Privacy Policy
Our commitment to your privacy — a plain-language summary
Ohmyfin Organisation is committed to operating one of the most privacy-respectful SWIFT-tracking services available. The following summary is provided for your convenience; it is not a substitute for, and does not modify, the full legal terms set out below, but it accurately reflects the principles by which we operate.
No sale of personal data. We do not sell, rent or otherwise commercialise your personal data — to advertisers, data brokers or any other party — under any circumstances.
No advertising-network tracking. We do not deploy advertising pixels, behavioural-tracking cookies or remarketing tags from third-party ad networks.
No account required for the free tracker. You are not asked to provide a name, email address or payment card in order to look up a UETR or payment reference.
Strict data minimisation. We process only the information that is strictly necessary to deliver and protect the service — for example, your IP address, used solely to enforce the daily free-search limit and to prevent abuse — and nothing more.
Optional information remains optional. Where you choose to supply an email address so that we may notify you of a payment status update, that address is used solely for the notification you requested and never for marketing.
Defined retention periods. Free-tier scan records are retained only for as long as is necessary to operate the daily-limit mechanism and basic fraud-prevention functions, after which they are deleted or irreversibly anonymised.
Full data-subject rights. Under UK GDPR, EU GDPR and equivalent legislation you have the right to access, rectify, port and erase any personal data you have shared with us. We will respond to all such requests promptly and free of charge.
Analytics for service operation only. Any analytics we employ are configured for the legitimate purpose of operating, securing and improving the service, and not for advertising or behavioural profiling.
Encryption in transit. All connections to ohmyfin.org are protected by industry-standard HTTPS / TLS encryption.
Our guiding principle is straightforward: the less personal data we hold about you, the safer that data is. The full legal text below sets out, in detail, the categories of data we process, the legal bases on which we rely, our retention periods and how you may exercise your rights.
This Privacy Policy ("Policy") explains how Ohmyfin Organisation ("we," "us," or "our") collects, uses, and protects the data you provide to us when you visit and use our website ohmyfin.org.
We reserve the right to change this Policy at any time. Any updates will be effective immediately upon posting on this page.
1. What User Data We Collect
When you visit our website, we may collect the following:
Your IP address
Your email address and/or phone number
Your cross-border payment information, including UETR or reference number, date of payment, amount, sender's bank, beneficiary's bank and currency
Data profile regarding your behavior on our website
Your billing information: name, address, VAT
Analytics and advertising data through Google Ads conversion tracking, including pages visited, interactions, and conversion events
2. Why We Collect It
We collect this data for the following purposes:
To provide you with the services you requested (e.g., tracking payments)
To facilitate proper billing
To better understand your needs and improve our services
To provide you with up-to-date information about our services
To measure advertising effectiveness and optimize our marketing campaigns through Google Ads conversion tracking
To analyze user behavior and website performance to enhance user experience
3. Third-Party Services and Google Ads
We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. This service:
Places cookies on your device to track conversions and user interactions
Collects information about your visits to our website and interactions with our ads
Helps us understand which marketing campaigns are most effective
Allows Google to show you personalized ads based on your website visits
When you ask us to keep watching a UETR (i.e. you supply your email after a "Payment Not Found" result), we create a short-lived background watcher record. This is the data flow:
What we store: the UETR you submitted, the email address you supplied, an SHA-256 hash of your IP (never the raw IP), the schedule for re-checks, and a per-row unsubscribe token.
Why: so we can re-query the SWIFT network on your behalf at 2h, 6h, 12h, then every 24h, for up to 7 days, and email you the moment the payment shows up — or once when the 7-day window expires.
Retention: the watcher row stops being processed as soon as the payment is found, the 7-day window ends, or you click "Unsubscribe" in any of our emails. Resolved rows remain only for audit/abuse-prevention purposes and are not used for marketing.
One-click unsubscribe: every email contains a unique unsubscribe link that revokes the watcher with a single click — no login required.
Anti-abuse limits: 10 watcher creations per IP per 24 hours and a 50-active-watcher cap per email address. Email domains must publish a valid MX (or A) record before we accept a watcher.
What we don't do: we don't share watcher emails or UETRs with third parties, we don't add you to any newsletter, and we don't profile you across other features of the site.
5. MT Message Drafter — What Happens to Your Payment Drafts
OhMyFin offers a free MT message drafter at /draft/mt103, /draft/mt202, /draft/mt202cov and /draft/mt199, plus a matching free public API at POST /api/draft/{kind} and POST /api/draft/{kind}/validate. Because these endpoints handle the same fields that appear inside a live SWIFT payment (BICs, account numbers, beneficiary names, references), we want to be explicit about how we treat that data:
We do not persist the payloads. Neither the form submissions nor the API requests are written to our database, to disk, to a queue, or to any analytics pipeline.
We do not log the payloads. Our request logs record only the HTTP method, path, status code and timing — never the JSON body, never the rendered MT message, and never the values of individual SWIFT fields.
The "Share link" button is client-side only. When you click Share, your draft is base64-encoded into the URL fragment (the part after the #). Browsers never send URL fragments to the server, so the payload travels only between you and whoever you hand the link to.
Rate-limit accounting is by IP only. To enforce the 100-builds-per-IP-per-day cap on the public API, we hold an in-memory counter keyed by your IP address. The counter resets daily and is never combined with payload contents.
No third parties. The drafter does not call any external service. Validation and serialisation run entirely inside our own Node.js process.
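The "Share link" behaviour described above, shown as an added illustration (this is not OhMyFin's own code): a draft is base64-encoded into the URL fragment, and the request target a browser sends contains only the path and query. The base URL, function names, field keys and sample draft are assumptions constructed for this example.

```javascript
// Added example. BASE and SAMPLE_DRAFT are constructed placeholders, not real data.
const BASE = "https://example.invalid/draft/mt103";
const SAMPLE_DRAFT = {
  kind: "mt103",
  senderBic: "AAAABBCCXXX",
  beneficiary: "Zoë Example",
  reference: "REF-0001",
};

// UTF-8 encode the JSON, then base64 it (btoa only accepts bytes 0-255).
function toBase64(draft) {
  const bytes = new TextEncoder().encode(JSON.stringify(draft));
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Share link: the payload lives after '#', so it stays on the client.
function buildShareLink(draft, base = BASE) {
  const url = new URL(base);
  url.hash = toBase64(draft);
  return url.toString();
}

// What the recipient's browser does locally to restore the draft.
function readShareLink(link) {
  const b64 = new URL(link).hash.slice(1);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Contrast case: the same payload in the query string IS sent to the server.
function buildQueryLink(draft, base = BASE) {
  const url = new URL(base);
  url.searchParams.set("d", toBase64(draft));
  return url.toString();
}

// The request target an HTTP client puts on the wire: path + query, no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

console.log(requestTarget(buildShareLink(SAMPLE_DRAFT))); // fragment link
console.log(requestTarget(buildQueryLink(SAMPLE_DRAFT))); // query link, payload visible
```

Base64 is an encoding, not encryption, and the fragment remains in browser history and is readable by scripts running on the page, so a share link should be handled with the same care as the draft itself.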
6. Restricting the Collection of Your Personal Data
If you would like us to delete your personal data, you can simply use the 'Delete Account' function in your profile.
We take data protection and your privacy seriously. Your personal information will only be used for the purposes outlined in this Policy and will not be shared with third parties without your consent, except as required by law or as described in the Third-Party Services section above.
If you have any questions or concerns about our Privacy Policy or the data we collect, please contact us: