Qyrony
Feed Market Sell Wallet
Log in

QYRONY Privacy Policy

Version: 1.0.0 Last updated: 12 July 2026 Effective from: [●] (at least 30 days after publication)

This Privacy Policy explains how Qyrony Ltd. (“QYRONY”, “we”, “us”, “our”) processes Personal Data when you use the QYRONY Hub platform, in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the Swiss nFADP, and other applicable data-protection laws. It is designed to satisfy the information duties in Articles 13 and 14 GDPR.


1. Who we are and how to contact us

1.1. Data controller

For the core platform services (account, listings, orders, payments, wallet, support), the data controller is:

Qyrony Ltd. Registered office: [●] Company number: [●] Email: privacy@qyrony.com

1.2. Joint controllers (channels)

When a User or Vendor hosts a Channel that aggregates content and interactions, the channel host acts as joint controller with us for the content they publish within that channel. We have a transparent joint-controller arrangement covering the respective roles, responsibilities, and contact points (Article 26 GDPR); a summary is available at [●]/legal/joint-controller-summary.

1.3. Data Protection Officer (DPO)

Email: dpo@qyrony.com Postal address: [●]

You can contact our DPO with any question about this Policy, your rights, or our processing.

1.4. EU representative (Article 27 GDPR)

[●]

1.5. UK representative

[●]

2. Personal data we collect

We collect Personal Data directly from you, automatically from your device, and from third parties. The categories are summarised below; specific data points are listed in Annex A.

CategoryExamplesSource
Identity & accountname, display name, email, phone, profile photo, language, time zone, hashed passwordYou (registration, profile, vendor verification)
KYC & vendor verificationdate of birth, government ID, tax identifier (e.g. VAT, EIN, SIREN), bank or payout account, beneficial-owner data, sanctions-screening resultsYou, via KYC providers
Authentication & securityhashed passwords, 2FA secrets, device fingerprints, login timestamps, IP address, security-event logsYou (login), automatically
Transaction & walletorder history, invoices, refunds, dispute records, Wallet balance, top-up and payout history, card tokens (PAN and CVV are never stored by us; only the card-network token)You, payment processors
Listings & contentproduct data, images, descriptions, prices, auction bids, reviews, channel posts, messages, support ticketsYou
Behavioural & usagepages viewed, search queries, click patterns, referrer, time spent, items added to cart or watched, auction watchlistsAutomatically, via cookies and SDKs (see §5)
Device & connectionIP address, user agent, OS, language, screen size, advertising IDs (where permitted)Automatically
Marketingemail engagement, in-app notifications, marketing preferences, attribution data for our own adsYou, automatically
Customer supportmessages, call recordings (where you consent), attachmentsYou
Public third-party datasanctions and PEP lists, public company registriesThird parties

We do not knowingly collect Special Categories of Data (Article 9 GDPR). If you choose to upload it, you do so at your own risk and you consent to our processing it for the purposes of operating the feature; you can delete it at any time.

3. Why we use your data (purposes and lawful bases)

GDPR requires us to have a lawful basis for each processing activity. The table below sets out the purposes for which we process Personal Data and the corresponding legal ground under Article 6(1) GDPR. Legitimate interests are balanced against your rights and freedoms at the time of the legitimate-interest assessment (LIA); you can request a copy of any LIA.

#PurposeLawful basis (Art. 6 GDPR)Categories of data
1Provide the Platform, including account creation, login, listings, auctions, channels, and messaging(b) Performance of a contractIdentity, authentication, listings, content, device
2Process payments, manage the Wallet, issue refunds, prevent fraud(b) Contract, (c) Legal obligation (tax, AML), (f) Legitimate interests (fraud prevention)Transaction, KYC, device, behaviour
3Vendor verification (KYC, sanctions screening)(c) Legal obligation (AML, sanctions), (b) ContractKYC, identity
4Order fulfilment, shipping, returns, customer support(b) ContractIdentity, transaction, support
5Safety, security, fraud and abuse prevention, dispute resolution(f) Legitimate interests (security of service and Users)All categories; specifically authentication, device, behaviour, transaction
6Product analytics and improvement, A/B testing, debugging(f) Legitimate interests, (a) Consent for non-essential cookiesBehaviour, device
7Personalisation of search, recommendations, and homepage(f) Legitimate interests (within the strict necessity test), with right to opt outBehaviour, listings, content
8Marketing communications (email, push, in-app)(a) Consent (Article 7 + ePrivacy), or (f) for existing customers with right to opt outIdentity, behaviour
9Personalised advertising (third-party ad networks)(a) Consent (TCF v2.2)Behaviour, device, advertising IDs
10Tax accounting, financial reporting, regulatory record-keeping(c) Legal obligationTransaction, KYC
11Comply with law enforcement and lawful government requests(c) Legal obligationAll categories, as required by the request
12Establish, exercise, defend legal claims(f) Legitimate interestsAll relevant categories
13Reorganisations, M&A, asset sales(f) Legitimate interests, (a) Consent for material changesAll categories, as transferred

Automated decision-making and profiling (Art. 22). We use automated systems to: (a) detect fraud and abuse (with human review for adverse effects); (b) rank search and recommendations; (c) decide whether a Listing complies with the Acceptable Use Policy (with a human review on objection); (d) decide initial eligibility for promotional credit (with the right to contest). We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you (such as refusing service, without human review), unless required or authorised by law (e.g. sanctions screening).

4. Who we share your data with

We do not sell Personal Data. We share data only as set out below.

4.1. Other Users

  • Buyers see the Vendor’s public profile and Listing details.
  • Vendors see the Buyer’s name, delivery address, and any messages in connection with an order.
  • Channel members see the content the host publishes and may see your public profile if you post.

4.2. Service providers (processors)

We engage carefully vetted processors under Article 28 GDPR contracts. The current list of sub-processors is published at [●]/legal/subprocessors and changes are notified at least 30 days in advance.

Categories include: cloud hosting, KYC/sanctions screening, payment processing, fraud scoring, email and SMS delivery, push notifications, customer support tooling, analytics, error tracking, content moderation, and storage (including S3-compatible object storage).

4.3. Payment and banking partners

Payment data is shared with licensed payment-service providers and, where required, card networks. We share the minimum data needed to authorise, settle, and reconcile a transaction. We do not store full card numbers or CVV.

4.4. Shipping and logistics

Order data (name, address, phone, items) is shared with the chosen carrier to fulfil delivery. Tracking events are returned to the Platform.

4.5. Professional advisors and authorities

Auditors, lawyers, tax advisors, banks, and regulators where necessary for the purposes in §3.

4.6. Law enforcement and courts

Where we receive a binding legal request or have reasonable grounds to believe disclosure is necessary to prevent imminent harm, illegal activity, or to enforce our Terms. We assess each request for legal validity, publish aggregate statistics, and challenge over-broad requests where appropriate.

4.7. Corporate transactions

If QYRONY is acquired, merged, or sells assets, your data may be transferred to the acquirer under a written undertaking to honour this Policy.

5. Cookies, SDKs, and similar technologies

We use cookies and similar technologies for authentication, security, preferences, analytics, and (with your consent) marketing.

CategoryStrictly necessary?Consent required?Examples
Authentication, security, fraudYes — required for the service to workNo (Article 6(1)(f) and Recital 32)session, csrf, device fingerprint
Functional preferencesNoNo (legitimate interests for non-intrusive UX preferences)language, dark mode
Analytics (first-party)NoYes (TCF v2.2)page views, performance, error tracking
Marketing / advertisingNoYes (TCF v2.2 / IAB Europe)third-party ad pixels, retargeting

We implement the IAB Europe Transparency & Consent Framework (TCF v2.2). You can revisit your choices at any time via the in-app “Cookie preferences” link or the cookies.txt page.

For mobile, the equivalent preferences for SDKs are in your device settings (“Limit Ad Tracking” on iOS, “Opt out of Ads Personalisation” on Android).

