Last updated: [DATE TBD]
1. Data Controller
[TODO: insert legal entity name, registered address, contact email, and DPO contact if applicable.]
2. Data We Collect
Account data (username, email, hashed password). Profile data (name, shipping address, phone) when you provide it. Transaction data (bids placed, items won, payment intent IDs). No card numbers are stored; those are held by Stripe. Connection metadata (IP address, timestamps) for security and abuse prevention.
3. Legal Basis
Performance of the contract (Art. 6(1)(b) GDPR) for account, auction, and payment data. Legitimate interest (Art. 6(1)(f)) for fraud and abuse prevention.
4. Third-Party Processors
Stripe (payments, EU + US). Google OAuth and Twitch OAuth if you choose those login methods. Twitch and YouTube for embedded video playback (these set their own cookies when loaded). Hosting provider [TODO].
5. Data Retention
Account data is kept for the lifetime of your account. Transaction records are kept for [TODO: e.g., 10 years per Portuguese tax law]. Deletion requests are honored within 30 days, subject to legal retention requirements.
6. Your Rights Under GDPR
Access, rectification, erasure ("right to be forgotten"), restriction, portability, and objection. You may also lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD). To exercise these rights, contact us at [TODO].
7. Cookies and Local Storage
We store an authentication token and your username in your browser's local storage (essential). Third-party embeds (Twitch, YouTube, Stripe) may set their own cookies when loaded.
8. International Transfers
[TODO: specify if any data is transferred outside the EEA, e.g., Stripe processing in the US, and reference applicable safeguards (SCCs, etc.).]
9. Changes to This Policy
We will notify you of material changes by email and ask for fresh consent where it is required.
10. Contact
[TODO: insert contact details for privacy requests.]