The data controller for personal information processed through the Service is the SOUQ.GG operating entity identified in our Terms (the “Controller”). The Controller decides why and how personal information is processed. For specific questions about who the controller is in your jurisdiction, contact privacy@souq.gg.

The table below summarizes what we collect, where it comes from, and how long we keep it.

We collect information from three sources:

• Directly from you — for example, when you create an Account, edit your profile, list a Product, submit a review, place an Order, or contact us.
• Automatically — when you use the Service we collect technical information such as IP, device, browser, and how you interact with pages.
• From third parties — for example, Stripe gives us payment status, KYC verification results for Sellers, and chargeback information; OAuth providers give us a verified email and basic profile when you sign in with them; abuse intelligence services may flag suspicious sign-ups.

• Provide, maintain, and improve the Service.
• Authenticate you and keep your Account secure.
• Process Orders, deliver downloads, and run payouts.
• Detect, prevent, and investigate fraud, abuse, and security incidents.
• Respond to support, abuse, and legal requests.
• Send service-related notices (downtime, security, policy updates, Order confirmations).
• Comply with legal obligations (tax, accounting, anti-money-laundering, sanctions screening).
• Personalize discovery (such as recommended products) based on your activity.
• Enforce our Terms and protect our rights and the rights of others.

Some features use AI models (Anthropic and OpenAI) to summarize, categorize, generate, or rewrite content you submit (for example, suggesting a product description). When you use those features:

• Your prompt is sent to the provider only for the duration of the request.
• Provider contracts prohibit using your prompts to train their general-purpose models.
• We never send payment data, password hashes, or other sensitive personal information to AI providers.
• AI output is shown to you for review — nothing is published without your action.

Where the EU or UK GDPR applies, we rely on the following legal bases:

• Contract — to provide the Service you requested.
• Legitimate interests — to secure the Service, prevent abuse, run the business, and improve our product. We weigh these interests against your rights.
• Legal obligation — to comply with applicable laws (tax, fraud, recordkeeping, AML/CFT).
• Consent — where required, such as for certain cookies, marketing emails, or processing of special-category data.

You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We do not sell personal information. We share only as described below:

• Service providers who process data on our behalf under contractual protections — see Processors & sub-processors below.
• Other users — information you choose to publish (profile, listings, reviews, comments) is visible to other users and the public.
• Sellers and Buyers — to complete an Order, we share necessary information between the parties (for example, the Seller sees the Buyer’s username and order ID).
• Legal, safety, and compliance — when required by law, valid legal process, or to protect rights, property, or safety. We will challenge requests we believe to be over-broad.
• Corporate transactions — in a merger, acquisition, or asset transfer, information may be transferred subject to confidentiality protections; we will notify you of any change of controller.

We may change processors with notice for material changes. The current list above is the authoritative processor inventory; sub-processors used by those processors are listed in their own published sub-processor pages.

We use cookies that are strictly necessary to run the Service plus a small number of functional preferences. The full inventory is in the Cookie Policy. We do not currently use third-party advertising or cross-site tracking cookies. If we add optional analytics or marketing cookies, we will request your consent first where required.

We may send you product news, recommendations, and seller updates by email. Where required by law (EU, UK, Canada), marketing emails are opt-in; otherwise you can opt out at any time using the unsubscribe link in any marketing email or by editing your preferences in settings. Transactional emails (Order confirmations, security alerts, legal notices) are not marketing and cannot be opted out of while you have an active Account.

We retain personal information for as long as your Account is active and as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. When you delete your Account, we delete or anonymize personal data within a reasonable period (target: 90 days), except where retention is required by law or for legitimate business purposes (for example, financial records up to 10 years).

Logs and security telemetry are kept on a rolling 13-month window unless we need to keep them longer for security investigations.

We use industry-standard technical and organizational measures: TLS in transit, managed password hashing (Supabase Auth), encryption of payment tokens, least-privilege database access, role-based access for staff, signed download URLs, audit logging of admin actions, and routine review of security configurations. No method of transmission or storage is fully secure; you use the Service at your own risk.

If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required, and we will notify affected users without undue delay, including a description of the breach, likely consequences, and the measures we have taken or propose to take.

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your information.
• Object to or restrict certain processing.
• Request portability of information you provided.
• Withdraw consent (where processing relies on consent).
• Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
• Lodge a complaint with a supervisory authority.

To exercise these rights, email privacy@souq.gg or use the contact form and choose the “Privacy” channel. We will respond within the time required by applicable law (typically 30 days, extendable to 90 in complex cases). We may need to verify your identity before responding.

We may use automated systems to: detect fraudulent payments, flag suspicious sign-ups, throttle abusive API clients, prioritize search results, and recommend Products. None of these systems produces decisions with legal or similarly significant effects without human review. You may request human review of any automated decision that affects you by emailing privacy@souq.gg.

California residents have the right to: (a) know what personal information we collect; (b) request access and a copy in a portable format; (c) request deletion; (d) request correction; (e) opt out of the “sale” or “sharing” of personal information; (f) limit the use of sensitive personal information; and (g) not be discriminated against for exercising these rights. SOUQ.GG does not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA, and we do not knowingly process the personal information of minors under 16 for any sale or share.

To exercise these rights, email privacy@souq.gg. We will verify your request and respond within 45 days, extendable once.

If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD) similar to those described above, including the right to access, correct, anonymize, delete, port, and review automated decisions. To exercise these rights, email privacy@souq.gg.

If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. You can challenge our handling of your information by contacting privacy@souq.gg. If we cannot resolve your concern, you can complain to the Office of the Privacy Commissioner of Canada.

The Service may be operated from, and personal information may be transferred to and stored in, countries other than your own, including the United States. Where required, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and (where applicable) the EU-US Data Privacy Framework. You can request a copy of the safeguards relevant to a specific transfer by contacting privacy@souq.gg.

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact privacy@souq.gg and we will take appropriate steps to delete the information.

We aim to make this notice readable. The text uses plain English where possible, supports keyboard navigation, and meets WCAG 2.2 AA color-contrast targets. If you need this notice in a different format (large print, audio, or a translation), email privacy@souq.gg and we will provide an equivalent version.

We may update this Policy from time to time. We will revise the “Updated” date and, for material changes, provide additional notice (such as an in-product banner or email).

Privacy questions or requests: privacy@souq.gg. For data-protection officer correspondence under the EU/UK GDPR, use the same address with the subject line prefix [DPO]. General contacts are on the Contact page.