Introduction & Controller Identity
This Privacy Policy explains how Selnotes Technologies L.L.C. ("Selnotes", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you use our platform at selnotes.com. It applies to every person who interacts with Selnotes — whether you're a buyer, a seller, or a visitor who never creates an account.
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws, Selnotes Technologies L.L.C. is the data controller — meaning we are the entity that determines why and how your personal data is processed. We do not appoint a separate Data Protection Officer at this time, as we do not meet the mandatory thresholds under Article 37 of the GDPR. However, all data protection enquiries are handled directly by our privacy team — reach us through our contact page, and we are committed to responding within the timeframes required by law.
We process personal data only for the purposes described in this policy and only to the extent necessary for those purposes. We don't sell your personal data. We never have, and we never will.
Data We Collect
We collect different types of personal data depending on how you use the platform. Here is a complete account of every category:
Account & identity data
When you register, we collect your name, email address, and password (stored as a cryptographic hash — we never store your password in plain text). If you sign in with Google, we receive your name, email address, and profile picture from Google's OAuth service. We also collect your chosen username and any optional profile information you choose to add — a bio, website URL, or social handles.
Transaction & purchase data
When you make a purchase, we record the product purchased, the price paid, the date and time of the transaction, any coupon or discount codes applied, and the delivery status of the digital product. For sellers, we record every sale made through your account, including the buyer's identity (for dispute resolution purposes), the product sold, the net amount credited to your balance, and any associated commission.
Payment data
Selnotes does not store your card number, bank card details, or full payment credentials. All payment processing is handled by Stripe, Inc., which is certified to the PCI DSS Level 1 standard — the highest level of payment security certification. We receive from Stripe a transaction reference, the last four digits of the card used, the card network (e.g. Visa, Mastercard), and the outcome of the charge (success or failure). This is sufficient to manage your purchase history and process refunds without us ever touching your raw card data.
Seller payout data
If you're a seller who adds a bank account for withdrawals, we store your bank account holder name, IBAN or account number, BIC/SWIFT code, and a national identity reference where required by law. This data is encrypted at rest using AES-256-CBC encryption — we store only the last four digits and country prefix in a readable form; the full account details are encrypted and can only be accessed during the secure withdrawal process. If you connect PayPal, we store your PayPal email address.
Usage & behavioural data
We automatically collect data about how you interact with the platform — which pages you visit, which products you view, searches you perform, links you click, and how long you spend on each page. This data is used in aggregate to understand how people use Selnotes and to improve the platform. We do not use this data to build individual behavioural profiles for advertising.
Communications
If you contact us via email or through the platform's messaging system, we retain a record of those communications. This includes support conversations, dispute correspondence, seller notifications, and any messages exchanged between buyers and sellers through the platform.
Technical & device data
We collect standard technical data including your IP address, browser type and version, operating system, device type, screen resolution, referring URL, and session timestamps. This data is used for security monitoring, fraud prevention, debugging, and understanding general traffic patterns. IP addresses are not used for targeted advertising.
How We Collect Your Data
We collect personal data through three channels:
Directly from you
The majority of the data we hold is information you provide to us voluntarily — when you create an account, complete a purchase, set up your seller profile, add a bank account, contact support, or write a product review.
Automatically as you use the platform
Certain data is collected passively through cookies, server logs, and analytics tools as you browse and interact with Selnotes. This includes the usage and device data described above. You can manage cookie preferences through our cookie settings or your browser. See the Cookies section for full details.
From third parties
When you use Google Sign-In, we receive a limited set of your Google profile data — your name, email, and profile photo — as permitted by your Google account privacy settings. Stripe provides us with the outcome and metadata of payment transactions, but never your raw card details. We may also receive data about you if another user mentions you in a dispute or support request.
Legal Bases for Processing (GDPR & UK GDPR)
Under the GDPR and UK GDPR, every use of your personal data must have a valid legal basis. We rely on the following bases, depending on the specific processing activity:
Performance of a Contract (Article 6(1)(b))
The majority of our processing is necessary to deliver the service you've signed up for. This includes creating and managing your account, processing payments, delivering purchased products, managing your seller balance, processing withdrawal requests, and communicating with you about your orders and listings.
Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate interest in operating a safe, functional, and improving platform. This includes fraud prevention and platform security, maintaining transaction records for dispute resolution, sending product and service updates directly related to features you use, and analysing aggregate usage patterns to improve Selnotes. We have assessed these interests against your rights and freedoms and are satisfied they do not override them. You may object to processing based on legitimate interests — see Your Rights.
Legal Obligation (Article 6(1)(c))
We are required by law to retain certain financial and transactional records for tax compliance purposes. In some jurisdictions, we are also required to verify seller identities or report earnings above certain thresholds to tax authorities. We process data to the extent required to comply with these obligations.
Consent (Article 6(1)(a))
Where we rely on consent — for example, for certain non-essential cookies or for optional marketing communications — we will ask for it explicitly. You can withdraw consent at any time without affecting the lawfulness of processing that took place before withdrawal.
For sellers based in the EU or UK who provide bank account data, the processing of this financial information also falls under Article 9 handling considerations where applicable, and is subject to the same encryption and access controls described in this policy.
How We Use Your Data
Personal data is used for the following purposes, each tied to the legal bases described above:
- Account management — creating and maintaining your account, authenticating your identity when you log in, and enabling the features you use.
- Transaction fulfilment — processing payments, delivering digital products to buyers, crediting seller balances, and managing the full lifecycle of each order.
- Payout processing — using seller bank account or PayPal details to execute withdrawal requests.
- Customer support & dispute resolution — responding to support requests, mediating buyer-seller disputes, and maintaining records of outcomes for audit purposes.
- Platform safety & fraud prevention — detecting and preventing fraudulent transactions, account takeovers, policy violations, and payment fraud.
- Legal and financial compliance — maintaining transaction records as required by tax and financial regulations, responding to lawful requests from authorities, and issuing required tax documentation.
- Platform improvement — using aggregate, anonymised usage data to understand how people navigate Selnotes, where users encounter friction, and how to make the product better.
- Communications — sending transactional emails (purchase confirmations, download links, withdrawal notifications, dispute updates) and, where you've opted in, product announcements or platform updates.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you. We do not use your data to create advertising profiles, and we do not use it to make decisions about your account through fully automated processes without human review.
International Data Transfers
Selnotes serves users globally. As a result, personal data may be transferred to, stored in, and processed in countries outside your home country — including countries outside the European Economic Area (EEA) or the United Kingdom.
For transfers of personal data from the EEA or UK to countries not recognised by the European Commission or UK Information Commissioner's Office as providing an adequate level of data protection, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) — the standard data protection clauses adopted by the European Commission (and their UK equivalents) which we include in contracts with all relevant third-party processors.
- Adequacy decisions — where the destination country has been formally recognised as providing equivalent data protection (e.g. transfers to the EU from countries with adequacy status).
- Processor certifications — where our third-party processors (e.g. Stripe) maintain recognised certifications and binding corporate rules that provide appropriate safeguards.
You may request a copy of the relevant safeguards governing any specific transfer by contacting us through our contact page.
Retention & Deletion
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Here are the specific retention periods for different categories of data:
When your account is deleted, we initiate a deletion process within 30 days. Data that must be retained for legal or regulatory reasons (primarily transaction records) is isolated and retained only for the required period, after which it is permanently deleted. Data that is not subject to retention requirements is deleted immediately upon account closure.
You may request early deletion of specific data under your right to erasure (described below), subject to the exceptions that apply under applicable law.
Your Rights (GDPR & UK GDPR)
If you are located in the European Union, the European Economic Area, or the United Kingdom, you have a comprehensive set of rights over your personal data under the GDPR and UK GDPR. These rights are not contingent on your citizenship — they apply based on your location. Each right is described in full below.
