Privacy & Data Protection

Privacy Policy

We believe privacy is a right, not a feature. This policy explains exactly what we collect, why we collect it, how long we keep it, and the full range of rights you have over your data — wherever you are in the world.

Last updated: May 2, 2026
Effective: May 2, 2026
Controller: Selnotes Technologies L.L.C.
GDPRUK GDPRCCPA / CPRALGPDPIPEDAAustralian Privacy Act

Introduction & Controller Identity

This Privacy Policy explains how Selnotes Technologies L.L.C. ("Selnotes", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you use our platform at selnotes.com. It applies to every person who interacts with Selnotes — whether you're a buyer, a seller, or a visitor who never creates an account.

For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws, Selnotes Technologies L.L.C. is the data controller — meaning we are the entity that determines why and how your personal data is processed. We do not appoint a separate Data Protection Officer at this time, as we do not meet the mandatory thresholds under Article 37 of the GDPR. However, all data protection enquiries are handled directly by our privacy team — reach us through our contact page, and we are committed to responding within the timeframes required by law.

We process personal data only for the purposes described in this policy and only to the extent necessary for those purposes. We don't sell your personal data. We never have, and we never will.

If you have a question about your data that isn't answered in this policy, or if you want to exercise any of the rights described below, contact us through our contact page. We'll respond within 30 days, and usually much faster.

Data We Collect

We collect different types of personal data depending on how you use the platform. Here is a complete account of every category:

Account & identity data

When you register, we collect your name, email address, and password (stored as a cryptographic hash — we never store your password in plain text). If you sign in with Google, we receive your name, email address, and profile picture from Google's OAuth service. We also collect your chosen username and any optional profile information you choose to add — a bio, website URL, or social handles.

Transaction & purchase data

When you make a purchase, we record the product purchased, the price paid, the date and time of the transaction, any coupon or discount codes applied, and the delivery status of the digital product. For sellers, we record every sale made through your account, including the buyer's identity (for dispute resolution purposes), the product sold, the net amount credited to your balance, and any associated commission.

Payment data

Selnotes does not store your card number, bank card details, or full payment credentials. All payment processing is handled by Stripe, Inc., which is certified to the PCI DSS Level 1 standard — the highest level of payment security certification. We receive from Stripe a transaction reference, the last four digits of the card used, the card network (e.g. Visa, Mastercard), and the outcome of the charge (success or failure). This is sufficient to manage your purchase history and process refunds without us ever touching your raw card data.

Seller payout data

If you're a seller who adds a bank account for withdrawals, we store your bank account holder name, IBAN or account number, BIC/SWIFT code, and a national identity reference where required by law. This data is encrypted at rest using AES-256-CBC encryption — we store only the last four digits and country prefix in a readable form; the full account details are encrypted and can only be accessed during the secure withdrawal process. If you connect PayPal, we store your PayPal email address.

Usage & behavioural data

We automatically collect data about how you interact with the platform — which pages you visit, which products you view, searches you perform, links you click, and how long you spend on each page. This data is used in aggregate to understand how people use Selnotes and to improve the platform. We do not use this data to build individual behavioural profiles for advertising.

Communications

If you contact us via email or through the platform's messaging system, we retain a record of those communications. This includes support conversations, dispute correspondence, seller notifications, and any messages exchanged between buyers and sellers through the platform.

Technical & device data

We collect standard technical data including your IP address, browser type and version, operating system, device type, screen resolution, referring URL, and session timestamps. This data is used for security monitoring, fraud prevention, debugging, and understanding general traffic patterns. IP addresses are not used for targeted advertising.

How We Collect Your Data

We collect personal data through three channels:

Directly from you

The majority of the data we hold is information you provide to us voluntarily — when you create an account, complete a purchase, set up your seller profile, add a bank account, contact support, or write a product review.

Automatically as you use the platform

Certain data is collected passively through cookies, server logs, and analytics tools as you browse and interact with Selnotes. This includes the usage and device data described above. You can manage cookie preferences through our cookie settings or your browser. See the Cookies section for full details.

From third parties

When you use Google Sign-In, we receive a limited set of your Google profile data — your name, email, and profile photo — as permitted by your Google account privacy settings. Stripe provides us with the outcome and metadata of payment transactions, but never your raw card details. We may also receive data about you if another user mentions you in a dispute or support request.

How We Use Your Data

Personal data is used for the following purposes, each tied to the legal bases described above:

  • Account management — creating and maintaining your account, authenticating your identity when you log in, and enabling the features you use.
  • Transaction fulfilment — processing payments, delivering digital products to buyers, crediting seller balances, and managing the full lifecycle of each order.
  • Payout processing — using seller bank account or PayPal details to execute withdrawal requests.
  • Customer support & dispute resolution — responding to support requests, mediating buyer-seller disputes, and maintaining records of outcomes for audit purposes.
  • Platform safety & fraud prevention — detecting and preventing fraudulent transactions, account takeovers, policy violations, and payment fraud.
  • Legal and financial compliance — maintaining transaction records as required by tax and financial regulations, responding to lawful requests from authorities, and issuing required tax documentation.
  • Platform improvement — using aggregate, anonymised usage data to understand how people navigate Selnotes, where users encounter friction, and how to make the product better.
  • Communications — sending transactional emails (purchase confirmations, download links, withdrawal notifications, dispute updates) and, where you've opted in, product announcements or platform updates.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you. We do not use your data to create advertising profiles, and we do not use it to make decisions about your account through fully automated processes without human review.

Who We Share Your Data With

We share personal data only with the categories of recipients described below. We never sell your data, and we never share it for third-party advertising purposes.

Stripe, Inc.

Our payment processor. Stripe handles all credit and debit card transactions on Selnotes. When you make a purchase, your payment details are transmitted directly to Stripe's servers — we never see or store your card number. Stripe is PCI DSS Level 1 certified and processes data under its own Privacy Policy. For EU/UK users, Stripe and Selnotes have executed Standard Contractual Clauses to cover international transfers.

Resend (transactional email)

We use Resend to deliver transactional emails — purchase confirmations, download links, seller notifications, password resets, and dispute correspondence. Resend receives your email address and the content of the message being sent. They do not use this data for their own marketing purposes.

Hostinger (hosting infrastructure)

Our platform and its database are hosted on Hostinger's cloud infrastructure. Hostinger has access to our servers for maintenance and infrastructure purposes, but does not independently process your personal data. Data is stored in the data centre region selected during our configuration. For EU/UK users, we ensure appropriate safeguards are in place for any data processed outside the EEA/UK.

Google (OAuth sign-in)

If you use "Sign in with Google," your authentication is handled by Google's identity platform. We receive your name, email address, and profile photo from Google. We don't receive your Google password or access to any other Google account data. Google processes this authentication under its own Privacy Policy.

Sellers (for buyer orders)

When you purchase a product, the seller who created that product will have visibility of the fact that a sale was made. For dispute or support purposes, sellers may see your display name. We do not share your email address or payment details with sellers by default. Sellers are independent controllers for any data they directly receive from buyers through platform messaging.

Legal authorities

We will disclose personal data to law enforcement, regulators, courts, or other public authorities if we are legally required to do so by a valid court order, subpoena, regulatory request, or other legal obligation. Where permitted by law, we will notify you before complying. We do not voluntarily share data with governments or authorities beyond what is legally required.

Business transfers

In the event of a merger, acquisition, asset sale, or restructuring of Selnotes Technologies L.L.C., personal data may be transferred to the acquiring entity. If this happens, we will notify affected users before data is transferred and before it becomes subject to a materially different privacy policy.

International Data Transfers

Selnotes serves users globally. As a result, personal data may be transferred to, stored in, and processed in countries outside your home country — including countries outside the European Economic Area (EEA) or the United Kingdom.

