Privacy Policy
Effective Date: 19 April 2025
1. Introduction
Welcome to skinboost.store (the “Website”), an online store operated by Skinboost OÜ (“Skinboost”, “we”, “our” or “us”). Protecting your privacy and the security of your personal data is central to everything we do. This Privacy Policy explains which personal data we collect from you, why we collect it, how we use it, and the rights you have in relation to it. It applies whenever you visit the Website, create an account, purchase Counter‑Strike 2 (CS 2) in‑game items (“Skins”), or otherwise interact with us.
2. Data Controller
Skinboost OÜ
Registration No.: 16720587
Vesivärava tn 50‑301, Kesklinna linnaosa, 10152 Tallinn, Harju maakond, Estonia
E‑mail: info@skinboost.store
For the purposes of Regulation (EU) 2016/679 (“GDPR”) and other applicable data‑protection laws, Skinboost OÜ is the data controller of your personal data.
3. Personal Data We Collect
Category | Examples | Source |
---|---|---|
Account & Identification Data | Steam ID, Steam avatar, nickname, e‑mail address, login username and hashed password (if you create a local account) | Directly from you via Steam OpenID or registration form |
Transaction Data | Purchased Skin, price, currency, order ID, transaction timestamps, trade URL you provide for item delivery | Generated in the course of purchase |
Payment Data | Last four digits of card, card type (Visa/Mastercard), payment status | Received from our payment processor; we do not store full card details |
Technical & Usage Data | IP address, browser type/version, device identifiers, time zone, referring URLs, pages viewed, cookies | Collected automatically via cookies & similar tech |
Support Data | Content of messages you send to info@skinboost.store, refund requests, return documentation | Directly from you |
Marketing Preferences | Opt‑in/opt‑out status for newsletters, promotions | Directly from you |
We do not intentionally process special categories of personal data (e.g. health data) or data of children under 16. If you believe we have collected such data inadvertently, please contact us immediately.
4. Legal Bases for Processing
We process your personal data only when a lawful basis applies:
- Contract Performance (Art. 6 (1)(b) GDPR) – to create your account, process and deliver orders, issue refunds, and provide customer support.
- Legal Obligation (Art. 6 (1)(c) GDPR) – to comply with bookkeeping, tax, and anti‑fraud obligations under EU and Estonian law.
- Legitimate Interests (Art. 6 (1)(f) GDPR) – to secure the Website, prevent fraud, improve our services, and defend legal claims. We balance these interests against your rights and freedoms.
- Consent (Art. 6 (1)(a) GDPR) – for optional cookies, direct marketing e‑mails, and any data sharing that is not strictly necessary for contract performance. You may withdraw consent at any time.
5. How We Use Your Data
- Account Management & Authentication – enabling Steam Login or password‑based login.
- Order Processing & Delivery – validating your trade URL, transferring the purchased Skin via the Steam trading system.
- Payments – forwarding payment details securely to our PCI‑DSS‑compliant payment provider; reconciling payments.
- Customer Support & Returns – verifying orders, answering questions, handling the 14‑day return policy.
- Fraud Prevention & Security – logging IP addresses and transaction patterns to detect abuse.
- Analytics & Service Improvement – using aggregated statistics to understand how users navigate the Website.
- Marketing (with consent) – sending you newsletters or promotional offers.
6. Payment Processing
All payments are handled through a PCI DSS Level 1‑certified payment gateway. Card data is entered directly on the payment provider’s encrypted servers and never touches our systems. We receive only a payment token and limited card metadata (e.g. last four digits, card type) necessary for fraud screening, refunding, and accounting.
7. Cookies & Similar Technologies
We use:
- Essential Cookies – required for core site functionality (e.g. maintaining session after Steam login).
- Analytics Cookies – help us understand Website usage (e.g. Google Analytics with IP anonymisation). Placed only with your consent.
- Marketing Cookies – enable personalised offers and retargeting. Used only if you opt in.
You can manage cookie preferences at any time via our cookie banner or your browser settings. For full details see our Cookie Notice.
8. Sharing & Disclosure of Data
We share personal data only when necessary and under written agreements that protect your data:
Recipient | Purpose | Location | Safeguards |
---|---|---|---|
Valve Corporation (Steam) | Account authentication; delivery of Skins via trade offers | USA | Standard Contractual Clauses (SCCs) |
Payment Processor | Processing Visa/Mastercard payments, fraud checks | EU/EEA or USA | PCI DSS, SCCs as applicable |
Hosting & Infrastructure Providers | Website hosting, database storage, content delivery | EU (primary) | ISO 27001, data‑processing agreement |
Professional Advisors | Legal, tax, audit services | EU | Confidentiality agreements |
Competent Authorities | Where required by law or court order | EU | Legal obligation |
We never sell your personal data.
9. International Data Transfers
Some partners (e.g. Valve Corporation, certain analytics providers) are located outside the European Economic Area. Where we transfer personal data internationally, we rely on:
- European Commission adequacy decisions;
- Standard Contractual Clauses (SCCs) 2021/914 supplemented by appropriate technical and organisational measures; or
- Your explicit consent (for optional services).
10. Data Retention
We keep personal data only as long as necessary for the purposes described:
- Order & Payment Records – 7 years under Estonian accounting law.
- Account Data – as long as your account remains active. If you delete your account, we erase data within 30 days except where retention is required by law.
- Support Tickets – 3 years after closure.
- Marketing Consents – until you withdraw consent or after 2 years of inactivity.
11. Security Measures
We implement industry‑standard safeguards, including:
- TLS 1.3 encryption for all data in transit.
- Hashing and salting of local account passwords using Argon2id.
- Role‑based access controls; staff access on a need‑to‑know basis.
- Regular vulnerability scanning, penetration testing, and DDoS mitigation.
- Encrypted backups stored separately within the EU.
12. Your Rights
Under the GDPR you may exercise the following rights (subject to legal conditions):
- Access – obtain confirmation and a copy of personal data we hold about you.
- Rectification – correct inaccurate or incomplete data.
- Erasure – request deletion (“right to be forgotten”).
- Restriction – limit processing while we resolve a dispute.
- Data Portability – receive data in a structured, commonly used, machine‑readable format.
- Objection – object to processing based on legitimate interests or direct marketing.
- Withdraw Consent – at any time, without affecting prior lawful processing.
- Lodge a Complaint – with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.
To exercise any right, e‑mail privacy@skinboost.store or write to the address above.
13. Children’s Privacy
We do not knowingly collect data from anyone under 16. If you believe a child has provided personal data to us, please contact us so we can delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced on the Website or via e‑mail 14 days before they become effective. The “Effective Date” at the top indicates the latest revision.
15. Contact
If you have any questions or concerns about this Privacy Policy or our data practices, please contact our Privacy Team:
E‑mail: privacy@skinboost.store
Postal: Privacy Team, Skinboost OÜ, Vesivärava tn 50‑301, 10152 Tallinn, Estonia