PRIVACY POLICY
Effective Date: November 11, 2025
Last Updated: November 11, 2025
Platform: StarShipDealers (www.starshipdealers.com)
Legal Entity: StarShipDealers LLC, Registration 10330273, 8 the Green, STE A, Dover, Delaware, 19901, United States of America
Governing Law: State of Delaware, United States
1 TABLE OF CONTENTS
- Introduction & Scope
- Data Controller Information
- Legal Basis for Processing
- Data We Collect
- How We Use Your Data
- Data Sharing & Third-Party Services
- International Data Transfers
- Data Retention Periods
- Your Privacy Rights
- Security Measures
- Cookies & Tracking Technologies
- Children's Privacy
- California Privacy Rights (CCPA)
- Changes to This Policy
- Contact Information
1 INTRODUCTION & SCOPE
1.1 Our Commitment to Privacy
StarShipDealers ("we," "us," "our," "Platform") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Platform.
1.2 Who This Policy Applies To
This Privacy Policy applies to:
- All visitors to the StarShipDealers website
- Registered users (buyers and sellers)
- Anyone who communicates with us via email or platform messaging
- Anyone who submits KYC (Know Your Customer) verification
1.3 Acceptance of This Policy
By accessing or using the StarShipDealers Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, you must immediately cease using the Platform.
1.4 Relationship to Other Documents
This Privacy Policy should be read in conjunction with:
- Terms of Service - governing general platform use
- Buyer Protection Agreement - governing buyer-specific obligations
- Seller Protection Agreement - governing seller-specific obligations
- Cookie Policy - governing cookies and tracking technologies
All documents together form our complete legal framework.
2 DATA CONTROLLER INFORMATION
2.1 Data Controller Identity
Legal Name: StarShipDealers LLC
Business Address:
8 the Green
STE A
Dover, Deleware, 19901
United State of America
Business Registration:
Registration 10330273
Platform: www.starshipdealers.com
Contact Email: [email protected]
2.2 Data Protection Officer (DPO)
For all privacy-related inquiries, GDPR requests, and data protection matters:
Email: [email protected]
Subject Line: "GDPR Request" or "Privacy Inquiry"
Response Time: Within 5 business days for acknowledgment, 30 days for full response (as required by GDPR Article 12)
2.3 EU Representative (GDPR Article 27)
As StarShipDealers LLC is established in the United States but processes data of EU residents, we have designated our EU-based affiliate as our GDPR representative:
EU Representative: PC Invest EOOD.
Address: Maystor Aleksi Rilets 17,
Sofia, 1618
Bulgaria, European Union
Registration: 206700965
Contact: [email protected]
Note: For GDPR requests, EU residents may contact either our EU Representative or our Data Protection Officer at [email protected]
3 LEGAL BASIS FOR PROCESSING
Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, we process your personal data based on the following legal grounds:
3.1 Contractual Necessity (GDPR Article 6(1)(b))
Processing necessary to create/manage accounts, process transactions, facilitate communications, deliver items, manage disputes, and enforce Terms of Service.
3.2 Legal Obligation (GDPR Article 6(1)(c))
Processing necessary for KYC/AML verification, tax reporting (1099/VAT), fraud prevention, law enforcement cooperation, and legal data retention.
3.3 Legitimate Interest (GDPR Article 6(1)(f))
Processing for platform security, fraud prevention, improving user experience, customer support, dispute resolution, marketing (with opt-out), and analytics.
3.4 Consent (GDPR Article 6(1)(a))
Processing based on explicit consent: non-essential cookies (marketing/analytics), marketing emails, testimonials using your name, newsletter subscriptions. You may withdraw consent anytime without affecting prior lawful processing.
3.5 Special Categories of Data
We do NOT intentionally collect "special categories" of personal data (GDPR Article 9): racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, health data, sex life/orientation.
