Privacy Policy
How we handle your data at slapEFT
Contents
- 1. Overview
- 2. What We Don't Collect
- 3. Information We Collect
- 4. Biometric Data (Fingerprints)
- 5. Legal Basis for Processing
- 6. Data Retention
- 7. Data Security
- 8. Your Rights (GDPR/CCPA)
- 9. Government Requests
- 10. Third-Party Services
- 11. Children's Privacy
- 12. International Data Transfers
- 13. Changes to This Policy
- 14. Contact Us
1. Overview
slapEFT ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our FD-258 to EFT conversion service at slapeft.com (the "Service").
By using slapEFT, you consent to the collection and use of information as described in this policy. If you do not agree, please do not use our Service.
2. What We Don't Collect
Unlike most websites, we deliberately avoid collecting data we don't need:
- No accounts required - No email, no password, no profile to hack
- No Google Analytics - Zero external tracking scripts
- No Facebook Pixel - No social media tracking
- No advertising networks - No ad tech, no retargeting
- No persistent cookies - Only session tokens for security (CSRF protection)
- No IP address storage - IP addresses are not logged except temporarily for rate limiting
- No device fingerprinting - We don't track your browser or device
3. Information We Collect
| Data Type | Purpose | Retention |
|---|---|---|
| Uploaded FD-258 image | Generate EFT file | 7 days (auto-delete) |
| Extracted fingerprint images | Encode into EFT format | 7 days (auto-delete) |
| Demographic data (name, DOB, etc.) | Required fields in EFT file | 7 days (auto-delete) |
| Recovery email (optional) | Send download link if requested | 7 days (encrypted) |
| Payment confirmation | Verify purchase completed | 90 days (for support) |
Demographic Information
The personal information you enter (name, date of birth, address, physical characteristics) is embedded in your EFT file as required by the ANSI/NIST-ITL format. This is necessary for ATF acceptance. We do not use this information for marketing or any purpose other than generating your EFT file.
Payment Information
We accept cryptocurrency payments through BTCPay Server, which we self-host. We do not collect or store credit card numbers. Payment records contain only transaction IDs and confirmation status.
4. Biometric Data (Fingerprints)
We recognize that fingerprint data is sensitive biometric information requiring special protection.
How We Handle Your Fingerprints
- Collection: You voluntarily upload your fingerprint card image
- Processing: We extract fingerprint regions and encode them in WSQ format
- Storage: Fingerprint images are stored temporarily on encrypted servers
- Purpose: Solely to generate your EFT file for ATF submission
- Sharing: We never share, sell, or transfer your fingerprint data to any third party
- Retention: Automatically deleted 7 days after upload
- Your control: You can delete your data immediately after download
Biometric Data Rights
Depending on your jurisdiction, you may have specific rights regarding biometric data under laws such as:
- Illinois Biometric Information Privacy Act (BIPA)
- Texas Capture or Use of Biometric Identifier Act
- Washington Biometric Privacy Law
- California Consumer Privacy Act (CCPA)
We honor all applicable biometric privacy laws. Contact us to exercise your rights.
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and UK, we process your data under the following legal bases:
- Contract: Processing necessary to provide the service you requested (EFT generation)
- Consent: You explicitly consent by uploading your data and agreeing to this policy
- Legitimate Interest: Basic analytics to improve service quality and security
For biometric data specifically, we rely on your explicit consent provided when you upload your fingerprint card.
6. Data Retention
We retain your data for the minimum time necessary:
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Fingerprint images | 7 days | Automatic secure deletion |
| Demographic data | 7 days | Automatic secure deletion |
| Generated EFT files | 7 days | Automatic secure deletion |
| Payment records | 90 days | Manual deletion after period |
| Support correspondence | 1 year | Manual deletion |
Immediate Deletion: You can delete all your data immediately after downloading your EFT file by clicking the "Delete My Data" button on the download page. We encourage this.
7. Data Security
We implement industry-standard security measures:
- Encryption in transit: All data transmitted via HTTPS/TLS 1.3
- Encryption at rest: Sensitive data encrypted using Fernet (AES-128-CBC)
- Access control: No direct file access; all requests authenticated
- Rate limiting: Protection against brute-force and abuse
- CSRF protection: All forms protected against cross-site request forgery
- Security headers: Strict CSP, X-Frame-Options, HSTS enabled
- No external scripts: Reduced attack surface by avoiding third-party JavaScript
While we take security seriously, no system is 100% secure. We recommend deleting your data immediately after download to minimize any risk.
8. Your Rights
All Users
- Access: Request what data we hold about you
- Deletion: Delete your data at any time (self-service or by request)
- Portability: Download your EFT file (the data you provided, in portable format)
GDPR Rights (EEA/UK Users)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erasure ("right to be forgotten")
- Restrict processing
- Data portability
- Object to processing
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
CCPA Rights (California Residents)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information we collect
- Know whether we sell or disclose your data (we don't)
- Say no to the sale of personal information (we don't sell data)
- Access your personal information
- Request deletion of your information
- Equal service regardless of exercising your rights
We do not sell your personal information. We have not sold personal information in the preceding 12 months.
Exercising Your Rights
To exercise any of these rights, contact us at support@slapeft.com. We will respond within 30 days (or sooner as required by law).
9. Government Requests
We publish a Warrant Canary updated monthly to confirm we have not received any secret government orders, national security letters, or gag orders.
If we receive a valid legal request for user data:
- We will comply only with legally valid requests backed by proper authority
- We will notify users unless legally prohibited from doing so
- We will remind requesters that data auto-deletes after 7 days
- We will challenge overly broad requests
10. Third-Party Services
We minimize third-party dependencies to protect your privacy:
| Service | Purpose | Data Shared |
|---|---|---|
| BTCPay Server (self-hosted) | Payment processing | None - we host it ourselves |
| Fly.io | Hosting infrastructure | Server logs only (no user data) |
| Cloudflare (if enabled) | DDoS protection | IP addresses for security |
We do not use Google Analytics, Facebook, advertising networks, or any service that tracks users across websites.
11. Children's Privacy
Our Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
Note: Minors may have fingerprint cards processed by a parent or legal guardian for legitimate NFA trust purposes.
12. International Data Transfers
Our servers are located in the United States. If you access our Service from outside the US, your data will be transferred to and processed in the US.
For EEA/UK users: By using our Service, you consent to this transfer. We implement appropriate safeguards including encryption and minimal data retention to protect your data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.
For significant changes affecting your rights, we will provide prominent notice on our homepage.
Continued use of the Service after changes constitutes acceptance of the revised policy.
14. Contact Us
For privacy-related questions, concerns, or to exercise your rights:
Email: support@slapeft.com
Response time: Within 30 days (usually faster)
For GDPR complaints, you may also contact your local data protection authority.
Last updated: January 2026
