Privacy policy
Placeholder — pending legal review before launch; all [bracketed] details (company, contact emails, email provider, dates) must be completedEffective date: [EFFECTIVE_DATE] · Last updated: [EFFECTIVE_DATE]. This policy explains, in plain language, what personal data cheapkeys collects, why we collect it, who receives it, how long we keep it, and the rights you have over it. It is provided free of charge, is reachable in one click from every page footer, and applies to everyone who uses the store — with or without an account.
1. The short version
We collect the minimum needed to sell and deliver digital goods: your email address, your orders, payment status from our payment processor (never your card number), and the security signals needed to keep fraud out. We use no advertising trackers, no third-party analytics, and no third-party font or script CDNs — every asset is served from our own domain. We never sell or share your personal data for advertising. The rest of this policy is the detail behind that summary, purpose by purpose, with the legal basis for each.
2. Who we are (the data controller)
The controller responsible for the processing described in this policy is [LEGAL_ENTITY_NAME], a [ENTITY_TYPE] registered under company number [COMPANY_NUMBER], VAT number [VAT_NUMBER], with its registered office at [REGISTERED_ADDRESS] (referred to as “cheapkeys”, “we” or “us”). cheapkeys is the trading name of the storefront at https://pay.mmokick.com. Your purchase contract is always with us, not with our suppliers, and we are the controller of the personal data processed to run this store.
General contact: [GENERAL_CONTACT_EMAIL]. If we are ever required to designate a representative in the EU or UK under Article 27 GDPR, their contact details will be published on this page.
3. Privacy contact
We have not designated a Data Protection Officer, because our processing does not meet the thresholds of Article 37(1) GDPR — we are not a public body, and we do not carry out large-scale systematic monitoring or large-scale processing of special categories of data. We do maintain a dedicated privacy contact for all data-protection questions and requests: [PRIVACY_CONTACT_EMAIL]. You can also reach us through the support form, answered by humans within 24 hours.
4. Who this policy covers
This policy covers two groups of people, whose data we collect through different surfaces:
- Buyers and visitors — anyone browsing the store, checking out as a guest, or holding a buyer account. Every section of this policy applies to you except section 14, which is supplier-only.
- Suppliers — the commercial businesses that apply to supply us with keys, top-ups and gift-card codes, whose application, verification and payout data we process (section 14).
5. What we collect from buyers and visitors
We collect only what each feature actually needs:
- Account data — email address, name, and a password (stored only as a secure hash). If you enable two-factor authentication, we store your TOTP configuration.
- Guest checkout data — email address and the order details. For guest orders of €100 or more we email a 6-digit one-time code and record that your email was verified.
- Order and delivery data — the products you buy, prices paid, order history, delivered keys and codes in your key library, and delivery records.
- Top-up fulfilment data — the game-account identifiers you type in for a top-up product (for example a user ID or server ID), exactly as declared on the product form.
- Payment data — the payment status reported by our payment processor, Stripe, and an opaque card fingerprint Stripe derives from your card. You enter card details directly into Stripe’s payment form; we never see or store full card numbers.
- Support data — the messages you send through the support form or by email, and the claim history connected to your orders.
- Technical and security data — your IP address and a country signal provided by our CDN (you can override the detected country at any time), device and browser information in security logs, and a log of each key reveal (time, IP address, device) which protects your purchases and forms part of buyer protection.
6. Why we use it, and the legal basis for each purpose
Under Article 6(1) GDPR every use of personal data needs a legal basis. Here is the complete map — purpose by purpose:
- Running your account and key library — registration, sign-in, 2FA, keeping delivered keys available to you. Basis: performance of a contract, Art 6(1)(b).
- Processing orders, payment and delivery — checkout, charging you through Stripe, delivering keys and codes to the order page, by email, and to your key library; passing top-up identifiers to the fulfilling supplier. Basis: performance of a contract, Art 6(1)(b).
- Guest checkout and email verification — taking guest orders and verifying guest emails with a one-time code on orders of €100 or more. Basis: performance of a contract, Art 6(1)(b), and our legitimate interest in preventing checkout abuse, Art 6(1)(f).
- Support and buyer-protection claims — answering your messages, handling invalid-key and delivery claims, issuing replacements and refunds. Basis: performance of a contract, Art 6(1)(b).
- Fraud prevention and security — velocity checks keyed on email, IP address and card fingerprint; guest order limits; step-up verification; key-reveal logging; investigating and defending payment disputes and chargebacks. Basis: legitimate interests, Art 6(1)(f). The specific interests are: preventing payment fraud against us and against cardholders, protecting buyers’ purchased keys from account takeover, securing our network and service, and establishing and defending legal claims, including chargeback evidence. Fraud prevention is expressly recognised as a legitimate interest by Recital 47 GDPR. Details of automated effects are in section 7, and your right to object is in section 12.
