Privacy and Cookie Policy

Privacy Policy – K2KEY DIGITAL LTD
Last Updated: 17-02-2025

Registered in England & Wales: Company No. 15643526

 


 

1. Data Controller

K2KEY DIGITAL LTD ("we," "us," or "our") is a UK-registered company operating https://k2key.com, specializing in the sale of digital products, including CD keys, game licenses, and digital gift cards.

· Registered Address: [Insert UK Address]

· Data Protection Officer (DPO): [email protected]

 


 

2. Data We Collect & Why

We process the following data to fulfill legal, contractual, and operational obligations:

| Category | Purpose | Legal Basis | Retention Period |
| --- | --- | --- | --- |
| Email, Name, Billing Address | Order fulfillment, tax compliance, fraud checks | Contractual necessity | 6 years (tax obligations) |
| IP Address, Device Details | Security monitoring, service optimization | Legitimate interests | 12 months |
| Transaction History | Customer support, refunds | Legal obligation | 6 years (financial records) |
| Marketing Preferences | Promotional communications (if consented) | Explicit consent | Until consent withdrawal |

Payment Data:

· We use secure third-party payment gateways to process transactions. We do not store full payment card details (e.g., CVV, full card numbers). Tokenized payment data is retained only as required by law or for dispute resolution.

 


 

3. Your Rights

Under GDPR (EU/UK) and CCPA (California):

· Access/Portability: Request a copy of your data via [email protected] (processed within 30 days).

· Deletion: Delete non-essential data through your account settings or by contacting us.

· Opt-Out of Marketing: Unsubscribe via links in emails or adjust preferences in your account.

· Object to Processing: Challenge data use for legitimate interests (e.g., profiling).

· CCPA-Specific Rights: California residents may request disclosure of data categories sold/shared and opt out via our website footer ("Do Not Sell My Personal Information").

 


 

4. International Data Transfers

· EU/EEA → UK: Relies on the UK’s adequacy decision under GDPR.

· Global Transfers: Data transferred outside the EU/UK is safeguarded by Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.

· Third-Party Processors: We only engage vendors adhering to GDPR/CCPA standards under strict Data Processing Agreements (DPAs).

 


 

5. Security Measures

· Technical Safeguards: SSL/TLS encryption, regular penetration testing, and AWS infrastructure with ISO 27001 compliance.

· Organizational Controls: Annual GDPR/CCPA training for staff, vendor due diligence, and breach response protocols (72-hour notification to regulators if required).

 


 

6. Children’s Privacy

Our services are not directed at minors.

· We do not knowingly process data from users under 16 (EU/UK) or 13 (US) without verified parental consent.

· Suspected underage accounts are suspended pending age verification.

 


 

7. Third-Party Disclosures

We may share data with:

· Payment Processors: To complete transactions (tokenized data only).

· Analytics Providers: For service improvement (IP anonymization enabled).

· Legal/Regulatory Bodies: When required by law (e.g., fraud investigations).

 


 

8. Policy Updates

· Material changes are notified via email 30 days in advance.

· Archived versions of this policy are available upon request.

 


 

Contact Us

· GDPR/UK Inquiries: [email protected] | Post: 71-75, Shelton Street, Covent Garden, London, UNITED KINGDOM