Privacy Policy

Best Team Fortress 2 Trading Site | Buy & Sell Skins Privacy Policy

PRIVACY POLICY – buffstack.org

Effective Date: April 20, 2026

1. DATA CONTROLLER AND OVERVIEW

1.1. Identity of Controller. ZORVET LTD (Company No. 17134711), registered in England and Wales, is the Data Controller responsible for processing your personal data. 1.2. Scope. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit buffstack.org and use our services, including purchasing Team Fortress 2 (TF2) items.
1.3. Agreement. By using our website and services, you agree to the terms of this Privacy Policy.

2. INFORMATION WE COLLECT

2.1. Identity and Contact Data. Includes your name, email address, billing address, and other details you provide.
2.2. Transactional Information. Includes order history, receipts, and payment confirmations.
2.3. Payment Details. Processed securely by third-party payment providers; we do not store full card numbers.
2.4. Steam/Trading Data. Includes your Steam username, trade URL, and transaction status.
2.5. Technical Data. IP address, device/browser type, operating system, and referral source.
2.6. Verification Data. Identity documentation, proof of address, and date of birth required for AML/KYC purposes.

3. DATA COLLECTION AND USAGE

3.1. Collection Methods. Data is collected directly from you (checkout, account creation), automatically (cookies, analytics), and from third-party payment processors (e.g., WooCommerce, PayPal, Stripe).
3.2. Purpose of Use. We use personal data to fulfill orders (including TF2 item delivery), communicate regarding transactions, improve site security, and meet legal/regulatory obligations (tax, AML/CTF).
3.3. Legal Basis. We process data only as necessary to perform your order, meet legal obligations, and prevent fraud.

4. DISCLOSURE AND RETENTION

4.1. Data Sharing. Personal data may be shared with acquiring banks, payment processors, technical providers, Steam/Valve, and regulators or authorities when required by law.
4.2. Non-Sale Policy. We do not sell your personal data.
4.3. Retention Periods. KYC/AML records are kept for a minimum of five years. Transaction and order data are retained for up to 6 years to meet accounting and legal requirements. Support correspondence is stored as long as required to handle your query.

5. YOUR RIGHTS AND SECURITY

5.1. UK GDPR Rights. You have the right to access, correct, or erase your personal data, restrict or object to processing, and lodge a complaint with the ICO (www.ico.org.uk).

5.2. Security Measures. We apply technical and organizational safeguards like encryption. However, you are responsible for keeping your login credentials confidential. 5.3. Automated Decisions. Transactions may be subject to automated checks by banks or fraud-monitoring tools; you have the right to request a human review of such decisions.
5.4. Children’s Privacy. Our services are intended for adults aged 18 or over. We do not knowingly collect personal data from children.