Privacy Policy

Last updated: May 2025

1. Who We Are

ye2p ("we", "us", "our") operates the website ye2p.com. This Privacy Policy explains how we collect, use, store and protect your personal data when you use our Service, in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and other applicable European data protection legislation.

2. Data We Collect

We may collect the following categories of personal data:

  • Account data: email address, username and password hash when you register.
  • Purchase data: order history, product keys purchased, and transaction identifiers provided by our payment processor (Stripe).
  • Communication data: messages you send us via the Contact page.
  • Technical data: IP address, browser type, device information and pages visited, collected automatically via server logs and cookies.

We do not collect payment card numbers or bank account details — these are handled exclusively by Stripe and never stored on our servers.

3. Legal Basis for Processing

We process your personal data on the following legal bases (GDPR Article 6):

  • Contract performance (Art. 6(1)(b)): to create your account, process orders and deliver digital products.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting and other legal requirements.
  • Legitimate interests (Art. 6(1)(f)): to improve our Service, prevent fraud and maintain security.
  • Consent (Art. 6(1)(a)): for optional marketing communications, which you may withdraw at any time.

4. How We Use Your Data

We use your personal data to:

  • Create and manage your account.
  • Process and fulfil your orders and deliver game keys to your email.
  • Send transactional emails (order confirmations, delivery notifications).
  • Respond to your enquiries and support requests.
  • Detect and prevent fraud and abuse.
  • Comply with legal and regulatory obligations.
  • Send marketing emails where you have given consent (opt-in only).

5. Data Sharing and Third Parties

We share personal data only where necessary:

  • Stripe, Inc. – payment processing. Stripe acts as a data processor under a Data Processing Agreement and complies with GDPR.
  • Supabase, Inc. – database and authentication hosting. Data is stored on servers in the EU/EEA where possible.
  • Legal authorities – where required by law or court order.

We do not sell, rent or trade your personal data to third parties for marketing purposes.

6. International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) or reliance on an adequacy decision by the European Commission, in accordance with GDPR Chapter V.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law. Specifically:

  • Account data: retained for the duration of your account plus up to 3 years after closure.
  • Purchase records: retained for 7 years for tax and accounting compliance.
  • Support communications: retained for 2 years.
  • Technical logs: retained for up to 90 days.

8. Cookies

We use strictly necessary cookies to provide core functionality (authentication sessions). We may also use analytics cookies to understand how the Service is used; where required by law, we will obtain your consent before placing non-essential cookies. You can control cookies through your browser settings.

9. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights under the GDPR:

  • Right of access (Art. 15): obtain a copy of your personal data we hold.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
  • Right to restriction of processing (Art. 18): limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making (Art. 22): we do not make solely automated decisions with significant effects on you.
  • Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us through our Contact page. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection supervisory authority.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or disclosure. All data in transit is encrypted using TLS. Passwords are hashed and never stored in plain text. Despite these measures, no internet transmission is completely secure, and we cannot guarantee absolute security.

11. Children's Privacy

Our Service is not intended for persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the website. The "Last updated" date at the top indicates when the Policy was last revised. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Contact and Data Controller

The data controller for the purposes of GDPR is ye2p (ye2p.com). For any privacy-related enquiries, requests to exercise your rights, or to reach our Data Protection contact, please use our Contact page.