Genghis Security: How We Protect Crypto Shoppers
By Claudio Cuccovillo, Founder & CEO of Genghis Ltd · Last updated: 7 May 2026
Genghis is a non-custodial, UK-incorporated digital goods marketplace. We never hold customer crypto, never require identity verification, and never share purchase data with advertisers. This page documents exactly how we secure transactions, what data we hold, and — just as importantly — what we don't do.
If you are a privacy-conscious shopper, a security researcher, or an investor reviewing our infrastructure, everything material is on this page. If something is missing, write to security@genghis.pro and we will add it.
1. The Genghis security framework at a glance
Five commitments that define how Genghis operates. Each one is documented in detail below.
Non-custodial payments
We never hold your crypto. NowPayments processes the transaction; settlement goes directly to suppliers.
No identity verification
No KYC, no phone verification, no selfie. We sell digital consumer goods — no regulator requires it, and we don't collect what we don't need.
Minimal data collection
Email, order history, optional country. That's the operational floor required to deliver a digital code. Nothing more.
No data brokering
We have never sold customer data and never will. Our Privacy Policy contractually forbids it.
UK incorporation
Genghis Ltd, UK Company No. 16315448, registered at 20 Wenlock Road, London N1 7GU. A real legal entity, in a real jurisdiction, on a public register.
2. Why Genghis doesn't require KYC
The short answer: there is no legal basis to require it.
Gift cards, game keys, eSIM data, and prepaid travel products are digital consumer goods. Selling them does not place us under the UK Money Laundering Regulations 2017, the Payment Services Regulations 2017, or any FCA-supervised regime. We are an e-commerce platform, not a money-services business.
Every crypto-native platform that asks for your passport before a $25 gift card is operating either out of regulatory caution that doesn't apply to it, or out of a business model that monetises the data. We do neither.
What this means in practice: when you check out on Genghis, the only information you give us is the email address where the code is delivered. You can use a fresh email each time. You can use a privacy-forward email service. Your purchase history sits in your records, not in a customer profile we build to sell.
If a regulator or law-enforcement agency requests data we do not hold, we cannot produce it. That is by design, not by negligence.
3. How we handle your crypto: non-custodial by design
Genghis never holds, custodies, or commingles user crypto. The flow is structured this way for one reason: a custodial model creates a liability that benefits no one but the platform — and creates real, recurring loss events for users when something goes wrong.
Here is exactly what happens when you pay:
- 1.
You select a product and choose your payment token — Bitcoin, Ethereum, USDT on any supported chain, Solana, Monero, and 300+ others.
- 2.
NowPayments, a regulated payment processor, generates a one-time deposit address for that specific order.
- 3.
You send the exact amount to that one-time address from your wallet of choice. Genghis never sees your wallet's private keys, seed, or balance.
- 4.
NowPayments confirms the transaction on-chain and converts the funds at the agreed rate. The fiat-equivalent settles directly to the supplier or to our operating account, depending on the product.
- 5.
The supplier issues the digital code. We deliver it to your email.
At no point in this flow does Genghis hold your crypto. There is no wallet to drain, no balance to lose, no exchange-style hot-wallet risk. If we disappeared overnight, no user would lose deposited funds — because no user has any.
This is not a marketing claim. It is the architecture.
4. How we handle your data: minimal collection, no tracking
We collect the minimum required to fulfil your order and operate the platform. Specifically:
Email address. Required for code delivery. Stored encrypted at rest. Never sold, never shared with marketing partners.
Order history. Required for refund handling and support. Tied to your email, not to an identity document.
Optional country. Used only for prepaid travel and country-restricted local-currency products where the supplier requires it.
Anonymous traffic data. Aggregated GA4 metrics — page views, country-level location, device type. No retargeting pixels on the purchase confirmation page.
What we do not collect:
Your real name. We never ask.
A physical address. Digital products do not need shipping.
A phone number. We do not run SMS verification.
Your wallet address. Payment is processed by NowPayments. We see the order, not the wallet.
Your IP in any persistent profile. Server logs auto-rotate.
For the full data inventory, retention windows, and your rights under UK GDPR, see our Privacy Policy.
5. Email and code delivery: encryption and storage
Once the supplier issues a code, two things happen.
First, the code is transmitted to our backend over TLS, stored encrypted at rest, and attached to your order record. We retain it for 90 days so we can support refund requests and re-deliver the code if your email provider rejects the message.
