GDPR Compliance
Last updated: February 2026
1. Data Controller
SKINS24 is the data controller responsible for your personal data as defined under the General Data Protection Regulation (EU) 2016/679. We determine the purposes and means of processing your personal data when you use our CS2 marketplace platform.
For all data protection enquiries, you may contact our Data Protection Officer at dpo@skins24.co.uk.
2. Your Rights Under GDPR
As a data subject, you are entitled to the following rights under the GDPR:
Right of Access (Article 15): You may request a copy of all personal data we hold about you, along with information about how it is processed.
Right to Rectification (Article 16): You may request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Article 17): You may request deletion of your personal data where there is no compelling reason for its continued processing, subject to legal retention requirements.
Right to Restriction (Article 18): You may request that we restrict the processing of your data in certain circumstances, such as when you contest its accuracy.
Right to Data Portability (Article 20): You may request to receive your personal data in a structured, commonly used, machine-readable format.
Right to Object (Article 21): You may object to processing carried out on the basis of legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7): Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
3. Data We Process
Identity Data: Steam ID, Steam display name, and profile avatar obtained through Steam OAuth authentication.
Transaction Data: Purchase history, order details, payment references, and item trade records.
Technical Data: IP address, browser type and version, device information, and usage analytics collected through server logs and cookies.
Communication Data: Support tickets, correspondence, and any information you provide when contacting us.
4. Lawful Basis for Processing
Contract Performance (Article 6(1)(b)): Account creation, transaction processing, item delivery, and customer support.
Legitimate Interests (Article 6(1)(f)): Fraud prevention, platform security, service improvements, and business analytics. We have conducted balancing tests to ensure these interests do not override your fundamental rights.
Legal Obligation (Article 6(1)(c)): Compliance with anti-money laundering regulations, tax reporting, and law enforcement cooperation.
Consent (Article 6(1)(a)): Marketing communications and non-essential cookies. You may withdraw consent at any time.
5. Data Retention
We retain personal data in accordance with the principle of data minimisation. Specific retention periods are as follows: account data is retained for the duration of your account plus 6 years; transaction records are retained for 7 years as required by law; technical logs are retained for 90 days; support correspondence is retained for 3 years; and marketing preferences are retained until you withdraw consent.
Data is securely deleted or anonymised once the applicable retention period has expired.
6. Data Processors and Transfers
We share personal data with the following categories of data processors, each operating under a data processing agreement that ensures GDPR compliance:
Steam / Valve Corporation: Authentication and trade processing. Data may be transferred to the United States under Standard Contractual Clauses.
BitSkins: Marketplace integration for item sourcing and delivery.
EcommPay: Payment processing and fraud prevention.
Cloud Infrastructure: Hosting and content delivery within EU data centres where possible.
Where data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or adequacy decisions.
7. Data Security
We implement appropriate technical and organisational measures as required by Article 32 of the GDPR. These include TLS encryption for data in transit, encryption at rest for stored data, role-based access controls, regular security assessments, employee data protection awareness, and documented incident response procedures.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay under Article 34.
All breaches, regardless of severity, are documented internally with details of the facts, effects, and remedial actions taken.
9. Automated Decision Making
We use automated systems for fraud detection and anti-money laundering transaction monitoring. These systems may flag transactions for manual review based on predefined risk criteria. You have the right to request human intervention, express your point of view, and contest any decision made solely by automated processing that produces legal or similarly significant effects.
10. Exercising Your Rights
To exercise any of your GDPR rights, send a request to dpo@skins24.co.uk. Please include your Steam ID or account email so we can verify your identity. We will respond to your request within 30 days. There is no fee for most requests; however, we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive.
For complex requests, we may extend the response period by an additional 60 days, in which case we will notify you of the extension and the reasons for it within the initial 30-day period.
11. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first at dpo@skins24.co.uk so that we may address your concerns directly.
12. Children's Data
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a child has provided personal data, we will take immediate steps to delete that information from our systems.
For questions about this policy, contact us at legal@skins24.co.uk.