PRIVACY POLICY
OpnSkin · Skin marketplace and P2P trading (CS2, Dota 2, TF2, Rust)
Effective date · May 2026
01
INTRODUCTION
OpnSkin ("we", "our", "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains in detail how we collect, use, store, share, and protect your personal information when you use our skin marketplace, peer-to-peer trading platform, wallet services, and all related features (collectively referred to as "OpnSkin" or the "Services").
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and accept the data practices described herein. If you do not agree with any part of this policy, please discontinue your use of our platform immediately. This policy applies to all users of OpnSkin, regardless of how they access the Services (web, mobile, browser extension, or API).
02
WHAT OPNSKIN DOES
OpnSkin is a peer-to-peer marketplace where users can buy and sell in-game skins and virtual items for supported games including Counter-Strike 2, Dota 2, Team Fortress 2, and Rust. Our platform serves as an intermediary to facilitate safe transactions between buyers and sellers. We provide the following core services:
- Marketplace · A platform for listing, browsing, searching, and purchasing in-game skins with built-in escrow protection to ensure both parties are protected during every transaction.
- Instant Sell · A service allowing users to sell their items directly to OpnSkin for an immediate payout at a guaranteed price, without waiting for a buyer (coming soon).
- Payments & Payouts · All marketplace payments are processed securely through Trustap, our payment provider. Buyers pay at checkout via Trustap's hosted page (card, iDEAL, Bancontact, P24, Wero, and other supported methods). Sellers receive their payouts directly to their linked bank account through Trustap after the escrow period.
- KYC & Tiers · An identity verification system and progressive tier structure that rewards active sellers with lower marketplace fees, higher transaction limits, and increased OPN point earnings.
- Skin Draft Leagues & OPN · Optional weekly competitions where users draft five skins (knife, gloves, rifle, sniper, pistol) from a curated pool and score points based on real market price movements × wear multiplier. Two formats are offered: Amateur (free entry, OPN prizes) and Elite (paid entry in OPN, premium real-skin prizes). The leagues are powered by OPN, our in-platform points currency, which is earned through marketplace activity and league winnings.
03
PERSONAL DATA WE COLLECT
3.1 Information You Provide Directly
When you create an account, link external services, verify your identity, or contact our support team, you voluntarily provide us with certain personal information. This includes:
- Steam Account Data · When you link your Steam account, we receive your Steam ID, display name, avatar image, and profile URL. This data is necessary for us to verify item ownership, initiate trade offers, and display your identity on the marketplace.
- Email & Google Account · If you sign up with email or link a Google account, we collect your email address, name, and profile data. This is used for account creation, authentication, and communication purposes.
- KYC Documents & Biometric Data · When you choose to verify your identity (Level 2 verification), you provide identity documents (passport, national ID, or driver's licence) and undergo a live selfie capture with liveness detection and automated face matching. This process is carried out by our third-party verification provider, Didit (Didit Technology S.L.). Your identity documents and biometric data (facial image) are transmitted directly to Didit for processing. OpnSkin receives only the verification result (approved, declined, pending) and AML screening status; we do not store your identity documents or biometric images on our servers. Didit processes this data in accordance with their own privacy policy and applicable EU regulations.
- Spending Limits & Self-Exclusion Preferences · If you configure personal spending limits for draft leagues or activate self-exclusion, we store these settings (limit amounts, exclusion period) as part of your account data to enforce them across sessions.
- Payment Information · When you make a purchase, you are redirected to a Trustap-hosted checkout page. OpnSkin does not collect or store your card details or bank information; all payment data is handled directly by Trustap in accordance with their privacy policy and PCI DSS standards.
- Support Communications · Any messages, attachments, screenshots, or other materials you send us through our support channels are collected and stored to resolve your issues effectively.
3.2 Information Collected Automatically
When you use OpnSkin, certain technical and usage information is collected automatically by our servers and analytics tools. This helps us maintain security, diagnose technical issues, and improve the user experience:
- Technical Data · Your IP address, browser type and version, device type, operating system, screen resolution, and timezone. This information is used for security monitoring, fraud detection, and platform optimisation.
- Usage Data · Pages visited, features used, actions taken (such as listings created, trades completed, wallet operations performed), time spent on pages, and navigation paths. This helps us understand how users interact with the platform.
- Cookies & Session Data · Session identifiers, authentication tokens, language preferences, currency settings, and other data stored via cookies and local storage. See our Cookie Policy for full details.
