← Back to SkinBox

Privacy Policy

Last updated: 14 April 2026.

1. What we collect

Only what we actually need to run the Service. Specifically:

From Steam (via OpenID): your 64-bit SteamID, your public display name, your avatar URL. We do not receive or store your Steam password.
From you directly: an email address (for receipts, verification codes, and password-reset-style flows), an optional display name, and any messages you send through support or to other users.
From Stripe: the payment outcome (success / pending / failed), the last four digits of the card, the card brand, and the country of issue. We never see or store full card numbers. Stripe handles all card data under PCI-DSS Level 1.
From your browser automatically: IP address, user agent string, approximate geolocation derived from IP, the pages you visited on SkinBox, and the referrer URL that brought you here. These are logged for 30 days and used only for abuse detection, rate limiting, and debugging.
Cookies: a session cookie after login, a CSRF token cookie, a currency preference cookie, and a theme preference cookie. No third-party ad cookies. No Google Analytics.

2. What we do with it

Let you log in, place listings, place bids, send offers, and receive payouts.
Send you transactional email: receipts, shipping confirmations, dispute updates, and security alerts.
Prevent fraud, chargeback abuse, and money laundering via Stripe Radar and in-house heuristics.
Show staff enough context to resolve a support ticket you opened yourself.
Generate aggregate, de-identified stats like "total volume traded this week".

3. What we do NOT do

We do not sell your data. Not to advertisers, not to data brokers, not to anyone.
We do not use your data for behavioral advertising.
We do not load third-party ad or tracking scripts on our pages.
We do not share your email with other users unless you explicitly opt in (e.g. leaving it in a public review).

4. Who we share it with

Only the parties we cannot avoid if we want the Service to work:

Stripe — to process deposits and payouts.
Steam (Valve) — every login round-trips through Steam's OpenID endpoint.
Hosting provider — operational access to server logs for debugging.
Law enforcement — only on receipt of a valid legal demand issued under the laws of SkinBox's operating jurisdiction.

5. How long we keep it

Account data: for the life of the account, then 90 days after deletion for dispute resolution, then purged.
Transaction records: 7 years (required by accounting and tax law).
Server logs with IP addresses: 30 days.
Support messages: 2 years after the ticket is closed.

6. Your rights

Depending on where you live you may have the right to:

Get a copy of all data we hold about you.
Correct inaccurate data.
Delete your account and all data we can legally delete (we must keep transaction records for tax purposes).
Export your data in a machine-readable format.
Withdraw consent to marketing emails.
Lodge a complaint with your local data-protection authority.

Email [email protected] and we'll respond within 30 days.

7. Security

We encrypt data in transit (TLS 1.3) and at rest. Passwords — where we use them — are hashed with bcrypt. Secrets are stored in environment variables, not in the codebase. We rate-limit sensitive endpoints, set strict CSP headers, and run automated dependency scans. No system is unhackable. If a breach ever occurs we will notify affected users within 72 hours of discovering it.

8. Children

SkinBox is not intended for users under 18. If we learn that a user is under 18, we will delete the account and refund any remaining balance.

9. Changes

We'll post any changes to this page and update the "Last updated" date. Material changes will also be emailed to you if we have your address.