- Legal obligations — keeping invoicing, order and accounting records for statutory tax and commercial-law retention periods, complying with EU sanctions law, and responding to lawful requests from authorities. Basis: legal obligation, Art 6(1)(c).
- Service emails — order receipts, delivery notices, one-time codes and account security messages. Basis: performance of a contract, Art 6(1)(b). We do not send marketing email today. If we ever introduce it, it will be strictly opt-in under Art 6(1)(a), with an unsubscribe link in every message and withdrawal as easy as signing up (Art 7(3) GDPR).
If we ever want to use your data for a new purpose beyond the ones above, we will tell you first and identify the legal basis before that processing starts (Art 13(3) GDPR).
7. Automated decisions and fraud screening
Some fraud controls act automatically at checkout, and we want you to know exactly how they work. Guest orders are capped at €200; guest orders of €100 or more require an emailed verification code; orders of €250 or more always require your bank’s 3-D Secure authentication step (a step your bank runs, through Stripe — not us); and orders of €300 or more (€150 for accounts younger than 7 days) can be placed on a short manual review hold before delivery. Velocity rules watch how often the same email, IP address or card fingerprint is used.
The significance for you: an automated rule can delay a delivery pending review or decline a checkout. If that happens, no money is kept — declined or cancelled orders are refunded in full. You always get a human: contact support and a person will review the decision, hear your side, and can overturn it. We provide that human review for every automated hold or decline — where a decision qualifies as solely automated decision-making under Art 22(1) GDPR, the review is your legal right (Art 22(3)); where it does not, we offer the same review anyway, as a service commitment. We do no other profiling — no advertising profiles, no scoring beyond these fraud checks.
8. Who receives your data
We share personal data only with the parties needed to run the store:
- Stripe (Stripe Payments Europe, Ltd. and Stripe, Inc.) — our payment processor for card, Apple Pay and Google Pay payments. Stripe receives your payment details directly and tells us the payment status. For its own fraud prevention, anti-money-laundering and legal compliance, Stripe acts as an independent controller of transaction data under its own privacy policy; for the rest it processes data on our instructions.
- Cloudflare, Inc. — our CDN and security layer, which terminates TLS in front of our servers and supplies the IP and country signals described above. Cloudflare acts as our processor under a data-processing agreement; see its privacy policy.
- [EMAIL_SUBPROCESSOR] — our transactional email provider, which delivers receipts, one-time codes, delivery and support emails as our processor.
- Suppliers — for top-up products only, the fulfilling supplier receives the game-account identifiers you entered, because crediting your game account is impossible without them. Suppliers never receive your payment details.
- Professional advisers — accountants, auditors and legal advisers, under confidentiality, where their work requires it.
- Authorities and courts — where the law obliges us to disclose, or where disclosure is necessary to establish or defend legal claims.
Everything else stays on our own infrastructure. We use no analytics vendors, no advertising networks, and no external file-storage provider. We do not sell personal data, and we do not share it for cross-context advertising — with anyone. Supplier-side recipients — our bank, PayPal where a supplier chooses PayPal payouts, and the verification sources we check — are listed in section 14, and the transfer mechanism for each is covered in section 9.
9. International transfers
Some of the recipients above, and some supplier-side recipients from section 14, process personal data in the United States, so data can leave the EU/EEA. Two GDPR mechanisms protect these transfers, and they are alternatives, not a stack: an Art 45 adequacy decision — for the US, the EU–US Data Privacy Framework (DPF), a partial adequacy decision that covers a transfer only while the specific receiving company holds a live DPF certification — and, where no adequacy decision covers the transfer, the 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a safeguard under Art 46(2)(c). For each recipient we rely on the DPF where its certification covers the data, and otherwise on the SCCs:
- Stripe — we contract with Stripe Payments Europe, Ltd. in Ireland (inside the EEA); the third-country transfer is the onward flow to Stripe, Inc. in the United States. That transfer relies on Stripe, Inc.’s EU–US Data Privacy Framework certification while it remains live, and otherwise on the 2021 Standard Contractual Clauses incorporated in Stripe’s data-processing terms.
- Cloudflare, Inc. — United States. The transfer relies on Cloudflare, Inc.’s EU–US Data Privacy Framework certification while it remains live, and otherwise on the 2021 Standard Contractual Clauses in our data-processing agreement with Cloudflare.
