Privacy Policy
Last updated: March 2026
ICO Registration: ZB377566
Roninimity Ltd (11755770) | 71-75 Shelton Street, London, WC2H 9JQ
[email protected] | www.tcgsold.com

1. INTRODUCTION

Roninimity Ltd ("TCGSold", "we", "our", or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the TCGSold website (www.tcgsold.com), mobile application, and associated platform services (together, the "Platform").

We are registered as a data controller with the Information Commissioner's Office (ICO) under registration number ZB377566. Our registered office is at 71-75 Shelton Street, London, WC2H 9JQ.

Please read this policy carefully. By creating an account or using the Platform, you acknowledge that you have read and understood how we handle your personal data. If you do not agree with the terms of this policy, please do not use our Platform.

This policy should be read alongside our Terms and Conditions, which govern your use of the Platform.

2. DATA CONTROLLER

Roninimity Ltd is the data controller responsible for your personal data collected through the Platform. If you have any questions about this policy or our data practices, please contact us at:

Email: [email protected]
Address: 71-75 Shelton Street, London, WC2H 9JQ
ICO Registration Number: ZB377566

3. PERSONAL DATA WE COLLECT

3.1 Data You Provide to Us

We collect personal data that you voluntarily provide when you:

- Register for an account: name, email address, password (hashed), date of birth (to verify you are 18 or over)
- Set up a store on the Platform: store name, store description, store banner/profile images, and contact preferences
- Complete identity verification: government-issued identification documents and related information processed via our third-party identity verification provider, Stripe, Inc.
- Connect payment processing: bank account details, business or personal financial information, and tax identification numbers processed by Stripe, Inc.
- Use our messaging feature: the content of messages exchanged between users on the Platform
- Contact us for support: name, email address, and the content of your communication
- Complete your profile: profile picture, biography, and other optional information you choose to add

3.2 Data We Collect Automatically

When you use the Platform, we automatically collect certain technical and usage data, including:

- Device information: device type, operating system, browser type and version, unique device identifiers
- Log data: IP address, access times, pages or screens viewed, links clicked, and the page you visited before navigating to our Platform
- Usage data: how you interact with the Platform, search queries entered, stores visited, and listings viewed
- Location data: general location inferred from your IP address (country/region level); we do not collect precise GPS location unless you explicitly grant permission in the mobile application
- Cookies and similar technologies: please see Section 12 for our full Cookie Policy

3.3 Data We Receive from Third Parties

We may receive personal data about you from third parties, including:

- Stripe, Inc.: transaction data, identity verification outcomes, payment method details, and fraud signals where you have engaged Stripe services through our Platform
- Authentication providers: if you register or sign in using a third-party authentication service (such as Apple Sign-In or Google Sign-In), we receive your name and email address from that provider, subject to your permissions
- Analytics providers: aggregated and pseudonymised usage data to help us improve the Platform

4. LEGAL BASIS FOR PROCESSING

4.1 Performance of a Contract (Article 6(1)(b) UK GDPR)

We process your account registration data, store setup data, transaction data, and messaging data to provide the Platform services you have requested, including facilitating your store, enabling payment processing, and delivering technical support.

4.2 Legitimate Interests (Article 6(1)(f) UK GDPR)

We process usage data, device data, and log data to:

- Maintain and improve the security, performance, and reliability of the Platform
- Detect, investigate, and prevent fraud, abuse, and violations of our Terms and Conditions
- Conduct analytics to understand how users engage with the Platform
- Send service-related notifications and updates

We have carried out a legitimate interests assessment and are satisfied that our interests are not overridden by your rights and freedoms.

4.3 Compliance with Legal Obligations (Article 6(1)(c) UK GDPR)

We may process your personal data where necessary to comply with applicable law, including tax obligations, anti-money laundering requirements, or regulatory obligations.

4.4 Consent (Article 6(1)(a) UK GDPR)

Where we rely on consent — for example, for marketing emails or non-essential cookies — we will ask for your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4.5 Special Category Data

Identity verification may involve processing copies of government-issued documents. This processing is carried out by Stripe, Inc. as an independent data controller. We receive only the verification outcome (verified or not verified) and do not store identity document images ourselves.

5. HOW WE USE YOUR PERSONAL DATA

We use the personal data we collect to:

1. Create and manage your account and provide access to the Platform
2. Enable you to create, manage, and operate a store on the Platform
3. Facilitate payment processing through Stripe Connect, where you choose to enable it
4. Facilitate identity verification through Stripe Identity, where you choose to use this feature
5. Enable the messaging system between Platform users
6. Process and display listings on the Platform
7. Send transactional emails, including account confirmations, password resets, and service notifications
8. Send marketing communications where you have opted in to receive them
9. Provide customer support and respond to enquiries
10. Monitor, detect, and prevent fraudulent activity, abuse, and violations of our Terms and Conditions
11. Enforce our Terms and Conditions
12. Comply with legal and regulatory obligations
13. Analyse usage patterns and improve the Platform
14. Generate aggregated, anonymised statistical data for our business purposes

6. DISCLOSURE OF YOUR PERSONAL DATA

6.1 Service Providers

We engage trusted third-party service providers who process personal data on our behalf as data processors, subject to binding contractual obligations. These include:

- Stripe, Inc.: payment processing, Stripe Connect onboarding, and identity verification. Stripe acts as both our data processor and as an independent data controller for its own compliance purposes. Stripe's privacy policy is available at stripe.com/privacy
- Cloud infrastructure providers: for hosting, storage, and content delivery (including AWS and Cloudflare)
- Analytics providers: for aggregated usage analytics
- Email delivery providers: for transactional and marketing emails
- Push notification providers: for mobile app notifications

6.2 Public Platform Information

Certain information you provide is displayed publicly on the Platform as part of operating your store, including your store name, store description, profile image, listings, and any publicly visible store information. You should not include personal information in publicly visible fields that you do not wish to be publicly accessible.

