1. Data Controller
For the purposes of the General Data Protection Regulation (EU) 2016/679, SKINS24 is the data controller for your personal data. We decide the purposes and means of processing whenever you use our CS2 marketplace.
2. Your GDPR Rights
As a data subject, you have the following rights:
Access (Article 15): obtain a copy of the personal data we hold about you and information on how it is processed.
Rectification (Article 16): have inaccurate data corrected and incomplete data completed.
Erasure (Article 17): request deletion where we no longer have a lawful reason to keep the data, subject to retention obligations.
Restriction (Article 18): restrict processing in defined circumstances — for example while accuracy is being verified.
Portability (Article 20): receive your data in a structured, machine-readable format to hand to another controller.
Objection (Article 21): object to processing based on legitimate interests or for direct marketing.
Withdraw consent (Article 7): pull back any consent you previously gave. Withdrawal does not invalidate processing that occurred beforehand.
3. Data We Process
Identity: Steam ID, Steam display name, and avatar retrieved through Steam OAuth.
Transactions: orders, payment references, and item delivery logs.
Technical: IP address, browser and device details, and usage metrics from server logs and cookies.
Support: tickets, messages, and information you provide when contacting us.
4. Lawful Bases
Contract (Article 6(1)(b)): account creation, order processing, delivery, and support.
Legitimate interests (Article 6(1)(f)): fraud prevention, security, product analytics. Balancing tests confirm these interests do not override your rights.
Legal obligation (Article 6(1)(c)): AML, tax, and law-enforcement cooperation.
Consent (Article 6(1)(a)): marketing emails and non-essential cookies — always revocable.
5. Retention
We apply data minimisation. Specific retention windows:
Account data: kept for the lifetime of the account plus 6 years.
Transaction records: held for 7 years as required by law.
Server and technical logs: retained for 90 days.
Support correspondence: kept for 3 years.
Marketing preferences: held until withdrawn.
Once a retention window ends, data is securely deleted or irreversibly anonymised.
6. Processors and International Transfers
We share personal data with the categories of processors below, each under a GDPR-compliant data-processing agreement:
Steam / Valve: authentication and trade execution. Transfers to the United States rely on Standard Contractual Clauses.
BitSkins: item sourcing and fulfilment.
Payment processor: authorisation, settlement, and fraud controls.
Cloud infrastructure: hosting and content delivery, preferring EU data centres where feasible.
Transfers outside the European Economic Area are only made with appropriate safeguards — Standard Contractual Clauses or relevant adequacy decisions.
7. Security
We apply the technical and organisational measures required by Article 32: TLS in transit, encryption at rest, role-based access control, regular security reviews, staff privacy awareness, and incident-response procedures.
8. Breach Notification
If a personal data breach is likely to put your rights and freedoms at risk, we notify the competent supervisory authority within 72 hours of detection (Article 33). Where the risk to individuals is high, we inform affected users without undue delay (Article 34).
Every breach is logged internally, including the facts, impact, and remedial actions.
9. Automated Decision-Making
We use automated systems for fraud detection and AML transaction monitoring. These systems can escalate transactions to human review based on defined risk signals. You have the right to request human intervention, express your point of view, and contest any decision that has a legal or similarly significant effect on you and was made solely by automated means.
10. Exercising Your Rights
Email dpo@skins24.co.uk with your Steam ID or account email so we can verify your identity. We respond within 30 days. Most requests are free; however, we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive.
For particularly complex requests we can extend the response deadline by up to 60 days — we'll tell you within the first 30 days if that applies and why.
11. Complaints
You have the right to lodge a complaint with your local data-protection supervisory authority if you believe we have handled your data improperly. We encourage you to contact dpo@skins24.co.uk first so that we can try to resolve the matter directly.
12. Children
SKINS24 is not intended for users under 18 and we do not knowingly collect data from minors. If we learn that a child has supplied us with personal data, we remove it without delay.