Your privacy matters to us. This Policy describes our practices in plain language. We never sell your personal data. You have full rights to access, correct, and delete your information as detailed below.
1. Data Controller
For users in the European Economic Area (EEA) and the United Kingdom, CSS Capital acts as the data controller with respect to personal data processed through the Platform and Services.
Contact for privacy matters:
- Email: csscapital95@gmail.com
- Subject line: "Privacy Request — [Your Name]"
- Website: csscapitalpayment.org
We aim to respond to all privacy inquiries within 30 days as required by GDPR Article 12.
2. Categories of Personal Data We Collect
2.1 Identity and Contact Data
- Email address (required for account delivery and communication);
- Phone number (optional, used where provided);
- Name or display name (if provided during onboarding or support);
- Country of residence (for compliance and service eligibility).
2.2 Blockchain and Transaction Data
- Wallet addresses (public blockchain addresses used for NFT minting and delivery);
- Transaction hashes and minting records (on-chain data, inherently public);
- Payment reference numbers and order metadata.
2.3 Technical Data
- IP address and approximate geolocation;
- Browser type, version, and operating system;
- Device identifiers and screen resolution;
- Access timestamps, session duration, and page views;
- HTTP referrer (how you arrived at our site).
2.4 Communications Data
- Support tickets, emails, and chat records;
- Feedback, survey responses, and testimonials (where provided with consent).
2.5 KYC/Compliance Data (where required)
- Government-issued identification documents;
- Proof of address;
- Sanctions and PEP screening results.
3. How We Collect Personal Data
We collect personal data through the following means:
- Directly from you — when you purchase a Membership Pass, contact us for support, or participate in community channels;
- Automatically — through server logs, cookies, and analytics tools when you visit the Platform;
- From blockchain networks — on-chain transaction and wallet data that is publicly available;
- From payment processors — transaction confirmation data passed back to us post-payment;
- From KYC providers — identity verification results where we conduct AML/KYC checks.
4. Legal Bases for Processing (GDPR Article 6)
| Purpose | Legal Basis |
|---|---|
| Delivering Membership Pass access and community onboarding | Performance of contract (Art. 6(1)(b)) |
| Processing payments and minting NFTs | Performance of contract (Art. 6(1)(b)) |
| Customer support and dispute resolution | Performance of contract (Art. 6(1)(b)) |
| Fraud prevention and platform security | Legitimate interests (Art. 6(1)(f)) |
| Anti-money laundering and sanctions screening | Legal obligation (Art. 6(1)(c)) |
| Tax record keeping | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (newsletters, community updates) | Consent (Art. 6(1)(a)) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f)) |
5. How We Use Your Personal Data
We use collected personal data to:
- Create and manage your account and deliver Membership Pass access;
- Process transactions and coordinate NFT minting and delivery;
- Provide customer support and respond to your inquiries;
- Verify your identity and conduct AML/KYC checks where required;
- Screen against applicable sanctions lists;
- Detect and prevent fraud, abuse, and security incidents;
- Improve and maintain the Platform and Services;
- Send transactional communications (purchase confirmations, access notifications);
- Send marketing communications about new tiers, features, and community updates where you have opted in;
- Meet legal and regulatory obligations;
- Enforce these Terms and our Community Standards.
6. Data Sharing and Disclosure
6.1 Third-Party Processors
We may share personal data with carefully selected third-party processors who assist us in operating the Services, including:
- Payment processors — to handle card and crypto transactions;
- Cloud hosting and infrastructure providers — for secure data storage and service delivery;
- Analytics providers — for anonymized platform usage analysis;
- KYC/AML screening providers — for identity verification and compliance;
- Communication tools — for email delivery and support ticketing.
All processors are bound by Data Processing Agreements (DPAs) and are required to process data only in accordance with our instructions and applicable law.
