
Privacy Policy

Last updated: June 2026

Polaris Cards (“we”, “us”, “our”) operates the Polaris Cards marketplace. This policy explains what personal data we collect, why we collect it, and what rights you have under the General Data Protection Regulation (GDPR).

1. Data we collect

  • Account data — email address and hashed password when you register. Personal accounts also collect first name, last name, phone number, and date of birth. Business accounts collect company name, business registration number, Tax Identification Number (TIN), and optionally VAT number in place of personal identity data.
  • Profile & listing data — seller profile information, card listings, prices, and images you upload.
  • Transaction data — order details, shipping addresses, and purchase history.
  • Messages — conversations between buyers and sellers on the platform.
  • Collection & wishlist data — cards you mark as owned or wanted.
  • Offer data — price offers you send or receive on listings and buy orders, including offer amounts, counter-offers, and their outcome.
  • Usage data — anonymised page-view and performance metrics collected by Vercel Analytics and Speed Insights (no cookies; no cross-site tracking).

2. Why we use your data

| Purpose | Legal basis |
|---|---|
| Providing and securing the service | Contractual necessity |
| Processing payments via Stripe | Contractual necessity |
| Facilitating buyer–seller communication | Contractual necessity |
| Sending transactional emails (order updates) | Contractual necessity |
| Monitoring platform performance | Legitimate interest |
| Reporting seller income to tax authorities under EU DAC7 (Directive 2021/514) | Legal obligation |
| Complying with other legal obligations | Legal obligation |

3. Third-party processors

We share data only with processors necessary to run the service:

  • Stripe — payment processing. Card details are handled entirely by Stripe and never stored on our servers.
  • Shipit — shipping label generation and carrier integration. Order details and delivery addresses are shared with Shipit solely to fulfil shipments.

We do not sell your data to any third party. In addition to the processors above, we are required by law to share seller income data with the Finnish Tax Administration (Vero) annually under EU DAC7 (Directive 2021/514). Vero acts as an independent data controller for that data, not as our processor.

4. Data security

Your data is stored on servers located within the European Union. Some data is processed by third-party service providers operating outside the EU — specifically Stripe for payment processing, and our transactional email provider. Any such transfers are covered by Standard Contractual Clauses (SCCs) as required by GDPR. Sensitive data — including seller Tax Identification Numbers and financial identifiers — is encrypted at rest. We use industry-standard measures to protect data in transit and at rest, and restrict access to personal data to authorised systems and personnel only.

5. Data retention

We keep your data for as long as your account is active. If you delete your account, your personal data is erased within 30 days, except where we are required to retain it for legal or accounting purposes (typically up to 7 years for financial records).

6. Your rights (GDPR)

Under EU law you have the right to:

  • Access — request a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure — ask us to delete your data (“right to be forgotten”).
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, contact us using the feedback form. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

7. Cookies

We use a single session cookie to keep you logged in. We do not use advertising or third-party tracking cookies.

8. Changes to this policy

We may update this policy from time to time. Significant changes will be announced via a notice on the site. If you disagree with a significant change, you may close your account.

9. Data controller & contact

The data controller responsible for your personal data is:

Polaris Cards
Business ID: 3630006-4
Email: info@polaris.cards

You may also exercise your GDPR rights or file a complaint with your national data protection authority.