QYRONY Privacy Policy
Version: 1.0.0 Last updated: 12 July 2026 Effective from: [●] (at least 30 days after publication)
This Privacy Policy explains how Qyrony Ltd. (“QYRONY”, “we”, “us”, “our”) processes Personal Data when you use the QYRONY Hub platform, in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the Swiss nFADP, and other applicable data-protection laws. It is designed to satisfy the information duties in Articles 13 and 14 GDPR.
1. Who we are and how to contact us
1.1. Data controller
For the core platform services (account, listings, orders, payments, wallet, support), the data controller is:
Qyrony Ltd. Registered office:
[●]Company number:[●]Email:privacy@qyrony.com
1.2. Joint controllers (channels)
When a User or Vendor hosts a Channel that aggregates content and interactions, the channel host acts as joint controller with us for the content they publish within that channel. We have a transparent joint-controller arrangement covering the respective roles, responsibilities, and contact points (Article 26 GDPR); a summary is available at [●]/legal/joint-controller-summary.
1.3. Data Protection Officer (DPO)
Email:
dpo@qyrony.comPostal address:[●]
You can contact our DPO with any question about this Policy, your rights, or our processing.
1.4. EU representative (Article 27 GDPR)
[●]
1.5. UK representative
[●]
2. Personal data we collect
We collect Personal Data directly from you, automatically from your device, and from third parties. The categories are summarised below; specific data points are listed in Annex A.
| Category | Examples | Source |
|---|---|---|
| Identity & account | name, display name, email, phone, profile photo, language, time zone, hashed password | You (registration, profile, vendor verification) |
| KYC & vendor verification | date of birth, government ID, tax identifier (e.g. VAT, EIN, SIREN), bank or payout account, beneficial-owner data, sanctions-screening results | You, via KYC providers |
| Authentication & security | hashed passwords, 2FA secrets, device fingerprints, login timestamps, IP address, security-event logs | You (login), automatically |
| Transaction & wallet | order history, invoices, refunds, dispute records, Wallet balance, top-up and payout history, card tokens (PAN and CVV are never stored by us; only the card-network token) | You, payment processors |
| Listings & content | product data, images, descriptions, prices, auction bids, reviews, channel posts, messages, support tickets | You |
| Behavioural & usage | pages viewed, search queries, click patterns, referrer, time spent, items added to cart or watched, auction watchlists | Automatically, via cookies and SDKs (see §5) |
| Device & connection | IP address, user agent, OS, language, screen size, advertising IDs (where permitted) | Automatically |
| Marketing | email engagement, in-app notifications, marketing preferences, attribution data for our own ads | You, automatically |
| Customer support | messages, call recordings (where you consent), attachments | You |
| Public third-party data | sanctions and PEP lists, public company registries | Third parties |
We do not knowingly collect Special Categories of Data (Article 9 GDPR). If you choose to upload it, you do so at your own risk and you consent to our processing it for the purposes of operating the feature; you can delete it at any time.
3. Why we use your data (purposes and lawful bases)
GDPR requires us to have a lawful basis for each processing activity. The table below sets out the purposes for which we process Personal Data and the corresponding legal ground under Article 6(1) GDPR. Legitimate interests are balanced against your rights and freedoms at the time of the legitimate-interest assessment (LIA); you can request a copy of any LIA.
