CSTerminal - CS2 Skin Marketplace

1. Introduction

This Privacy Policy explains how CSTerminal ("we", "us", "our"), operating at csterminal.cc, collects, uses, stores, and protects your personal data when you use our Platform.

This policy is designed to comply with the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the Cyprus Processing of Personal Data (Protection of the Individual) Law 138(I)/2001, and other applicable data protection legislation.

Data Controller:
Redboon Limited (operating as "CSTerminal")
Registration Number: ΗΕ 432621
Bouboulinas 1-3, Bouboulina Building, Floor 4, Flat/Office 42
1060 Nicosia, Cyprus
Email: privacy@csterminal.cc

2. Data We Collect

2.1 Data Provided Through Steam Authentication

Data	Purpose	Legal Basis (GDPR Art. 6)
Steam ID	Account identification, item delivery	Contract performance (Art. 6(1)(b))
Steam Display Name	Personalization, display in UI	Contract performance (Art. 6(1)(b))
Steam Avatar URL	Display in UI	Contract performance (Art. 6(1)(b))
Steam Trade URL / Token	Skin delivery via Steam Trade Offer	Contract performance (Art. 6(1)(b))

2.2 Transaction Data

Data	Purpose	Legal Basis (GDPR Art. 6)
Purchase history	Order fulfillment, account history	Contract performance (Art. 6(1)(b))
Balance transactions	Financial records, dispute resolution	Legal obligation (Art. 6(1)(c))
Withdrawal records	Delivery tracking, support	Contract performance (Art. 6(1)(b))
Payment method metadata	Fraud prevention, refunds	Legitimate interest (Art. 6(1)(f))

2.3 Automatically Collected Data

Data	Purpose	Legal Basis (GDPR Art. 6)
IP address	Security, fraud prevention, analytics	Legitimate interest (Art. 6(1)(f))
Browser type & version	Technical compatibility	Legitimate interest (Art. 6(1)(f))
Device information	Technical compatibility	Legitimate interest (Art. 6(1)(f))
Language preference	Localization	Contract performance (Art. 6(1)(b))

2.4 Data We Do NOT Collect

We do not collect email addresses (unless voluntarily provided for support)
We do not collect real names, phone numbers, or physical addresses
We do not collect payment card details (processed entirely by Stripe)
We do not collect Steam passwords or credentials
We do not use tracking cookies for advertising purposes

3. Cookies and Local Storage

Name	Type	Purpose	Duration
Session cookie	Strictly necessary	Authentication state	Session
csterminal-locale	Functional (localStorage)	Language preference	Persistent
csterminal-theme	Functional (localStorage)	Theme preference	Persistent
cw_conversation	Functional	Live chat conversation tracking	Session
cw_user	Functional	Live chat user identification	1 year

We use only strictly necessary and functional cookies/storage. The live chat widget (powered by Chatwoot) uses functional cookies to maintain your support conversation. We do not use advertising, tracking, or analytics cookies that require consent under the ePrivacy Directive (2002/58/EC). Therefore, no cookie consent banner is required for our current cookie usage.

4. Third-Party Data Processors

We share personal data with the following categories of processors:

Processor	Purpose	Data Shared	Location
Stripe	Payment processing	Payment details, transaction amounts	US/EU (Privacy Shield successor, SCCs)
Valve (Steam)	Authentication, item delivery	Steam ID, Trade URL	US (SCCs)
SIH (Steam Inventory Helper)	Skin delivery fulfillment	Steam ID, Trade Token, order details	EU
Vercel	Hosting infrastructure	IP address, request logs	US/EU (SCCs, DPA)
Neon (PostgreSQL)	Database hosting	All user data (encrypted at rest)	EU region

We are in the process of establishing Data Processing Agreements (DPAs) with all processors as required by GDPR Article 28. For transfers outside the EU/EEA, appropriate safeguards including Standard Contractual Clauses (SCCs) are utilized where available.

