Legal
Last updated: June 17, 2025 · sellmycode.net
This policy applies to individuals in the European Economic Area (EEA) and the United Kingdom. It supplements our Privacy Policy and explains how SellMyCode complies with the General Data Protection Regulation (GDPR) and UK GDPR.
Right to access
Request a copy of your personal data
Right to rectification
Correct inaccurate or incomplete data
Right to erasure
Request deletion of your personal data
Right to object
Object to processing for marketing
Right to restriction
Limit how we use your data
Right to portability
Receive your data in a portable format
01
Data controller
For the purposes of the GDPR, SellMyCode acts as the data controller for personal data collected through our platform. This means we determine the purposes and means by which your personal data is processed.
- Platform: SellMyCode — sellmycode.net
- Contact: [email protected]
Where sellers collect personal data from their buyers through the platform (e.g., for support purposes), they may act as an independent data controller or processor. Sellers are responsible for ensuring their own GDPR compliance in such cases.
02
Lawful basis for processing
We only process your personal data where we have a valid lawful basis under Article 6 of the GDPR:
| Processing activity | Lawful basis |
| Account registration and management | Contract |
| Processing purchases and payments | Contract |
| Sending transaction emails and receipts | Contract |
| Fraud prevention and security monitoring | Legitimate interest |
| Platform analytics and improvement | Legitimate interest |
| Sending marketing emails and newsletters | Consent |
| Compliance with legal obligations | Legal obligation |
03
Data we collect
Account and identity data
- Name, email address, username, and password (hashed)
- Profile information — biography, avatar, social links
- Identity verification documents (where KYC is required)
Transaction and financial data
- Purchase history, order IDs, and license records
- Billing address and payment method type (card details are held by our payment processors — not by us)
- Withdrawal account details for sellers
Technical and usage data
- IP address and approximate location
- Browser type, device, and operating system
- Pages visited, session duration, and clickstream data
- Cookie identifiers and tracking data
Communications data
- Support ticket messages and attachments
- Reviews, comments, and ratings you post
- Emails sent between you and SellMyCode
04
Data retention
We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law:
- Account data: Retained for the duration of your account. Deleted or anonymized within 30 days of account deletion, unless required for legal compliance.
- Transaction records: Retained for up to 7 years to comply with tax and financial reporting obligations.
- Support communications: Retained for 2 years after the ticket is closed.
- Marketing consent records: Retained until you withdraw consent, plus 1 year for compliance evidence.
- Server logs and IP data: Retained for up to 90 days for security purposes.
05
International data transfers
SellMyCode may transfer your personal data to countries outside the EEA. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers only to countries with an adequacy decision by the European Commission
- Data Processing Agreements (DPAs) with all third-party processors
You may request a copy of the safeguards in place by contacting [email protected].
06
Third-party processors
We share personal data with trusted third-party processors bound by Data Processing Agreements. Key categories include:
- Payment processors — to handle transactions securely (e.g., Stripe, PayPal)
- Cloud hosting providers — to store and serve platform data
- Email delivery services — to send transactional and marketing emails
- Analytics providers — to help us understand platform usage
- Fraud prevention services — to detect and prevent abuse
We do not sell your personal data to any third party.
07
Exercising your rights
You may exercise any of these rights by contacting us at [email protected]. We will respond within 30 days.
- Access (Article 15): Request a copy of the personal data we hold about you.
- Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Erasure (Article 17): Request deletion of your personal data where there is no overriding legitimate reason to continue processing it.
- Restriction (Article 18): Request that we limit the processing of your data in certain circumstances.
- Portability (Article 20): Request your data in a structured, machine-readable format.
- Object (Article 21): Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: Where processing is based on your consent, you may withdraw it at any time.
We may need to verify your identity before fulfilling a data subject request to protect your privacy and security.
08
Data breach notification
In the event of a personal data breach, SellMyCode will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights
- Document all breaches internally, including those that do not require external notification
09
Supervisory authority
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or the location of the alleged infringement.
A full list of EU supervisory authorities is available at: edpb.europa.eu
We would appreciate the opportunity to address your concerns directly before you approach a supervisory authority. Please contact us first at [email protected].
10
Contact
For any GDPR-related queries, data subject requests, or concerns about how we handle your personal data: