GDPR COMPLIANCE

General Data Protection Regulation Policy

Last updated: January 15, 2025

1. DATA CONTROLLER INFORMATION

MOXIE SKINS LTD is the data controller for your personal data.

Company number: 16553071

Registered Address: 60 Tottenham Court Road, Office 119, Fitzrovia, London W1T 2EW

Data Protection Officer: dpo@poshskins.com

ICO Registration: Pending

2. YOUR RIGHTS UNDER GDPR

As a data subject, you have the following rights:

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation of data processing
  • Right to Data Portability: Receive your data in a structured format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with the ICO

3. DATA WE COLLECT

Account Information:

  • Steam ID and username
  • Email address
  • Profile avatar and display name
  • Steam inventory data
  • Trade URL

Transaction Data:

  • Purchase and sale history
  • Payment information
  • Wallet balance and transaction logs
  • Trading history and patterns

Technical Data:

  • IP address and location data
  • Browser type and version
  • Device information
  • Cookies and similar technologies
  • Usage analytics

Communication Data:

  • Support tickets and correspondence
  • Chat messages (if applicable)
  • Marketing preferences

4. LAWFUL BASIS FOR PROCESSING

We process your data under the following legal bases:

Contract Performance:

  • Account creation and management
  • Processing transactions
  • Providing marketplace services
  • Customer support

Legitimate Interests:

  • Fraud prevention and security
  • Service improvements
  • Business analytics
  • Direct marketing (with opt-out)

Legal Obligations:

  • AML/KYC compliance
  • Tax reporting
  • Law enforcement cooperation
  • Regulatory compliance

Consent:

  • Marketing communications
  • Non-essential cookies
  • Newsletter subscriptions

5. DATA RETENTION PERIODS

We retain data for the following periods:

  • Account Data: Duration of account + 6 years
  • Transaction Records: 7 years (legal requirement)
  • AML/KYC Documents: 5 years after relationship ends
  • Support Tickets: 3 years
  • Marketing Data: Until consent withdrawn
  • Technical Logs: 90 days
  • Cookies: As per Cookie Policy

6. DATA SHARING & TRANSFERS

Third Party Recipients:

  • Steam/Valve (authentication and trading)
  • BitSkins API (market data)
  • Cloudflare (CDN and security)
  • AWS (hosting in EU regions)
  • Vercel (platform hosting)
  • Law enforcement (when legally required)

International Transfers:

  • Data is primarily processed in the EU
  • Steam services may involve US transfers (Privacy Shield)
  • We use Standard Contractual Clauses where required
  • Adequate safeguards are in place for all transfers

7. DATA SECURITY MEASURES

We implement appropriate technical and organizational measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Regular security audits and penetration testing
  • Access controls and authentication
  • Employee data protection training
  • Incident response procedures
  • Regular backups and disaster recovery
  • ISO 27001 aligned practices

8. DATA BREACH PROCEDURES

In case of a personal data breach:

  • We will assess the risk to individuals
  • Notify the ICO within 72 hours if required
  • Inform affected users without undue delay
  • Document all breaches internally
  • Implement measures to prevent recurrence
  • Cooperate with regulatory investigations

9. CHILDREN'S DATA

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information.

10. AUTOMATED DECISION MAKING

We use automated systems for:

  • Fraud detection and prevention
  • AML transaction monitoring
  • Market price calculations
  • AI-powered item analysis

You have the right to request human review of automated decisions that significantly affect you.

11. EXERCISING YOUR RIGHTS

To exercise any of your GDPR rights:

  • Email our DPO at dpo@poshskins.com
  • Include proof of identity
  • Specify which right(s) you wish to exercise
  • We will respond within 30 days
  • No fee for most requests
  • Complex requests may take up to 90 days

12. COMPLAINTS

If you're unsatisfied with our data handling:

  • Contact our DPO first at dpo@poshskins.com
  • You may lodge a complaint with the ICO
  • ICO Website: ico.org.uk
  • ICO Helpline: 0303 123 1113

13. UPDATES TO THIS POLICY

We may update this GDPR policy periodically. We will notify you of material changes by email or by a prominent notice on the website. The "Last updated" date will be revised accordingly.

14. CONTACT INFORMATION

Data Protection Officer:

Email: dpo@poshskins.com

Phone: +44 20 1234 5678

Address: 60 Tottenham Court Road, Office 119, Fitzrovia, London W1T 2EW

General Inquiries:

Email: privacy@poshskins.com

Support: support@poshskins.com