Exception: KYC selfie photos may constitute biometric data. Processing based on explicit consent (GDPR Article 9(2)(a)) and legal obligation for fraud prevention (GDPR Article 9(2)(f)).
4 DATA WE COLLECT
| Category | Data Collected | Legal Basis | Retention |
|---|---|---|---|
| Account Registration | Username, email, password (encrypted), creation date/IP, verification status | Contractual necessity | Account lifetime + 7 years |
| Profile Information | Display name, avatar, bio, language, timezone | Contractual necessity, legitimate interest | Account lifetime, deleted within 90 days |
| KYC Verification (Sellers) | Name, DOB, address, ID documents, selfie, company/VAT (optional), submission IP/metadata | Legal obligation, contractual necessity | 5 years after account closure |
| Transaction & Order Data | Order ID, items, price, payment method, status, delivery email, confirmation timestamp, dispute details | Contractual necessity, legal obligation | 7 years (tax/legal requirement) |
| Payment Information | Payment method, amount, status, payout info (PayPal email, bank last 4 digits). NOTE: Credit card data handled by Stripe/PayPal (NOT by us) | Contractual necessity | 7 years (financial records) |
| Communication Data | Platform messages, support tickets, email correspondence, timestamps | Contractual necessity, legitimate interest | 3 years after last communication |
| Technical & Usage Data | IP address (anonymized after 90 days), browser/OS, device type, screen resolution, referring URL, page views, time on page, clicks, session duration, cookies | Legitimate interest | 90 days (raw logs), 24 months (anonymized) |
| Fraud Prevention Data | Device fingerprinting, login history, failed attempts, suspicious patterns, duplicate account detection, chargeback history | Legitimate interest, legal obligation | 5 years after last suspicious activity |
| Cookies & Tracking | See Section 11 and Cookie Policy | Varies (consent for non-essential) | See Cookie Policy |
| Key Notes: | |||
| - KYC Storage: Private encrypted storage, restricted to authorized compliance staff only | |||
| - Payment Security: PCI-DSS compliant (we do NOT handle/store credit card data) | |||
| - Communication Monitoring: All platform messages logged to prevent fraud/harassment | |||
| - Special Categories: KYC selfie photos may constitute biometric data (explicit consent + legal obligation) |
5 HOW WE USE YOUR DATA
We use your data for: Account management (create/maintain accounts, authentication, password recovery, transactional emails); Transaction processing (purchases/sales, payment processing, escrow, refunds, invoices); Service delivery (buyer-seller communication, delivery coordination, tracking confirmations, 24-hour inspection, auto-acceptance); Dispute resolution (investigations, evidence review, negotiation, Final Resolution Committee escalation); KYC verification & compliance (identity verification, AML compliance, fraud detection, tax reporting); Fraud prevention & security (monitoring suspicious activity, duplicate accounts, chargeback prevention, IP blocking); Customer support (responding to inquiries, troubleshooting, issue resolution); Platform improvements (analytics, A/B testing, feature development, bug fixes); Legal compliance (tax reporting, law enforcement cooperation, regulatory obligations); Marketing communications (newsletters, promotions, platform updates - opt-out available).
6 DATA SHARING & THIRD-PARTY SERVICES
We DO NOT sell, rent, or trade your personal data. We share data only in these circumstances:
6.1 Third-Party Service Providers
| Service Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| PayPal | Payment processing | Email, transaction amount, order ID | PayPal Privacy |
| Stripe | Payment processing | Email, transaction amount, order ID, country | Stripe Privacy |
| OVHcloud | Hosting (database, servers) | All platform data (EU data residency) | OVH Privacy |
| Railway | Application deployment | Application code, env variables, logs | Railway Privacy |
| Cloudflare | CDN, DDoS protection, WAF | IP addresses, HTTP headers, request logs (72h retention) | Cloudflare Privacy |
| Zoho Mail | Transactional emails | Email addresses, email content (support, order confirmations) | Zoho Privacy |
| Mailchimp | Marketing emails (opt-in only) | Email, name, subscription preferences, open/click rates | Mailchimp Privacy |
| Google Analytics | Usage statistics | Anonymized page views, user flows (IP anonymized) | Google Privacy |
| Sentry | Error logging | Crash reports (no personal data) | Sentry Privacy |
| Hotjar | Heatmaps, session recordings | Anonymized clicks, scrolls (IP anonymized) | Hotjar Privacy |
| Google reCAPTCHA | Bot detection, spam prevention | IP, browser info, mouse movements, clicks, keystrokes | Google Privacy |
| MaxMind | Fraud prevention | IP geolocation | MaxMind Privacy |
| Legal Basis: Contractual necessity (payments, hosting), Legitimate interest (fraud prevention, analytics), Consent (marketing emails). | |||
| GDPR Compliance: All providers are GDPR-compliant with Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) for US-based services. | |||
| Opt-Out Options: Marketing emails (unsubscribe link), Analytics/Hotjar (Cookie Settings), reCAPTCHA (not possible - required for security). |
6.2 With Other Platform Users
Publicly visible: Username, profile picture, bio, seller store name, listings, aggregated ratings.
Buyer-seller communications: Platform messages.
Transaction details: Buyer's delivery email (visible to seller), seller's store name (visible to buyer).
6.3 With Legal Authorities
Law enforcement: When legally required (subpoena, court order, search warrant).
Tax authorities: For tax reporting (1099, VAT compliance).
Regulatory bodies: For AML/KYC compliance verification.
Legal Basis: Legal obligation (GDPR Article 6(1)(c)).
6.4 With Professional Advisors
Legal counsel, accountants, consultants (under strict NDAs) for legal compliance and business operations.
Legal Basis: Legitimate interest.
6.5 Business Transfers
If acquired/merged, your data may transfer to the new owner. We will notify you via email 30 days before transfer, ensure equivalent privacy policy, and provide option to delete account.
6.6 Aggregated & Anonymized Data
We may share aggregated, anonymized data that cannot identify you individually (e.g., "10,000 transactions processed in Q1 2025"). This is NOT personal data under GDPR.
7 INTERNATIONAL DATA TRANSFERS
Primary Storage: Global (Cloudflare's global network with data centers worldwide, including EU locations) - GDPR compliant.
Image Storage: Cloudflare R2 (global distributed storage with automatic geographic routing).
Database Hosting: OVHcloud (France - EU data centers in Roubaix/Gravelines) for primary database.
Transfers Outside EU/EEA: Your data may be transferred to the United States and other countries through Cloudflare's global network (not all "adequate" under GDPR Article 45).
Legal Safeguards:
- Standard Contractual Clauses (SCCs) 2021/914 with all US-based service providers (Cloudflare, Stripe, PayPal)
- EU-US Data Privacy Framework compliance (Cloudflare certified)
- Data Processing Agreements (DPAs) with all third-party processors
- Cloudflare's EU Data Localization option available upon request
Your Rights: Obtain transfer safeguard information, request EU-only data storage (may limit platform functionality), object to transfers, file complaint with local data protection authority.
8 DATA RETENTION PERIODS
We retain personal data only as necessary for stated purposes or as legally required.
| Data Type | Retention Period | Legal Basis |
|--------------------------------|-------------------------------------|---------------------------|
| Account registration | Account lifetime + 7 years | Tax/legal requirement |
| KYC documents (sellers) | 5 years after account closure | AML/KYC regulations |
| Transaction records | 7 years after transaction | Tax/accounting laws |
| Payment data | 7 years after transaction | Financial regulations |
| Platform messages | 3 years after last message | Dispute resolution |
| Support tickets | 3 years after closure | Customer service |
| Raw server logs (IP) | 90 days | Fraud prevention |
| Anonymized analytics | 24 months | Statistical analysis |
| Marketing email lists | Until opt-out or account deletion | Consent |
| Delivery evidence | 120 days minimum (seller responsibility) | Dispute resolution |
| Dispute records | 5 years after resolution | Legal defense |
| Suspended/banned accounts | 10 years (permanent record) | Fraud prevention |
Automated Deletion: We automatically anonymize IP addresses after 90 days, delete expired sessions/tokens, purge old logs, remove unverified accounts after 30 days inactivity, and delete user accounts upon request (see Section 9.5).
