Privacy Policy

We collect only what we genuinely need, encrypt it everywhere, never sell it, and give you full control. Below is exactly what we collect, why, with whom we share it and how long we keep it.

Last updated: May 28, 2026 · GDPR · UK GDPR · CCPA compliant · Version 3.0

Encrypted by default

TLS 1.3 in transit, AES-256 at rest, Argon2id passwords.

We never sell data

No third-party ads, no behavioural targeting, no resellers.

You're in control

Export, correct or delete your data anytime from settings.

01 Who we are and how to contact us

GG-MARKETPLACE ("GG", "we", "us", "our") is the data controller for the personal data processed via gg-marketplace.com (the "Platform"). We are committed to processing your data lawfully, fairly and transparently, in line with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA) and any other applicable privacy law.

  • Privacy / Data Protection Officer: privacy@gg-marketplace.com
  • Security incidents: security@gg-marketplace.com
  • Legal correspondence: legal@gg-marketplace.com

02 What personal data we collect

We only collect data we genuinely need to operate the Platform, secure it, comply with the law and improve the service. Specifically:

Category | Examples
Account | Email, display name, password hash (Argon2id), avatar, cover image, bio, country, language.
Identity (Sellers / Priority Sellers) | Full legal name, date of birth, government-issued ID, selfie, proof of address, tax/VAT identifier where applicable.
Transactional | Orders placed and received, amounts, products, listing snapshots, timestamps, escrow state, dispute history, ratings, support tickets.
Payment | Tokenized card references (we never see or store raw PAN, CVV or expiry), crypto wallet addresses you provide, payout instructions.
Communications | On-platform chat content, email correspondence, support tickets, abuse reports — retained for safety and dispute purposes.
Device & technical | IP address, user agent, device type, OS, browser, language, referrer, page views, session ID, error logs.
Security signals | Login attempts, 2FA events, device fingerprints, velocity signals and other indicators used to detect fraud and account takeover.
Marketing preferences | Newsletter consent, cookie preferences, A/B-test bucket.

03 Why we process your data

Each category of data is processed for one or more clearly defined purposes, each with a legal basis under Article 6 GDPR:

Purpose | Legal basis
Create and operate your account, allow login, render the Platform | Performance of a contract (Art. 6(1)(b))
Process orders, hold funds in escrow, pay sellers, refund buyers | Performance of a contract (Art. 6(1)(b))
KYC, AML and sanctions screening for Sellers / Priority Sellers / large withdrawals | Legal obligation (Art. 6(1)(c))
Prevent fraud, abuse, account takeover and chargebacks | Legitimate interest (Art. 6(1)(f)) — protecting users and the Platform
Resolve disputes between buyers and sellers | Performance of a contract / legitimate interest
Send transactional emails (orders, disputes, security alerts, receipts) | Performance of a contract
Send marketing emails, in-product promos, satisfaction surveys | Consent (Art. 6(1)(a)) — you can withdraw anytime
Product analytics, A/B testing, performance monitoring | Legitimate interest, with privacy-preserving aggregation
Comply with tax, accounting and reporting obligations (DAC7, 1099-K, VAT) | Legal obligation
Respond to lawful requests from courts, regulators or law enforcement | Legal obligation

04 Who we share your data with

We never sell your personal data and we never share it for third-party advertising. We only share what is strictly necessary, with vetted processors bound by data-processing agreements (DPAs):

  • Cloud hosting & database: Supabase (managed Postgres) and Cloudflare (edge compute, DDoS protection, CDN).
  • Payment processing — cards: our PCI-DSS Level-1 card acquirer (tokenization only).
  • Payment processing — crypto: NOWPayments and the underlying blockchain networks when you deposit or withdraw on-chain.
  • Email & transactional messaging: our deliverability provider, used only for emails you triggered or consented to.
  • Identity verification (KYC): our regulated KYC/AML vendor, only for accounts that opt into Seller, Priority Seller or large-withdrawal flows.
  • Customer support tooling: ticketing and chat infrastructure used by our internal staff under confidentiality obligations.
  • Analytics & monitoring: privacy-respecting product analytics and error-reporting tools, configured to avoid collecting unnecessary PII.
  • Authorities: courts, regulators, tax authorities and law enforcement, when we receive a valid legal request or when required by law.
  • Buyers and sellers see each other's public profile (display name, country, avatar, ratings, completed orders) — this is essential for the marketplace to function.

05 International data transfers

Some of our processors operate outside the European Economic Area (EEA), notably in the United States. Whenever we transfer personal data outside the EEA, we rely on one or more of the following safeguards: an adequacy decision of the European Commission, the EU-U.S. Data Privacy Framework, the latest version of the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum where applicable, and supplementary technical measures including encryption in transit and at rest.

06 How long we keep your data

We keep data only for as long as we genuinely need it. The retention periods below are the maximums; we may delete sooner when no longer required.

Data | Retention
Active account data | While the account is active
Closed-account profile data | 24 months after closure, then anonymized
Transactions, invoices, payout records | 10 years (tax / accounting obligations)
KYC documents and AML records | 7 years after the end of the business relationship
Chat between buyer and seller | 24 months after the related order is closed
Support tickets | 36 months after closure
Server access logs | 90 days
Security event logs | 12 months
Marketing preferences | Until consent is withdrawn

07 Your rights

If you are in the EEA, the UK or another jurisdiction with comparable privacy rights, you can exercise the following rights free of charge:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data when there is no overriding legal reason to keep it (e.g. tax retention).
  • Restriction — ask us to limit how we use your data while a complaint is being resolved.
  • Portability — receive your data in a structured, machine-readable format and transmit it to another service.
  • Objection — object to processing based on legitimate interest, including profiling for fraud-prevention.
  • Withdraw consent — for any processing based on consent, with effect for the future.
  • Not be subject to a decision based solely on automated processing that has a legal or similarly significant effect on you.
  • Lodge a complaint with your local supervisory authority (in Portugal: CNPD).

To exercise any of these rights, email privacy@gg-marketplace.com from the email address on file, or submit the request from Settings → Privacy. We respond within 30 days; complex requests may be extended by a further 60 days with notice.

08 Cookies and similar technologies

We use a small number of cookies and similar technologies. Strictly necessary cookies (session, CSRF, load-balancing, 2FA) are always active because the Platform cannot function without them. Analytics and preferences cookies are only set when you accept them in our cookie banner.

You can review and change your choices at any time via the cookie banner or our Cookie Policy. See our full Cookie Policy for the complete list, vendors and durations.

09 How we protect your data

  • TLS 1.3 in transit, AES-256 at rest on managed Postgres.
  • Passwords stored with Argon2id and per-user salt — we never see them in plaintext.
  • Row-level security (RLS) on every user-data table; each query runs with the requester's identity.
  • Two-factor authentication (TOTP) available, mandatory for staff and on sensitive flows.
  • Strict secrets management; service-role keys never reach the browser.
  • Continuous vulnerability scanning, dependency scanning and audit logging.
  • Documented data-breach response with notification to affected users and to the supervisory authority within 72 hours where required by Art. 33 GDPR.

10 Children

The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact privacy@gg-marketplace.com and we will delete it without undue delay.

11 Notice for California residents (CCPA / CPRA)

California residents have additional rights, including the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising these rights. We do not sell personal information as defined by the CCPA and we do not share personal information for cross-context behavioral advertising. To exercise your California rights, contact privacy@gg-marketplace.com.

12 Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced via email and via an in-product banner at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

Questions, data requests or complaints? Write to privacy@gg-marketplace.com — our DPO replies within 30 days.