Privacy policy

Last updated: 18 December 2025

1. Scope

This Privacy Policy (“Policy”) explains how Exeskins (“ExeSkins,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards your information when you:

  • visit https://exeskins.com (the “Website”);
  • install or use our browser extension (the “Extension”); or
  • access any other feature, application, or service that links to this Policy (together with the Website and Extension, the “Services”).

This Policy does not apply to games, websites, products, or services that we do not own or control, nor to individuals we do not employ or manage.

2. Interpretation & Definitions

The capitalised terms below have the meanings given here or in Section 19 (Annex of Definitions). Definitions apply equally in singular and plural.

  • Account – a unique account created so you can access the Services.
  • Affiliate – an entity that controls, is controlled by, or is under common control with ExeSkins.
  • Cookies – small text files placed on your device that store information about your browsing.
  • Country – Poland (unless otherwise stated).
  • Device – any device capable of accessing the Services (e.g., computer, phone, tablet).
  • Personal Data – information that identifies or relates to an identifiable individual.
  • Service Provider – any natural or legal person that processes data on our behalf.
  • Third-Party Social Media Service – any social-network site through which you may log in to or create an Account.
  • Usage Data – data collected automatically through the Services (e.g., page-visit duration).

You – the individual using the Services, or any company or entity on whose behalf that individual acts.

3. How We Collect Personal Information

  • Directly from you — Registration details, e-mail, feedback, marketplace listings, support requests
  • Automatically — IP address, device type, operating system, browser, referral URLs, timestamps, in-app events, cookie identifiers, local Extension storage
  • Public / third-party sources — Data from linked Steam accounts (including trade status and Steam Trade Protection reversal events where applicable), payment processors/PSPs, verification and fraud-prevention partners, and other sources you authorise
  • Affiliate programme — Referral codes, payout wallets, statistics required to calculate commissions

4. Categories of Personal Information We Collect

Depending on how you use the Services, we may collect:

  • Contact Data – name (if provided), e-mail, phone, postal address
  • Account Data – username, password hash, Steam ID, profile image
  • Identity & Verification Data – identity document details and images, selfie/liveness data, proof of address (where required), verification outcomes and related audit logs
  • Compliance & Risk Data – sanctions/PEP screening results, adverse-media indicators (where applicable), risk flags/scores, source-of-funds/source-of-wealth information (where requested), payout destination details (e.g., IBAN/bank details or wallet identifiers), and related review notes
  • Financial & Transaction Data – card or crypto-wallet identifiers, bank/payout identifiers, transaction history, internal balance movements, payouts and payout requests
  • Dispute / Reversal Data – chargeback/dispute information received from PSPs, Steam trade status and Steam Trade Protection reversal events, related communications and case notes
  • Biographical & Demographic Data – date of birth, age, gender (optional)
  • Biometric Data – facial images/selfie/liveness and facial-match results (only if you complete identity/KYC verification, and only where permitted)
  • Internet / Activity Data – IP address, device/browser details, cookie/analytics identifiers, security and anti-fraud logs
  • Location Data – country or region inferred from IP, device, or user input
  • Inference Data – preferences, purchase patterns, and similar analytics profiles

We do not intentionally collect sensitive data such as health, racial or religious information.

5. Cookies and Other Tracking Technologies

We use Cookies, web beacons, tags, scripts, and local Extension storage to:

  • recognise repeat visitors and save their settings;
  • analyse Service performance through tools like Google Analytics and Google Tag Manager;
  • deliver and measure advertising (only where legally permitted).

You can manage cookies via your browser or our Cookie Consent Banner. Note that some parts of the Services may not function if Cookies are disabled. Our Services currently do not respond to “Do Not Track” signals. Visit https://exeskins.com/page/cookie-policy for Cookies Policy.

6. Legal Bases for Processing (EEA / UK users)

Where the EU GDPR or UK GDPR applies, we rely on:

  1. Contract – to provide, manage, and deliver the Services;
  2. Legitimate Interests – to secure and improve the Services, prevent fraud, and conduct analytics (balanced against your interests and rights);
  3. Consent – for optional cookies, direct marketing, or linking third-party accounts;
  4. Legal Obligation – to meet KYC/AML, tax, or court-order requirements. Where we process Biometric Data for identity verification, we do so only where permitted and (where required) on the basis of your explicit consent or another applicable legal basis under law.

You may withdraw consent at any time (Section 13).

