Privacy Policy

What data we collect, why, how long we retain it, and how to exercise your rights. Prepared within the GDPR + Turkish KVKK framework.

Last updated: TBD

1. Data Controller

Data controller: [TBD-Entity], [TBD-Address]. Whether registration with the Turkish data registry (VERBİS) is required will be assessed and stated here once incorporation is complete.

Data protection contact (DPO): [TBD-Email].

2. Legal Framework

This policy is prepared in accordance with applicable data-protection law, in particular Turkey's Law No. 6698 on the Protection of Personal Data (KVKK) and Regulation (EU) 2016/679 (the GDPR).

3. Data We Collect

The following data is processed depending on how you use the service:

  • Account data: email address, display name, password hash (never the plain password), phone number (for verification).
  • Profile and communication: optional profile picture, preferred language, notification settings, on-platform chat transcripts.
  • Identity verification (KYC): identity document, selfie, and verification metadata. Sensitive documents in this category are processed and stored by Stripe Identity; Sigmamarkt only retains the verification status (passed/failed/match score). Document images are not stored on our servers.
  • Payment data: card number, CVV, IBAN, or bank account number are NOT stored on Sigmamarkt servers. All card entry occurs in Stripe's PCI-DSS-compliant hosted fields. Sigmamarkt only stores the Stripe-issued token, payment status, last four digits, card brand, and 3DS outcome.
  • Transaction metadata: order records, escrow states, dispute records, refund-to-credit movements.
  • Technical data: IP address, device/browser fingerprint (canvas/WebGL — for fraud detection), session cookies, user agent, language preference.
  • Security data: sign-in attempts, failed verification events, risk-score signals.
  • Marketing: email marketing preferences (only on opt-in).

4. The Hand-off Ceremony and Publisher Account Access

Special provision for account sales: when an account listing is published, the account is transferred into temporary Sigmamarkt custody (the Hand-off Ceremony). This processing relies solely on the express authorisation the seller grants in the Seller Agreement.

Within the Hand-off scope: (a) Sigmamarkt accesses the publisher account (e.g. Riot, Epic) for a limited period with the seller's permission; (b) the seller credentials used for this access (password + 2FA backup) are stored on our servers under envelope encryption + KMS; the plain-text password is NEVER written to logs, error messages, or any other storage layer; (c) when the listing closes or the seller withdraws it, the account is returned via Reverse Hand-off and the credentials are deleted.

While in Hand-off custody an account is accessed only for: (i) the automated scan at listing time, (ii) the Check Accessibility step triggered when a buyer presses the purchase button, and (iii) human moderation when necessary (dispute review). Each such access is written to the audit log.

5. Purposes and Legal Bases

  • Service performance (contract — GDPR Art. 6(1)(b), KVKK Art. 5(2)(c)): membership, listings, payments, disputes.
  • Legal obligation (GDPR Art. 6(1)(c), KVKK Art. 5(2)(ç)): KYC/AML rules, financial record retention, tax law.
  • Legitimate interest (GDPR Art. 6(1)(f), KVKK Art. 5(2)(f)): fraud prevention, risk scoring, account security, double-listing detection, wash-trading detection.
  • Explicit consent (GDPR Art. 6(1)(a), KVKK Art. 5(1)): marketing notifications, optional analytics.

6. Third-Party Service Providers

To deliver the service we rely on the following processors:

  • Supabase (database and authentication infrastructure): user session, profile, listing, and order data.
  • Stripe (payments + identity verification): card data, KYC documents, 3DS, payout operations. Sensitive data goes directly to Stripe; Sigmamarkt does not see or store such data.
  • Anthropic (AI dispute pre-resolution): used in dispute analysis. Data sent to the model is stripped of personal identifiers (anonymised/pseudonymised); the data is not used to train the model.
  • Postmark / Resend (transactional email): notifications, verification emails, dispute alerts.
  • Smartproxy (residential proxy): used for geo-matching when accessing publisher endpoints. End-user personal data does not flow through the proxy; only outbound publisher-login traffic from Sigmamarkt servers does.
  • Sentry (error monitoring — optional): application error stack traces. User data is scrubbed.
  • Vercel (hosting): application delivery; short-lived request metadata (IP, user agent) is logged.
  • PostHog (analytics — Phase 7+, self-hosted, optional): usage funnels and A/B testing measurements; no ad-network sharing.

Some providers above are located outside the EU/EEA (e.g. in the US). In such cases Standard Contractual Clauses (SCCs) and equivalent safeguards are applied.

7. Retention Periods

  • Account profile: while the account is open + 90 days after closure (recovery window).
  • Transaction and payment records (including audit log): 5 years under financial record-keeping obligations (Turkish Tax Procedure Code / applicable EU rules; the final period will be confirmed at incorporation).
  • Chat records: for as long as a dispute is open; otherwise 12 months.
  • Hand-off vault credentials: deleted as soon as the listing closes; encrypted backups are fully purged within 30 days.
  • KYC document images: governed by Stripe Identity's retention policy; not stored on Sigmamarkt servers.
  • Marketing opt-in records: until opt-out.
  • Security logs: 12 months.

8. Data Subject Rights

Your rights under GDPR and KVKK include:

  • The right to know which data is processed (right of access).
  • The right to rectification of inaccurate data.
  • The right to erasure under specific conditions (right to be forgotten). Erasure may be delayed where an open dispute, financial obligation, or legal retention duty applies; in such cases the reason will be explained.
  • The right to restriction and to object.
  • The right to data portability — to receive your data in a machine-readable format.
  • The right to withdraw consent for consent-based processing (past processing remains valid).
  • The right to lodge a complaint with the data-protection authority (the KVKK Authority in Turkey, or the relevant national authority in the EU).

Requests: [TBD-Email]. We undertake to respond within 30 days; for complex requests this may be extended to 60 days with reasoning provided.

9. Cookies

For cookie details, see the Cookie Policy.

10. Security Measures

  • Passwords are stored using one-way hashes (bcrypt/argon2 family).
  • Publisher account credentials are encrypted under envelope encryption + KMS; plain text is never written to disk or logs.
  • Database access is constrained per user via Row-Level Security (RLS).
  • All traffic is carried over HTTPS / TLS.
  • Admin operations require two-signature approval, audit logging, and a written reason.
  • Suspected breaches are notified to the KVKK Authority within 72 hours.

11. Data of Minors

The service is not directed at users under 18. If we detect that we have collected personal data from someone under 18, we delete it without undue delay.

12. Changes

This policy may be updated. We will give at least 14 days' notice of material changes.

This text is a draft. It is not binding until reviewed by a Turkish fintech lawyer and GDPR/KVKK counsel. The effective date will be set after final approval.