Right of Access (Art. 15)
You can request a full copy of all personal data we hold about you, along with information about how it is being used, where it came from, who it is shared with, and how long we plan to keep it.
Right to Rectification (Art. 16)
If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct or complete it. You can update most account information directly from your profile settings.
Right to Erasure (Art. 17)
You can request deletion of your personal data — the 'right to be forgotten' — in certain circumstances: when the data is no longer necessary, when you withdraw consent, or when you object to processing based on legitimate interests and we have no overriding grounds to continue.
Right to Restrict Processing (Art. 18)
You can ask us to pause processing of your data while a dispute about its accuracy or legality is resolved, or while we assess an objection you've raised.
Right to Data Portability (Art. 20)
For data you've provided to us and that we process on the basis of contract or consent, you can request a structured, machine-readable copy (e.g. JSON or CSV) that you can transfer to another service.
Right to Object (Art. 21)
You can object to processing that is based on our legitimate interests, and to any processing for direct marketing purposes. If you object to direct marketing, we will stop immediately. If you object to other legitimate-interest processing, we'll assess whether our grounds override your interests.
Right to Withdraw Consent (Art. 7)
Where processing is based on your consent, you can withdraw that consent at any time. This does not affect the lawfulness of processing carried out before the withdrawal.
Right to Lodge a Complaint
You have the right to complain to your local data protection supervisory authority. In the EU, this is the authority in the member state where you live or work, or where you believe the infringement occurred. In the UK, it is the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, contact us through our contact page and select the Privacy category. We will respond within 30 days. In complex cases we may extend this by a further 60 days, but we will notify you if that's necessary. We do not charge a fee for handling rights requests, and we will never retaliate against you for exercising them.
We may need to verify your identity before fulfilling a request — this is to protect your data from unauthorised access, not to create barriers. Identity verification will be proportionate to the sensitivity of the request.
California Residents — CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you additional privacy rights. This section describes those rights and explains how to exercise them.
What we collect and why (California disclosure)
The table below maps the categories of personal information we collect to the business purposes for which we use them, as required by California Civil Code §1798.100 et seq.
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioural advertising. Therefore, the right to opt out of sale does not apply, and we do not offer a "Do Not Sell My Personal Information" mechanism — because there is nothing to opt out of.
Your California rights
- Right to Know — You can request disclosure of the specific pieces of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete — You can request deletion of your personal information, subject to exceptions including data we are required to retain for legal compliance.
- Right to Correct — You can request correction of inaccurate personal information we maintain about you.
- Right to Limit Use of Sensitive Personal Information — You can direct us to limit our use of sensitive personal information (such as your bank account details) to only what is necessary to perform the services you've requested. We already operate on this basis — we do not use sensitive financial data for any purpose other than processing your withdrawals.
- Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights. We will not deny services, charge different prices, or provide a different level of service to any user who exercises their California privacy rights.
To submit a verifiable California consumer request, contact us through our contact page, select the Privacy category, note "California Privacy Request", and describe the specific right you wish to exercise. We respond within 45 days, with a possible 45-day extension in complex cases with prior notice.
You may designate an authorised agent to submit a request on your behalf. The agent must provide written authorisation signed by you, and we may contact you directly to verify the request.
Other Regional Privacy Rights
In addition to GDPR and CCPA, Selnotes recognises and complies with privacy obligations under the following laws. If any of these apply to you, the rights they grant are in addition to, not instead of, the rights described above.
Brazil — LGPD (Lei Geral de Proteção de Dados)
Brazilian users have the right to access, rectify, delete, and port their data, as well as the right to information about sharing, the right to object, and the right to revoke consent. The legal bases we rely on under the LGPD map to those described in the GDPR section above. To exercise your LGPD rights, contact us through our contact page.
Canada — PIPEDA & provincial equivalents
Canadian users have the right to access personal information we hold about them and to challenge its accuracy. We collect personal information with your knowledge and consent, except where the law permits otherwise. Our privacy practices comply with the ten fair information principles under PIPEDA. Complaints may be directed to the Office of the Privacy Commissioner of Canada.
