This Privacy Policy sets forth the rules governing the processing and protection of personal data provided by users in connection with their use of the services offered by https://FlashSkins.gg via the website (the "Site") https://FlashSkins.gg.
The Administrator of personal data is KEPRA LTD, HE 478473, Tinou 2, 3067, Limassol, Cyprus, hereinafter referred to as the Administrator.
For matters related to the processing of personal data, you may contact the Administrator at the following email address: [email protected]
The scope of data processed
The Data Administrator processes users' personal data to the extent necessary to provide services and ensure the functionality of the Website. Users may log in to the Website exclusively using an account on the STEAM online platform available at: steampowered.com. If the user grants the appropriate permissions, the Website will receive user identification data from their STEAM account, such as their Steam account name, avatar, trade URL, and Steamid64.
The scope of the data processed may include:
Identification data: first name, last name, company name (if applicable);
Transaction data: information about payments made, bank account number, details regarding purchased products;
Data regarding fund withdrawals, including withdrawals made via bank card transfer: first and last name, residential address including country, city, street, and ZIP code, contact information including email address and phone number, IP address, details regarding the requested withdrawal, transaction ID, and other data required by the payment operator to the extent necessary to process and verify the withdrawal;
Technical data: IP address, browser type and version, language settings, operating system, device type, screen resolution;
Data regarding activity on the website: browsing history, clicks, time spent on the site;
Data collected via cookies and similar technologies: session identifiers, user preferences, analytical data;
Data voluntarily provided by the User: information contained in contact forms, inquiries, reviews, and comments.
The newsletter available on the Website constitutes digital content containing commercial information regarding the Administrator's current activities, including information about new products and promotions available on the Website. The newsletter is sent to the User after they have consented to receiving commercial information. With regard to the newsletter, providing an email address is voluntary but necessary to receive the newsletter. The User may unsubscribe from the newsletter at any time free of charge.
The Administrator does not process special categories of personal data (so-called sensitive data) within the meaning of Article 9 of the GDPR, such as data concerning health, political opinions, religious beliefs, or trade union membership.
Providing personal data is voluntary. However, failure to do so may prevent you from using certain features of the website, such as contacting us via the contact form.
The Administrator makes every effort to ensure that the personal data processed is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Purposes of data processing
The Administrator processes users' personal data for the following purposes:
Contact and handling of inquiries – responding to questions submitted via the contact form, email, or other communication channels. The legal basis for processing is Article 6(1)(b) and (f) of the GDPR (necessity to take action at the request of the data subject and the Administrator's legitimate interest, which is communication with users);
Service provision – fulfilling the legal obligations incumbent upon the Website regarding the provision of services. The legal basis is Article 6(1)(b) of the GDPR (performance of a contract or taking steps prior to entering into a contract);
Processing of payments and withdrawals – handling payments, balance top-ups, and withdrawals, including withdrawals via bank card transfer, identification and verification of transactions, handling complaints regarding payments and withdrawals, and transferring data to payment operators to the extent necessary to process the withdrawal. The legal basis for processing is Article 6(1)(b) and (c) of the GDPR (necessity to take action at the User's request prior to entering into a contract, and a legal obligation incumbent on the Administrator);
Performing marketing activities – sending newsletters and commercial communications, promoting the services at https://FlashSkins.gg through advertising channels (e.g., Google Ads, Meta Ads) using various means (such as email or SMS), and displaying ads tailored to the user's interests (profiling), after obtaining prior consent. The legal basis is Article 6(1)(a) of the GDPR (consent);
Statistical analysis and service development – monitoring user activity on the website (traffic, traffic sources, interactions), conducting behavioral analyses to optimize website performance, improve the quality of services provided, test new features, and prevent abuse. The legal basis is Article 6(1)(f) of the GDPR (the Administrator's legitimate interest);
Compliance with legal obligations – issuing invoices, maintaining accounting records, handling complaints, pursuing claims, and responding to requests from public authorities. The legal basis is Article 6(1)(c) of the GDPR (legal obligation incumbent on the Administrator);
Preventing abuse, fraud, and the use of the Website for unlawful purposes – in particular, verifying the User's identity, analyzing transactions, combating money laundering, terrorist financing, payment fraud, and violations of the Terms of Service, checking sanctions lists, verifying the source of funds, and blocking or suspending transactions in cases of reasonable suspicion of a violation of the law or the Terms of Service. The legal basis for processing is Article 6(1)(c) of the GDPR (a legal obligation incumbent on the Administrator) and Article 6(1)(f) of the GDPR (the Administrator's legitimate interest in ensuring the security of the Website, preventing abuse, and protecting against claims).