- [EMAIL_SUBPROCESSOR] — where its processing takes place outside the EU/EEA, the transfer relies on an Art 45 adequacy decision if one covers the recipient (for a US provider, a live DPF certification), and otherwise on the 2021 Standard Contractual Clauses.
- PayPal (supplier payout emails only — see section 14) — the contracting entity for European customers is PayPal (Europe) S.à r.l. et Cie, S.C.A. in Luxembourg (inside the EEA). Where a supplier’s payout email flows onward to PayPal’s United States entities, that transfer relies on the receiving entity’s EU–US Data Privacy Framework certification while it remains live, and otherwise on Standard Contractual Clauses.
- Supplier verification sources (section 14) — sanctions screening uses the EU’s published consolidated list and equivalent publicly available lists, which we consult without sending supplier data to anyone. Verifying registration details against the official business register of the supplier’s home country sends only those registration details to that register; where that country is outside the EU/EEA, this limited, occasional transfer is necessary to enter into and perform our contract with that supplier (Art 49(1)(b)–(c) GDPR).
Because DPF protection exists only while a certification is live, we state it conditionally and check certifications before relying on them — and you can verify any US recipient yourself on the official list at dataprivacyframework.gov. We assess each transfer against the destination country’s law and apply supplementary measures where needed, following the EDPB’s Recommendations 01/2020. You can obtain a copy of the safeguards used for any transfer (including the relevant Standard Contractual Clauses) by writing to [PRIVACY_CONTACT_EMAIL].
10. How long we keep data
Retention is set per category — a fixed period where possible, otherwise the criteria that determine it:
- Order and delivery records (including guest orders and your key library) — for the life of your account and a minimum of 5 years, so your keys stay available to you, and thereafter as long as the tax and accounting laws that apply to us require (typically 6–10 years from the transaction, depending on the applicable national law).
- Account data — until you delete your account. Deletion takes effect after a 30-day grace period, after which delivered keys become inaccessible; records we must keep by law (invoices, accounting entries) are retained for their statutory periods only.
- Security and fraud logs (IP, device, velocity and key-reveal logs) — for as long as needed to detect fraud patterns and to evidence delivery in payment disputes; the criteria are the card networks’ chargeback windows and the statutory limitation periods for the claims involved.
- One-time verification codes — valid only briefly and not kept beyond verification or expiry; we retain the fact that a guest email was verified with the order record.
- Support correspondence — for as long as needed to resolve the matter and, afterwards, for the limitation period of any related claim.
- Card data — never stored by us at all; Stripe holds it. We keep only Stripe’s opaque card fingerprint alongside the payment record, for the same period as the order record it belongs to.
When a retention period ends, the data is deleted or irreversibly anonymised (Art 5(1)(e) GDPR).
11. Your rights under the GDPR
You can exercise all of the following rights free of charge:
- Access (Art 15) — confirmation of what we process about you, and a copy of it.
- Rectification (Art 16) — correction of inaccurate or incomplete data.
- Erasure (Art 17) — deletion of your data where no legal ground requires us to keep it. Deleting your account triggers the 30-day grace period described in section 10.
- Restriction (Art 18) — pausing processing while a dispute about the data is resolved.
- Portability (Art 20) — your account and order data in a structured, commonly used, machine-readable format, where processing is based on contract or consent and carried out by automated means.
- Objection (Art 21) — see section 12, which sets this out separately as the law requires.
- Withdrawing consent (Art 7(3)) — where we ever rely on consent, you can withdraw it at any time, as easily as you gave it, without affecting the lawfulness of processing before withdrawal.
To exercise any right, email [PRIVACY_CONTACT_EMAIL] or use the support form. We may ask you to confirm your identity — normally by replying from the email address on the account or order (Art 12(6)). We respond within one month; for complex or numerous requests we may extend by up to two further months, and if so we will tell you within the first month and explain why (Art 12(3)).
Complaints: you have the right to lodge a complaint with a data-protection supervisory authority — in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement (Art 77 GDPR) — as well as with the supervisory authority of the country where [LEGAL_ENTITY_NAME] is established. A directory of all EU authorities is published by the European Data Protection Board. We would appreciate the chance to resolve your concern first, but you are never required to contact us before complaining.
12. Your right to object
You have the right to object, on grounds relating to your particular situation, at any time, to processing we base on legitimate interests (Art 6(1)(f)) — including the fraud-prevention and security processing described in sections 6 and 7. If you object, we will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is needed to establish, exercise or defend legal claims (Art 21(1) GDPR).