7. How We Use Personal Information

We process Personal Data to:

  • Provide and operate the Website and Extension;
  • Process transactions, maintain internal accounting, and administer your Internal Balance;
  • Perform compliance checks (including KYC/KYB where applicable), sanctions/PEP screening, and risk-based reviews;
  • Conduct fraud prevention, security monitoring, and transaction monitoring to detect suspicious, unusual, or abusive activity;
  • Review and process payout requests (including manual review prior to instructing a PSP);
  • Detect, investigate, and manage disputes, chargebacks, and Steam Trade Protection reversal events, and enforce our Terms (including decisions related to account restrictions, holds, fees, and refund eligibility where applicable);
  • Respond to inquiries and provide customer support;
  • Send administrative notices (e.g., security alerts, policy updates);
  • Send marketing material — only if you opt in (unsubscribe anytime);
  • Analyse performance and develop new features;
  • Comply with applicable laws and cooperate with PSPs, auditors, and competent authorities where required or permitted.

8. How We Share Personal Information

  • Service Providers — Hosting and infrastructure providers; payment service providers and payout partners (e.g., Stripe, ZEN, WhitePay); identity/KYC vendors; sanctions/PEP screening and fraud-prevention partners; analytics providers; and customer support tools (each contractually bound to process data only for our purposes and under appropriate safeguards)
  • Affiliates & Group Companies — Same privacy commitments as this Policy
  • Business partners / ad networks — To present offers with your consent or where otherwise permitted
  • Other users — If you voluntarily publish information (e.g., listings, profile details)
  • Legal authorities — To comply with valid requests, defend legal claims, or prevent harm
  • Prospective buyers — In case of merger, acquisition, or asset sale (subject to confidentiality)

We do not “sell” personal information as defined by the California Consumer Privacy Act (CCPA). The only data “sharing” under CCPA may arise from third-party advertising cookies, which you can disable via our Cookie Banner.

9. International Transfers

We operate globally. Your data may be processed on servers located in the European Union, the United States, or other jurisdictions. When we transfer Personal Data from the EEA/UK to a country lacking an adequacy decision, we rely on Standard Contractual Clauses or equivalent safeguards.

10. Retention of Personal Data

  • Transaction records — ≥ 5 years (tax / AML)
  • KYC/identity verification, screening, payout-review, and compliance records — ≥ 5 years after the end of the business relationship or the relevant transaction (AML / legal)
  • Fraud, security, dispute/chargeback, and Steam Trade Protection reversal records and related logs — typically ≥ 5 years where needed for AML, security, or legal claims
  • Marketing-opt-out records — Duration of opt-out + proof period
  • Analytics / product usage data — Up to 2 years, unless required longer for security, AML compliance, or legal claims

Where required by law or a competent authority, we may retain data for longer periods.

When data is no longer needed, we delete or anonymise it.

11. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

  • Access / Know – obtain a copy of your Personal Data;
  • Correct – request rectification of inaccurate data;
  • Delete – request erasure (“right to be forgotten”);
  • Port – receive data in machine-readable format;
  • Restrict / Object – limit or object to processing based on legitimate interests;
  • Opt out of marketing – via “unsubscribe” links or profile settings;
  • Opt out of sale / sharing – toggle “Do Not Sell or Share My Data” in your Account (CCPA/CPRA users);
  • Shine the Light – request disclosure of direct-marketing data sharing (California).

Submit requests at privacy@exeskins.com or through the Privacy Center in your Account. We will verify your identity (or authorised agent) before fulfilling any request.

Please note: certain requests (including deletion/erasure) may be limited where we must retain information to comply with legal obligations (e.g., AML/CTF, tax) or to establish, exercise, or defend legal claims (e.g., disputes/chargebacks).

12. Security

We employ industry-standard technical and organisational measures—encrypted transport (TLS), hashed passwords, firewalls, role-based access controls—to protect Personal Data. No method of transmission or storage is entirely secure; you use the Services at your own risk.

13. Children’s Privacy

The Services are not directed to children under 18 years of age (or the minimum age in your jurisdiction). We do not knowingly collect data from minors. If you believe a child has provided data, please contact us and we will delete it.

14. In-Game Communications

ExeSkins does not monitor or record your voice/text communications inside Counter-Strike 2 (or any other game). Communications that occur on our Website or Extension are governed by this Policy.

15. Third-Party Links

Our Services may contain links to external sites we do not control. We are not responsible for their content or privacy practices. Review their policies before providing data.

16. Changes to This Policy

We may update this Policy periodically. Material changes will be announced by e-mail and/or an in-service banner at least seven (7) days before they take effect. The “Last updated” date at the top reflects the current version.

17. Contact Us

If you are in the EEA/UK and are dissatisfied with our response, you may lodge a complaint with your local supervisory authority.

18. Do Not Track Signals

Our Websites do not currently recognise or respond to browser-initiated “Do Not Track” signals.

19. Annex A — Definitions (Full List)

Affiliate, Account, Biometric Data, Business Partner, Cookies, Country, Device, Extension, Inference Data, Non-Identifiable Data, Personal Data, Service, Service Provider, Third-Party Social Media Service, Usage Data, User Content, Website, You – have the meanings set forth in Sections 2–4 and throughout this Policy.