Privacy Policy
Last updated: June 24, 2026
1. Who we are
Bitcoin Companies (bitcoincompanies.co) is a public leaderboard tracking companies that hold Bitcoin on their balance sheets. This policy explains what data we collect, how we use it, who we share it with, and the choices you have.
2. Information we collect
- Visitors: no account or personal information is required to browse the leaderboard, map, or company profiles.
- Account holders: your email address and password (stored only as a salted hash, never in plain text), or, if you use Google sign-in, the profile data described in section 3.
- Sign-in technical data: each time you sign in, we record the IP address and browser user agent of that session to keep your account secure.
- Registered companies: a professional email address, company name, domain, and the Bitcoin addresses or extended public keys (xpubs) you voluntarily submit to verify your treasury.
- Newsletter subscribers: your email address, and optionally a company name.
- Reviews: the review text you write and the IP address it was submitted from.
3. How you sign in
You can access your account in a few ways:
- Email and password: your password is stored only as a salted bcrypt hash. We never see or store it in plain text.
- Google (OAuth): when you choose Google, Google shares your name, email address, profile picture, and a unique Google account ID. We use these only to create and authenticate your account, and we never receive your Google password.
- X / Twitter (OAuth): when you choose X, X shares your name, username (handle), profile picture, and a unique X account ID, plus your email address if you grant that permission. We use these only to create and authenticate your account, and we never receive your X password.
We do not use your sign-in to post anything on your behalf.
4. Facebook and Instagram (Meta)
Bitcoin Companies maintains a Meta app used to publish our own posts and announcements to our official Bitcoin Companies Facebook Page and Instagram account through the Meta Graph API. It connects only to accounts that we own and control.
We do not offer Facebook Login. We do not access your Facebook or Instagram profile, friends, or activity, and we do not collect, receive, or store any personal data from Facebook or Instagram users. If we ever add Facebook Login, we will update this policy first and describe exactly what we receive.
5. How we use your information
- Operate the leaderboard and display company and treasury data.
- Create your account, sign you in, and keep your sessions secure (IP and user agent are used for security and abuse prevention).
- Verify Bitcoin treasuries from the addresses you submit.
- Send transactional emails (such as sign-in and payment receipts) and, if you subscribe, our newsletter.
- Publish our own content to our official social media channels.
- Understand aggregate, anonymized product usage.
We do not use your data for advertising, profiling, or automated decision making.
6. How we share information
We do not sell, rent, or monetize personal data. Ever. We share data only with the providers we rely on to run the service, and only as needed:
- Google for sign-in (OAuth), if you choose it.
- Stripe for fiat subscription payments. It receives your email and company metadata. We never store card details ourselves.
- BTCPay Server (self-hosted, non-custodial) for on-chain Bitcoin registration payments. It receives your email, domain, and company name.
- Phoenixd (self-hosted, self-custodial) for Lightning review payments.
- Mailgun for email delivery. It receives the recipient address and message content.
- Google Analytics and Plausible for website usage analytics.
- Blockchain data providers (Arkham Intelligence, Trezor Blockbook, mempool.space) receive only public Bitcoin addresses and extended public keys, never personal data.
We also ingest publicly posted company reviews from sources such as Trustpilot. Company and treasury data shown on the leaderboard comes from public sources and voluntary submissions, and is displayed publicly by design. We may also disclose data where required by law.
7. Cookies and analytics
We use an essential session cookie (HTTP-only, SameSite=Lax) to keep you signed in. For analytics we use Google Analytics, which may set cookies to measure aggregate usage, and Plausible, which is cookieless and EU-hosted. We do not use advertising or cross-site tracking cookies.
8. Data retention
We keep your account data for as long as your account is active. Session records, including IP address and user agent, remain until you sign out or your account is deleted. When you delete your account or ask us to remove your data, we do so within 30 days, except where we are required to keep records for legal or accounting reasons.
9. Data deletion
You can request deletion of your data at any time:
- Account or company data: email [email protected] or use our contact page, and include your registered email, company name, or domain. Deleting your account also removes your sessions (IP address and user agent) and any linked Google sign-in.
- Newsletter: use the unsubscribe link in any email we send, or email us.
We will confirm and complete the deletion within 30 days.
10. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict its processing. To exercise any of these rights, contact us using the details in section 12. We will not discriminate against you for doing so.
11. Children's privacy
This site is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.
12. Changes and contact
We may update this policy from time to time. When we do, we will update the date at the top of this page. Continued use of the site after a change means you accept the updated policy.
Questions about your privacy or this policy? Email [email protected] or use our contact page.