Privacy Policy
Last updated: June 9, 2026
1. Data Controller
The data controller for your personal data is:
- Company: Christopher Jahr Enterprises S.L.U.
- NIF: B26613646
- Address: Placa Espana 11, 07002 Palma, Spain
- Email: info@cardcj.com
- Data Protection Contact: privacy@cardcj.com
2. Information We Collect
2.1 Information You Provide
- Account data: email address, username, display name, password (encrypted)
- Profile data: avatar, bio, social media links
- Seller verification data: legal name, date of birth, address, phone number, tax identification (for sellers only)
- Payment data: payment method details are collected and processed directly by Stripe — we do not store your full card numbers
- Shipping addresses: name, street address, city, postal code, country
- Transaction data: card listings, purchases, sales, offers, reviews
2.2 Information Collected Automatically
- Device data: browser type, operating system, screen resolution
- Usage data: pages visited, time spent, search queries, clicks (via Google Analytics)
- IP address: used for fraud prevention and approximate location
- Cookies: see our Cookie Policy
3. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:
- Contract performance (Art. 6(1)(b)): processing necessary to provide our marketplace services, process transactions, and manage your account
- Consent (Art. 6(1)(a)): analytics cookies and marketing emails, which you can withdraw at any time
- Legitimate interests (Art. 6(1)(f)): fraud prevention, platform security, service improvement, and enforcing our Terms
- Legal obligation (Art. 6(1)(c)): tax reporting, legal compliance, and regulatory requirements
4. How We Use Your Information
- Provide and operate the CardCJ marketplace
- Process payments and manage escrow
- Verify seller identity and prevent fraud
- Send transactional emails (order confirmations, shipping updates)
- Provide customer support
- Analyze platform usage to improve the service (via Google Analytics and Vercel Analytics)
- Enforce our Terms of Service and protect users
- Comply with legal and tax obligations
5. Data Sharing
We do not sell your personal data. We share data with the following third parties only as necessary to operate the service:
- Stripe (Ireland/US) — payment processing and fraud prevention
- Supabase (US) — database hosting and authentication
- Vercel (US) — website hosting and analytics
- Resend (US) — transactional email delivery
- Google Analytics (US) — website usage analytics
- Other users: your username, profile info, listings, and reviews are publicly visible
- Buyers/sellers: shipping address and contact info are shared with the counterparty in a transaction
Where data is transferred outside the EEA (to US-based processors), transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.
6. Data Retention
- Account data: retained while your account is active and for 30 days after deletion
- Transaction data: retained for 5 years for tax and legal compliance
- Seller verification data: retained for 5 years after last transaction for regulatory compliance
- Analytics data: aggregated and anonymized, retained for up to 26 months
- Support communications: retained for 2 years
7. Your Rights (GDPR)
As a user in the European Economic Area, you have the following rights:
- Access (Art. 15): request a copy of your personal data
- Rectification (Art. 16): correct inaccurate or incomplete data
- Erasure (Art. 17): request deletion of your data ("right to be forgotten")
- Restriction (Art. 18): request limitation of processing
- Portability (Art. 20): receive your data in a machine-readable format
- Objection (Art. 21): object to processing based on legitimate interests
- Withdraw consent: where processing is based on consent, you can withdraw at any time
To exercise any of these rights, contact us at privacy@cardcj.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted via TLS/SSL
- Data at rest is encrypted in our database (Supabase)
- Payment data is handled entirely by Stripe (PCI DSS Level 1 certified)
- Passwords are hashed and never stored in plain text
- Row-level security policies restrict data access
- Regular security monitoring and access controls
9. Children's Privacy
CardCJ is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@cardcj.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice on the website. The "Last updated" date at the top indicates the latest revision.
11. Contact
For privacy-related questions or to exercise your rights:
- Privacy: privacy@cardcj.com
- General: info@cardcj.com
- Address: Christopher Jahr Enterprises S.L.U., Placa Espana 11, 07002 Palma, Spain