01 Who we are and how to contact us
GG-MARKETPLACE ("GG", "we", "us", "our") is the data controller for the personal data processed via gg-marketplace.com (the "Platform"). We are committed to processing your data lawfully, fairly and transparently, in line with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA) and any other applicable privacy law.
- Privacy / Data Protection Officer: privacy@gg-marketplace.com
- Security incidents: security@gg-marketplace.com
- Legal correspondence: legal@gg-marketplace.com
02 What personal data we collect
We only collect data we genuinely need to operate the Platform, secure it, comply with the law and improve the service. Specifically:
| Category | Examples |
|---|---|
| Account | Email, display name, password hash (Argon2id), avatar, cover image, bio, country, language. |
| Identity (Sellers / Priority Sellers) | Full legal name, date of birth, government-issued ID, selfie, proof of address, tax/VAT identifier where applicable. |
| Transactional | Orders placed and received, amounts, products, listing snapshots, timestamps, escrow state, dispute history, ratings, support tickets. |
| Payment | Tokenized card references (we never see or store raw PAN, CVV or expiry), crypto wallet addresses you provide, payout instructions. |
| Communications | On-platform chat content, email correspondence, support tickets, abuse reports — retained for safety and dispute purposes. |
| Device & technical | IP address, user agent, device type, OS, browser, language, referrer, page views, session ID, error logs. |
| Security signals | Login attempts, 2FA events, device fingerprints, velocity signals and other indicators used to detect fraud and account takeover. |
| Marketing preferences | Newsletter consent, cookie preferences, A/B-test bucket. |
03 Why we process your data
Each category of data is processed for one or more clearly defined purposes, each with a legal basis under Article 6 GDPR:
| Purpose | Legal basis |
|---|---|
| Create and operate your account, allow login, render the Platform | Performance of a contract (Art. 6(1)(b)) |
| Process orders, hold funds in escrow, pay sellers, refund buyers | Performance of a contract (Art. 6(1)(b)) |
| KYC, AML and sanctions screening for Sellers / Priority Sellers / large withdrawals | Legal obligation (Art. 6(1)(c)) |
| Prevent fraud, abuse, account takeover and chargebacks | Legitimate interest (Art. 6(1)(f)) — protecting users and the Platform |
| Resolve disputes between buyers and sellers | Performance of a contract / legitimate interest |
| Send transactional emails (orders, disputes, security alerts, receipts) | Performance of a contract |
| Send marketing emails, in-product promos, satisfaction surveys | Consent (Art. 6(1)(a)) — you can withdraw anytime |
| Product analytics, A/B testing, performance monitoring | Legitimate interest, with privacy-preserving aggregation |
| Comply with tax, accounting and reporting obligations (DAC7, 1099-K, VAT) | Legal obligation |
| Respond to lawful requests from courts, regulators or law enforcement | Legal obligation |
04 Who we share your data with
We never sell your personal data and we never share it for third-party advertising. We only share what is strictly necessary, with vetted processors bound by data-processing agreements (DPAs):
- Cloud hosting & database: Supabase (managed Postgres) and Cloudflare (edge compute, DDoS protection, CDN).
- Payment processing — cards: our PCI-DSS Level-1 card acquirer (tokenization only).
- Payment processing — crypto: NOWPayments and the underlying blockchain networks when you deposit or withdraw on-chain.
- Email & transactional messaging: our deliverability provider, used only for emails you triggered or consented to.
- Identity verification (KYC): our regulated KYC/AML vendor, only for accounts that opt into Seller, Priority Seller or large-withdrawal flows.
- Customer support tooling: ticketing and chat infrastructure used by our internal staff under confidentiality obligations.
- Analytics & monitoring: privacy-respecting product analytics and error-reporting tools, configured to avoid collecting unnecessary PII.
- Authorities: courts, regulators, tax authorities and law enforcement, when we receive a valid legal request or when required by law.
- Buyers and sellers see each other's public profile (display name, country, avatar, ratings, completed orders) — this is essential for the marketplace to function.
05 International data transfers
Some of our processors operate outside the European Economic Area (EEA), notably in the United States. Whenever we transfer personal data outside the EEA, we rely on one or more of the following safeguards: an adequacy decision of the European Commission, the EU-U.S. Data Privacy Framework, the latest version of the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum where applicable, and supplementary technical measures including encryption in transit and at rest.
06 How long we keep your data
We keep data only for as long as we genuinely need it. The retention periods below are the maximums; we may delete sooner when no longer required.
| Data | Retention |
|---|---|
| Active account data | While the account is active |
| Closed-account profile data | 24 months after closure, then anonymized |
| Transactions, invoices, payout records | 10 years (tax / accounting obligations) |
| KYC documents and AML records | 7 years after the end of the business relationship |
| Chat between buyer and seller | 24 months after the related order is closed |
| Support tickets | 36 months after closure |
| Server access logs | 90 days |
| Security event logs | 12 months |
| Marketing preferences | Until consent is withdrawn |
07 Your rights
If you are in the EEA, the UK or another jurisdiction with comparable privacy rights, you can exercise the following rights free of charge:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data when there is no overriding legal reason to keep it (e.g. tax retention).
- Restriction — ask us to limit how we use your data while a complaint is being resolved.
- Portability — receive your data in a structured, machine-readable format and transmit it to another service.
- Objection — object to processing based on legitimate interest, including profiling for fraud-prevention.
- Withdraw consent — for any processing based on consent, with effect for the future.
- Not be subject to a decision based solely on automated processing that has a legal or similarly significant effect on you.
- Lodge a complaint with your local supervisory authority (in Portugal: CNPD).
To exercise any of these rights, email privacy@gg-marketplace.com from the email address on file or from Settings → Privacy. We respond within 30 days; complex requests may be extended by a further 60 days with notice.
08 Cookies and similar technologies
We use a small number of cookies and similar technologies. Strictly necessary cookies (session, CSRF, load-balancing, 2FA) are always active because the Platform cannot function without them. Analytics and preferences cookies are only set when you accept them in our cookie banner.
You can review and change your choices at any time via the cookie banner or our Cookie Policy. See our full Cookie Policy for the complete list, vendors and durations.
09 How we protect your data
- TLS 1.3 in transit, AES-256 at rest on managed Postgres.
- Passwords stored with Argon2id and per-user salt — we never see them in plaintext.
- Row-level security (RLS) on every user-data table; each query runs with the requester's identity.
- Two-factor authentication (TOTP) available, mandatory for staff and on sensitive flows.
- Strict secrets management; service-role keys never reach the browser.
- Continuous vulnerability scanning, dependency scanning and audit logging.
- Documented data-breach response with notification to affected users and to the supervisory authority within 72 hours where required by Art. 33 GDPR.
10 Children
The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact privacy@gg-marketplace.com and we will delete it without undue delay.
11 Notice for California residents (CCPA / CPRA)
California residents have additional rights, including the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising these rights. We do not sell personal information as defined by the CCPA and we do not share personal information for cross-context behavioral advertising. To exercise your California rights, contact privacy@gg-marketplace.com.
12 Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email and via an in-product banner at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Questions, data requests or complaints? Write to privacy@gg-marketplace.com — our DPO replies within 30 days.