6.3 Between Users

To facilitate communication between Platform users, your username and any information you include in messages will be shared with the recipient of those messages.

6.4 Legal Obligations

We may disclose your personal data to law enforcement agencies, regulatory bodies, courts, or other third parties where we are required to do so by applicable law or legal process, including a court order, subpoena, or similar legal obligation. We will notify you of any such disclosure to the extent permitted by law.

6.5 Business Transfers

In the event of a merger, acquisition, reorganisation, insolvency, or sale of all or a portion of our business or assets, your personal data may be transferred to the successor entity. We will provide notice if your personal data is transferred and becomes subject to a materially different privacy policy.

6.6 No Sale of Personal Data

We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.

7. INTERNATIONAL DATA TRANSFERS

Some of our third-party service providers, including Stripe, Inc. and certain infrastructure providers, are based in the United States or other countries outside the United Kingdom. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements, including:

- Standard Contractual Clauses (SCCs) approved by the ICO or adopted under the UK GDPR International Data Transfer Agreement (IDTA)
- Transfers to countries benefiting from an adequacy decision by the UK Secretary of State
- Binding Corporate Rules where applicable

You may request details of the specific safeguards in place for international transfers by contacting us at [email protected].

8. DATA RETENTION

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, regulatory, tax, accounting, or reporting requirements.
Our general retention periods are:

- Account data: retained for the duration of your account and for up to 7 years following account closure, to comply with tax and financial record-keeping obligations under UK law
- Transaction records: retained for 7 years in accordance with HMRC requirements
- Identity verification outcomes: retained for the duration of your account plus 12 months, after which only a record of verified status is retained
- Support communications: retained for 3 years from the date of the communication
- Usage and log data: retained for up to 12 months in identifiable form, then aggregated or deleted
- Marketing preferences: retained until you withdraw consent or for 3 years of inactivity

Where we are required by law to retain data for longer periods, we will do so. Where data is no longer required, we will securely delete or anonymise it.

9. YOUR RIGHTS UNDER UK GDPR

Subject to applicable exceptions, you have the following rights in relation to your personal data:

9.1 Right of Access

You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month of receipt.

9.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data we hold about you.

9.3 Right to Erasure

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (if consent is the legal basis), or where you object to processing and there are no overriding legitimate grounds. This right is subject to legal retention obligations.

9.4 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest its accuracy or where processing is unlawful.

9.5 Right to Data Portability

Where processing is based on your consent or on a contract, and processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

9.6 Right to Object

You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

9.7 Rights Relating to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you, unless such processing is necessary for a contract, authorised by law, or based on your explicit consent.

9.8 Exercising Your Rights

To exercise any of the above rights, please contact us at [email protected] with the subject line "Data Subject Request". We may need to verify your identity before processing your request. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.

9.9 Right to Complain

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you approach the ICO and ask that you contact us in the first instance at [email protected].

10. SECURITY OF YOUR PERSONAL DATA

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures include:

- Encryption of data in transit using TLS
- Encryption of data at rest
- Access controls and role-based permissions limiting employee access to personal data
- Regular security testing and vulnerability assessments
- Third-party payment data is processed by Stripe, Inc. which is PCI DSS Level 1 certified

Notwithstanding these measures, no system is completely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the ICO as required by UK GDPR.

11. MINIMUM AGE REQUIREMENT

The Platform is intended for users who are 18 years of age or older. We do not knowingly collect personal data from individuals under the age of 18. If you are under 18 years of age, please do not create an account or provide any personal data through the Platform.

If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will take steps to delete that data promptly. If you believe we may have collected personal data from a minor, please contact us immediately at [email protected].

12. COOKIES AND SIMILAR TECHNOLOGIES

12.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. We also use similar technologies including pixel tags, web beacons, and local storage.

12.2 Cookies We Use

We use the following categories of cookies:

- Strictly Necessary Cookies: essential for the Platform to function, including authentication and security cookies. These cannot be disabled.
- Performance and Analytics Cookies: help us understand how users interact with the Platform so we can improve performance. These are only set with your consent.
- Functionality Cookies: remember your preferences and settings to enhance your experience. These are only set with your consent.
- Marketing Cookies: used to deliver relevant content and track the effectiveness of our communications. These are only set with your explicit consent.

12.3 Managing Cookies

You can manage your cookie preferences through our cookie consent tool displayed on your first visit to the Platform. You can also manage cookies through your browser settings; however, disabling strictly necessary cookies may impair your ability to use the Platform.

13. THIRD-PARTY LINKS AND SERVICES

The Platform may contain links to third-party websites and services. This Privacy Policy does not apply to those third-party sites. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before providing any personal data.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this policy and, where changes are material, notify you by email or by a prominent notice on the Platform. Your continued use of the Platform following notification of changes constitutes your acceptance of the updated policy.

15. CONTACT US

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Email: [email protected]
Post: Roninimity Ltd, 71-75 Shelton Street, London, WC2H 9JQ
ICO Registration: ZB377566

We aim to respond to all enquiries within 5 business days.