| # | Purpose | Lawful basis (Art. 6 GDPR) | Categories of data |
|---|---|---|---|
| 1 | Provide the Platform, including account creation, login, listings, auctions, channels, and messaging | (b) Performance of a contract | Identity, authentication, listings, content, device |
| 2 | Process payments, manage the Wallet, issue refunds, prevent fraud | (b) Contract, (c) Legal obligation (tax, AML), (f) Legitimate interests (fraud prevention) | Transaction, KYC, device, behaviour |
| 3 | Vendor verification (KYC, sanctions screening) | (c) Legal obligation (AML, sanctions), (b) Contract | KYC, identity |
| 4 | Order fulfilment, shipping, returns, customer support | (b) Contract | Identity, transaction, support |
| 5 | Safety, security, fraud and abuse prevention, dispute resolution | (f) Legitimate interests (security of service and Users) | All categories; specifically authentication, device, behaviour, transaction |
| 6 | Product analytics and improvement, A/B testing, debugging | (f) Legitimate interests, (a) Consent for non-essential cookies | Behaviour, device |
| 7 | Personalisation of search, recommendations, and homepage | (f) Legitimate interests (within the strict necessity test), with right to opt out | Behaviour, listings, content |
| 8 | Marketing communications (email, push, in-app) | (a) Consent (Article 7 + ePrivacy), or (f) for existing customers with right to opt out | Identity, behaviour |
| 9 | Personalised advertising (third-party ad networks) | (a) Consent (TCF v2.2) | Behaviour, device, advertising IDs |
| 10 | Tax accounting, financial reporting, regulatory record-keeping | (c) Legal obligation | Transaction, KYC |
| 11 | Comply with law enforcement and lawful government requests | (c) Legal obligation | All categories, as required by the request |
| 12 | Establish, exercise, defend legal claims | (f) Legitimate interests | All relevant categories |
| 13 | Reorganisations, M&A, asset sales | (f) Legitimate interests, (a) Consent for material changes | All categories, as transferred |
Automated decision-making and profiling (Art. 22). We use automated systems to: (a) detect fraud and abuse (with human review for adverse effects); (b) rank search and recommendations; (c) decide whether a Listing complies with the Acceptable Use Policy (with a human review on objection); (d) decide initial eligibility for promotional credit (with the right to contest). We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you (such as refusing service, without human review), unless required or authorised by law (e.g. sanctions screening).
4. Who we share your data with
We do not sell Personal Data. We share data only as set out below.
4.1. Other Users
- Buyers see the Vendor’s public profile and Listing details.
- Vendors see the Buyer’s name, delivery address, and any messages in connection with an order.
- Channel members see the content the host publishes and may see your public profile if you post.
4.2. Service providers (processors)
We engage carefully vetted processors under Article 28 GDPR contracts. The current list of sub-processors is published at [●]/legal/subprocessors and changes are notified at least 30 days in advance.
Categories include: cloud hosting, KYC/sanctions screening, payment processing, fraud scoring, email and SMS delivery, push notifications, customer support tooling, analytics, error tracking, content moderation, and storage (including S3-compatible object storage).
4.3. Payment and banking partners
Payment data is shared with licensed payment-service providers and, where required, card networks. We share the minimum data needed to authorise, settle, and reconcile a transaction. We do not store full card numbers or CVV.
4.4. Shipping and logistics
Order data (name, address, phone, items) is shared with the chosen carrier to fulfil delivery. Tracking events are returned to the Platform.
4.5. Professional advisors and authorities
Auditors, lawyers, tax advisors, banks, and regulators where necessary for the purposes in §3.
4.6. Law enforcement and courts
Where we receive a binding legal request or have reasonable grounds to believe disclosure is necessary to prevent imminent harm, illegal activity, or to enforce our Terms. We assess each request for legal validity, publish aggregate statistics, and challenge over-broad requests where appropriate.
4.7. Corporate transactions
If QYRONY is acquired, merged, or sells assets, your data may be transferred to the acquirer under a written undertaking to honour this Policy.
5. Cookies, SDKs, and similar technologies
We use cookies and similar technologies for authentication, security, preferences, analytics, and (with your consent) marketing.
| Category | Strictly necessary? | Consent required? | Examples |
|---|---|---|---|
| Authentication, security, fraud | Yes — required for the service to work | No (Article 6(1)(f) and Recital 32) | session, csrf, device fingerprint |
| Functional preferences | No | No (legitimate interests for non-intrusive UX preferences) | language, dark mode |
| Analytics (first-party) | No | Yes (TCF v2.2) | page views, performance, error tracking |
| Marketing / advertising | No | Yes (TCF v2.2 / IAB Europe) | third-party ad pixels, retargeting |
We implement the IAB Europe Transparency & Consent Framework (TCF v2.2). You can revisit your choices at any time via the in-app “Cookie preferences” link or the cookies.txt page.
For mobile, the equivalent preferences for SDKs are in your device settings (“Limit Ad Tracking” on iOS, “Opt out of Ads Personalisation” on Android).