9 YOUR PRIVACY RIGHTS
9.1 GDPR Rights (EU/EEA/UK Users)
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request confirmation of processing + copy of data (categories, purposes, recipients, retention, source) | Email [email protected] (subject: "GDPR Access Request"). Response: 30 days, PDF/CSV format |
| Rectification (Art. 16) | Correct inaccurate personal data | Update in Account Settings or email [email protected] |
| Erasure (Art. 17) | Delete data when no longer necessary, consent withdrawn, unlawfully processed, or legal obligation. Limitations: Tax/AML compliance, legal claims, public interest archiving | Email (subject: "GDPR Erasure Request") |
| Restriction (Art. 18) | Stop processing (but retain data) when contesting accuracy, processing unlawful, needed for legal claims, or pending objection verification | Email (subject: "GDPR Restriction Request") |
| Portability (Art. 20) | Receive data in machine-readable format (CSV/JSON). Scope: Automated processing based on consent/contract only | Email (subject: "GDPR Portability Request") |
| Object (Art. 21) | Object to legitimate interest processing or direct marketing. Always allowed for marketing (click "Unsubscribe") | Email (subject: "GDPR Objection") or unsubscribe link |
| Withdraw Consent (Art. 7(3)) | Withdraw consent for marketing emails, non-essential cookies, KYC (may prevent selling) | Marketing: Unsubscribe link. Cookies: Cookie settings. KYC: Email [email protected] |
| Automated Decision-Making (Art. 22) | Not subject to solely automated decisions with legal/significant effects. We use human review for fraud detection, KYC, disputes | Request human intervention via [email protected] |
9.2 Rights for All Users (Regardless of Location)
- Access: Request copy of personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion (subject to legal retention)
- Portability: Request data in machine-readable format
- Opt-Out: Unsubscribe from marketing
9.3 How to Exercise Rights
Verify Identity: Provide username, registered email, security questions (last transaction date, order ID). KYC-verified accounts may need ID copy.
Submit Request: Email [email protected] (Subject: "GDPR [Type]" e.g., "GDPR Access Request"). Include: full name/username, registered email, request description, preferred export format.
Response Timeline: Acknowledgment within 5 business days, full response within 30 days (may extend by 2 months for complex requests).
9.4 Lodge a Complaint
EU/EEA/UK: Contact your local Data Protection Authority.
California (US): California Attorney General.
Preferred: Contact us first at [email protected] to resolve concerns.
9.5 Account Deletion
- Account Settings > Privacy & Security > "Delete My Account" (confirm + optional feedback)
OR Email [email protected] (subject: "Account Deletion Request")
After Deletion: Public profile removed (7 days), access revoked immediately, data anonymized (90 days), financial/legal records retained (7 years - required by law), confirmation email sent.
Warning: Deletion is permanent and irreversible. Withdraw wallet funds before deletion.
10 SECURITY MEASURES
We implement industry-standard technical and organizational security measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction.
Technical Measures: TLS 1.3 encryption (in transit), AES-256 encryption (at rest for passwords/KYC/payment data), bcrypt/Argon2 password hashing, optional 2FA, secure KYC file storage (OVH private access-controlled), database firewalls/access controls/regular audits.
Organizational Measures: Access on need-to-know basis, staff data protection training, background checks for key personnel, NDAs for all staff, quarterly security audits & penetration testing, documented incident response plan.
