Privacy Policy

Last updated: January 10, 2025

1. Introduction

VirtualBridge ("we", "us", "our", or "the Platform") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our digital marketplace services. We comply fully with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

By accessing or using VirtualBridge, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with our practices, please do not use the Platform.

2. Data Controller

VirtualBridge acts as the data controller for personal information collected through the Platform. For privacy-related inquiries or to exercise your data protection rights, contact us at:

VirtualBridge Data Protection Officer
Email: [email protected]
Support: [email protected]

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address (required for account creation and authentication)
  • Password (stored in encrypted, hashed format)
  • Account creation timestamp
  • Two-factor authentication credentials (if enabled)

We do NOT require or collect: full name, physical address, phone number, government identification, or Know Your Customer (KYC) information unless specifically requested by you for account recovery purposes.

3.2 Transaction Information

When you make purchases, we collect:

  • Product selections and order details
  • Transaction amounts and timestamps
  • Cryptocurrency payment information (wallet addresses, transaction IDs on public blockchains)
  • Account balance and transaction history
  • Purchase records and order fulfillment data

Note: Cryptocurrency transactions are recorded on public blockchains and are pseudonymous but not anonymous. We do not have control over blockchain data.

3.3 Usage and Technical Data

We automatically collect certain technical information when you use the Platform:

  • IP address (anonymized after 90 days for non-security purposes)
  • Browser type and version
  • Device information (operating system, screen resolution)
  • Referring/exit pages and URLs
  • Session duration and navigation patterns
  • Timestamps of access

This data is collected via server logs and is used for security monitoring, fraud prevention, and service improvement.

3.4 Communications Data

When you contact us for support or use our ticketing system, we collect:

  • Support ticket content and correspondence
  • Email communications
  • Telegram usernames (if you contact us via Telegram)
  • Timestamps of communications

3.5 Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential Cookies: Required for authentication, security, and core functionality
  • Preference Cookies: Store your settings (theme, language preferences)
  • Security Cookies: Help detect fraudulent activity and protect your account

We do NOT use advertising cookies, third-party analytics (Google Analytics, Facebook Pixel, etc.), or cross-site tracking mechanisms. You can control cookie preferences through your browser settings.

4. How We Use Your Information

We process your personal information for the following lawful purposes:

4.1 Contract Performance

  • Creating and managing your account
  • Processing transactions and delivering purchased products
  • Maintaining order history and transaction records
  • Providing customer support and responding to inquiries

4.2 Legitimate Interests

  • Fraud prevention and security monitoring
  • Improving Platform functionality and user experience
  • Troubleshooting technical issues
  • Analyzing usage patterns to optimize services
  • Enforcing our Terms of Service

4.3 Legal Obligations

  • Complying with applicable laws and regulations
  • Responding to lawful requests from authorities
  • Maintaining records required by financial regulations
  • Preventing illegal activities (money laundering, fraud, etc.)

4.4 Consent

  • Sending promotional communications (only if you opt in)
  • Using optional features requiring additional data processing

5. Data Sharing and Disclosure

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes. We share your information only in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party service providers who process data on our behalf under strict contractual obligations:

  • Hosting and Infrastructure: Supabase (PostgreSQL database, authentication)
  • Content Management: Sanity CMS (product and inventory data)
  • Payment Processing: NowPayments (cryptocurrency payment gateway)

All service providers are contractually bound to process data only as instructed, implement appropriate security measures, and comply with GDPR where applicable.

5.2 Legal Requirements

We may disclose information when required by law or in the good-faith belief that such action is necessary to:

  • Comply with legal process (subpoenas, court orders, warrants)
  • Enforce our Terms of Service
  • Respond to claims of illegal activity or policy violations
  • Protect the rights, property, or safety of VirtualBridge, users, or the public

We will notify affected users of legal demands unless prohibited by law or court order.

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, user information may be transferred to the acquiring entity. You will be notified via email and/or a prominent notice on the Platform of any change in ownership or use of your personal information.

