Privacy notice

Last updated: 2026-05-06

What we collect

We collect only the data needed to run the marketplace:

  • Email address
  • Hashed password (bcrypt, cost factor 12)
  • Display name and (optional) verified in-game username
  • Submitted screenshots (Pokemon stats panels, item images, TM images) used for verification and listing previews
  • Listings, offers, ratings, and chat messages you create
  • IP-derived rate-limit identifiers, kept transiently and not associated with your account record
  • Discord OAuth account ID, only if you sign in with Discord

What we do not collect

We do not collect real names, postal addresses, phone numbers, payment information, browsing data outside this domain, or any form of cross-site tracking data. There are no advertising or analytics trackers on this site.

Why we collect it

We use the data above for account security, marketplace operation, dispute resolution, fraud prevention, and transactional notifications. We never sell your data and we never share it for advertising purposes.

Cookies

We set only essential session cookies needed to keep you signed in. We do not load analytics, advertising, or tracking scripts. The consent banner gates anything beyond essential cookies, and that section is currently empty by design.

Sub-processors

We rely on a small set of trusted infrastructure providers:

  • Supabase - database and storage, hosted in the EU-West-1 region
  • Resend - transactional email delivery, EU region
  • Hostinger VPS - application hosting, located in Germany

Retention

We keep your account data while your account is active.

  • Soft-deleted accounts are fully removed within 30 days
  • Verification screenshots auto-purge after 30 days
  • Chat messages are retained while their related listing or offer is live

Your rights (GDPR / CCPA)

You can access, export, correct, or delete your personal data at any time. Email the operator at support@pokeonemarketplace.com to exercise these rights. We respond within 30 days.

Children

We do not knowingly collect data from anyone under 13 years old, or under 16 in the European Economic Area. If we learn that we have collected data from a child below the age of consent, we will delete it.

Security

Traffic is HTTPS-only. Passwords are hashed with bcrypt at cost factor 12. Backend access uses scoped service-role keys, and private storage objects are served through short-lived signed URLs. Session secrets are generated fresh per deployment.

Breach notification

If we confirm a personal data breach that is likely to affect your rights, we will notify affected users within 72 hours, in line with GDPR Article 33.

International transfers

Your data is processed in the European Union: Germany for application hosting and EU-West-1 for the database. We do not transfer personal data to the United States or any other country outside the EU/EEA.

Changes to this notice

We may update this notice. Significant changes will be posted on the site at least 14 days before they take effect.

Contact

Questions about this privacy notice can be sent to support@pokeonemarketplace.com.