Privacy Policy

Effective date: 1 May 2025  ·  Operated by GXS Vault

Plain summary: We collect only what is needed to run your order. We use no tracking scripts, no advertising pixels, and no analytics tools. We do not sell your data. You can request full deletion at any time. Order records are kept for 2 years for security purposes.

1. Who we are

GXS Vault is a solo-operated digital marketplace run by a private individual (the "Founder"). We are not a registered company. All data is managed directly by the Founder.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the GXS Vault platform at localhost:8000 (development) and any future public domain.

2. Legal basis & applicable law

This policy is written in compliance with:

  • Albanian Law No. 124/2024 on personal data protection (aligned with EU GDPR principles).
  • EU General Data Protection Regulation (GDPR) — applied where users are located in the EU/EEA.

Our legal bases for processing your data are: contract (to fulfil your order), legitimate interest (fraud prevention, platform security), and legal obligation (record-keeping).

3. What data we collect

  • Account data — your name, email address, and hashed password when you register.
  • Order data — shipping/billing address and order details required to fulfil your purchase.
  • Payment data — GXS Vault does not store raw payment credentials. Crypto payments are processed by NOWPayments on their servers. We store only the payment status, transaction reference, and amount.
  • Communication data — messages you send via the contact form or support channels.
  • Technical data — IP address and browser type, logged automatically for fraud prevention and security. Not used for profiling.

4. What we do NOT collect

  • We use no third-party analytics tools (no Google Analytics, no Facebook Pixel, no Hotjar, no similar services).
  • We use no advertising or retargeting pixels.
  • We do not collect or store payment card details at any point.
  • We do not sell, rent, or share your personal data with advertisers or data brokers.

5. How we use your data

  • To create and manage your account.
  • To process and fulfil your orders.
  • To send transactional emails (order confirmations, password resets) via Resend.
  • To respond to support requests via Discord or email.
  • To detect and prevent fraud, unauthorised access, and abuse.
  • To maintain records required for security and dispute resolution.

6. Cookies & local storage

GXS Vault does not use cookies. We use browser localStorage to store:

  • Your session token (to keep you logged in).
  • Your cart ID (to persist your cart between visits).
  • Your region preference.

This data is stored entirely on your device and is never transmitted to third parties. You can clear it at any time by clearing your browser's local storage. No cookie consent banner is required because no tracking cookies are used.

7. Sub-processors

We share minimal data with the following services as strictly required to operate:

  • Supabase — hosted PostgreSQL database (EU region). Stores account and order data.
  • Resend — transactional email delivery. Your email address and email content are shared solely for sending.
  • NOWPayments — crypto payment processing. Your payment is handled on their platform. GXS Vault receives only the payment status and transaction reference.

All sub-processors are contractually prohibited from using your data for their own purposes.

8. Data retention

  • Account data — retained while your account is active. Deleted within 30 days of an approved deletion request.
  • Order data — retained for 2 years from the date of purchase for security, fraud prevention, and dispute resolution purposes. This applies even after account deletion.
  • Contact/support messages — deleted after 12 months.
  • Technical logs — retained for 90 days, then purged.

9. Your rights

You have the right to:

  • Access — request a copy of the data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your account and personal data (order records retained for 2 years as stated above).
  • Restriction — ask us to stop processing your data in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interests.

To exercise any right, contact us. We respond within 30 days.

10. Security

We protect your data with:

  • TLS encryption for all data in transit.
  • Bcrypt-hashed passwords — your password is never stored in plain text.
  • Strict CORS policies limiting which origins can interact with the backend.
  • HMAC-SHA512 signature verification on all payment webhooks.
  • Cryptographically random JWT and session secrets.

11. International data transfers

Your data may be processed on servers within the EU (Supabase EU region). Where any data is processed outside the EEA, we ensure equivalent protections are in place in line with GDPR requirements.

12. Children

GXS Vault is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has registered, contact us immediately and we will delete the account.

13. GXS brand disclaimer

GXS Vault is independent of all other GXS-branded services. We have no access to, and no responsibility for, data held by other GXS services (such as GXS Top-Ups). Privacy requests must be directed to the specific service that holds your data.

14. Changes

This policy may be updated at any time. The effective date at the top will reflect any changes. Continued use of the platform after updates constitutes acceptance.

15. Contact

Privacy questions or data requests: use the contact page. We respond within 30 days.

© 2026 GXS Vault. All rights reserved.