Australia — Privacy Act 1988 (APPs)
Australian users have rights under the Australian Privacy Principles, including the right to access and correct personal information. If you believe we have breached the APPs, you may complain to us first; if unresolved, you may escalate to the Office of the Australian Information Commissioner (OAIC).
Singapore — PDPA (Personal Data Protection Act)
Singaporean users have the right to access and correct their personal data and to withdraw consent, subject to legal and contractual restrictions. We comply with the PDPA's requirements for data collection, use, and disclosure.
Japan — Act on Protection of Personal Information (APPI)
Users in Japan have the right to disclose, correct, and cease use of their personal data under the APPI. Our data handling practices are designed to comply with the third-party provision restrictions and cross-border transfer requirements of the APPI.
Users in other jurisdictions with applicable privacy laws — including South Africa (POPIA), India (DPDP Act), Thailand (PDPA), South Korea (PIPA), and others — may also contact us to exercise the rights available to them under their local law. We assess all privacy requests in good faith regardless of jurisdiction.
Children's Privacy
Selnotes is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we learn that a user is under 16, we will promptly delete their account and all associated personal data.
If you are a parent or guardian and believe that a child under 16 has created an account on Selnotes without your consent, please contact us through our contact page and we will take immediate action. For users aged 16–17, we may require parental consent for certain features, including adding financial account information.
Where applicable, we comply with the Children's Online Privacy Protection Act (COPPA) in the United States and equivalent obligations under the GDPR and UK GDPR.
Security
We implement technical and organisational measures appropriate to the risk of processing personal data on a digital platform. Our security approach includes:
- Encryption in transit — all data transmitted between your browser and our servers is protected by TLS (Transport Layer Security).
- Encryption at rest — sensitive financial data (bank account numbers, national ID references) is encrypted using AES-256-CBC. Passwords are stored as bcrypt hashes with a salt — we never store or have access to your plain-text password.
- Access controls — access to production systems and databases is restricted to authorised personnel only, governed by least-privilege principles.
- Payment security — all card data is processed through Stripe's PCI DSS Level 1 certified infrastructure, meaning it never touches our servers.
- Security monitoring — we monitor our platform for unusual activity, failed authentication attempts, and anomalous transaction patterns as part of our fraud prevention programme.
Despite these measures, no internet service can guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authorities within 72 hours of becoming aware of the breach (as required by Article 33 of the GDPR), and we will notify affected users without undue delay where required under Article 34. We will tell you what happened, what data was affected, what we've done to contain it, and what you can do to protect yourself.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, applicable law, or regulatory requirements. When we make material changes — changes that affect your rights or significantly alter how we handle your data — we will notify you by email (if you have an account) and by posting a prominent notice on the platform.
For non-material changes (typographical corrections, clarifications that don't alter meaning), we will update the "Last updated" date without sending a notification. We encourage you to review this policy periodically. Your continued use of Selnotes after a policy update constitutes acceptance of the revised terms.
Contact Us & Data Protection Enquiries
For all privacy-related matters — data subject requests, questions about this policy, complaints, or concerns about how we handle your data — please get in touch through our contact page. Select the Privacy category and your request will reach our privacy team directly.
We will acknowledge your request within 5 business days and aim to resolve it fully within 30 days. For GDPR requests, we will comply within the one-month statutory period. For CCPA requests, within 45 days. If we need an extension, we will tell you before the initial period expires.
Supervisory authority contacts
If you are located in the EU or UK and you're not satisfied with our response to your complaint, you have the right to escalate to the relevant data protection supervisory authority:
- EU users — the data protection authority (DPA) of the EU member state where you live, work, or where the infringement occurred. A full list is available at edpb.europa.eu.
- UK users — the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
- California users — the California Privacy Protection Agency (CPPA) or the California Attorney General at oag.ca.gov/privacy.
Selnotes Technologies L.L.C.
We take every privacy concern seriously and we're committed to handling your data with the care and respect it deserves.