5.4 No External Sharing

We explicitly do NOT share your data with:

  • Advertising networks or data brokers
  • Social media platforms
  • Third-party marketers
  • Any entity outside our organization except as stated above

6. Data Security

We implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction:

6.1 Technical Safeguards

  • Encryption: TLS 1.3 for data in transit, AES-256 encryption for sensitive data at rest
  • Authentication: Bcrypt password hashing, optional two-factor authentication (2FA)
  • Access Controls: Role-based access, principle of least privilege for staff
  • Network Security: Firewalls, intrusion detection systems, DDoS protection
  • Database Security: Row-level security policies, automated backups

6.2 Organizational Measures

  • Regular security audits and vulnerability assessments
  • Employee training on data protection and security best practices
  • Incident response plan for data breaches
  • Secure development lifecycle practices

6.3 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you within 72 hours of discovery via email, as required by GDPR. We will provide information about the nature of the breach, potential consequences, and measures taken to address it.

6.4 Your Responsibility

While we implement robust security measures, you are responsible for:

  • Maintaining the confidentiality of your account credentials
  • Using strong, unique passwords
  • Enabling two-factor authentication
  • Immediately reporting suspected unauthorized access

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods

  • Account Information: Retained for the duration of account activity, plus 90 days after account deletion
  • Transaction Records: 7 years (required for financial compliance and tax purposes)
  • Support Communications: 3 years after ticket closure
  • Server Logs: IP addresses anonymized after 90 days; anonymized logs retained for 1 year
  • Security Incident Data: 5 years (for investigation and legal defense purposes)

7.2 Deletion Process

After retention periods expire, we securely delete or anonymize personal information using industry-standard data destruction methods. Anonymized data may be retained indefinitely for statistical and research purposes.

8. Your Privacy Rights

Under GDPR, CCPA, and other data protection laws, you have the following rights regarding your personal information:

8.1 Right of Access

You have the right to request a copy of the personal information we hold about you. We will provide this information in a structured, commonly used, machine-readable format within 30 days.

8.2 Right to Rectification

You can request correction of inaccurate or incomplete personal information. You may update most information directly through your account settings.

8.3 Right to Erasure ("Right to be Forgotten")

You may request deletion of your personal information, subject to legal retention requirements. We will delete your data within 30 days unless we have a legitimate reason to retain it (e.g., ongoing legal obligation, unresolved dispute).

8.4 Right to Restriction of Processing

You can request that we limit how we process your information in certain circumstances (e.g., while contesting data accuracy).

8.5 Right to Data Portability

You have the right to receive your personal information in a portable format and transfer it to another service provider.

8.6 Right to Object

You may object to processing of your personal information based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

8.8 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days and may request identity verification to prevent unauthorized access.

8.9 Right to Lodge a Complaint

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority (supervisory authority).

9. International Data Transfers

VirtualBridge operates internationally, and your personal information may be transferred to and processed in countries outside your jurisdiction, including the United States.

9.1 Transfer Safeguards

When transferring data outside the European Economic Area (EEA), we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission (for transfers to jurisdictions deemed to provide adequate protection)
  • Service providers certified under relevant privacy frameworks

9.2 Data Localization

Where required by local law, we store personal information within specific geographic regions and comply with data localization requirements.

10. Children's Privacy

VirtualBridge is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child under 18, we will promptly delete such information from our systems.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

11. Third-Party Links

The Platform may contain links to third-party websites, services, or resources. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party services you access.

This Privacy Policy applies solely to information collected by VirtualBridge.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on this page with a revised "Last updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on the Platform

Your continued use of the Platform after changes become effective constitutes acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

13. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

13.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you in the past 12 months.

13.2 Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

13.3 Right to Opt-Out

We do NOT sell personal information to third parties. If this changes in the future, we will provide a clear opt-out mechanism.

13.4 Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. You will not be denied services or charged different prices for exercising your rights.

13.5 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We require written authorization and identity verification.

14. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

VirtualBridge Data Protection
Email: [email protected]
Support: [email protected]
Telegram: @VirtualBridge_support

We will respond to your inquiry within 30 days and make reasonable efforts to address your concerns promptly.

By using VirtualBridge, you acknowledge that you have read, understood, and agree to this Privacy Policy and our data processing practices.