Data may also be processed for other purposes if the user has given separate and informed permission.
Data retention
Users' personal data is retained only for as long as is necessary to fulfill the purposes for which it was collected, in accordance with applicable laws and to address any claims that may arise in connection with its processing.
Specifically, data is retained for the following periods:
contact information provided via the form – up to 12 months after the end of communication, unless the contact resulted in the conclusion of a contract, in which case the data may be processed for a longer period, in accordance with the provisions below;
data processed for the purpose of performing a contract or providing services – for the duration of the contract and for the period of the statute of limitations for claims related to the performance of the service or contract (for the purpose of potentially asserting claims or defending against them);
data concerning payments and disbursements, including disbursements made via bank card transfer – for the period necessary to process the transaction, handle complaints, fulfill settlement, accounting, and tax obligations, and prevent fraud, and subsequently for the statute of limitations period for any claims or for the period required by applicable law;
data processed on the basis of consent (e.g., marketing, newsletters) – until consent is withdrawn;
data processed for tax and accounting purposes – for 5 years from the end of the calendar year in which the tax obligation arose;
technical and statistical data (e.g., cookies, server logs) – for up to 26 months from the time of the last activity;
data processed to prevent abuse, fraud, money laundering, or the use of the Website for unlawful purposes – for the period necessary to conduct verification, handle a report or proceeding, and subsequently for the period required by law or the statute of limitations for claims.
After the periods specified above have elapsed, the data is deleted or anonymized, unless there is a need for further processing (e.g., for the purposes of ongoing court or administrative proceedings).
The data administrator regularly reviews the collected data to ensure that it is not retained longer than necessary.
User Rights
Every user has the right, within the scope and under the terms set forth in the GDPR, to:
Access to their personal data – The user has the right to obtain confirmation from the Administrator as to whether their data is being processed, and if so, to access it and obtain information regarding the purposes of processing, categories of data, recipients, the planned retention period, as well as their rights (Article 15 of the GDPR);
Rectification of data – The User has the right to have their data corrected if it is inaccurate or incomplete (Article 16 of the GDPR);
Deletion of data ("right to be forgotten") – The User may request the deletion of their personal data if one of the conditions specified in Article 17 of the GDPR applies, in particular when the data is no longer necessary for the purposes for which it was collected, or when consent has been withdrawn;
Restriction of data processing – The User may request the restriction of data processing in the cases provided for in Article 18 of the GDPR, e.g., when the User disputes the accuracy of the data or the processing is unlawful, but does not wish for the data to be erased;
Data portability – The User has the right to receive the personal data they have provided to the Administrator in a structured, commonly used, machine-readable format, and – where technically feasible – to transmit it to another Administrator (Article 20 of the GDPR);
Objection to data processing – The User has the right to object to the processing of their personal data that is carried out on the basis of the Administrator's legitimate interest or for direct marketing purposes (Article 21 of the GDPR);
Withdrawal of consent at any time – If data processing is based on consent, the User has the right to withdraw it at any time, without affecting the lawfulness of the processing carried out prior to its withdrawal (Article 7(3) of the GDPR);
To lodge a complaint with a supervisory authority – If the User believes that the processing of their data violates data protection regulations, they have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl).
To exercise their rights, Users may contact the Administrator at the following email address: [email protected].
Recipients of personal data
The Administrator may disclose users' personal data to third parties only to the extent necessary for the proper provision of services, the fulfillment of legal obligations, and the protection of the Administrator's legitimate interests. Such disclosure is carried out in accordance with applicable laws, in particular the GDPR.
The categories of recipients to whom personal data may be disclosed include, in particular:
Technical and IT service providers – including providers of hosting, analytics tools (e.g., Google Analytics), cloud computing services, technical support, and IT infrastructure;
Marketing and advertising service providers – entities that enable the implementation of advertising campaigns and the analysis of their effectiveness (e.g., Meta Platforms Ireland Ltd., Google Ireland Ltd.);
Payment and withdrawal operators – entities handling payments, balance top-ups, withdrawals, refunds, bank transfers, transfers to bank cards, and other payment or withdrawal methods available on the Website, to the extent necessary to process and verify transactions;
Verification, security, AML/KYC, and anti-fraud service providers – entities assisting the Administrator in verifying Users' identities, analyzing transactions, combating abuse, fraud, money laundering, and terrorist financing, checking sanctions lists, and detecting activities that violate the law or the Terms of Service;
Email and newsletter service providers – such as MailerLite, Mailchimp, and FreshMail – to the extent necessary for sending messages and managing subscriber lists;
External accounting, legal, and consulting service providers – who assist the Administrator in managing business operations, provided they have access to the data in connection with the services they provide and are bound by professional secrecy;
Authorized public authorities – such as courts, the prosecutor's office, the police, and the President of the Personal Data Protection Office – exclusively in cases where the obligation to disclose information arises from legal provisions.
