Effective date: 13 September 2025

Applies to: https://bitsellfy.com

 and any related pages or apps that link to this notice (collectively, “BitSellfy”, “we”, “us”, “our”).

WHO WE ARE (CONTROLLER)

Controller: BDigital Sh.p.k, registered in the Republic of Albania (NUIS/NIPT: [●]).

Registered office: Lezhe, Albania.

Privacy email: [[email protected]]

Data Protection Officer (if appointed): [Name / contact]

EU/EEA Representative under GDPR Art. 27 (if required): [Entity and contact in EU/EEA].

We operate a marketplace for digital goods (for example game keys, in-game items and currency, game top-ups, software licenses, digital codes, and similar).

This policy explains how we collect, use, share, and protect personal data about visitors, buyers, and sellers on BitSellfy, including through cookies/SDKs and third-party integrations (payments, KYC/AML, fraud prevention, analytics, and support tools).

Personal Data: information about an identified or identifiable person (for example name, email, IP, device IDs, wallet address).

Processing: any operation on personal data (collection, storage, use, disclosure, deletion).

Controller / Processor: roles as defined by Albanian Law No. 124/2024 (GDPR-aligned).

Sellers: independent merchants listing products on BitSellfy.

Buyers: individuals purchasing from Sellers.

Name, username, email, hashed password, country/region, phone.

KYC/AML (where required by law or by a payment/KYC partner): date of birth, ID/passport details, face/selfie, address, sanctions/PEP screening results.

Order history, listings, cart, prices, fees, discounts; masked payment tokens/IDs returned by providers (we do not store full card numbers).

Crypto: payment transaction hashes, wallet addresses, network/fee data via crypto partners.

IP address, device/browser information, language, referral URLs, session identifiers, log events, security/fraud signals (for example unusual access patterns).

Support tickets, chat logs, dispute/chargeback correspondence, reviews/ratings, feedback.

Business/legal name, NUIS/NIPT, address, representative contact, payout details, tax/VAT information, proof of authorization to sell certain goods.

Account setup and access: create/manage your account, login security. Legal basis: contract.

Marketplace operations: listing, ordering, delivery, payouts, invoices. Legal basis: contract.

Payments and payouts: charge/settle via PSPs/crypto partners. Legal basis: contract and legal obligation.

KYC/AML and sanctions screening: where required by law or partner policies. Legal basis: legal obligation.

Tax and accounting: invoices, statutory records. Legal basis: legal obligation.

Trust and safety/fraud: risk scoring, holds, abuse prevention. Legal basis: legitimate interests.

Support and disputes: help center, order disputes. Legal basis: contract.

Analytics and product improvement: usage statistics, diagnostics. Legal basis: legitimate interests.

Marketing (our own): updates and tips. Legal basis: consent where required.

Cookies/SDKs: strictly necessary vs. optional. Legal basis: legitimate interests or consent depending on category.

Strictly necessary (always on): security, session, consent log.

Analytics/performance (consent): measure traffic and improve features.

Marketing/advertising (consent): measure campaigns and show relevant content.

Server-side signals: rate limiting, bot detection, fraud detection.

Payment and payout processors, crypto gateways, and KYC/AML providers.

Infrastructure and operations vendors (hosting/CDN, monitoring, email/SMS, helpdesk).

Fraud prevention and risk services.

Analytics/diagnostics (only if consented where non-essential).

Sellers (to fulfill your order) – see Section 10 (Roles).

Authorities and dispute-resolution partners where required by law or to protect rights.

We require processors to act only on our instructions and to apply appropriate security.

We may transfer data outside Albania/EEA with appropriate safeguards (for example Standard Contractual Clauses and supplementary measures). We assess recipient laws and implement additional controls where needed. You can request a copy of key SCC terms (redacted).

We keep data only as long as needed for the purpose or to meet legal duties. Typical periods:

Account: while active plus 3 years after last activity (claims/defense).

Orders and accounting records: 10 years from fiscal year end.

KYC/AML: 5 years after the business relationship ends or per applicable duty.

Support/disputes: until case closure plus 3 years.

Consent logs: as long as required to demonstrate compliance.

BitSellfy is an independent controller for platform operation, payments orchestration, risk, compliance, and support.

Sellers are independent controllers for the buyer information they receive to fulfill the order (for example delivery contact, in-game character). Sellers must comply with applicable data-protection laws and may only use buyer data to fulfill and support the order, not for unrelated marketing unless they have a lawful basis.

Processors: certain vendors act as our processors (hosting, email, support, etc.).

Subject to conditions/exceptions in law, you can access, rectify, erase, restrict, object (including to profiling for direct marketing), and port your data. Where we rely on consent, you may withdraw it at any time.

How to exercise: email [email protected]

 from your account email and specify the request type. We may need to verify identity and scope (for example order IDs). If we cannot resolve, you may lodge a complaint with the Information and Data Protection Commissioner of Albania.

We do not knowingly allow accounts under 16 without verified parent/guardian consent for information society services. If you think a child under 16 used BitSellfy without proper consent, contact us to remove the account and related data.

We use administrative, technical, and organizational measures such as network isolation, encryption in transit/at rest where feasible, role-based access, logging, least-privilege, and vendor due diligence. No method is 100% secure; please keep your credentials safe and enable available 2FA.

Data breach: We assess incidents and notify the authority and affected users when required by law.

BitSellfy privacy contact: [email protected]

Information and Data Protection Commissioner (Albania): see official website for current contacts (office in Tirana; general info address [email protected]).

We may update this policy from time to time. We will post the updated version and, for material changes, notify you in-product or by email. Continued use after the effective date means you accept the new policy.

Consumer withdrawal for digital content: keys/codes revealed or services fully performed after express consent typically exclude the 14-day withdrawal right.

Payments/AML: we may conduct KYC/AML checks and retain related records per legal requirements.

E-commerce provider information duties: we publish company identity and contact details on our legal pages/footer.