Registered address:
Email: support@lootkey.org
Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, info@aki.ee, https://www.aki.ee)
__________ acts as the data controller determining the purposes and means of processing personal data.
2. Scope
This Privacy Policy applies to all personal data collected through the lootkey.org website, store, payment portals, and related services involving the sale of computer games and digital assets.
3. Legal Basis and Principles
We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and Estonian law. Our legal bases include contractual necessity, legal obligation (AML/KYC), legitimate interests (fraud prevention, analytics), consent (marketing, cookies), and public interest (law enforcement).
4. Data Categories
- Identification data (name, email, billing address)
- Account data (login credentials, orders, preferences)
- Payment data (method, transaction ID; no full card data stored)
- Technical data (IP, browser, OS, device)
- AML/KYC verification data (ID, sanction screening)
- Communications (support messages, logs)
5. Purposes of Processing
Data is processed for:
- Account creation and management
- Payment processing and product delivery
- AML/CFT compliance and fraud prevention
- Customer support and dispute resolution
- Marketing and analytics (if consented)
- Legal recordkeeping and audits
6. AML/KYC Compliance
In compliance with the 6th EU Anti-Money Laundering Directive (AMLD6), LootKey.org may require identity verification for suspicious or high-value transactions. KYC data is securely retained for at least 5 years.
7. Retention
Data retention periods:
- Transaction data — 7 years
- Account data — life of account + 3 years
- Support tickets — 2 years
- Cookie data — up to 24 months
- Consent logs — 12 months
After expiration, data is anonymized or securely deleted.
8. Data Sharing
We share data only when necessary:
- Payment processors (e.g., Stripe, Adyen, Paysera)
- Hosting providers (EU-based)
- Legal/audit consultants
- AML/fraud monitoring systems
All third parties are bound by GDPR-compliant Data Processing Agreements (DPAs).
9. International Transfers
If data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or participation in the EU–US Data Privacy Framework (DPF). Supplementary measures are implemented per Schrems II compliance requirements.
10. Security
We apply encryption, firewalls, multi-factor authentication, access restriction, and regular audits. Incident response and data breach procedures follow GDPR Articles 33–34.
11. User Rights
You have rights to:
- Access, rectification, erasure
- Restriction or objection to processing
- Data portability
- Withdraw consent
Requests: support@lootkey.org (response within 1 month).
12. Data Breach Notification
If a breach occurs, we notify the Estonian Data Protection Inspectorate within 72 hours and affected users where high risk exists (GDPR Art. 33–34).
13. Cookies
Cookies are used for analytics, personalization, and marketing only after consent. See https://lootkey.org/cookie-policy for details.
14. Children
lootkey.org is for users aged 18+. We do not knowingly collect data from minors.
15. Updates
This policy may be updated. Material changes are published on the Website or via email notification.