5. Data Retention

Data Category	Retention Period	Reason
Account data (Steam ID, name)	Until account deletion request	Service provision
Transaction records	7 years after transaction	Tax/accounting obligations
Support tickets	3 years after resolution	Legal claims limitation period
Server logs (IP, requests)	90 days	Security and debugging
AML records	5 years after relationship ends	AMLD5 / Cyprus AML Law

6. Your Rights

6.1 Rights Under GDPR (EU/EEA/Cyprus Residents)

Under the GDPR, you have the following rights:

Right of Access (Art. 15): Request a copy of all personal data we hold about you. We will respond within 30 days.
Right to Rectification (Art. 16): Request correction of inaccurate personal data. Note: Steam-sourced data (name, avatar) is updated automatically from Steam.
Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). We will delete all data except what we are legally required to retain (e.g., transaction records for tax compliance).
Right to Restriction (Art. 18): Request that we limit the processing of your data in certain circumstances.
Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON).
Right to Object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Lodge a Complaint: You may file a complaint with your national Data Protection Authority. For Cyprus: Commissioner for Personal Data Protection (www.dataprotection.gov.cy).

6.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to:

Right to Know: Request what categories and specific pieces of personal information we have collected about you.
Right to Delete: Request deletion of your personal information, subject to legal exceptions.
Right to Opt Out of Sale: We do not sell personal information as defined under the CCPA. No opt-out is necessary.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Right to Correct: Request correction of inaccurate personal information.
Right to Limit: Limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.

6.3 How to Exercise Your Rights

To exercise any of the above rights, contact us at:

Data Protection Requests

Email: privacy@csterminal.cc

Subject line: "Data Subject Request — [Your Steam ID]"

We will verify your identity via Steam authentication before processing any request. Responses within 30 days (GDPR) or 45 days (CCPA).

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the EU/EEA, including the United States. When we transfer data outside the EU/EEA, we ensure adequate protection through:

Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914);
EU-US Data Privacy Framework certification where applicable;
Adequacy decisions by the European Commission where available;
Additional supplementary measures as required by the Schrems II ruling (Case C-311/18).

Our primary database is hosted in the EU region (Neon PostgreSQL), minimizing the need for cross-border data transfers.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

TLS/SSL encryption for all data in transit;
Encryption at rest for database storage;
Access controls and principle of least privilege;
Regular security assessments;
No storage of payment card details (handled entirely by Stripe, PCI DSS Level 1 certified).

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).

9. Children's Privacy

The Platform is not directed at children under 18. We do not knowingly collect personal information from children under 13 (US COPPA threshold) or under 16 (GDPR default threshold, may vary by Member State).

If we discover that we have collected personal data from a child below the applicable age threshold without valid parental consent, we will delete that data promptly. If you believe a child has provided us with personal data, please contact privacy@csterminal.cc.

10. Do Not Track Signals

We do not track users across third-party websites and therefore do not respond to Do Not Track (DNT) signals. We do not use third-party advertising cookies or cross-site tracking technologies.

11. CCPA Annual Disclosure

In the preceding 12 months:

Categories of PI collected: Identifiers (Steam ID), Internet activity (browsing on our site), commercial information (purchases)
Categories of PI sold: None. We do not sell personal information.
Categories of PI disclosed for business purposes: Identifiers and commercial information (to payment processors and delivery partners as described above)

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via a notice on the Platform. The "Last updated" date at the top indicates when the latest revision was made.

For EU residents, we will seek fresh consent where required for material changes to how personal data is processed.

13. Contact Us

For privacy-related inquiries:

Redboon Limited (CSTerminal) — Data Protection

Bouboulinas 1-3, Bouboulina Building, Floor 4, Flat/Office 42

1060 Nicosia, Cyprus

Email: privacy@csterminal.cc

General support: support@csterminal.cc

Supervisory Authorities:

Cyprus: Commissioner for Personal Data Protection — www.dataprotection.gov.cy
EU: Contact your national Data Protection Authority — EDPB Members List

Document Version History

Version	Date	Changes
1.1	February 20, 2026	Added Redboon Limited as data controller. Added Chatwoot cookies. Updated DPA disclosure. Removed VAT references. Added document versioning.
1.0	February 19, 2026	Initial publication. GDPR, CCPA/CPRA, Cyprus data protection coverage.