GDPR Compliance

Last updated: February 2026

1. Data Controller

SKINS24 serves as the data controller for your personal data as defined under the General Data Protection Regulation (EU) 2016/679. We establish the purposes and methods of processing your personal data whenever you make use of our CS2 marketplace platform.

All data protection enquiries may be directed to our Data Protection Officer at dpo@skins24.co.uk.

2. Your Rights Under GDPR

As a data subject, the GDPR grants you the following rights:

Right of Access (Article 15): You may obtain a copy of all personal data we hold concerning you, together with details on how it is being processed.

Right to Rectification (Article 16): You may ask us to correct personal data that is inaccurate or to complete data that is incomplete.

Right to Erasure (Article 17): You may request the removal of your personal data where there is no legitimate reason for us to continue processing it, subject to applicable legal retention requirements.

Right to Restriction (Article 18): You may ask us to limit the processing of your data under certain conditions, for example while you dispute its accuracy.

Right to Data Portability (Article 20): You may ask to receive your personal data in a structured, commonly used, machine-readable format for transfer to another controller.

Right to Object (Article 21): You may raise an objection to processing that relies on legitimate interests or that is carried out for direct marketing.

Right to Withdraw Consent (Article 7): Where we process data on the basis of your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before it.

3. Data We Process

Identity Data: Steam ID, Steam display name, and profile avatar retrieved via Steam OAuth authentication.

Transaction Data: Records of purchases, order specifics, payment references, and item trade logs.

Technical Data: IP address, browser type and version, device details, and usage statistics collected through server logs and cookies.

Communication Data: Support tickets, correspondence, and any supplementary information you provide when reaching out to us.

4. Lawful Basis for Processing

Contract Performance (Article 6(1)(b)): Account setup, order processing, item delivery, and customer assistance.

Legitimate Interests (Article 6(1)(f)): Fraud prevention, platform security, service enhancement, and business analytics. We have performed balancing assessments to confirm that these interests do not override your fundamental rights.

Legal Obligation (Article 6(1)(c)): Adherence to anti-money laundering rules, tax reporting duties, and cooperation with law enforcement agencies.

Consent (Article 6(1)(a)): Marketing emails and non-essential cookies. Consent may be withdrawn at any time.

5. Data Retention

We retain personal data in line with the principle of data minimisation. Our specific retention periods are: account data is kept for the duration of your account plus 6 years; transaction records are preserved for 7 years as required by law; server and technical logs are stored for 90 days; support correspondence is maintained for 3 years; and marketing preferences are held until you withdraw your consent.

Once the applicable retention period has passed, data is securely erased or irreversibly anonymised.

6. Data Processors and Transfers

We share personal data with the following categories of data processors, each governed by a data processing agreement that ensures compliance with the GDPR:

Steam / Valve Corporation: Authentication and trade execution. Data may be transferred to the United States under Standard Contractual Clauses.

BitSkins: Marketplace integration for item sourcing and fulfilment.

Payment Processor: Transaction processing, payment settlement, and fraud prevention.

Cloud Infrastructure: Hosting and content delivery, utilising EU data centres wherever feasible.

When data is transferred outside the European Economic Area, we ensure that adequate safeguards exist, including Standard Contractual Clauses approved by the European Commission or relevant adequacy decisions.

7. Data Security

We deploy appropriate technical and organisational measures as mandated by Article 32 of the GDPR. These include TLS encryption for data in transit, encryption at rest for stored information, role-based access controls, regular security evaluations, staff data-protection awareness training, and formalised incident response procedures.

8. Data Breach Notification

Should a personal data breach occur that is likely to pose a risk to your rights and freedoms, we will report it to the competent supervisory authority within 72 hours of detection, as stipulated by Article 33 of the GDPR. Where the breach is assessed as likely to result in a high risk, we will also inform affected individuals without undue delay in accordance with Article 34.

Every breach — regardless of its severity — is logged internally, capturing the facts of the incident, its consequences, and the corrective actions taken.

9. Automated Decision Making

We employ automated systems for fraud detection and anti-money laundering transaction monitoring. These systems may flag transactions for human review based on predefined risk indicators. You retain the right to request human intervention, to express your perspective, and to challenge any decision made exclusively through automated means that has legal or similarly significant effects on you.

10. Exercising Your Rights

To exercise any right afforded to you under the GDPR, please submit a request to dpo@skins24.co.uk. Include your Steam ID or account email address so that we can verify your identity. We will respond within 30 days. Most requests are handled free of charge; however, we may apply a reasonable fee or decline requests that are manifestly unfounded or excessive.

For particularly complex requests, we may extend the response window by up to 60 additional days. If an extension is necessary, we will notify you of the delay and the reasons for it within the initial 30-day period.

11. Right to Lodge a Complaint

If you consider that our handling of your personal data violates the GDPR, you have the right to file a complaint with your local data protection supervisory authority. We encourage you to get in touch with us first at dpo@skins24.co.uk so that we can attempt to address your concerns directly.

12. Children's Data

Our services are not intended for persons under the age of 18. We do not knowingly gather personal data from minors. If we discover that a child has submitted personal data, we will take immediate steps to remove that information from our records.

For questions about this policy, contact us at legal@skins24.co.uk.