All entities processing personal data on behalf of the Administrator act pursuant to data processing agreements entered into with the Administrator and are required to implement appropriate technical and organizational measures to ensure data protection.
The Administrator does not sell, commercially disclose, or otherwise share users' personal data with other entities, except in cases explicitly stated in this Privacy Policy or as required by applicable law. If the User chooses to withdraw funds via bank card transfer, the data necessary to process the withdrawal – including, in particular, first and last name, residential address, contact information, IP address, and transaction details – may be transferred to the payment operator handling the selected withdrawal method. The scope of the data transferred depends on the technical, regulatory, and security requirements of the relevant payment operator.
Transfer of personal data to a third country
Due to the use of external service providers by the Administrator, Users' personal data may be transferred to third countries, i.e., countries outside the European Economic Area (EEA), in particular to the United States of America.
Data is transferred only when necessary to achieve specific data processing purposes (e.g., statistical analysis, sending newsletters, operating marketing tools) and with appropriate mechanisms in place to protect personal data.
In the case of data transfers to entities based in third countries, the Administrator ensures that this takes place exclusively on the basis of:
a decision by the European Commission confirming an adequate level of personal data protection (e.g., the Data Privacy Framework mechanism in the case of the U.S.), or
Standard Contractual Clauses (SCCs) adopted by the European Commission, or
other instruments in accordance with Articles 46–49 of the GDPR.
Entities that may process Users' personal data outside the EEA include, in particular: Google LLC (Google Analytics, Google Ads), Meta Platforms, Inc. (Facebook Pixel).
The Administrator ensures that in every case of data transfer outside the EEA, appropriate legal, technical, and organizational safeguards are applied to protect the rights and freedoms of the persons whose data is being transferred.
Cookies
The website https://FlashSkins.gg uses cookies and other similar technologies (e.g., local storage, tracking pixels) for the following purposes:
to ensure the proper functioning and security of the website;
to remember user preferences and customize the interface;
to analyze user behavior and optimize the website's performance (e.g., Google Analytics);
conduct marketing activities (e.g., Google Ads, Meta Pixel);
personalize content and ads according to the User's interests.
Cookies are small text files stored on the user's device that allow the device to be recognized during subsequent visits and enable the collection of specific information.
The Website uses the following types of cookies:
Essential – enable the Website to function properly, e.g., navigation, access to secure areas (without them, the Website would not function correctly);
Functional – remember the user's selected settings and personalize the interface (e.g., language selection);
Analytical and statistical – collect data on how the Website is used for analytical and statistical purposes (e.g., number of visits, time spent on the site);
Marketing and advertising – enable the display of personalized ads on external websites and the measurement of their effectiveness.
Upon their first visit to the Website, users are given the option to select their cookie settings via a dedicated banner or consent management panel. Non-essential cookies (e.g., marketing or analytics cookies) are installed only after the user's explicit consent has been obtained.
You have the right to change your cookie settings at any time, specifically: to accept all cookies, to reject some or all of them, or to withdraw previously granted consent.
Cookie settings can also be changed through your web browser's configuration. Detailed information can be found in the settings of specific browsers (e.g., Chrome, Firefox, Safari).
Restricting the use of cookies may affect certain features available on the Website.
Final Provisions
The Administrator reserves the right to make changes to the Privacy Policy, in particular in the event of:
changes in the law regarding the protection of personal data or the provision of electronic services;
the implementation of new services, features, or technologies;
changes to the Administrator's contact information.
Users will be notified of significant changes to the Privacy Policy via an announcement on the Website or by other customary means (e.g., email).
The amended Privacy Policy takes effect upon its publication on the Website, unless a different effective date is expressly specified.
In matters not covered by this Policy, the provisions of the GDPR, the Personal Data Protection Act, and other generally applicable laws shall apply.
Any questions, requests, or comments regarding the processing of personal data may be directed to the following email address: [email protected].
