Privacy Policy

1. Who we are

This Privacy Policy describes how [PLACEHOLDER: Legal name of the entity operating the marketplace] (“we”, “us”) processes personal data when you use [PLACEHOLDER: Trading / brand name — e.g. “Flagswing”] (the “Service”).

Contact: [PLACEHOLDER: contact@yourdomain.com]. If you maintain a separate address for privacy requests, publish it here once finalized.

Registered / principal address (if you publish one): [PLACEHOLDER: Registered office or principal business address — obtain from your records; do not invent]. Tax / company identifiers (only if you choose to publish): [PLACEHOLDER: Tax / VAT ID if you publish one — or remove this sentence].

Effective date: [PLACEHOLDER: Effective date of this document — e.g. 17 April 2026]. Update this date whenever you publish a new version users should read.

2. Scope

This policy applies to visitors, account holders, buyers, subscribers, and others who interact with the Service, including when you browse pages, create an account, purchase a license, or contact support.

If you access the Service on behalf of a company, you represent that you have authority to share any personal data you provide for that organization.

3. Data we may collect

Depending on how you use the Service, we may process categories such as: account and profile details; authentication identifiers; billing and transaction records (often handled by our payment partner: Paddle); support messages; technical logs (IP address, device/browser type, approximate location from IP); usage and diagnostics; and marketing preferences where permitted.

List the specific tools you rely on (hosting, analytics, email, ads, CRM) in an internal data map, and expand this section when you add a new vendor that processes personal data.

We do not knowingly collect special-category data unless a feature explicitly requires it.

4. Purposes and legal bases

We process personal data to:

• Provide, secure, and improve the Service (contract / legitimate interests).
• Process purchases, subscriptions, and tax or invoicing obligations where applicable (contract / legal obligation).
• Communicate service and security notices (contract / legitimate interests).
• Respond to requests and enforce our terms (legitimate interests / legal obligation).
• Run optional analytics or advertising where you have consented or law permits (consent / legitimate interests). Map each purpose to the legal bases that apply in your markets with qualified counsel.

5. Sharing and processors

We share personal data with vendors that help us operate the Service (hosting, email, support tooling, payment processing). Payment data is typically collected directly by Paddle subject to their terms and privacy notice.

We may disclose information if required by law, to protect rights and safety, or as part of a business transfer subject to safeguards. Maintain a subprocessor or vendor list if your regulator or customers expect it.

6. International transfers

We may process data in countries other than where you live. Describe the transfer tools you rely on (for example Standard Contractual Clauses or adequacy decisions) with advice from counsel.

7. Retention

We keep personal data only as long as needed for the purposes above, including legal, tax, and dispute resolution needs. Add concrete retention periods for accounts, invoices, marketing consents, and logs as your operations mature.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing, and to data portability. You may withdraw consent where processing is consent-based. Explain how to exercise rights and any verification steps you require.

You may lodge a complaint with a supervisory authority: [PLACEHOLDER: Supervisory or complaint body if applicable — e.g. EU/UK data authority link]. Add the authority name and website when finalized.

9. Cookies and similar technologies

We use cookies and similar technologies as described in our Cookie Policy. If you use advertising or cross-site analytics, describe your consent tool and opt-out links.

10. Children

The Service is not directed to children under the age required in your region. State the minimum age you enforce and how you handle parental consent if minors may use the Service.

11. Security

We implement administrative, technical, and organizational measures appropriate to the risk, such as encryption in transit, access controls, and vendor review. Security improves over time; avoid overstated marketing claims.

12. Automated decision-making

State whether you use solely automated decisions that produce legal or similarly significant effects. If you do not, say so plainly.

13. Changes

We may update this Privacy Policy from time to time. We will post the updated version and revise the effective date. Describe how you notify users of material changes (email, banner, or account message).

14. Contact

Questions about privacy: [PLACEHOLDER: contact@yourdomain.com]. Add a Data Protection Officer or EU/UK representative only if you appoint one.