6. International data transfers

QYRONY operates from [●] and uses cloud infrastructure in [●]. When Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we rely on one or more of the following safeguards (Articles 44–49 GDPR):

  • Adequacy decisions — e.g. transfers to the UK, Switzerland, Japan, South Korea, certain US states.
  • Standard Contractual Clauses (SCCs) — the 2021 EU Commission SCCs (Module 1 controller–controller, Module 2 controller–processor, Module 3 processor–processor) and the UK International Data Transfer Addendum, executed with each recipient.
  • UK and Swiss equivalents — the UK IDTA and Swiss FDPIC SCCs where applicable.
  • Supplementary measures — encryption in transit and at rest, pseudonymisation, contractual and organisational access controls, and a transfer-impact assessment for each destination.

You can request a copy of the safeguards and the transfer-impact assessment for your data at dpo@qyrony.com.

7. How long we keep your data

We retain Personal Data only as long as necessary for the purposes in §3, then delete or irreversibly anonymise it. The principal retention periods are:

DataRetentionReason
Account profileAccount life + 30 daysClosure cushion, recovery
KYC and vendor verificationAccount life + 5 years (or as required by local AML)AML/KYC obligations
Transaction, Wallet, invoices10 yearsTax and accounting law
Auction bids and order detail5 years after auction closeConsumer protection, disputes
ReviewsUntil you delete them + up to 5 yearsLegitimate interests (buyer confidence)
Support tickets3 years from last contactQuality, complaint handling
Server logs (with IP)6–12 monthsSecurity, debugging
Marketing engagement24 months of inactivityLegitimate interests
BackupsRolling 35-day window, then deletedDisaster recovery only

Where a legal hold or ongoing dispute requires longer retention, we preserve the data for the duration of the hold and delete it afterwards.

8. Your rights under GDPR

Subject to the conditions and exceptions in GDPR, you have the following rights. They are free of charge, normally answered within one month, and extendable by two further months for complex requests (we will tell you within one month if an extension is needed).

RightWhat it meansHow to exercise it
(a) Access (Art. 15)Confirm whether we process your data and obtain a copyAccount → Privacy → Download my data
(b) Rectification (Art. 16)Correct inaccurate or incomplete dataEdit your profile, or write to us
(c) Erasure (Art. 17)“Right to be forgotten” — delete data we are not required to keepAccount → Delete account, or write to us
(d) Restriction (Art. 18)Pause processing while a dispute is resolvedWrite to dpo@qyrony.com
(e) Portability (Art. 20)Receive your data in a structured, machine-readable format (JSON or CSV) and transmit it to another controllerAccount → Privacy → Download my data
(f) Objection (Art. 21)Object to processing based on legitimate interests, including profilingOpt-out controls in product, or write to us
(g) Automated decisions (Art. 22)Not be subject to a decision based solely on automated processing that has legal or similarly significant effects, and to obtain human reviewWrite to dpo@qyrony.com
(h) Withdraw consent (Art. 7(3))Withdraw any consent at any time — the withdrawal does not affect the lawfulness of prior processingCookie preferences, marketing unsubscribe, account settings
(i) Lodge a complaint (Art. 77)Lodge a complaint with your local supervisory authoritySee §8.2 below

We will not retaliate against you for exercising your rights.

8.1. Identity verification

To prevent unauthorised disclosure, we may need to verify your identity before responding. We use a risk-based approach — the more sensitive the request, the stronger the verification.

8.2. Right to lodge a complaint with a supervisory authority

Without prejudice to any other remedy, you have the right to lodge a complaint with the data-protection authority in your habitual residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. The lead authority for Qyrony Ltd. is [●]. UK residents may complain to the ICO (ico.org.uk); Swiss residents to the FDPIC (edoeb.admin.ch).

9. Children

The Platform is not directed at children under 16 (or the equivalent digital-consent age in your country). We do not knowingly collect data from children. If you believe a child has provided data to us, contact dpo@qyrony.com and we will delete it promptly.

10. Security

We take the security of your data seriously. Our measures include (Article 32 GDPR):

  • TLS 1.3 in transit; AES-256 at rest.
  • Field-level encryption for sensitive identifiers and KYC data.
  • Independent third-party penetration testing at least annually.
  • ISO/IEC 27001 and PCI-DSS alignment for the payment environment.
  • Role-based access control, least-privilege, hardware-key MFA for staff, audit logging.
  • Documented incident-response plan with a 72-hour breach-notification target (Articles 33–34 GDPR).
  • Vendor risk management for all processors.

You can read more at [●]/security and review our latest audit certifications on request.

11. Marketing communications

  • We send marketing communications only with your consent (or, for existing customers, on a soft-opt-in basis where the law allows, with a clear unsubscribe in every message).
  • Every email contains an unsubscribe link and a preference centre link.
  • Push notifications can be turned off in your device or in-app settings.
  • We do not pass your email to third parties for their own marketing.

12. Third-party links and embedded content

The Platform may link to or embed third-party sites, ads, or social widgets (e.g. video players, maps, social share buttons). Those providers set their own cookies and read your IP. We are not responsible for their privacy practices — review their policies before interacting.

13. Changes to this Policy

We will update this Policy when our practices change or when the law requires it. The current version is always at this URL with an updated “Last updated” date. Material changes (changes to purposes, lawful bases, recipients, retention, or your rights) are notified by email and an in-product banner at least 30 days in advance. Non-material changes (clarifications, typo fixes) are made without advance notice.

14. Contact

For privacy matters:

Data Protection Officer — Qyrony Ltd. dpo@qyrony.com Postal: [●] EU representative: [●] UK representative: [●]

For a Subject Access Request or any other data-subject request, email privacy@qyrony.com or use the in-product privacy tools.


Annex A — Detailed data inventory (Article 30, internal)

This annex supports our Record of Processing Activities. It is published in summary form to keep the customer-facing Policy readable; the full ROPA is available on request to dpo@qyrony.com.

ProcessingController(s)ProcessorData categoriesData subjectsRecipientsRetentionTransfersSafeguards
Account & authQyronyCloud, authIdentity, authenticationAll UsersCloud providerAccount life + 30dSee §6SCCs, encryption
KYC/AMLQyronyKYC provider, bankKYC, identityVendorsKYC, bank, regulators5ySee §6SCCs
Payments & WalletQyrony (as payment agent)PSP, bank, card networksTransactionBuyers, vendorsPSP, bank, card networks10ySee §6PCI-DSS, SCCs
Listings & contentQyrony (and channel host for their channel)Cloud, storage, moderationListings, contentAll UsersOther Users, search engines, storage providerUntil deletion + 5y (reviews)See §6SCCs
AuctionsQyronyCloudBid history, identityBidders, vendorsVendors5y from closeSee §6SCCs
ChannelsJoint: Qyrony + channel hostCloudContent, identityChannel membersChannel members, search enginesChannel lifeSee §6SCCs, joint-controller arrangement
MarketingQyronyEmail, push, ad partnersIdentity, behaviourAll Users (consenting)Ad networks (with consent)Until withdrawal + 24mSee §6Consent, SCCs
AnalyticsQyronyAnalyticsBehaviour, deviceAll Users (consenting)Analytics provider13–24 monthsSee §6SCCs, pseudonymisation
SupportQyronySupport toolingIdentity, contentUsers in contactSupport vendor3ySee §6SCCs
Security & fraudQyronyFraud scoringDevice, behaviour, transactionAll UsersFraud vendor, law enforcement (on request)6–12m logsSee §6SCCs, encryption

Annex B — Defined terms

  • “Personal Data” — any information relating to an identified or identifiable natural person.
  • “Processing” — any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
  • “Special Category Data” — data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life, or sexual orientation.
  • “Profiling” — automated processing of Personal Data to evaluate certain personal aspects, in particular to analyse or predict performance, economic situation, preferences, interests, reliability, behaviour, location, or movements.
  • “Consent” — freely given, specific, informed, and unambiguous indication of the data subject’s wishes.

End of Privacy Policy.

© 2026 Qyrony

Terms of Service Privacy Policy Trust & Safety Support