business days.
  • Patch high/critical issues within 30 days.
  • Credit you publicly (with permission) once the fix ships.

Please don’t test against production accounts you don’t own.

Your rights

Under GDPR and CCPA, you can request a copy of your data, ask us to correct it, or ask us to delete it. Email privacy@bitcompare.net — we respond within 30 days. We don’t require you to identify yourself beyond what’s necessary to verify the request.

Contact

For security matters: security@bitcompare.net
For privacy requests: privacy@bitcompare.net
For general enquiries: info@bitcompare.net