Last updated: June 2026
Privacy Policy
This policy explains what data ibanchecker.cash collects, how it is used, and your rights as a data subject. We are committed to transparency — particularly regarding IBAN data, which we never store.
1. Overview & Data Controller
ibanchecker.cash is operated by KÖYLÜ BİLGİSAYAR ELEKTRONİK GIDA İLETİŞİM SANAYİ VE TİCARET LİMİTED ŞİRKETİ (“we”, “us”, “our”), registered in İstanbul, Turkey (MERSİS: 0589045373223843). We are the Data Controller for personal data processed through this platform.
This Privacy Policy applies to all users of our website, free tools, and paid Developer API at https://ibanchecker.cash.
We comply with the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA), the Turkish Personal Data Protection Law (KVKK No. 6698), and applicable data protection laws in the UAE, Saudi Arabia, and other jurisdictions where our users are located.
2. Data We Collect
We collect only the minimum data necessary to provide the service:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | API key delivery, account management, transactional emails | Contract (Art. 6(1)(b) GDPR) |
| API key (hashed) | Authentication and rate limiting | Contract |
| Stripe payment data | Subscription billing (Starter, Growth, Enterprise plans) | Contract |
| API request metadata | Rate limiting, abuse prevention, analytics (no IBAN content) | Legitimate interest |
| IP address (transient) | Cloudflare DDoS protection — not logged by us | Legitimate interest |
3. IBAN Data — Never Stored
Zero IBAN retention — by design.
ibanchecker.cash does notlog, store, transmit, or share any IBAN you enter — not in our database, not in our logs, not in any third-party system. Validation runs entirely in memory at Cloudflare’s edge and the result is returned immediately. No IBAN data touches persistent storage at any point.
This applies to all surfaces: the web UI, the Bulk Checker, Smart Extract, and the Developer API. API request logs record only metadata (timestamp, country code of result, response time) — never the IBAN string itself.
4. How We Use Your Data
- • Deliver and manage your API key and subscription
- • Process payments via Stripe
- • Enforce API rate limits and fair-use policies
- • Send transactional emails (API key delivery, invoices, plan changes)
- • Prevent abuse and maintain platform security
- • Aggregate, anonymized analytics to improve service performance
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in Section 5.
5. Data Processors (Sub-processors)
We rely on the following sub-processors, each bound by appropriate data protection agreements:
| Processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Edge hosting, CDN, DDoS protection, KV/D1 storage, Analytics Engine | Global (US HQ) |
| Stripe, Inc. | Payment processing, subscription management | US / EU |
| Resend, Inc. | Transactional email delivery (API key emails) | US |
Each sub-processor maintains their own GDPR-compliant DPA. Details are available in our full Data Processing Agreement.
7. Data Retention
| Data | Retention Period |
|---|---|
| Email address | Until account deletion request or 3 years of inactivity |
| API key (hashed) | Until account deletion or key revocation |
| Stripe billing records | 7 years (tax/legal obligation) |
| API usage counters | Rolling 13 months (for billing reconciliation) |
| IBAN validation data | Never stored — zero retention |
8. Your Rights (GDPR & UK GDPR)
Under GDPR (EU) and UK GDPR, you have the following rights:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and associated data
- Portability — receive your data in a machine-readable format
- Restriction — request restricted processing in certain circumstances
- Objection — object to processing based on legitimate interest
To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
9. Regional Rights
California (CCPA)
California residents have the right to know what personal data is collected, the right to delete personal data, and the right to opt out of the sale of personal data. We do not sell personal data. To exercise your rights, contact [email protected].
UAE (PDPL) and Saudi Arabia (PDPL)
Users in the UAE and Saudi Arabia have rights to access, correct, and request deletion of their personal data under applicable national data protection laws. Contact [email protected] to exercise these rights.
10. Contact
For privacy requests, data deletion, or questions about this policy:
- Email: [email protected]
- Website: https://ibanchecker.cash
We may update this policy from time to time. Material changes will be notified by email to API key holders. Continued use of the service after changes constitutes acceptance.