Privacy Policy

We collect information you provide directly when you create an account or use the platform:

• Account information: username, email address, and password (stored as a bcrypt hash — we never store your plain-text password).
• Lightning address: if you choose to add one to receive payments as a seller.
• Listing content: titles, descriptions, images, prices, and shipping details you publish.
• Order information: buyer name, shipping address, phone number (optional), and quantity when placing an order.
• Messages: the content of direct messages exchanged between users on the platform.
• Reviews: ratings and comments you leave for sellers.

We also collect limited technical information automatically:

• Session tokens: a JWT stored in an HttpOnly cookie to keep you signed in.
• Server logs: standard web server logs including IP addresses and request timestamps, retained briefly for security and debugging purposes.

We do not collect browser fingerprints, use third-party tracking pixels, or sell advertising.

We use the information we collect to:

• Create and manage your account
• Facilitate transactions between buyers and sellers
• Forward Lightning payments to the seller's Lightning address
• Display your listings, profile, and reviews to other users
• Enable real-time messaging between users
• Send order status notifications within the platform
• Detect and prevent fraud, abuse, and violations of our Terms of Service
• Respond to support requests

We do not use your data for targeted advertising, sell it to third parties, or share it with data brokers.

The following information is visible to other users of the platform:

• Your username (on your public profile)
• Your listings, including titles, descriptions, images, and prices
• Your seller rating and reviews left by buyers
• The date you joined the platform

Your email address, password hash, Lightning address, and order details are never publicly visible. Messages are only visible to the two participants in a conversation.

Payments on lnbay are processed via the Bitcoin Lightning Network. When a buyer places an order, we generate a Lightning invoice via our payment processor (OpenNode) and forward the payment to the seller's Lightning address upon confirmation.

Lightning transactions are recorded on the Bitcoin network and are inherently pseudonymous. We do not store the private keys of any wallet, and we do not take custody of funds beyond the brief routing period. Payment data (invoice strings, charge IDs) is stored in our database solely to track order status and facilitate refunds.

We retain your account data for as long as your account is active. If you delete your account, your personal information (name, email, password hash, Lightning address) is deleted from our database.

Your username is permanently reserved after deletion and stored in a separate table to prevent impersonation. Transaction records (orders, payments) may be retained for legal and financial record-keeping purposes even after account deletion. Your listings and messages may also remain in the database in anonymised form.

Server logs are typically purged on a rolling basis within 30 days.

lnbay uses a single HttpOnly session cookie named auth_token to keep you signed in. This cookie cannot be accessed by JavaScript and is transmitted only over HTTPS in production.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

lnbay uses the following third-party services, which may process data on our behalf:

• OpenNode — Lightning Network payment processing. When an order is created, basic order details are shared with OpenNode to generate and monitor payment invoices. OpenNode's own privacy policy governs their data handling.
• Google Fonts — fonts are loaded from Google's CDN. Google may log the request IP. You can block this by using a browser extension if desired.

We do not integrate with social networks, advertising platforms, or data analytics services.

We take reasonable technical measures to protect your data, including:

• Passwords hashed with bcrypt (cost factor 12) — never stored in plain text
• Authentication via signed JWT tokens with 7-day expiry
• HttpOnly, SameSite cookies to prevent XSS-based session theft
• Server-side input validation on all API endpoints

No system is completely secure. If you believe you have found a security vulnerability, please contact us responsibly before disclosing it publicly.

You have the right to:

• Access the personal information we hold about you
• Correct inaccurate information via the Settings page
• Delete your account at any time from Settings — this removes your personal data from our systems
• Export — contact us to request a copy of your data
• Object to processing in cases where we rely on legitimate interests

To exercise any of these rights, use the Settings page or contact us via the Contact page.

lnbay is not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, where appropriate, notify users via the platform. Your continued use of lnbay after changes are posted constitutes your acceptance of the updated policy.

If you have questions or concerns about this Privacy Policy or how your data is handled, please reach out via the Contact page.