This Privacy Policy defines the rules for processing and protecting personal data provided by users in connection with the use of services offered by https://FlashSkins.gg through the website https://FlashSkins.gg.
The controller of personal data is OXMIS LTD, HE 467004, Markou Drakou, 69, Mesa Geitonia, 4002, Limassol, Cyprus, hereinafter referred to as “Administrator”.
For matters related to data processing, the Administrator can be contacted via email: [email protected]
Scope of Processed Data
The Administrator processes users’ personal data to the extent necessary for providing services and ensuring website functionality. Users may log in only via a STEAM account available at steampowered.com. If the user grants permission, the Website retrieves identifying data from their STEAM account: username, avatar, trade URL, and Steamid64.
The scope of processed data may include:
Identification data: name, surname, company name (if applicable);
Transaction data: payment information, bank account number, product purchase details;
Technical data: IP address, browser type and version, language settings, operating system, device type, screen resolution;
Activity data on the site: browsing history, clicks, time spent on the site;
Data obtained through cookies and similar technologies: session IDs, user preferences, analytics data;
Data voluntarily provided by the User: information included in contact forms, inquiries, feedback, comments.
The Administrator does not process special categories of personal data (e.g., health, political or religious views, union membership) under Art. 9 GDPR.
Providing personal data is voluntary, but failure to do so may prevent use of certain site functionalities (e.g., contact form).
The Administrator makes every effort to ensure that the processed data is adequate, relevant, and limited to what is necessary for the processing purposes.
Purposes of Data Processing
Users’ personal data is processed by the Administrator for the following purposes:
Contact and support – responding to inquiries submitted via the contact form, email, or other communication channels. The legal basis is Article 6(1)(b) and (f) of the GDPR (necessary to take action at the user’s request and the Administrator’s legitimate interest in communication).
Service execution – fulfilling legal obligations related to service delivery. Legal basis: Article 6(1)(b) GDPR (performance of a contract or pre-contractual actions).
Marketing activities – sending newsletters, promotional information, showcasing https://FlashSkins.gg in advertising networks (e.g., Google Ads, Meta Ads), and displaying interest-based ads (profiling), subject to prior consent. Legal basis: Article 6(1)(a) GDPR (consent).
Statistical analysis and service development – monitoring user activity (traffic, visit sources, interactions), analyzing behavior to optimize the website, improve service quality, test new features, and prevent abuse. Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Administrator).
Fulfilling legal obligations – issuing invoices, keeping accounting records, handling complaints, pursuing claims, responding to public authorities. Legal basis: Article 6(1)(c) GDPR (legal obligation of the Administrator).
Data may also be processed for other purposes if the user has given separate, informed consent.
Data Retention
Users’ personal data is stored only for the period necessary to fulfill the purposes for which it was collected, considering legal requirements and potential claims.
Specifically, data is stored for the following periods:
Contact data provided via the form – up to 12 months from the end of the conversation, unless it led to a contract; in such case, data may be stored longer.
Data processed to perform contracts or services – for the duration of the contract and the limitation period of claims (for potential litigation or defense).
Data processed on the basis of consent (e.g., marketing, newsletter) – until the consent is withdrawn.
Data processed for tax/accounting purposes – for 5 years from the end of the calendar year in which the tax obligation arose.
Technical and statistical data (e.g., cookies, server logs) – up to 26 months from the last activity.
After the above periods, data is deleted or anonymized unless further processing is required (e.g., ongoing legal proceedings).
The Administrator regularly reviews stored data to ensure it is not retained longer than necessary.
User Rights
Each user has the right, under GDPR, to:
Access their data – confirm whether their data is being processed and access information about the processing purposes, data categories, recipients, and retention period (Art. 15 GDPR);
Rectify data – correct inaccurate or incomplete data (Art. 16 GDPR);
Erase data ("right to be forgotten") – request deletion under conditions defined in Art. 17 GDPR, especially if the data is no longer needed or consent is withdrawn;
Restrict processing – request a restriction under Art. 18 GDPR, e.g., when disputing data accuracy or legality;
Data portability – receive data in a structured, commonly used format and transmit it to another controller (Art. 20 GDPR);
Object to processing – object to processing based on the Administrator's legitimate interest or for direct marketing (Art. 21 GDPR);
Withdraw consent at any time – without affecting the lawfulness of previous processing (Art. 7(3) GDPR);
File a complaint – to the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl).