6. International data transfers
QYRONY operates from [●] and uses cloud infrastructure in [●]. When Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we rely on one or more of the following safeguards (Articles 44–49 GDPR):
- Adequacy decisions — e.g. transfers to the UK, Switzerland, Japan, South Korea, certain US states.
- Standard Contractual Clauses (SCCs) — the 2021 EU Commission SCCs (Module 1 controller–controller, Module 2 controller–processor, Module 3 processor–processor) and the UK International Data Transfer Addendum, executed with each recipient.
- UK and Swiss equivalents — the UK IDTA and Swiss FDPIC SCCs where applicable.
- Supplementary measures — encryption in transit and at rest, pseudonymisation, contractual and organisational access controls, and a transfer-impact assessment for each destination.
You can request a copy of the safeguards and the transfer-impact assessment for your data at dpo@qyrony.com.
7. How long we keep your data
We retain Personal Data only as long as necessary for the purposes in §3, then delete or irreversibly anonymise it. The principal retention periods are:
| Data | Retention | Reason |
|---|---|---|
| Account profile | Account life + 30 days | Closure cushion, recovery |
| KYC and vendor verification | Account life + 5 years (or as required by local AML) | AML/KYC obligations |
| Transaction, Wallet, invoices | 10 years | Tax and accounting law |
| Auction bids and order detail | 5 years after auction close | Consumer protection, disputes |
| Reviews | Until you delete them + up to 5 years | Legitimate interests (buyer confidence) |
| Support tickets | 3 years from last contact | Quality, complaint handling |
| Server logs (with IP) | 6–12 months | Security, debugging |
| Marketing engagement | 24 months of inactivity | Legitimate interests |
| Backups | Rolling 35-day window, then deleted | Disaster recovery only |
Where a legal hold or ongoing dispute requires longer retention, we preserve the data for the duration of the hold and delete it afterwards.
8. Your rights under GDPR
Subject to the conditions and exceptions in GDPR, you have the following rights. They are free of charge, normally answered within one month, and extendable by two further months for complex requests (we will tell you within one month if an extension is needed).
| Right | What it means | How to exercise it |
|---|---|---|
| (a) Access (Art. 15) | Confirm whether we process your data and obtain a copy | Account → Privacy → Download my data |
| (b) Rectification (Art. 16) | Correct inaccurate or incomplete data | Edit your profile, or write to us |
| (c) Erasure (Art. 17) | “Right to be forgotten” — delete data we are not required to keep | Account → Delete account, or write to us |
| (d) Restriction (Art. 18) | Pause processing while a dispute is resolved | Write to dpo@qyrony.com |
| (e) Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON or CSV) and transmit it to another controller | Account → Privacy → Download my data |
| (f) Objection (Art. 21) | Object to processing based on legitimate interests, including profiling | Opt-out controls in product, or write to us |
| (g) Automated decisions (Art. 22) | Not be subject to a decision based solely on automated processing that has legal or similarly significant effects, and to obtain human review | Write to dpo@qyrony.com |
| (h) Withdraw consent (Art. 7(3)) | Withdraw any consent at any time — the withdrawal does not affect the lawfulness of prior processing | Cookie preferences, marketing unsubscribe, account settings |
| (i) Lodge a complaint (Art. 77) | Lodge a complaint with your local supervisory authority | See §8.2 below |
We will not retaliate against you for exercising your rights.
8.1. Identity verification
To prevent unauthorised disclosure, we may need to verify your identity before responding. We use a risk-based approach — the more sensitive the request, the stronger the verification.
8.2. Right to lodge a complaint with a supervisory authority
Without prejudice to any other remedy, you have the right to lodge a complaint with the data-protection authority in your habitual residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. The lead authority for Qyrony Ltd. is [●]. UK residents may complain to the ICO (ico.org.uk); Swiss residents to the FDPIC (edoeb.admin.ch).
9. Children
The Platform is not directed at children under 16 (or the equivalent digital-consent age in your country). We do not knowingly collect data from children. If you believe a child has provided data to us, contact dpo@qyrony.com and we will delete it promptly.
10. Security
We take the security of your data seriously. Our measures include (Article 32 GDPR):
- TLS 1.3 in transit; AES-256 at rest.
