About

Built on a single premise.

Cash transactions produced no record at any third party. Card payments produce records at every layer they pass through. That is the property eigin is being built to restore at the card-number level, for the card-not-present payments cash cannot reach.

The shift from cash to card was incremental. Tap-to-pay accelerated it. The data consequences were not visible at the time of consent, and the regulatory frameworks that now treat card-derived data as restricted (UK GDPR Articles 15 and 17, PCI-DSS, the Payment Services Regulations) came after the shift, not before. By the time the consumer rights were named in law, the infrastructure that produces the records was already the default.

Some of that data trail is recoverable today. Cash, where it remains a real option. UK GDPR Article 15 to find out what a merchant holds, Article 17 to make them delete it, one merchant at a time. Mobile wallet tokenisation, which protects the card number though not the cross-merchant identifier. These cover part of the surface. They cannot reach the card-not-present payments where cash is not an option and where rights exercises against individual merchants cannot recover the rest of the trail. That is the gap eigin is being built to close.


The product

eigin issues virtual card numbers on Visa and Mastercard rails. Single-use, merchant-locked, spend-capped, or any combination of those controls. The user sets the rules before the payment leaves their hands. The merchant receives a virtual number and a payment confirmation. The real card number is never transmitted.

The novel claim is not the technical mechanism. The card industry already uses tokenisation extensively: PCI-DSS requires it for storage, Apple Pay and Google Pay use it for transmission, the card networks use it internally. eigin extends the same mechanism further by issuing a different number per merchant or per purchase, which prevents the same identifier from being shared across the merchants you pay.

The product runs under the regulatory authorisation of a licensed BaaS partner, to be disclosed at launch. eigin is the software layer and programme manager. eigin is pre-launch as of mid-2026.


The founder

OY

Omer Yusuf

Founder & Director, Eigin Ltd

Omer Yusuf, founder and director of Eigin Ltd. Based in the UK.

Privacy.com has been issuing virtual privacy cards in the US since 2014. Over twelve years of operation, more than 250,000 users. No equivalent product exists for the UK or Europe. The structural reasons the gap has persisted are concrete: regulatory complexity, BaaS partner access friction, scheme economics for a specialised category, commercial pessimism about niche privacy products. The same reasons that made the gap hard to fill are the reasons it has remained open long enough to fill properly.

eigin is being built to fill it.


The infrastructure

eigin runs on EU-hosted infrastructure. The server is self-hosted on Hetzner in Nuremberg. No third-party analytics that track users across the web. Plausible Analytics for aggregated, cookieless traffic data, EU-hosted and GDPR-native. Postmark, used for transactional email, is operated by a US-headquartered company that runs EU and UK entities and is covered by standard contractual clauses under UK GDPR Article 46(2)(c). Card issuing will be provided by a regulated partner, to be disclosed at launch.

A privacy product should not be built on infrastructure that contradicts it. Every tool in the stack was chosen against that standard.


Questions, press, or partnership enquiries: contact@eigin.co

Join the UK waitlist →