Third-Party Security: All service providers (payment processors, cloud hosts) are GDPR-compliant, SOC 2 Type II certified (or equivalent), subject to Data Processing Agreements, regularly audited.
Your Responsibility: Use strong unique password, enable 2FA (recommended), never share credentials, log out of shared devices, report suspicious activity to {{ support_email }}. Warning: StarShipDealers will NEVER ask for your password via email/support tickets (phishing).
Data Breach Notification (GDPR Article 33): Within 72 hours via email + Platform homepage notice. Notification includes: breach nature, consequences, mitigation measures, contact information. Your Action: Change password, enable 2FA, monitor accounts, contact [email protected]
11 COOKIES & TRACKING TECHNOLOGIES
We use cookies and tracking technologies to provide, secure, and improve our Platform. For comprehensive details, see our Cookie Policy at www.starshipdealers.com/legal/cookie-policy.
Essential Cookies (Always Active): Session management, CSRF tokens, language preferences, shopping cart. Legal basis: Legitimate interest.
Analytics Cookies (Optional): Google Analytics (anonymized IPs), page views, user flow. Legal basis: Consent (EU/EEA/UK). Opt-out: Cookie settings or Google Analytics Opt-Out.
Marketing Cookies (Optional): Google Ads, Facebook Pixel, retargeting. Legal basis: Consent (EU/EEA/UK). Opt-out: Cookie settings or browser settings.
Third-Party Cookies: PayPal, Stripe, Google may set cookies. See their privacy policies: PayPal, Stripe, Google.
Cookie Management: Cookie Settings banner (first visit), Account Settings > Privacy > Cookie Preferences, browser settings (may affect functionality).
Do Not Track (DNT): No industry standard exists. We do not alter data collection for DNT signals. Use cookie settings to control tracking.
12 CHILDREN'S PRIVACY
StarShipDealers is NOT intended for children under 18 years. We do NOT knowingly collect data from anyone under 18. If you are under 18, you must NOT create an account, use the Platform, purchase/sell items, or submit personal information.
Parental Notice: If your child has provided us with personal data, contact [email protected] immediately. We will verify the claim, delete the account and data within 7 days, and refund transactions if applicable.
COPPA Compliance (US): We do NOT collect personal information from children under 13.
13 CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
Scope: California residents have additional rights under CCPA/CPRA.
Categories of Personal Information Collected: See Section 4. Summary: Identifiers (username, email, IP), commercial information (purchase history), internet activity (browsing history), geolocation (IP-based), financial information (payment method, not card numbers), professional information (KYC: company name, VAT), biometric information (KYC selfies for sellers).
13.1 CCPA/CPRA Rights
| Right | Description | How to Exercise |
|---|---|---|
| Right to Know | Request categories/pieces of PI collected, sources, purposes, sharing/selling practices | Email [email protected] (subject: "CCPA Right to Know") |
| Right to Delete | Request deletion (subject to legal exceptions) | Email [email protected] (subject: "CCPA Deletion Request") |
| Right to Opt-Out of "Sale" | We do NOT sell PI to data brokers. Under CCPA's broad definition, analytics/advertising sharing may constitute "sale" | Cookie Settings > Disable marketing cookies OR footer link "Do Not Sell My Personal Information" |
| Right to Non-Discrimination | We will NOT deny service, charge different prices, or provide different quality for exercising rights | Automatic (no action required) |
| Right to Correct (CPRA) | Request correction of inaccurate PI | Email [email protected] OR Account Settings |
| Right to Limit Sensitive PI Use (CPRA) | Limit use of sensitive PI (KYC, biometric). Note: We use sensitive PI ONLY for identity verification, fraud prevention, legal compliance (necessary for Platform function - cannot opt out) | N/A (already limited to necessary uses) |
| Authorized Agent: Agent must provide written authorization signed by you, verify identity, provide proof of authorization (e.g., power of attorney). Email [email protected] (subject: "CCPA Authorized Agent Request"). | ||
| Shine the Light (Cal. Civ. Code § 1798.83): We do NOT share data with third parties for direct marketing. | ||
| Response Timeline: Acknowledgment within 10 days, full response within 45 days (may extend 45 days for complex requests). |
14 CHANGES TO THIS POLICY
StarShipDealers reserves the right to modify this Privacy Policy at any time.
Material Changes (new data collection, rights changes): Email notification 30 days before effective date + Platform homepage notice + "Last Updated" date change.
Minor Changes (clarifications, typos): "Last Updated" date change only (no email).
Acceptance: Continuing to use the Platform after changes = acceptance.
Objection: You may delete account before changes take effect, withdraw consent, or exercise GDPR/CCPA rights (Sections 9, 13).
Version History: Previous versions archived, available at [email protected].
15 CONTACT INFORMATION
General Inquiries: [email protected] | www.starshipdealers.com/legal/privacy | [Your Complete Business Address]
Data Protection Officer (GDPR): [email protected] (subject: "GDPR Request" or "Privacy Inquiry"). Response: 5 business days (acknowledgment), 30 days (full response). Handles: GDPR rights, CCPA rights (California), privacy complaints, data breach inquiries, consent withdrawal, cookie preferences, account deletion.
Customer Support (Non-Privacy): {{ support_email }} (24-48h response). Handles: Order issues, technical support, dispute resolution, account recovery.
Legal Department: [email protected]. Handles: Legal compliance, law enforcement requests, subpoenas/court orders, intellectual property disputes.
Business Hours: Monday-Friday, 9:00 AM - 6:00 PM EST. GDPR Requests: Processed 24/7 (response within statutory timeframes).
17 APPENDIX A: GLOSSARY OF TERMS
Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, email, IP address, transaction history).
Data Controller: The entity that determines the purposes and means of processing personal data (StarShipDealers).
Data Processor: A third party that processes personal data on behalf of the Data Controller (e.g., OVH, Railway, Stripe, Zoho).
Data Subject: The individual to whom personal data relates (you, the user).
Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).
Consent: Freely given, specific, informed, and unambiguous indication of your agreement to processing.
Legitimate Interest: A lawful basis for processing when necessary for the legitimate interests of the Data Controller, balanced against your rights.
GDPR: General Data Protection Regulation (EU Regulation 2016/679).
CCPA: California Consumer Privacy Act (California Civil Code § 1798.100 et seq.).
COPPA: Children's Online Privacy Protection Act (US federal law).
KYC: Know Your Customer (identity verification process for sellers).
AML: Anti-Money Laundering (regulations to prevent financial crimes).
DPA: Data Protection Authority (government regulator for privacy/data protection).
DPO: Data Protection Officer (person responsible for data protection compliance).
SCC: Standard Contractual Clauses (EU-approved contracts for international data transfers).
PCI-DSS: Payment Card Industry Data Security Standard (security standards for handling credit card data).
18 APPENDIX B: LEGAL REFERENCES
This Privacy Policy complies with:
- General Data Protection Regulation (GDPR) - EU Regulation 2016/679
- California Consumer Privacy Act (CCPA) - California Civil Code § 1798.100–1798.199
- California Privacy Rights Act (CPRA) - Effective January 1, 2023
- Children's Online Privacy Protection Act (COPPA) - 15 U.S.C. §§ 6501–6506
- ePrivacy Directive - EU Directive 2002/58/EC (Cookie Law)
- Data Protection Act 2018 (UK)
- Delaware General Corporation Law (if incorporated in Delaware)
- Electronic Communications Privacy Act (ECPA) - 18 U.S.C. § 2510 et seq.
19 DOCUMENT END
Effective Date: November 11, 2025
Last Updated: November 11, 2025
Version: 1.01
Document ID: PP-2025-101
For questions or concerns about this Privacy Policy, contact:
[email protected]