Privacy Policy

Effective as of: 07/2026

1. Controller

The controller of personal data is ETNERA LTD · Business Registration Number: HE480731, a company incorporated under the laws of the Republic of Cyprus, registered office: Neofytou Nikolaidi & Theodorou Kolokotroni, ONISIFOROU CENTER, 2nd floor, Agios Theodoros, 8011 Paphos, Cyprus (the "Controller"). Data protection contact: [email protected].

The SkinsCartel website is one of several websites operated by the Controller under different brands and domains on shared infrastructure. The controller of personal data across all of these websites is exclusively ETNERA LTD · Business Registration Number: HE480731. Content creators promoting individual websites are neither controllers nor joint controllers of Users' data.

2. Categories of data processed

Identification data: first and last name.

Steam identifiers: Steam ID, trade URL, public inventory data (including inventory composition and estimated value — to the extent described in Section 8.3).

Payout data: bank account number (IBAN) or payment card details.

Contact data: e-mail address and phone number — collected at transaction settlement for contact in settlement matters (e.g. verification of payout details, failed transfers, KYC), and for marketing purposes only to the extent described in Sections 3.4–3.5.

Technical data: IP address, device and browser identifiers, logs.

Traffic attribution data: the domain/brand from which the User reached the website, campaign parameters.

Content of correspondence with the Controller's representative in the Chat Channel and by e-mail, SMS and telephone.

KYC data (only where collected in accordance with the Terms of Service): scan/photo of an identity document, likeness (selfie/liveness), document data.

Transaction history with the Controller (across all of the Controller's websites).

3. Purposes and legal bases

Conclusion and performance of the agreement for the sale of Items, including negotiations, payouts, contact in settlement matters (e-mail, phone, SMS) and complaint handling — Art. 6(1)(b) GDPR (data under 2.1–2.4, 2.7, 2.9).

Compliance with legal obligations: anti-money laundering and counter-terrorist financing, sanctions laws, tax and accounting obligations — Art. 6(1)(c) GDPR (data under 2.1–2.3, 2.8).

The Controller's legitimate interests — Art. 6(1)(f) GDPR: (a) fraud and abuse prevention, including anti-fraud profiling (Sections 8.1–8.2); (b) establishing, exercising and defending legal claims; (c) analytics and statistics, including measuring the performance of individual brands/domains (attribution data); (d) network and information security; (e) preparing personalised repurchase proposals based on the profiling described in Section 8.3 — provided that the sending of marketing communications itself takes place exclusively under Section 3.4.

The Controller's direct marketing, including in particular: (a) proactive proposals to purchase Items from the User's inventory; (b) notifications of valuations and market price changes of the User's Items (price alerts); (c) information on promotions, bonuses and increased purchase rates; (d) information about the Controller's other websites and brands — sent by e-mail, SMS or telephone only with the User's prior, separate and freely given consent for the given communication channel (Art. 6(1)(a) GDPR; Art. 13 of Directive 2002/58/EC and its national implementations, including Art. 398 of the Polish Electronic Communications Law). Consent is not a condition of concluding the agreement or receiving the payout.

The scope of the marketing consent covers — where the wording of the consent so provides — all websites operated by the Controller (cross-brand marketing); the list of websites covered by the consent is indicated in the wording of the consent. Every marketing message includes an opt-out mechanism (unsubscribe link, or STOP for SMS). Consent may be withdrawn at any time and does not affect settlement communications (Section 3.1).

Provision of the data under 2.1–2.4 is a condition of concluding and settling the agreement; failure to provide it prevents payout. KYC data is required in the cases set out in the Terms of Service. Marketing consents are entirely voluntary and may be withdrawn independently of each other.

4. Recipients of data

Data may be disclosed only to: payment service providers and electronic money institutions, banks, the SMS and e-mail delivery providers, hosting and IT infrastructure providers, an identity verification (KYC) provider — once engaged, accounting, tax and legal advisers, and public authorities where required by law.

Content creators and marketing partners promoting the Controller's websites receive exclusively aggregated and statistical data (e.g. the number and total value of transactions originating from a given domain). Under no circumstances do they receive Users' personal data.

Processors act under data processing agreements compliant with Art. 28 GDPR.

5. Transfers outside the EEA

The Controller as a rule processes data within the European Economic Area. Where a service provider (hosting, communications, identity verification, payments) processes data outside the EEA, the transfer takes place on the basis of a European Commission adequacy decision or Standard Contractual Clauses (Art. 46(2)(c) GDPR). Information on current transfers and safeguards applied is available at [email protected].

6. Retention periods

Transaction data and data collected for AML/KYC purposes — 5 years from the transaction, unless a longer period is required by law.

Data processed on the basis of consent (marketing) — until consent is withdrawn; after withdrawal the Controller may retain proof of the granting and withdrawal of consent (defence of claims, accountability).

Correspondence (Chat Channel, e-mail, SMS, telephone) — for the limitation period for claims under the applicable law.

Technical data and logs — 12 months, unless they constitute evidence of abuse.

7. Data subject rights

The User has the right to: access and obtain a copy of their data (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection to processing based on Art. 6(1)(f) (Art. 21), and withdrawal of consent (Art. 7(3)).

An objection to direct marketing, including profiling for marketing purposes (Section 8.3), is absolute — upon objection the Controller ceases processing the data for that purpose (Art. 21(2)–(3) GDPR).

Requests: [email protected]. The Controller responds without undue delay, at the latest within one month (extendable by two further months in complex cases, with notice).

The rights under 7.1 may be limited by AML laws (e.g. the prohibition on disclosing that a report has been made to a financial intelligence unit).

Complaints may be lodged with the supervisory authority: the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (Nicosia); the User may also complain to the authority of their habitual residence, in Poland — the President of the Personal Data Protection Office (UODO).

8. Profiling and automated decisions

Anti-fraud profiling: the Controller uses fraud risk assessment mechanisms (profiling within the meaning of Art. 4(4) GDPR), analysing inter alia session parameters, transaction history, Steam account characteristics and payout data. The sole purpose is abuse prevention (Art. 6(1)(f) GDPR).

Where the risk assessment system automatically suspends a payout or blocks a transaction and that decision significantly affects the User, the User has the right — in accordance with Art. 22(3) GDPR — to obtain human intervention on the part of the Controller, to express their point of view and to contest the decision, by contacting [email protected]. Every automatic suspension is reviewed by the Controller's staff.

Marketing profiling: in order to prepare personalised repurchase proposals, the Controller may analyse the publicly available data of the User's Steam inventory and the transaction history with the Controller (e.g. the type and estimated value of Items held). This profiling produces no legal or similarly significant effects on the User — it serves solely to tailor the content of offers; the communication of such offers takes place exclusively under Section 3.4. The User may object at any time (Section 7.2).

9. Cookies

The website uses cookies and similar technologies: strictly necessary (session, security — based on necessity to provide the service), and analytics and marketing cookies (only with consent given via the consent management banner).

A detailed list of cookies, their lifetimes and third-party providers is available in the consent management banner on the website. Consent may be changed or withdrawn at any time in the banner settings.

10. Changes to this Policy

The Controller may update this Policy (e.g. upon changes of providers, data scope or law). Material changes are announced on the website. Archived versions are available on request.

11. Language versions

This Policy is available in Polish (skinscartel.com/pl/polityka-prywatnosci) and English. For Users habitually resident in Poland, the Polish version is binding; discrepancies are interpreted in favour of the User.