- Field-level encryption for sensitive identifiers and KYC data.
- Independent third-party penetration testing at least annually.
- ISO/IEC 27001 and PCI-DSS alignment for the payment environment.
- Role-based access control, least-privilege, hardware-key MFA for staff, audit logging.
- Documented incident-response plan with a 72-hour breach-notification target (Articles 33–34 GDPR).
- Vendor risk management for all processors.
You can read more at [●]/security and review our latest audit certifications on request.
11. Marketing communications
- We send marketing communications only with your consent (or, for existing customers, on a soft-opt-in basis where the law allows, with a clear unsubscribe in every message).
- Every email contains an unsubscribe link and a preference centre link.
- Push notifications can be turned off in your device or in-app settings.
- We do not pass your email to third parties for their own marketing.
12. Third-party links and embedded content
The Platform may link to or embed third-party sites, ads, or social widgets (e.g. video players, maps, social share buttons). Those providers set their own cookies and read your IP. We are not responsible for their privacy practices — review their policies before interacting.
13. Changes to this Policy
We will update this Policy when our practices change or when the law requires it. The current version is always at this URL with an updated “Last updated” date. Material changes (changes to purposes, lawful bases, recipients, retention, or your rights) are notified by email and an in-product banner at least 30 days in advance. Non-material changes (clarifications, typo fixes) are made without advance notice.
14. Contact
For privacy matters:
Data Protection Officer — Qyrony Ltd.
dpo@qyrony.comPostal:[●]EU representative:[●]UK representative:[●]
For a Subject Access Request or any other data-subject request, email privacy@qyrony.com or use the in-product privacy tools.
Annex A — Detailed data inventory (Article 30, internal)
This annex supports our Record of Processing Activities. It is published in summary form to keep the customer-facing Policy readable; the full ROPA is available on request to dpo@qyrony.com.
| Processing | Controller(s) | Processor | Data categories | Data subjects | Recipients | Retention | Transfers | Safeguards |
|---|---|---|---|---|---|---|---|---|
| Account & auth | Qyrony | Cloud, auth | Identity, authentication | All Users | Cloud provider | Account life + 30d | See §6 | SCCs, encryption |
| KYC/AML | Qyrony | KYC provider, bank | KYC, identity | Vendors | KYC, bank, regulators | 5y | See §6 | SCCs |
| Payments & Wallet | Qyrony (as payment agent) | PSP, bank, card networks | Transaction | Buyers, vendors | PSP, bank, card networks | 10y | See §6 | PCI-DSS, SCCs |
| Listings & content | Qyrony (and channel host for their channel) | Cloud, storage, moderation | Listings, content | All Users | Other Users, search engines, storage provider | Until deletion + 5y (reviews) | See §6 | SCCs |
| Auctions | Qyrony | Cloud | Bid history, identity | Bidders, vendors | Vendors | 5y from close | See §6 | SCCs |
| Channels | Joint: Qyrony + channel host | Cloud | Content, identity | Channel members | Channel members, search engines | Channel life | See §6 | SCCs, joint-controller arrangement |
| Marketing | Qyrony | Email, push, ad partners | Identity, behaviour | All Users (consenting) | Ad networks (with consent) | Until withdrawal + 24m | See §6 | Consent, SCCs |
| Analytics | Qyrony | Analytics | Behaviour, device | All Users (consenting) | Analytics provider | 13–24 months | See §6 | SCCs, pseudonymisation |
| Support | Qyrony | Support tooling | Identity, content | Users in contact | Support vendor | 3y | See §6 | SCCs |
| Security & fraud | Qyrony | Fraud scoring | Device, behaviour, transaction | All Users | Fraud vendor, law enforcement (on request) | 6–12m logs | See §6 | SCCs, encryption |
Annex B — Defined terms
- “Personal Data” — any information relating to an identified or identifiable natural person.
- “Processing” — any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
- “Special Category Data” — data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life, or sexual orientation.
- “Profiling” — automated processing of Personal Data to evaluate certain personal aspects, in particular to analyse or predict performance, economic situation, preferences, interests, reliability, behaviour, location, or movements.
- “Consent” — freely given, specific, informed, and unambiguous indication of the data subject’s wishes.
End of Privacy Policy.