Second, the code is delivered to your email via SendPulse, our transactional email infrastructure provider, also over TLS. The delivery email contains the code, the order reference, and redemption instructions. It does not contain marketing content, advertising pixels, or third-party tracking.
If you want a code purged from our system before the 90-day window expires, write to support and we will delete it. We do not log or track when, where, or how you redeem the code. The supplier may track redemption on their own system — that is outside our control — but Genghis itself has no visibility into post-delivery activity.
6. What we don't do
This is the section most security pages skip. We think it's the most important one. Trust isn't built only by claims of what a platform does — it's built by being explicit about what it doesn't.
We do not sell user data. Not aggregated, not anonymised, not in any form. Our Privacy Policy contractually forbids it.
We do not run advertising tracking on the order confirmation page. No Pixel, no Google Ads conversion tag tied to your email. Conversion measurement is server-side and de-identified.
We do not track gift-card redemption. Once the code reaches your inbox, what you do with it is invisible to us.
We do not share purchase history with third parties beyond the supplier who fulfils the order — and even then, the supplier sees the SKU and the redemption email, not your full Genghis order history.
We do not have insurance against custodial loss — and we will not claim to. Custodial-loss insurance is meaningful only for platforms that custody user funds. We do not, so any cover would be theatrical.
We do not require account creation to make a purchase. You can check out with an email address and walk away. An account is optional, used only by people who want to track orders or accumulate Tribe loyalty rewards.
We do not retain payment data. Crypto transactions are settled by NowPayments. We never see, store, or log your wallet address, transaction signature, or balance.
7. Third-party processors and what they see
Three external services touch a Genghis transaction. Here is exactly what each one sees.
NowPayments
Handles the crypto payment leg
Sees: the deposit address it generated, the transaction hash, the converted fiat amount, and an internal Genghis order reference. Does not see your email, your name, or any redemption data.
Suppliers (Bamboo, Tillo, Piggy, Xoxoday)
Licensed digital-goods distributors
Each one receives the SKU, the denomination, the redemption email, and a Genghis order reference. They do not see your wallet, your payment token, or any other order on your account.
SendPulse
Handles transactional email
Sees: the recipient email, the code in transit, and standard email metadata. SendPulse is GDPR-compliant and stores data within the EU.
We do not use any other third-party processors that touch user data on the purchase path. Analytics (GA4, Microsoft Clarity) and the help-centre platform (Zendesk) operate on aggregated, de-identified data only — they never receive payment, wallet, or code information.
8. Reporting a security concern
If you discover a vulnerability, suspect a compromised order, or notice anything that looks wrong:
Email: security@genghis.pro
Initial review: within 24 hours.
Substantive response: within 72 hours.
Disclosure policy: we follow coordinated disclosure. If you report a vulnerability in good faith, we acknowledge, investigate, and resolve before any public disclosure. We do not pursue legal action against good-faith security researchers.
For order-specific issues — undelivered codes, suspicious activity on your account — use the contact form.
9. Review history
This page is reviewed at minimum every 90 days, or whenever there is a material change to our infrastructure, suppliers, or data handling.
7 May 2026 — Initial publication. Authored and reviewed by Claudio Cuccovillo, Founder & CEO.
10. UK incorporation and legal jurisdiction
Genghis Ltd is a private company limited by shares, incorporated in England and Wales.
Company name: Genghis Ltd
Company number: 16315448
Registered office: 20 Wenlock Road, London N1 7GU, United Kingdom
Director: Claudio Cuccovillo
Public registration:Companies House
We are subject to English law. Disputes are resolved under the jurisdiction of the courts of England and Wales, as set out in our Terms & Conditions. Data protection is governed by the UK GDPR and the Data Protection Act 2018, detailed in our Privacy Policy. Refund handling is documented in our Refund Policy.
If you have a question this page does not answer, the About page explains who we are and how we got here.
Ready to spend your crypto safely?
4,300+ brands. 300+ tokens. 80+ countries. Instant delivery, no KYC.
Browse the catalogLast updated: 7 May 2026 — Reviewed by Claudio Cuccovillo, Founder & CEO of Genghis Ltd. Genghis Ltd, UK Company No. 16315448, 20 Wenlock Road, London N1 7GU. Contact: security@genghis.pro.