Privacy Policy
Last updated: 30 September 2025
1. Data Controller
Itemare OÜ (registry code 17309345)
Registered address: Jõe tn 5, Kesklinna linnaosa, Tallinn, 10151, Estonia
Email: privacy@lootkey.org | support@lootkey.org
Data Protection Officer (DPO): privacy@lootkey.org
Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, info@aki.ee, https://www.aki.ee)
Itemare OÜ acts as the data controller determining the purposes and means of processing personal data.
2. Scope
This Privacy Policy applies to all personal data collected through the lootkey.org website, store, payment portals, and related services involving the sale of computer games and digital assets.
3. Legal Basis and Principles
We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and Estonian law. Our legal bases include contractual necessity, legal obligation (AML/KYC), legitimate interests (fraud prevention, analytics), consent (marketing, cookies), and public interest (law enforcement).
4. Data Categories
- Identification data (name, email, billing address)
- Account data (login credentials, orders, preferences)
- Payment data (method, transaction ID; no full card data stored)
- Technical data (IP, browser, OS, device)
- AML/KYC verification data (ID, sanction screening)
- Communications (support messages, logs)
5. Purposes of Processing
Data is processed for:
- Account creation and management
- Payment processing and product delivery
- AML/CFT compliance and fraud prevention
- Customer support and dispute resolution
- Marketing and analytics (if consented)
- Legal recordkeeping and audits
6. AML/KYC Compliance
In compliance with the 6th EU Anti-Money Laundering Directive (AMLD6), LootKey.org may require identity verification for suspicious or high-value transactions. KYC data is securely retained for at least 5 years.
7. Retention
Data retention periods:
- Transaction data — 7 years
- Account data — life of account + 3 years
- Support tickets — 2 years
- Cookie data — up to 24 months
- Consent logs — 12 months
After expiration, data is anonymized or securely deleted.
8. Data Sharing
We share data only when necessary:
- Payment processors (e.g., Stripe, Adyen, Paysera)
- Hosting providers (EU-based)
- Legal/audit consultants
- AML/fraud monitoring systems
All third parties are bound by GDPR-compliant Data Processing Agreements (DPAs).
9. International Transfers
If data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or participation in the EU–US Data Privacy Framework (DPF). Supplementary measures are implemented per Schrems II compliance requirements.
10. Security
We apply encryption, firewalls, multi-factor authentication, access restriction, and regular audits. Incident response and data breach procedures follow GDPR Articles 33–34.
11. User Rights
You have the right to:
- Access, rectification, erasure
- Restriction or objection to processing
- Data portability
- Withdraw consent
Requests: privacy@lootkey.org (response within 1 month).
12. Data Breach Notification
If a breach occurs, we notify the Estonian Data Protection Inspectorate within 72 hours and affected users where high risk exists (GDPR Art. 33–34).
13. Cookies
Cookies are used for analytics, personalization, and marketing only after consent. See https://lootkey.org/cookie-policy for details.
14. Children
lootkey.org is for users aged 18+. We do not knowingly collect data from minors.
15. Updates
This policy may be updated. Material changes are published on the Website or via email notification.
16. Contact
Itemare OÜ
Address: Jõe tn 5, Tallinn, 10151, Estonia
Email: privacy@lootkey.org
Supervisory Authority: Andmekaitse Inspektsioon (info@aki.ee, https://www.aki.ee)