To exercise any rights, the user may contact the Administrator at: [email protected].
Data Recipients
The Administrator may share users’ personal data with third parties solely to the extent necessary to properly provide services, fulfill legal obligations, or protect the Administrator’s legitimate interests. Sharing is done in compliance with applicable laws, particularly the GDPR.
Categories of recipients may include:
Technical and IT service providers – such as hosting providers, analytics tools (e.g., Google Analytics), cloud computing services, IT support and infrastructure;
Marketing and advertising providers – entities that support advertising campaigns and effectiveness analysis (e.g., Meta Platforms Ireland Ltd., Google Ireland Ltd.);
Email and newsletter providers – such as MailerLite, Mailchimp, FreshMail – for sending messages and managing subscriber lists;
External legal, accounting, and advisory service providers – who support the Administrator in business operations and are bound by confidentiality;
Public authorities – such as courts, prosecutors, police, and the President of the Personal Data Protection Office – only where required by law.
All entities processing data on behalf of the Administrator act under data processing agreements and are required to apply appropriate technical and organizational safeguards.
The Administrator does not sell, commercially share, or disclose user personal data to other entities, except as explicitly stated in this Policy or required by law.
Transfer of Personal Data Outside the EEA
Due to the Administrator’s use of external service providers, users’ personal data may be transferred to third countries (i.e., outside the European Economic Area – EEA), especially the United States.
Transfers occur only when necessary for specific processing purposes (e.g., analytics, newsletters, marketing tools), with adequate safeguards.
If data is transferred to third countries, the Administrator ensures the transfer is based on:
An adequacy decision by the European Commission (e.g., Data Privacy Framework for the USA);
Standard Contractual Clauses (SCC) adopted by the European Commission;
Other instruments compliant with Articles 46–49 of the GDPR.
Entities that may process personal data outside the EEA include: Google LLC (Google Analytics, Google Ads), Meta Platforms, Inc. (Facebook Pixel).
The Administrator ensures that all such transfers are protected by legal, technical, and organizational safeguards to protect the rights and freedoms of data subjects.
Cookies
The website https://FlashSkins.gg uses cookies and similar technologies (e.g., local storage, tracking pixels) to:
Ensure proper functioning and security of the website;
Remember user preferences and customize the interface;
Analyze user behavior and optimize site performance (e.g., Google Analytics);
Run marketing campaigns (e.g., Google Ads, Meta Pixel);
Personalize content and ads based on user interests.
Cookies are small text files stored on the user’s device that enable recognition of the device during future visits.
The Website uses the following types of cookies:
Necessary – ensure the website works properly (e.g., navigation, secure areas);
Functional – remember selected user settings and customize the interface (e.g., language);
Analytical and statistical – collect data on how users interact with the site (e.g., visit count, time spent);
Marketing and advertising – allow personalized ad display and effectiveness tracking on external sites.
On the first visit, users can manage cookie settings via a banner or consent manager. Non-essential cookies (e.g., marketing, analytics) are only installed after consent.
Users may modify cookie settings at any time – accept all, reject some or all, or withdraw consent – via browser settings or the consent panel.
Detailed instructions can be found in browser settings (e.g., Chrome, Firefox, Safari).
Limiting cookies may affect certain website functionalities.
Final Provisions
The Administrator reserves the right to update the Privacy Policy, especially in case of:
Changes in data protection or electronic services law;
Introduction of new services, features, or technologies;
Changes in the Administrator’s details.
Users will be informed of significant changes via a notice on the website or by customary means (e.g., email).
The updated Policy applies from the moment it is published on the site, unless a different date is specified.
In matters not covered by this Policy, the GDPR, the Data Protection Act, and other applicable regulations shall apply.
Questions or requests regarding data processing may be sent to: [email protected].