For transfers of personal data from the EEA or UK to countries not recognised by the European Commission or UK Information Commissioner's Office as providing an adequate level of data protection, we rely on one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) — the standard data protection clauses adopted by the European Commission (and their UK equivalents) which we include in contracts with all relevant third-party processors.
  • Adequacy decisions — where the destination country has been formally recognised as providing equivalent data protection (e.g. transfers to the EU from countries with adequacy status).
  • Processor certifications — where our third-party processors (e.g. Stripe) maintain recognised certifications and binding corporate rules that provide appropriate safeguards.

You may request a copy of the relevant safeguards governing any specific transfer by contacting us through our contact page.

Retention & Deletion

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Here are the specific retention periods for different categories of data:

Data categoryRetention period
Account data (name, email, username)For the lifetime of your account, plus 30 days following account deletion to allow for reactivation or dispute resolution.
Transaction & purchase records7 years from the date of transaction. This is required by financial and tax regulations in most jurisdictions in which we operate.
Seller payout & bank account dataRetained while your account is active and for 7 years after account closure for financial compliance. Encrypted at rest throughout.
Usage & behavioural logs90 days in identifiable form. Aggregate, anonymised usage statistics may be retained indefinitely.
Support & dispute correspondence3 years from the resolution of the case, or 7 years if the dispute resulted in a financial decision.
Security & fraud logs (IP, device)12 months in identifiable form, then deleted or fully anonymised.
Cookies (session)Session cookies are deleted when you close your browser. Persistent cookies are deleted within the timeframe stated at the point of consent.
BackupsEncrypted database backups are retained for up to 30 days, after which they are permanently deleted.

When your account is deleted, we initiate a deletion process within 30 days. Data that must be retained for legal or regulatory reasons (primarily transaction records) is isolated and retained only for the required period, after which it is permanently deleted. Data that is not subject to retention requirements is deleted immediately upon account closure.

You may request early deletion of specific data under your right to erasure (described below), subject to the exceptions that apply under applicable law.

Your Rights (GDPR & UK GDPR)

If you are located in the European Union, the European Economic Area, or the United Kingdom, you have a comprehensive set of rights over your personal data under the GDPR and UK GDPR. These rights are not contingent on your citizenship — they apply based on your location. Each right is described in full below.

Right of Access (Art. 15)

You can request a full copy of all personal data we hold about you, along with information about how it is being used, where it came from, who it is shared with, and how long we plan to keep it.

Right to Rectification (Art. 16)

If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct or complete it. You can update most account information directly from your profile settings.

Right to Erasure (Art. 17)

You can request deletion of your personal data — the 'right to be forgotten' — in certain circumstances: when the data is no longer necessary, when you withdraw consent, or when you object to processing based on legitimate interests and we have no overriding grounds to continue.

Right to Restrict Processing (Art. 18)

You can ask us to pause processing of your data while a dispute about its accuracy or legality is resolved, or while we assess an objection you've raised.

Right to Data Portability (Art. 20)

For data you've provided to us and that we process on the basis of contract or consent, you can request a structured, machine-readable copy (e.g. JSON or CSV) that you can transfer to another service.

Right to Object (Art. 21)

You can object to processing that is based on our legitimate interests, and to any processing for direct marketing purposes. If you object to direct marketing, we will stop immediately. If you object to other legitimate-interest processing, we'll assess whether our grounds override your interests.

Right to Withdraw Consent (Art. 7)

Where processing is based on your consent, you can withdraw that consent at any time. This does not affect the lawfulness of processing carried out before the withdrawal.

Right to Lodge a Complaint

You have the right to complain to your local data protection supervisory authority. In the EU, this is the authority in the member state where you live or work, or where you believe the infringement occurred. In the UK, it is the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact us through our contact page and select the Privacy category. We will respond within 30 days. In complex cases we may extend this by a further 60 days, but we will notify you if that's necessary. We do not charge a fee for handling rights requests, and we will never retaliate against you for exercising them.

We may need to verify your identity before fulfilling a request — this is to protect your data from unauthorised access, not to create barriers. Identity verification will be proportionate to the sensitivity of the request.

California Residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you additional privacy rights. This section describes those rights and explains how to exercise them.

What we collect and why (California disclosure)

The table below maps the categories of personal information we collect to the business purposes for which we use them, as required by California Civil Code §1798.100 et seq.

CategoryData collectedBusiness purpose
IdentifiersName, email address, username, IP addressAccount management, authentication, security, communications
Financial informationTransaction records, payment metadata (via Stripe), seller bank/PayPal detailsPayment processing, payout disbursement, financial compliance
Commercial informationProducts purchased, products sold, purchase history, order valuesOrder fulfilment, dispute resolution, seller analytics
Internet / electronic activityPages visited, search queries, click patterns, session dataPlatform improvement, fraud detection, security monitoring
Geolocation dataCountry and region (derived from IP address)Tax compliance, regional feature availability
Professional informationSeller profile data, product listings, bank account holder nameMarketplace functionality, payout processing
Sensitive personal informationBank account and routing numbers, national ID references (sellers only, encrypted)Payout processing only

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioural advertising. Therefore, the right to opt out of sale does not apply, and we do not offer a "Do Not Sell My Personal Information" mechanism — because there is nothing to opt out of.

Your California rights

  • Right to Know — You can request disclosure of the specific pieces of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete — You can request deletion of your personal information, subject to exceptions including data we are required to retain for legal compliance.
  • Right to Correct — You can request correction of inaccurate personal information we maintain about you.
  • Right to Limit Use of Sensitive Personal Information — You can direct us to limit our use of sensitive personal information (such as your bank account details) to only what is necessary to perform the services you've requested. We already operate on this basis — we do not use sensitive financial data for any purpose other than processing your withdrawals.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights. We will not deny services, charge different prices, or provide a different level of service to any user who exercises their California privacy rights.

To submit a verifiable California consumer request, contact us through our contact page, select the Privacy category, note "California Privacy Request", and describe the specific right you wish to exercise. We respond within 45 days, with a possible 45-day extension in complex cases with prior notice.

You may designate an authorised agent to submit a request on your behalf. The agent must provide written authorisation signed by you, and we may contact you directly to verify the request.

Other Regional Privacy Rights

In addition to GDPR and CCPA, Selnotes recognises and complies with privacy obligations under the following laws. If any of these apply to you, the rights they grant are in addition to, not instead of, the rights described above.

🇧🇷

Brazil — LGPD (Lei Geral de Proteção de Dados)

Brazilian users have the right to access, rectify, delete, and port their data, as well as the right to information about sharing, the right to object, and the right to revoke consent. The legal bases we rely on under the LGPD map to those described in the GDPR section above. To exercise your LGPD rights, contact us through our contact page.

🇨🇦

Canada — PIPEDA & provincial equivalents

Canadian users have the right to access personal information we hold about them and to challenge its accuracy. We collect personal information with your knowledge and consent, except where the law permits otherwise. Our privacy practices comply with the ten fair information principles under PIPEDA. Complaints may be directed to the Office of the Privacy Commissioner of Canada.

🇦🇺

Australia — Privacy Act 1988 (APPs)

Australian users have rights under the Australian Privacy Principles, including the right to access and correct personal information. If you believe we have breached the APPs, you may complain to us first; if unresolved, you may escalate to the Office of the Australian Information Commissioner (OAIC).

🇸🇬

Singapore — PDPA (Personal Data Protection Act)

Singaporean users have the right to access and correct their personal data and to withdraw consent, subject to legal and contractual restrictions. We comply with the PDPA's requirements for data collection, use, and disclosure.

🇯🇵

Japan — Act on Protection of Personal Information (APPI)

Users in Japan have the right to disclose, correct, and cease use of their personal data under the APPI. Our data handling practices are designed to comply with the third-party provision restrictions and cross-border transfer requirements of the APPI.

Users in other jurisdictions with applicable privacy laws — including South Africa (POPIA), India (DPDP Act), Thailand (PDPA), South Korea (PIPA), and others — may also contact us to exercise the rights available to them under their local law. We assess all privacy requests in good faith regardless of jurisdiction.