3.3 Steam Data
We access certain data from the Steam platform via the Steam Web API, but only data that is strictly necessary to operate the marketplace. This includes information about item ownership in your Steam inventory, your trade offer eligibility and settings, and your Steam Guard and trade hold status. We do not access or collect your in-game communications, friend list details, purchase history on Steam, or any other data beyond what is required for our marketplace operations.
04
HOW WE USE YOUR DATA
We use the personal data we collect for the following purposes. Each purpose is necessary for us to provide, secure, and improve our Services:
- Provide the Services · Operating your account, facilitating marketplace transactions, managing escrow, processing wallet deposits and withdrawals, and delivering OPN rewards and league prizes.
- Security & Fraud Prevention · Detecting and preventing fraudulent activity, scam trades, account takeovers, and other forms of abuse. This includes our automated scam detection system that monitors trade offers and account behaviour patterns.
- Customer Support · Responding to your support requests, investigating and resolving disputes between buyers and sellers, and communicating important updates about your account or transactions.
- Platform Improvement · Analysing usage patterns to develop new features, improve existing functionality, optimise performance, and fix bugs. This includes A/B testing and user experience research.
- Legal & Compliance · Complying with applicable laws and regulations (including EU/GDPR, French data protection law, anti-money laundering requirements), responding to legal requests, and exercising or defending our legal rights.
05
LEGAL BASIS (GDPR)
Where the General Data Protection Regulation (GDPR) applies to you, we process your personal data on one or more of the following legal bases. The table below maps each processing purpose to its corresponding legal basis:
| Purpose | Legal Basis |
|---|---|
| Providing the Services (account, marketplace, wallet, escrow) | Performance of contract |
| Security, fraud prevention, and abuse detection | Legitimate interest |
| Marketing communications and promotional offers | Consent |
| Analytics and platform improvement | Legitimate interest |
| Identity verification (KYC) and AML screening | Legal obligation + Explicit consent (biometric data) |
| Responsible gaming (spending limits, self-exclusion) | Performance of contract |
| Legal and regulatory compliance (AML, tax, etc.) | Legal obligation |
06
SHARING YOUR DATA
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We may share your data only in the following limited circumstances, and only to the extent necessary:
- Service Providers · We work with trusted third-party providers who help us operate OpnSkin, including: Trustap (payment processing and escrow for marketplace transactions), Didit (identity verification and AML screening), cloud hosting providers, email delivery services (Resend), and analytics tools (PostHog). These providers process your data on our behalf and under our instructions, subject to appropriate data processing agreements.
- Legal Requests · We may disclose your data to law enforcement agencies, courts, or regulatory authorities when we are legally obligated to do so, or when we receive a valid legal request such as a court order or subpoena.
- Rights & Safety · We may share data when we believe in good faith that it is necessary to enforce our Terms of Use, protect the safety of our users or the public, or protect OpnSkin's legal rights and property.
- Business Transfers · In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change.
Trustap (payment processing & escrow). To facilitate the collection, holding, and release of funds for marketplace transactions, OpnSkin shares relevant transaction and user data with Trustap.com, an independent third-party processor with whom you enter into a direct contractual relationship when transacting. By using the marketplace you consent to this sharing. Trustap processes this data as an independent controller under its own Privacy Policy; please review it alongside this Policy. This processing is necessary for the performance of your transaction contract and, where applicable, based on your consent under the GDPR.
07
RETENTION
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The specific retention periods depend on the type of data:
- Account Data · Retained while your account is active and for a reasonable period after account closure (typically 30 days) to allow for reactivation or to resolve any pending issues.
- Transaction & Wallet Records · Retained for the period required by applicable financial regulations and tax laws, which may be up to 10 years depending on your jurisdiction.
- Security Logs · Retained for a limited period (typically up to 12 months) for security monitoring and incident investigation, unless a longer period is required for ongoing legal proceedings or disputes.
- KYC & Verification Data · Your verification status (approved, declined, pending) and AML screening result are retained for the duration of your account and for a minimum of 5 years after account closure, as required by anti-money laundering regulations. Identity documents and biometric data are processed and retained by Didit in accordance with their data retention policy; OpnSkin does not store these documents.
- Spending Limits & Self-Exclusion · Your configured spending limits and self-exclusion history are retained as long as your account is active and for 30 days after account closure.
