Privacy Policy

Last updated: June 13, 2026

1. Introduction

American Crypto Card, operated by Starial Private Limited (CIN registered, Jabalpur, Madhya Pradesh, India), is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your data when you use our custodial USDT/USDC wallet and Visa card services.

This policy complies with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the General Data Protection Regulation (GDPR), and applicable data protection laws across all jurisdictions we operate in.

2. Information We Collect

Identity Data:

  • Full legal name, date of birth, nationality
  • Government-issued identity documents (Aadhaar, PAN, Passport) collected during KYC verification via DigiLocker (Indian users) or Sumsub (non-Indian users)
  • Only the last 4 digits of Aadhaar are stored; full Aadhaar numbers are never retained
  • Selfie/liveness check images (processed and deleted within 24 hours of verification)

Contact Data:

  • Email address, phone number (used for OTP verification via Firebase)
  • Mailing address (for physical card delivery)

Financial Data:

  • Wallet addresses (TRON, Polygon)
  • Transaction history, account balances, card transaction records
  • UPI ID, bank account details (for fiat payout via Transak)

Technical Data:

  • IP addresses, device identifiers, browser type
  • Firebase Cloud Messaging tokens (for push notifications)
  • Usage logs, session data, API access logs

3. How We Use Your Information

  • Account creation and identity verification (KYC/AML compliance)
  • Processing transactions: deposits, withdrawals, card payments, P2P transfers, bill payments
  • Security: fraud detection, AML screening against 400+ sanctions lists, suspicious activity monitoring
  • Communication: transaction alerts, security notifications, service updates via SMS (Twilio), email (SendGrid), and push notifications
  • Compliance: regulatory reporting, audit trails, STR/SAR generation as required by FIU-IND
  • Service improvement: analytics, performance monitoring, bug resolution

4. Legal Basis for Processing

  • Consent: You provide explicit consent during account creation and KYC initiation
  • Contractual necessity: Processing required to provide wallet, card, and payment services
  • Legal obligation: AML/CFT compliance, tax reporting (1% TDS on crypto withdrawals), FIU-IND reporting
  • Legitimate interest: Fraud prevention, platform security, service improvement

5. Data Storage and Security

  • All data stored on AWS infrastructure with AES-256 encryption at rest
  • Data in transit protected by TLS 1.3
  • Wallet private keys secured via AWS KMS (Hardware Security Module backed)
  • Database credentials rotated regularly; PII encrypted with envelope encryption
  • Access controls enforced via role-based permissions (RBAC)
  • All API calls logged with immutable audit trail

6. Data Sharing

We do not sell your personal data. We share data only with:

  • M2P Fintech: Card issuance partner (card details, transaction data)
  • Transak: Fiat on-ramp/off-ramp provider (identity verification, payout details)
  • DigiLocker / Sumsub: KYC verification providers (identity documents)
  • Chainalysis: Blockchain analytics for AML screening (wallet addresses only)
  • Firebase / Twilio / SendGrid: Authentication and notification delivery
  • Law enforcement: When required by valid legal process or court order
  • FIU-IND: Suspicious transaction reports as mandated by PMLA

7. Data Retention

  • Active accounts: Data retained while account is active
  • Closed accounts: KYC and transaction data retained for 5 years post-closure (PMLA requirement)
  • KYC documents: Retained for 5 years after account closure as per FIU-IND guidelines
  • Server logs: Retained for 90 days, then purged
  • Notification history: Auto-deleted after 90 days (read notifications cleaned daily at 3 AM)

8. Your Rights

Under the DPDP Act, 2023 and the GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion, subject to regulatory retention requirements
  • Portability: Receive your data in a machine-readable format
  • Withdraw consent: Withdraw consent for non-essential processing
  • Grievance redressal: File complaints with our Data Protection Officer

9. Cookies and Tracking

  • Strictly Necessary: Session management, CSRF protection, security tokens
  • Functional: Language preferences, UI settings
  • Analytics: Anonymous usage statistics (can be opted out)
  • No third-party advertising cookies are used

10. Children's Privacy

American Crypto Card services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we discover that a minor has provided personal data, we will delete it immediately.

11. International Data Transfers

Your data may be processed in jurisdictions outside India, including the United States (AWS), for infrastructure and service delivery purposes. All transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) and encryption.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and in-app notification at least 30 days before taking effect. Continued use of our services after the effective date constitutes acceptance.

Data Protection Officer

For privacy-related inquiries, data access requests, or complaints:
Email: support@americancryptocard.com
Company: Starial Private Limited, Jabalpur, Madhya Pradesh, India

© 2026 American Crypto Card. All rights reserved. Operated by Starial Private Limited.
