Privacy Policy

Short and honest: what we collect, why, and how we protect it. We build the platform around privacy — and collect as little data as possible.

Effective 17/04/2026
Version v1.0

1. About this document

This document explains what data we collect when you use the Bumaga Service platform, why we collect it, how long we keep it, and what rights you have over it.

We build the platform as a privacy-focused tool: we collect the minimum necessary, we don't track behaviour, we don't share data with marketing networks, and we don't sell it to third parties.

This policy isn't a legal formality. It's a description of what we actually do. If you find a discrepancy between this document and how the platform works — please tell us.

2. Who processes your data

The data controller is Bumaga Intelligence Solutions Ltd., a company incorporated under the laws of Saint Kitts and Nevis.

For any questions related to data processing, contact us via the email address listed in the "Contact" section.

3. What we collect

We only collect information that is necessary for the platform to operate and to provide services. The list is exhaustive:

3.1. At registration

  • Login (username) — you choose it yourself and use it to sign in. It's displayed on the platform during deals and in public listings.
  • Password hash — we don't store the password itself and can't recover it.
  • Hashes of the secret words / seed phrase generated at registration. We don't see or store the words/phrase themselves — they are shown to you once at registration. Recovery works via hash comparison.

3.2. While using services

  • Balance history — top-up and spend operations used to pay for services.
  • Service usage history — what was ordered and at what price.
  • For payments — the crypto-wallet address from which the payment was received (visible to the OxaPay processor at the moment of transaction).
  • For SMS activation — the temporary virtual number and operation status (whether a code was received).
  • For proxy usage — the IP of the issued proxy and the fact that usage has started.

3.3. Technical data

  • Access logs — IP address, request time, URL of the requested page. Used only for security and incident investigation.
  • Cookies for platform operation — described separately in the "Cookies" section.

4. What we don't collect

To be crystal clear, here's what we don't do:

  • We don't collect email addresses. Registration is only via login, password and a seed phrase that you never disclose to anyone.
  • We don't track your behaviour on the platform (which pages you visited, what you viewed, how long you stayed).
  • We don't collect browser fingerprints, device parameters or User-Agent data beyond standard access logs.
  • We don't request or store your real name, address, phone number or ID documents.
  • We don't use third-party analytics systems (Google Analytics, Yandex Metrika or similar).
  • We don't share data with advertising networks and don't use it for targeting.
  • We don't sell data to third parties.

Data minimisation is an architectural principle of the platform, not a marketing slogan. If a service works without a particular type of data — we don't ask for it.

5. Why we collect this data

Each type of data is collected only for a specific purpose:

  • Login and password hash — for authentication and to distinguish accounts.
  • Seed phrase hash — to recover account access if the password is lost.
  • Balance and service history — so you can see your operations and we can correctly deliver services and handle disputes.
  • Service operational data (payer's crypto address, proxy IP, SMS status) — for the technical operation of the specific service.
  • Access logs — for protection against attacks, incident investigation and compliance with our legal obligations.

We don't use your data for marketing, profiling or any other purposes unrelated to running the platform.

6. Cookies

We only use strictly necessary cookies — the platform cannot function without them. We don't use advertising or tracking cookies.

Cookies list

  • Session cookie — stores your authentication state. Deleted on logout or session expiry.
  • CSRF token — protects against cross-site request forgery attacks. Lasts for the duration of the session.
  • bumaga_lang — remembers your chosen interface language. Lifetime: 1 year.

Managing cookies

You can delete cookies via your browser settings, but this will end your session and require you to sign in again.

7. Analytics

We only keep aggregated internal statistics: total user count and page visit counts. This data is not linked to specific users and cannot be used to identify individual behaviour.

External analytics systems (Google Analytics, Yandex Metrika or any other trackers) are not used on the platform.

8. Third parties

To deliver certain services we use technical subcontractors. They process only the minimum information required to perform a specific operation — they have no access to your profile, balance or history on the platform.

Categories of subcontractors

  • Payment processors — see only the fact of a payment and the payer's crypto-wallet address. They don't know who on the platform made the payment, what they bought or what their balance is.
  • SMS providers — see only a request for a virtual number for a specific service. They don't know who ordered the number.
  • Proxy suppliers — provide IP addresses. They don't know who is using them.
  • Hosting provider — physically hosts the servers. Has no access to the contents of the database.

We don't share your login, your history of operations on the platform, or any information beyond what is necessary for a specific technical operation.

We don't share your data with marketing companies, data brokers, advertising networks or for any purposes unrelated to the operation of services.

9. Data retention

Different types of data are kept for different periods:

  • Account data (login, password hash, seed phrase hashes) — while the account is active.
  • Balance and service history — while the account is active. Required for dispute handling and proper accounting.
  • Access logs — 90 days, then automatically deleted.
  • Service operational data (SMS numbers, proxy IPs) — the lifetime of the specific operation plus the minimum necessary time for support.

10. Your rights

You have the following rights in relation to your data:

10.1. Access to your data

You can request information about what data we hold on you. Basic information is available directly in your personal cabinet (login, balance, operation history). For further requests — via the support email in the "Contact" section.

10.2. Correction

If profile data is inaccurate, you can correct it in personal cabinet settings or via support.

10.3. Account deletion

You can delete your account via the corresponding function in your personal cabinet. Upon deletion:

  • Login, password hash and seed phrase hashes — deleted completely.
  • Operation history linked to completed deals and financial accounting — anonymised: the connection to your account is lost, but the record itself is retained in an anonymised form.
  • Access logs — deleted on the general schedule (90 days).

After deletion, account recovery is impossible — we have no email or any other contact to identify you as the owner. If you want to return, you'll need to create a new account.

10.4. Account recovery

Account access can only be recovered via the seed phrase and secret words you received at registration. Since we don't collect email and don't store the secret words themselves (only their hashes), no other way to prove account ownership exists.

Keep your seed phrase in a safe place. If it's lost, account recovery is impossible — even the platform's administration cannot help you.

10.5. Objection and complaint

You can object to the processing of your data or file a complaint with the supervisory authority in your country if you believe your rights have been violated.

11. Security

We take reasonable technical and organisational measures to protect your data:

  • Passwords and secret words are stored as cryptographic hashes. Recovering the original values is impossible even for us — we can only compare hashes.
  • Connection to the platform is protected by TLS encryption.
  • Database access is limited to a narrow group of technical administrators and is logged.
  • Sensitive database fields are additionally encrypted.

No system can guarantee 100% protection. In the event of a security incident, we will promptly notify affected users and take action to mitigate consequences.

The weakest security point is the compromise of your password or seed phrase. Keep them separately, in a safe place, and don't share them with anyone.

12. International data transfers

Legally, the company operating the platform is registered in Saint Kitts and Nevis. Servers may be physically located in other jurisdictions (in countries with strong privacy legislation).

When using technical subcontractors (see "Third parties"), data may be processed in their jurisdictions. We choose subcontractors based on the level of data protection they provide.

13. Changes to this policy

We may update this policy as the platform evolves. We'll notify you on the platform at least 7 days before significant changes take effect.

The date of last update is shown in the document header. The current version is always available on this page.

14. Contact us

For any questions related to data processing and your rights:

Email

info@bumagaservice.cc

Support

Ticket system in your personal cabinet

Related documents
Document About
Document Terms of Service
Document Acceptable Use Policy