Privacy Policy

Last updated: 14 May 2026

This Privacy Policy explains how Disbursed ("we", "us", "our") collects, uses, and protects information when you use the Disbursed dashboard and API at disbursed.io (the "Service"). Disbursed is a non-custodial mass-payout tool for the Binance Smart Chain (BSC). We never hold your funds, tokens, or private keys.

1. Information we collect

We collect the minimum data needed to run the Service:

  • Wallet address. When you sign in with Sign-In-With-Ethereum (SIWE) we record your public wallet address as your account identifier.
  • Optional profile data. If you set an email address or display name in Settings, we store those values.
  • Batch and contact data. Recipient addresses, amounts, labels, the on-chain transaction hash, and batch metadata (status, timestamps).
  • Webhook configuration. Destination URLs, descriptions, and event filters you configure. Webhook signing secrets are stored only as a salted hash; the plaintext secret is shown to you exactly once at creation.
  • Operational logs. Request IPs, user-agent strings, error traces, and rate-limit counters, kept for up to 30 days for abuse prevention and incident response.

2. Information we do NOT collect

  • Your private keys or seed phrase. All signing happens in your wallet, in your browser. We never see them.
  • Your funds. Every payout flows wallet → smart contract → recipients directly on BSC. We are not in the custody path.
  • KYC documents. No government ID, no proof of address, no real-name data is requested by Disbursed itself. Your own jurisdiction may impose KYC duties on you as the payer; those are your responsibility.
  • Cross-site tracking. No Google Analytics, Facebook Pixel, ad SDKs, or third-party profiling tools.

3. How we use information

  • Operate the Service — showing past batches, looking up contacts, delivering webhooks.
  • Authenticate API requests against your account.
  • Investigate and prevent abuse, fraud, and security incidents.
  • Send transactional notifications to email addresses you have provided.

4. Sharing and third parties

We do not sell or rent your data. Disbursed runs on Cloudflare infrastructure (Workers, D1, KV, R2) and uses public BSC RPC endpoints. These providers process data on our behalf under their own terms.

When you configure an outgoing webhook, Disbursed will deliver signed HTTP POSTs to the URL you specify. We are not responsible for how the receiving system handles those payloads.

We will disclose information only when compelled by a valid, enforceable legal order in a jurisdiction in which we operate, and only the specific data demanded.

5. Cookies and local storage

We use first-party cookies and browser local storage only for essential functions: keeping you signed in (JWT), remembering your wallet connection, and persisting UI preferences. We do not use cross-site tracking cookies.

6. On-chain data is public

Every BSC transaction — sender, recipient, token, amount, timestamp — is publicly visible on the chain and on block explorers like BscScan. Disbursed cannot make on-chain data private. Be mindful of this when you choose recipient addresses for sensitive payouts.

7. Data retention

  • Batch and contact records — retained for the lifetime of your account.
  • Operational logs — 30 days.
  • Account deletion — you may request full deletion of your account at any time by emailing privacy@disbursed.io. We will purge all off-chain records associated with your wallet address within 30 days. On-chain transactions are immutable and cannot be deleted by anyone, including us.

8. Security

  • Server-side data is encrypted at rest by Cloudflare.
  • All API and dashboard traffic uses HTTPS.
  • Webhook payloads are signed with HMAC-SHA256 so receivers can verify authenticity.
  • We do not store private keys, seed phrases, or any credentials that could move funds.

9. Your rights

Subject to applicable law — including GDPR for EU residents and CCPA for California residents — you may have the right to access, correct, export, or delete your personal data. Email privacy@disbursed.io to exercise these rights.

10. Children

The Service is not intended for users under 18. We do not knowingly collect data from minors.

11. International users

The Service is operated from Cloudflare's global edge network. Your data may be processed in any jurisdiction where Cloudflare operates.

12. Changes to this policy

We will update this policy as needed. The "Last updated" date at the top reflects the most recent change. Material changes will be announced via a banner in the dashboard.

13. Contact

  • privacy@disbursed.io — privacy questions and data requests
  • security@disbursed.io — security disclosures