- Support Records · Retained until the support matter is fully resolved, plus a reasonable follow-up period to handle any related inquiries or escalations.
08
YOUR RIGHTS (GDPR)
If the GDPR applies to you (for example, if you are located in the European Economic Area), you have the following rights regarding your personal data. You can exercise any of these rights at any time:
- Right of Access · You can request a copy of all personal data we hold about you, along with information about how it is processed.
- Right to Rectification · You can request that we correct any inaccurate or incomplete personal data.
- Right to Erasure · You can request that we delete your personal data, subject to certain legal exceptions (such as data we are required to retain by law).
- Right to Restriction · You can request that we limit the processing of your data in certain circumstances, for example while a complaint is being investigated.
- Right to Portability · You can request to receive your personal data in a structured, commonly used, machine-readable format, and to have it transferred to another controller.
- Right to Object · You can object to processing of your data that is based on our legitimate interests, including profiling. We will stop processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent · Where we process your data based on your consent (e.g. marketing), you can withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés).
09
SECURITY
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. Our security measures include:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). Sensitive data at rest is also encrypted where applicable.
- Secure session management with CSRF protection, HTTP-only cookies, and automatic session expiration after periods of inactivity.
- Role-based access controls ensuring that only authorised personnel can access personal data, with access logged and monitored.
- Regular security audits, vulnerability assessments, and updates to our security practices in line with industry best practices.
- DDoS protection and web application firewall provided by Cloudflare to protect against external attacks.
While we strive to protect your data, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to doing everything reasonably possible to safeguard your information.
10
COOKIES
OpnSkin uses cookies and similar technologies for essential functionality (authentication, security), user preferences (language, currency), and analytics (understanding how the platform is used). We use only the cookies that are necessary to provide a secure and functional experience, plus optional analytics cookies that you can decline. For a complete list of all cookies we use, their purposes, and their durations, please see our dedicated Cookie Policy.
11
BROWSER EXTENSION
If you choose to install the OpnSkin browser extension, it may access additional data on your device to provide its features. The extension is designed to enhance your experience when browsing Steam market pages by displaying OpnSkin prices, savings, and comparison data directly in the Steam interface.
What the extension does
- Displays OpnSkin marketplace prices alongside Steam Community Market prices on item listing pages
- Shows price comparisons and potential savings when buying through OpnSkin instead of Steam
- Reads Steam inventory page content to help you identify items that can be listed on OpnSkin
- Synchronises your login session between the OpnSkin website and the extension for seamless operation
- Stores your extension preferences (display settings, notification preferences) locally on your device
Data accessed by the extension
- Cookies · The extension accesses OpnSkin session cookies to synchronise your authenticated state between the website and the extension, so you don't need to log in separately.
- Local Storage · Extension preferences, cached price data, and display settings are stored locally on your device and are not transmitted to our servers.
- Page Content · The extension reads the DOM (page structure) of Steam Community Market pages to inject price overlay elements. It does not read content from any other websites.
We do not sell, share, or transmit extension-collected data to any third party. The extension communicates only with OpnSkin servers to fetch pricing data and verify your session.
12
MINORS
Our Services are not intended for, and should not be used by, individuals under the age of 18. We do not knowingly collect personal data from minors under 18 years of age. Age verification is enforced during our identity verification (KYC) process: users who do not meet the minimum age of 18 are automatically declined. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at [email protected] so that we can take steps to delete such information from our systems.
13
INTERNATIONAL TRANSFERS
Your personal data is primarily processed within the European Union. However, some of our service providers (such as cloud infrastructure or payment processors) may process data in other countries. When your data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place, such as the European Commission's standard contractual clauses or adequacy decisions, to provide a level of data protection equivalent to that in the EU.
14
CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email (if we have your email address) or by posting a prominent notice on the platform. The "Effective date" at the top of this page will always indicate when the policy was last revised. We encourage you to review this page periodically to stay informed about how we protect your data.
15
CONTACT
If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data, or how we handle your information, please contact us using any of the methods below. We aim to respond to all inquiries within 30 days.
Data Controller
OpnSkin (SASU) - RCS Paris 101 695 310
Registered office: 24 rue Cambon, 75001 Paris, France
EUID: FR7501.101695310
Privacy inquiries · [email protected]
General support · [email protected]
Data Protection Officer · [email protected]
Supervisory authority (France) · CNIL · www.cnil.fr
Last updated · May 2026