Last updated: 2026-05-27
1. Data Controller
EuroDomains, contact at privacy@eurodomains.net.
2. Data We Collect
Account: email, hashed password (argon2id), display name, localeProfile: country, optional VAT id, optional bioKYC: identity documents (encrypted at rest, AES-256-GCM)Activity: listings, offers, bids, messages, escrow eventsTechnical: IP address (hashed sha256 for analytics), user agent, session token (hashed)Cookies: see /legal/cookies3. Legal Basis (GDPR Art. 6)
Contract performance (account, marketplace transactions)Legal obligation (tax, AML)Legitimate interest (fraud prevention, analytics with hashed identifiers)Consent (marketing emails, non-essential cookies)4. Retention
Active account: until deletionSoft delete: 30 days reversible window, then hard delete (Phase 11 BullMQ job)Tax / AML records: 10 years (legal requirement)Audit log: append-only, hash-chained, retained for 7 yearsIP / user agent: 90 days then anonymised5. Sharing
We do not sell personal data. Limited disclosure to:
Payment provider (Phase V2 — Stripe/Mollie); currently mock providerEmail provider (Phase V2 — currently mock); we never share to marketersAuthorities upon legal request6. Your Rights (GDPR Art. 15-22)
Access (export all your data — /settings/danger)Rectification (edit profile)Erasure (soft delete + 30-day window)Restriction / objectionData portability (JSON export)Right to lodge complaint with your supervisory authority7. Security
TLS 1.2+ enforcedargon2id password hashingAES-256-GCM for TOTP secrets + KYC documentsSession cookies HttpOnly + Secure + SameSite=StrictHashed IPs in logs (sha256 first 16 chars)Rate limiting (Phase 0 + per-feature)8. International Transfers
Data stays in the EU (Hetzner Germany). No transfers to third countries by default.
9. Changes
Material changes announced 30 days in advance via in-app banner + email.