6.2 Legal Disclosure
We may disclose personal data where required by law, regulation, court order, or government authority, or where disclosure is necessary to protect the rights, property, or safety of CSS Capital, our users, or the public.
6.3 Business Transfers
In the event of a merger, acquisition, or asset sale, personal data may be transferred to the relevant third party. Users will be notified via the Platform prior to such transfer where reasonably practicable.
6.4 No Sale of Data
We do not sell, rent, or trade personal data to any third party for commercial purposes.
7. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA). Where personal data is transferred to countries not deemed adequate by the European Commission, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) — as adopted by the European Commission under GDPR Article 46(2)(c);
- UK International Data Transfer Agreements (IDTAs) — for transfers from the UK;
- Binding Corporate Rules — where applicable.
You may request a copy of the applicable transfer safeguards by contacting us at csscapital95@gmail.com.
8. Data Retention Periods
| Data Category | Retention Period |
|---|---|
| Account and contact data | Duration of active relationship + 3 years after closure |
| Transaction and payment records | 7 years (tax/financial compliance) |
| KYC/identity verification records | 5 years post-transaction (AML obligations) |
| Support communications | 3 years from resolution |
| Server access logs | 12 months (security purposes) |
| Marketing consent records | Until consent is withdrawn + 3 years |
After applicable retention periods expire, data is securely deleted or anonymized.
9. Your Rights Under GDPR
If you are located in the EEA or UK, you have the following rights with respect to your personal data:
- Request a copy of all personal data we hold about you (Data Subject Access Request).
- Request correction of inaccurate or incomplete personal data.
- Request deletion of your personal data where no legitimate legal basis for continued processing exists.
- Request that we limit the processing of your data in certain circumstances.
- Receive your personal data in a structured, commonly used machine-readable format.
- Object to processing based on legitimate interests or for direct marketing purposes.
- Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
- Complain to your local data protection authority (DPA) if you believe we have violated your rights.
To exercise any of these rights, email us at csscapital95@gmail.com with the subject "GDPR Request — [Right Type]". We will respond within 30 days. Some requests may be subject to identity verification.
10. Cookies and Tracking Technologies
10.1 What We Use
The Platform may use cookies and similar technologies including local storage, session storage, and pixels to:
- Maintain session state and user preferences;
- Analyse traffic and usage patterns (using anonymized analytics);
- Protect against fraud and detect bots.
10.2 Your Choices
You may configure your browser to reject cookies or receive alerts when cookies are set. Disabling cookies may affect the functionality of certain parts of the Platform. We do not use third-party advertising cookies.
11. Data Security
CSS Capital implements appropriate technical and organizational security measures to protect personal data against accidental loss, unauthorized access, disclosure, or destruction, including:
- Encrypted data transmission via TLS/HTTPS;
- Access controls and role-based permissions for staff;
- Regular security assessments and monitoring;
- Incident response procedures in compliance with GDPR Article 33 (72-hour breach notification to supervisory authorities).
No system is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by law.
12. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will take steps to delete such data promptly. If you believe we have inadvertently collected data from a minor, please contact us immediately.
13. Blockchain Data and On-Chain Transparency
Wallet addresses and transaction data recorded on blockchain networks (Ethereum, Polygon) are inherently public and permanent. We cannot delete or alter on-chain data. By purchasing a Membership Pass, you acknowledge that your wallet address and transaction history will be publicly visible on the blockchain. Where possible, we recommend using a purpose-specific wallet address for privacy.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date above and, where feasible, notify affected users through community channels or email. We encourage you to review this Policy periodically.
15. Contact Us and Supervisory Authorities
For all privacy-related inquiries, data subject requests, or complaints:
- Email: csscapital95@gmail.com
- Telegram: t.me/+ZmGa1XwgB2VhNmVi
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. Examples include:
- EU: Your national Data Protection Authority (DPA) — see the full list at edpb.europa.eu;
- UK: Information Commissioner's Office (ICO) — ico.org.uk.
