GDPR Policy

For the purposes of the GDPR, SellCodeApp acts as the data controller for personal data collected through our platform. This means we determine the purposes and means by which your personal data is processed.

• Platform: SellCodeApp — sellcodeapp.com
• Contact: [email protected]

Where sellers collect personal data from their buyers through the platform (e.g., for support purposes), they may act as an independent data controller or processor. Sellers are responsible for ensuring their own GDPR compliance in such cases.

We only process your personal data where we have a valid lawful basis under Article 6 of the GDPR:

Account and identity data

• Name, email address, username, and password (hashed)
• Profile information — biography, avatar, social links
• Identity verification documents (where KYC is required)

Transaction and financial data

• Purchase history, order IDs, and license records
• Billing address and payment method type (card details are held by our payment processors — not by us)
• Withdrawal account details for sellers

Technical and usage data

• IP address and approximate location
• Browser type, device, and operating system
• Pages visited, session duration, and clickstream data
• Cookie identifiers and tracking data

Communications data

• Support ticket messages and attachments
• Reviews, comments, and ratings you post
• Emails sent between you and SellCodeApp

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law:

• Account data: Retained for the duration of your account. Deleted or anonymized within 30 days of account deletion, unless required for legal compliance.
• Transaction records: Retained for up to 7 years to comply with tax and financial reporting obligations.
• Support communications: Retained for 2 years after the ticket is closed.
• Marketing consent records: Retained until you withdraw consent, plus 1 year for compliance evidence.
• Server logs and IP data: Retained for up to 90 days for security purposes.

SellCodeApp may transfer your personal data to countries outside the EEA. Where such transfers occur, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers only to countries with an adequacy decision by the European Commission
• Data Processing Agreements (DPAs) with all third-party processors

You may request a copy of the safeguards in place by contacting [email protected].

We share personal data with trusted third-party processors bound by Data Processing Agreements. Key categories include:

• Payment processors — to handle transactions securely (e.g., Stripe, PayPal)
• Cloud hosting providers — to store and serve platform data
• Email delivery services — to send transactional and marketing emails
• Analytics providers — to help us understand platform usage
• Fraud prevention services — to detect and prevent abuse

We do not sell your personal data to any third party.

You may exercise any of these rights by contacting us at [email protected]. We will respond within 30 days.

• Access (Article 15): Request a copy of the personal data we hold about you.
• Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Erasure (Article 17): Request deletion of your personal data where there is no overriding legitimate reason to continue processing it.
• Restriction (Article 18): Request that we limit the processing of your data in certain circumstances.
• Portability (Article 20): Request your data in a structured, machine-readable format.
• Object (Article 21): Object to processing based on legitimate interests, including direct marketing.
• Withdraw consent: Where processing is based on your consent, you may withdraw it at any time.

In the event of a personal data breach, SellCodeApp will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights
• Document all breaches internally, including those that do not require external notification

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or the location of the alleged infringement.

A full list of EU supervisory authorities is available at: edpb.europa.eu

We would appreciate the opportunity to address your concerns directly before you approach a supervisory authority. Please contact us first at [email protected].

For any GDPR-related queries, data subject requests, or concerns about how we handle your personal data: