Our commitment
to transparency.

Terms of Service

These Terms of Service ("Terms") govern your access to and use of the MercadoBTC platform, including its mobile application, web interface, API, and related services (collectively, the "Service"). Please read them carefully before using MercadoBTC.

By creating an account or using any part of the Service, you agree to be bound by these Terms. If you are using MercadoBTC on behalf of a business, you represent that you have authority to bind that business to these Terms.

Eligibility & Account Registration

To use MercadoBTC, you must:

• Be at least 18 years of age or the age of legal majority in your jurisdiction
• Have the legal capacity to enter into a binding agreement
• Not be located in, or a resident of, any jurisdiction where use of cryptocurrency payment services is prohibited
• Not be on any government-issued sanctions or watchlist

You are responsible for providing accurate registration information and maintaining the confidentiality of your account credentials. You must notify us immediately of any unauthorized account access at security@mercadobtc.com.

Description of Service

MercadoBTC provides merchants with software infrastructure to generate Bitcoin Lightning Network invoices, display payment QR codes, and track incoming payment confirmations. The Service does not:

• Hold, custody, or control your Bitcoin at any point
• Guarantee transaction confirmation times (which depend on the Lightning Network)
• Provide fiat currency conversion or settlement
• Act as a financial institution, bank, or money services business

We reserve the right to modify, suspend, or discontinue any part of the Service at any time with reasonable notice where practicable.

Fees & Billing

MercadoBTC charges a flat fee per transaction processed through our platform. Current fee schedules are published on our pricing page and may be updated with 30 days' written notice to active merchants.

All fees are deducted automatically at the time of transaction. There are no hidden charges, monthly minimums, or setup fees.

Prohibited Uses

You may not use MercadoBTC to process payments for, or in connection with, any of the following:

• Illegal goods, services, or activities under applicable law
• Money laundering, terrorist financing, or sanctions evasion
• Fraudulent transactions or misrepresentation of goods and services
• Gambling or lottery services where prohibited by law
• Adult content platforms without age verification systems
• Any activity that violates a third party's intellectual property rights

Violation of these prohibitions may result in immediate account suspension and, where required, reporting to relevant authorities.

Limitation of Liability

To the maximum extent permitted by applicable law, MercadoBTC and its affiliates, officers, and employees shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of Bitcoin, loss of revenue, or data loss.

Our total cumulative liability for any claim arising from these Terms or the Service shall not exceed the total fees paid by you to MercadoBTC in the three (3) months preceding the claim.

Governing Law & Disputes

These Terms are governed by and construed in accordance with the laws of the applicable jurisdiction in which MercadoBTC is incorporated, without regard to conflict of law provisions.

Any disputes arising under these Terms shall first be attempted to be resolved through good-faith negotiation. If unresolved within 60 days, disputes shall be submitted to binding arbitration administered by a mutually agreed-upon arbitration body.

You waive any right to participate in a class-action lawsuit or class-wide arbitration against MercadoBTC.

Contact

For questions about these Terms, please contact our legal team.

Security Policy

Security is foundational to MercadoBTC. Because our platform operates on a non-custodial model — meaning we never hold your Bitcoin — the attack surface is fundamentally different from traditional fintech. This policy describes how we protect our infrastructure, your account, and your data.

Infrastructure Security

MercadoBTC's backend infrastructure is designed with security-first principles at every layer:

• Encryption in transit: All data transmitted between clients and our servers is encrypted using TLS 1.3. Older protocol versions are rejected.
• Encryption at rest: All stored data is encrypted using AES-256. Database backups are encrypted and stored in geographically distributed locations.
• Network segmentation: Production systems are isolated from development and staging environments. Strict firewall rules limit inter-service communication.
• Access controls: Internal systems use role-based access control (RBAC). All access to production environments requires multi-factor authentication and is logged.
• Dependency management: We continuously scan dependencies for known vulnerabilities using automated tooling and apply patches on a defined schedule.

Non-Custodial Architecture

The most important security property of MercadoBTC is what we don't hold. Our platform is fully non-custodial:

This means that even in the unlikely event of a MercadoBTC server breach, your Bitcoin cannot be stolen from our infrastructure — because it is never there.

Account Security

We provide multiple layers of account protection for merchants:

• Two-factor authentication (2FA): Required for all merchant accounts. We support TOTP authenticator apps. SMS 2FA is not offered due to SIM-swap risks.
• Session management: Login sessions expire after inactivity. All active sessions are visible in your account dashboard and can be remotely terminated.
• Login anomaly detection: We flag and challenge logins from unrecognized devices or unusual locations.
• Password standards: Passwords are hashed using bcrypt with a high cost factor. We never store plaintext passwords.
• API key security: API keys can be scoped to specific permissions and rotated at any time. Compromised keys can be revoked instantly from the dashboard.

Incident Response

We maintain a formal incident response plan. In the event of a security incident that may affect your data:

• We will notify affected merchants within 72 hours of becoming aware of the incident
• Notifications will be sent to the primary email address on your account
• We will provide a clear description of what happened, what data was affected, and what steps we are taking
• We will post a public incident report for significant events within 14 days of resolution

Bug Bounty Program

We believe in working with the security research community to keep MercadoBTC safe. If you discover a security vulnerability in our platform, we want to hear from you.

Scope: Our bug bounty covers the MercadoBTC web application, mobile app, and public API. Infrastructure and third-party services are out of scope.

Rewards: Valid reports are rewarded based on severity (informational, low, medium, high, critical). Reward amounts are determined on a case-by-case basis.

Rules: Do not access or modify data belonging to other users. Do not perform denial-of-service attacks. Do not publicly disclose a vulnerability before we have had a reasonable opportunity to address it.

Security Best Practices for Merchants

The most common attack vectors target users, not infrastructure. We recommend:

• Use a dedicated email address for your MercadoBTC account that is not shared with other services
• Enable 2FA immediately after account creation and store backup codes securely offline
• Regularly sweep funds from your Lightning hot wallet to cold storage
• Verify that you are on the official MercadoBTC domain before entering credentials
• Be skeptical of any communication claiming to be from MercadoBTC that asks for your private key or seed phrase — we will never ask for this
• Keep the MercadoBTC terminal app updated to receive the latest security patches