Cookies & Tracking Technologies

We use cookies and similar technologies to make Selnotes work, to keep your session active, and to understand how people use the platform. Here is exactly what we use and why:

Strictly Necessary

Required

These cookies are essential for the platform to function. They include session authentication cookies (to keep you logged in), CSRF protection tokens, and functional state that allows the shopping cart and checkout to work. You cannot opt out of these cookies without the platform ceasing to function correctly.

Functional

Optional

These cookies remember your preferences — such as your display settings and saved items — so you don't have to re-enter them on each visit. They are not used to track you across other websites.

Analytics

Optional

We use analytics to understand aggregate usage patterns — which features are used most, where users drop off in checkout flows, and how overall traffic changes over time. We do not use individual-level tracking for analytics, and we do not share analytics data with third parties for advertising.

Third-party (Stripe)

Required

Stripe sets cookies during the checkout process to prevent fraud and ensure payment security. These are set by Stripe's domain and are governed by Stripe's own cookie policy. They are necessary for payment processing to function.

You can manage or withdraw consent for non-essential cookies at any time by updating your browser's cookie settings or by contacting us. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a cookie is set. Note that disabling cookies may affect the functionality of Selnotes.

Children's Privacy

Selnotes is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we learn that a user is under 16, we will promptly delete their account and all associated personal data.

If you are a parent or guardian and believe that a child under 16 has created an account on Selnotes without your consent, please contact us through our contact page and we will take immediate action. For users aged 16–17, we may require parental consent for certain features, including adding financial account information.

Where applicable, we comply with the Children's Online Privacy Protection Act (COPPA) in the United States and equivalent obligations under the GDPR and UK GDPR.

Security

We implement technical and organisational measures appropriate to the risk of processing personal data on a digital platform. Our security approach includes:

  • Encryption in transit — all data transmitted between your browser and our servers is protected by TLS (Transport Layer Security).
  • Encryption at rest — sensitive financial data (bank account numbers, national ID references) is encrypted using AES-256-CBC. Passwords are stored as bcrypt hashes with a salt — we never store or have access to your plain-text password.
  • Access controls — access to production systems and databases is restricted to authorised personnel only, governed by least-privilege principles.
  • Payment security — all card data is processed through Stripe's PCI DSS Level 1 certified infrastructure, meaning it never touches our servers.
  • Security monitoring — we monitor our platform for unusual activity, failed authentication attempts, and anomalous transaction patterns as part of our fraud prevention programme.

Despite these measures, no internet service can guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authorities within 72 hours of becoming aware of the breach (as required by Article 33 of the GDPR), and we will notify affected users without undue delay where required under Article 34. We will tell you what happened, what data was affected, what we've done to contain it, and what you can do to protect yourself.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, applicable law, or regulatory requirements. When we make material changes — changes that affect your rights or significantly alter how we handle your data — we will notify you by email (if you have an account) and by posting a prominent notice on the platform.

For non-material changes (typographical corrections, clarifications that don't alter meaning), we will update the "Last updated" date without sending a notification. We encourage you to review this policy periodically. Your continued use of Selnotes after a policy update constitutes acceptance of the revised terms.

Contact Us & Data Protection Enquiries

For all privacy-related matters — data subject requests, questions about this policy, complaints, or concerns about how we handle your data — please get in touch through our contact page. Select the Privacy category and your request will reach our privacy team directly.

We will acknowledge your request within 5 business days and aim to resolve it fully within 30 days. For GDPR requests, we will comply within the one-month statutory period. For CCPA requests, within 45 days. If we need an extension, we will tell you before the initial period expires.

Supervisory authority contacts

If you are located in the EU or UK and you're not satisfied with our response to your complaint, you have the right to escalate to the relevant data protection supervisory authority:

  • EU users — the data protection authority (DPA) of the EU member state where you live, work, or where the infringement occurred. A full list is available at edpb.europa.eu.
  • UK users — the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
  • California users — the California Privacy Protection Agency (CPPA) or the California Attorney General at oag.ca.gov/privacy.

Selnotes Technologies L.L.C.
We take every privacy concern seriously and we're committed to handling your data with the care and respect it deserves.