Privacy Policy
Version 1.0 — last updated 13 July 2026. How we handle your personal data under the GDPR.
1. Who is responsible
The controller for the processing of your personal data on TCGBoxes.io is Codiro B.V., [Street + number], [Postal code] [City], the Netherlands, KvK [00000000]. For all privacy questions and requests: privacy@tcgboxes.io.
2. What data we process, why, and on which legal basis
Account data — username, email address, password hash or the ID of your Google/Twitch login. Purpose: creating and securing your account. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Profile and shipping data — name, phone number and address, if you provide them. Purpose: shipping redeemed cards to you. Legal basis: performance of a contract.
Orders, wallet and transaction data — purchases, deposits, withdrawals, wallet transactions, opening results and payout details (IBAN or PayPal email you enter for a withdrawal). Purpose: providing the service, paying you out, fraud prevention and bookkeeping. Legal basis: performance of a contract; compliance with legal obligations (Art. 6(1)(c), tax and accounting law); legitimate interest in fraud prevention (Art. 6(1)(f)). Payments themselves are processed by Mollie; we never see or store your card number.
Chat and public activity — messages you post in streamer chats and the public parts of your collection/profile (you can set your collection to private in your settings). Legal basis: performance of a contract; your choices control visibility.
Technical data — IP address, browser information and security logs. Purpose: keeping the Platform secure, preventing abuse and multi-account fraud. Legal basis: legitimate interest in security (Art. 6(1)(f)).
Newsletter — your email address, only if you opted in. Legal basis: consent (Art. 6(1)(a)), withdrawable at any time via the unsubscribe link or your settings.
Contact messages — your name, email and message when you contact support. Purpose: answering you. Legal basis: legitimate interest / pre-contractual steps.
3. Who receives your data
We share personal data only with parties needed to run the service, under data processing agreements where required: our hosting provider (EU), payment provider Mollie B.V. (NL), our email delivery service, and shipping carriers (name and address only, for redemptions). When you log in with Google or Twitch, those parties process your login according to their own privacy policies. We never sell personal data. We disclose data to authorities only when legally required.
4. Transfers outside the EU
Our systems and primary processors are located in the EU. Where a service provider processes data outside the European Economic Area (for example US-based login providers you choose to use), the transfer is protected by an adequacy decision or EU Standard Contractual Clauses.
5. How long we keep data
Account and collection data: for as long as your account exists, then deleted or anonymised within 30 days of account closure. Transaction and invoice data: 7 years (Dutch fiscal retention obligation). Security and IP logs: up to 12 months. Chat messages: up to 12 months. Contact correspondence: up to 2 years after the ticket is closed. Newsletter consent records: until you withdraw consent.
6. Your rights
You have the right to access your data, receive a copy (portability), correct inaccurate data, have data erased, restrict processing, and object to processing based on legitimate interest. Where processing is based on consent you can withdraw it at any time, without affecting prior processing. Send requests to privacy@tcgboxes.io — we respond within one month. We may ask you to verify your identity first. Note that we must retain transaction records for the legal retention period even after an erasure request.
If you believe we handle your data unlawfully, you can lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens, or with the supervisory authority of your own EU country.
7. Cookies
We use strictly functional cookies only: a session cookie to keep you logged in and to operate your shopping cart, and a cookie remembering the streamer shop you are browsing. These are necessary for the service and therefore do not require a consent banner. We do not use third-party advertising or tracking cookies. If we introduce analytics or marketing cookies in the future, we will ask for your consent first.
8. Security
Connections are encrypted (TLS), passwords are stored using strong one-way hashing, payment details never touch our servers, access to personal data is limited to authorised personnel, and pack openings are verifiable through the provably fair system. No system is perfectly secure; if a breach occurs that risks your rights and freedoms we will notify the Autoriteit Persoonsgegevens and, where required, you, in accordance with Articles 33 and 34 GDPR.
9. Automated decision-making
Pack opening results are generated by the provably fair algorithm described in our terms — this is the product itself, not profiling. We do not make automated decisions about you that produce legal or similarly significant effects. Fraud-prevention flags are always reviewed by a human before an account is restricted.
10. Age limit
The Platform is for adults (18+). We do not knowingly process data of minors; accounts found to belong to minors are closed and their data deleted.
11. Changes
We may update this policy; the version and date at the top always reflect the current text. Significant changes will be announced on the Platform.