If we ever process your data for direct marketing, you can object at any time and we will stop, unconditionally and without exception (Art 21(2)–(3) GDPR). To object, email [PRIVACY_CONTACT_EMAIL].
13. Cookies and similar technologies
We use only cookies the store needs to work — none for advertising, analytics or cross-site tracking. We have assessed each one against Article 5(3) of the ePrivacy Directive and rely on its exemption for cookies strictly necessary to provide a service you explicitly request; because nothing we set falls outside that assessment, the site shows no cookie banner. The full inventory, by name:
- Session cookie (set by us; its name ends in
-session) — keeps you signed in and preserves your cart, your checkout state, and any country/currency override you choose (the override is stored in this session, not in a separate cookie); expires when your session ends or after a period of inactivity. - Security token cookie (set by us; named
XSRF-TOKEN) — protects forms against cross-site request forgery; lives for the session. - Stripe fraud-prevention cookies (
__stripe_mid, approx. 1 year;__stripe_sid, approx. 30 minutes) — set by Stripe only when the payment form loads at checkout, and used solely to prevent fraud on payments; Stripe is the recipient of the data these cookies access, and they are not used for advertising or analytics. We treat them as strictly necessary to the payment service you request; if EU guidance ever requires consent for them, we will ask before setting them.
No analytics cookies, no advertising or retargeting cookies, no social-media pixels, no A/B-testing or affiliate trackers — and no third-party fonts or scripts that could track you. If we ever introduce a non-essential cookie, nothing will be set until you are asked first, with a “reject” option as prominent as “accept”, granular per-purpose choices, and a permanent settings control to change your mind — never pre-ticked boxes, never consent buried in terms.
14. Supplier data: applications, verification and payouts
Suppliers are businesses, but the people behind them have privacy rights too. When you apply to supply cheapkeys, we collect: the legal name, trading name, country of establishment, registration number, VAT ID, website and registered address of the business; the name, email address and phone number of the contact person; verification documents (a registration extract or business licence, and an identity document); and payout details (account holder and IBAN, with optional BIC, for SEPA bank transfer — or a PayPal payout email where the supplier chooses PayPal payouts).
We use this data as follows:
- Assessing your application and running the supplier relationship, including payouts — performance of a contract, Art 6(1)(b).
- Verifying registration details against public business registers and checking key sourcing — legitimate interests, Art 6(1)(f): keeping unauthorised or unlawfully sourced keys out of the catalogue, protecting buyers, and meeting the seller-vetting standards our payment processor requires. We document this assessment and tier checks to what the relationship actually warrants.
- Sanctions screening — checking supplier details, and payouts, against EU (and equivalent) restrictive-measures lists — legal obligation, Art 6(1)(c): EU sanctions regulations bind us directly and prohibit making funds available to designated persons.
- Tax and accounting record-keeping — legal obligation, Art 6(1)(c).
To be precise about what we do not do: we are not an obliged entity under EU anti-money-laundering law and we do not perform statutory customer due diligence — our checks are fraud prevention and sanctions compliance. Screening results are recorded as risk indicators, not as records of criminal offences (Art 10 GDPR). Verification documents are stored on private storage on our own infrastructure, accessible only to authorised staff through signed, expiring links; payout details appear only in masked form in audit logs. Recipients are limited to our bank (for SEPA payouts), PayPal (only where a supplier chooses PayPal payouts, under PayPal’s own privacy policy), the screening sources we check against, our professional advisers, and authorities on lawful request. We keep supplier verification data for the duration of the relationship and at least six months afterwards, then delete it unless tax, accounting or limitation periods require longer. Every right in sections 11 and 12 applies equally to supplier contacts; write to [PRIVACY_CONTACT_EMAIL] or [email protected].
15. Data we receive from other sources
Most data comes straight from you, but not all of it (Art 14 GDPR). The categories and sources are: from Stripe, the outcome of your payment, the opaque card fingerprint described above, and notices of any card dispute or chargeback your bank raises (which we receive automatically and record against the order); from Cloudflare, your IP address and a coarse country signal derived from it; and, for suppliers, confirmation data from publicly accessible business registers used to verify registration details. We do not buy data about you from data brokers or any other source. This indirectly obtained data is kept for the same periods as the records it belongs to: payment and security data per section 10, supplier verification data per section 14.
16. What you must provide, and what happens if you don’t
An email address and a completed payment are contractual requirements — without them we cannot deliver digital goods or send your receipt, so we cannot process the order. For top-up products, the game-account identifiers requested on the product page are equally required: without them the top-up cannot be credited. Everything else is optional: an account is not required (guest checkout works up to €200 per order), your name is needed only for an account, and no statutory obligation requires you to provide us any data.
17. How we protect data
All traffic to the store is encrypted with TLS (HTTPS everywhere). Card payments are processed by Stripe, a certified PCI DSS Level 1 service provider — card details go from your browser directly to Stripe and never touch our servers. Internally we apply least-privilege access controls; two-factor authentication (available on every account, in use on staff access, enforceable for supplier accounts, and recommended for yours); hashed passwords; security logging; and private, access-controlled storage for verification documents (Art 32 GDPR).
If a personal-data breach ever occurs despite this, we will notify the competent supervisory authority within 72 hours where required (Art 33 GDPR) and inform you directly, without undue delay, if the breach is likely to put your rights and freedoms at high risk (Art 34 GDPR).
18. Children
The store is not directed at children. You must be at least 16 years old — or the age of digital consent in your country, which EU law allows Member States to set between 13 and 16 (Art 8 GDPR) — to create an account or buy from us. We do not knowingly collect personal data from children under 13; if you believe a child has provided us data, contact [PRIVACY_CONTACT_EMAIL] and we will delete it.
19. US state privacy disclosures
For residents of California and other US states with privacy laws, in addition to everything above: the categories of personal information we collect are identifiers (email, name, IP address), commercial information (orders and order history), and internet activity limited to the security logs described in section 5. The categories of third parties it is disclosed to are those in section 8: our payment processor, CDN/security provider, email provider, fulfilling suppliers (top-up identifiers only), professional advisers, and authorities. We collect and use these categories only for the purposes mapped in section 6 — in plain terms: providing the store and your account, processing payment and delivering your purchases, customer support and buyer-protection claims, security and fraud prevention, and complying with legal obligations — and for no other purpose. Retention per category is set out in section 10: identifiers and commercial information follow the account and order-and-delivery-record periods there, and internet activity follows the security-and-fraud-log period.
We do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined in the California Consumer Privacy Act — which is why this site has no “Do Not Sell or Share My Personal Information” link. The only sensitive personal information we collect is your account log-in credential set — your email combined with a password we store only as a hash and, if you enable it, your two-factor configuration. We use it solely to sign you in and keep your account secure, never to infer characteristics about you, and we disclose it to no one — so the right to limit the use of sensitive personal information does not apply to this use, and a limit request has nothing further to switch off. And because we never sell or share anyone’s personal information — including that of consumers under 16 — the opt-in consent the CCPA requires before selling or sharing a minor’s data is never triggered.
Your rights (where your state provides them): to know and access the personal information we hold, to correct it, to delete it, to receive it in a portable format, to opt out of sale, sharing and targeted advertising (inapplicable here: we sell and share nothing, so there is no opt-out to perform — if you submit one anyway, we will respond by confirming that no sale or sharing occurs), to limit the use of sensitive personal information (see above), and not to be discriminated against for exercising any of these rights. Submit requests by either method: email [PRIVACY_CONTACT_EMAIL] or the support form. You can also act through an authorized agent: we accept requests submitted by an agent who provides signed, written proof of your authorization, and we will verify your identity directly with you. We verify requests against the email on your account or order and respond within 45 days (extendable once by 45 days with notice). If we deny a request, we will explain why, and you may appeal by replying to our decision; we decide appeals within 45 days with a written explanation, and if we deny yours we will point you to your state attorney general or privacy regulator.
Do Not Track and Global Privacy Control: we do not track visitors across other websites, so there is no cross-site tracking for these browser signals to switch off — and because we sell and share nothing, there is no sale or sharing for an opt-out preference signal such as GPC to opt you out of: the outcome the signal requests is already every visitor’s default. If we ever begin selling or sharing personal information, we will build in recognition of GPC and other universal opt-out signals and honor them as valid opt-outs before that change takes effect. Nevada residents: we do not sell covered information as defined in NRS 603A, and we honor verified opt-out requests. These statutory rights apply notwithstanding any choice-of-law provision, and nothing in our terms waives them.
20. Changes to this policy
The effective date and last-updated date at the top of this page change whenever the policy does. If we make a material change — a new purpose, a new recipient, a new category of data — we will give you active notice before it takes effect: by email if you have an account, and by a clear notice on the site. Earlier versions are archived and available on request from [PRIVACY_CONTACT_EMAIL].
21. How to contact us
Privacy requests: [PRIVACY_CONTACT_EMAIL]. Anything else: the support form (first human response within 24 hours), [email protected], or [GENERAL_CONTACT_EMAIL]. By post: [LEGAL_ENTITY_NAME], [REGISTERED_ADDRESS].