Legal

Privacy Policy

Last updated 7 May 2026 · Effective 7 May 2026

This Privacy Policy explains how BAM NFT (“we”, “us”, “our”) collects, uses, and protects personal data when you use https://bamnft.com and related services (the “Service”). We act as the data controller for the personal data described below.

We follow the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act. If you have questions about this policy or want to exercise any of your rights, contact us at help@bamnft.com.

1. Who we are

BAM NFT operates a multi-merchant NFT storefront platform. The controller for personal data processed through the Service is the legal entity operating BAM NFT. Contact: help@bamnft.com.

2. Data we collect

We collect only what we need to operate the Service:

Provided by you

• Email address — required to confirm your purchase and to deliver receipts and order updates.
• Public wallet address — the EVM-compatible address you provide so we can mint your NFT directly to you. This is a public identifier on the blockchain, not a credential.
• Optional account details — name and merchant-account information when you sign up as a seller or submit a contact form.

Collected automatically

• Transaction metadata — order ID, NFT, price, currency, payment provider session and intent identifiers, capture/refund timestamps. We do not see or store full card numbers; those are handled by our payment processors.
• Technical data — IP address, user-agent, device type, referring page, and timestamps, used for security, fraud prevention, and aggregate analytics.
• Cookies and similar storage — see our Cookie Policy.

Received from third parties

• Payment processors (Stripe, uPayWise, MoonPay, and other rails we may add) — confirmation, decline, and refund signals via signed webhooks. They may also share fraud-risk indicators tied to your transaction.
• Public blockchain data — on-chain transaction status that we read to confirm a mint, transfer, or buyback has settled.

3. How we use your data and on what legal basis

Each processing activity has a specific lawful basis under Article 6 of the GDPR:

• Performance of contract — to create and fulfil your order, charge your card, mint the NFT to your wallet, and send order communications.
• Legitimate interests — to prevent fraud, secure the Service, debug failures, and improve the product, balanced against your rights.
• Legal obligation — to comply with tax, accounting, anti-money-laundering, and consumer-protection law.
• Consent — for non-essential cookies and any optional marketing communications. You can withdraw consent at any time.

We do not sell personal data, and we do not use your data for automated decisions that produce legal or similarly significant effects on you.

4. Who we share data with

We share personal data only with carefully selected processors and only as necessary to operate the Service:

• Payment processors — Stripe, uPayWise, MoonPay, and equivalent acquirers we may engage. Card details are submitted directly to these processors and never touched by our servers.
• Hosting and infrastructure — cloud hosting, database, queueing, and email-delivery providers that run the Service under data-processing agreements.
• Analytics — privacy-respecting analytics tooling, configured to collect aggregate usage data only.
• Legal and regulatory authorities — when we are legally required to disclose information, or to defend or enforce our legal rights.

5. Blockchain transactions are public

NFT mints and transfers are recorded on a public blockchain (currently Polygon mainnet). Once a transaction is settled on chain, the wallet address, token ID, and transaction details are publicly visible and cannot be deleted, edited, or made private by us — that is how public blockchains work. Please consider this before you submit a wallet address you wish to keep unlinked from your identity.

6. International transfers

Some of our processors are based outside the EEA (for example in the United States). Where personal data is transferred outside the EEA, we rely on European Commission adequacy decisions or on Standard Contractual Clauses (SCCs) with appropriate supplementary measures. You can request a copy of the transfer mechanism by emailing us.

7. Retention

We keep personal data only for as long as we need it for the purposes described above:

• Order and payment records — for the period required by tax and accounting law (typically five years in Norway after the end of the financial year).
• Account data — for as long as your account is active, and for a short period after closure to handle disputes and legal claims.
• Technical and security logs — for up to 12 months, then aggregated or deleted.
• On-chain data — cannot be deleted by us; see Section 5.

8. Your rights

Under the GDPR you have the right to:

• access the personal data we hold about you;
• request that we correct inaccurate data;
• request that we delete your data, subject to our legal-retention obligations and to the immutability of on-chain records;
• restrict or object to certain processing;
• receive your data in a portable, machine-readable format and have it transmitted to another controller where technically feasible;
• withdraw any consent you have given, without affecting prior lawful processing; and
• lodge a complaint with Datatilsynet (Norwegian Data Protection Authority) or your local supervisory authority.

To exercise any of these rights, email help@bamnft.com. We will respond within one month.

9. Security

We use industry-standard technical and organisational measures to protect personal data: TLS in transit, encryption at rest with managed-database providers, role-based access controls, and signed webhooks for all payment-provider integrations. No system is perfectly secure; if you believe your data has been compromised, contact us at help@bamnft.com immediately.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. The current version, with its “Last updated” date, is always available at https://bamnft.com/privacy. Material changes will be communicated to active users by email or in-product notice.

12. Contact

Questions or complaints about this policy can be sent to help@bamnft.com.