Privacy Policy

We collect information you provide directly when you create an account and use the platform:

• Account information: Email address, username, password (securely hashed, never stored in plain text).
• Profile information: Bio, avatar, country, timezone, Discord username, and other social links you choose to add.
• Trade history: Records of your listings, trades, offers, and reputation entries.
• Messages: Communications sent through the platform's messaging system.
• Payment information: Transaction records are stored on our end. Actual payment details (card numbers, crypto wallet addresses) are processed and stored by our payment providers (Stripe, NOWPayments), not by BMO.

We also collect certain information automatically:

• IP address: Used for security, rate limiting, and abuse prevention.
• Device and browser data: Browser type, operating system, and screen resolution via analytics.
• Usage data: Pages visited, features used, and interaction patterns to help us improve the platform.

We use the information we collect for the following purposes:

• Account management: Creating and maintaining your account, authenticating logins, and managing your profile settings.
• Trade facilitation: Processing trades, matching buyers and sellers, assigning middlemen, and resolving disputes.
• Safety and scam detection: Analyzing activity patterns to detect fraudulent behavior, prevent scams, and enforce our Terms of Service. This includes IP-based analysis and automated flag systems.
• Communications: Sending you important account notifications, trade updates, security alerts, and (optionally) promotional announcements.
• Analytics and improvements: Understanding how users interact with the platform so we can fix bugs, improve performance, and build better features.
• Legal compliance: Responding to legal requests and enforcing our terms.

We do not sell your personal data. We never have and never will.

We share information only with the following categories of service providers, and only to the extent necessary for them to perform their function:

• Supabase: Database hosting, authentication, and real-time infrastructure.
• Stripe: Credit and debit card payment processing.
• NOWPayments: Cryptocurrency payment processing.
• Sentry: Error tracking and performance monitoring (no personal data is intentionally sent; errors may include anonymized technical context).
• Google Analytics: Anonymized usage analytics to understand platform traffic and behavior.

We may also share information when required by law, in response to a valid legal process, or to protect the rights, safety, or property of BMO, our users, or the public.

Publicly visible information (username, reputation score, public profile details) is accessible to other BMO users as part of the platform's normal operation.

Your data is stored in a Supabase-hosted PostgreSQL database with encryption at rest and in transit (TLS/HTTPS). We take security seriously and implement multiple layers of protection:

• Row-Level Security (RLS): Database-level policies ensure users can only access data they are authorized to see.
• Secure authentication: Powered by Supabase Auth with support for email/password and magic link logins.
• Two-factor authentication (2FA): Available for all users and strongly recommended for account protection.
• Password hashing: Passwords are hashed using industry-standard algorithms and never stored in plain text.
• Rate limiting: API endpoints are rate-limited to prevent brute-force attacks and abuse.

While we implement strong security measures, no system is 100% secure. We encourage all users to enable 2FA and use unique, strong passwords.

BMO uses a minimal set of cookies and local storage to provide core functionality:

• Session cookies: Essential for keeping you logged in and maintaining your authenticated session. These are required for the platform to function.
• Theme preference: We store your light/dark mode preference so the interface looks the way you want it.
• localStorage: Used for UI settings like sidebar state, notification preferences, and other interface customizations. This data never leaves your browser.
• Google Analytics: We use Google Analytics to understand aggregate traffic patterns and feature usage. Analytics cookies can be blocked through your browser settings without affecting platform functionality.

We do not use advertising cookies or tracking pixels. We do not participate in cross-site tracking or ad networks.

You have the following rights regarding your personal data:

• Access and export: You can download a copy of your personal data at any time from Settings > Security. This includes your profile information, trade history, and reputation data.
• Delete your account: You can permanently delete your account from Settings > Security. Upon deletion, your personal data will be anonymized in accordance with GDPR and applicable data protection laws.
• Update your information: You can edit your profile, change your email, and update your preferences from your account settings at any time.
• Opt out of communications: You can unsubscribe from promotional emails and non-essential notifications from your notification settings. Security and account-critical notifications cannot be disabled.
• Data portability: EU users have the right to receive their data in a structured, commonly used format under GDPR.

To exercise any of these rights, you can use the self-service tools in your account settings or contact us at privacy@bmo.trading.

We retain data according to the following guidelines:

• Active accounts: Your data is retained for as long as your account remains active. You can delete your account at any time.
• Deleted accounts: When you delete your account, personal identifiers (email, username, IP) are anonymized. Your profile is removed from public view.
• Trade records: Anonymized trade records and reputation history are retained indefinitely for platform integrity and audit purposes. This helps maintain the trust system and prevent abuse.
• Messages: Messages are anonymized when either party deletes their account. The content may be retained in anonymized form for moderation and dispute resolution records.
• Security logs: IP addresses and access logs are retained for up to 90 days for security purposes, then automatically purged.

BMO is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@bmo.trading and we will promptly delete the information.

Users between 13 and 18 (or 16 and 18 in the EU) should use the platform only with the consent of a parent or legal guardian, as outlined in our Terms of Service.

BMO's data is processed and stored on servers managed by Supabase. By using the platform, you consent to the transfer and processing of your data in the region where our infrastructure is hosted.

If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict processing, and port your data. We process EU user data under the legal bases of consent, contract performance, and legitimate interest.

If you are located in California, you may have additional rights under the California Consumer Privacy Act (CCPA). We do not sell personal information as defined by the CCPA.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify users through a platform announcement and/or email notification.

We encourage you to review this page periodically. The "Last Updated" date at the top indicates the most recent revision. Your continued use of BMO after changes are posted constitutes your acceptance of the updated policy.

For privacy-related questions, data requests, or to exercise your rights under applicable data protection laws, contact us:

• Privacy Email: privacy@bmo.trading
• General Support: support@bmo.trading
• Support Tickets: Available from your dashboard under "Support Tickets"

We aim to respond to all privacy-related inquiries within 30 days.