Privacy Policy
Status: DRAFT for legal review. Not yet binding.
Audience: legal team / external counsel for review and finalisation
Effective date: [LEGAL TODO: insert effective date]
Last updated: 2026-05-07
This Privacy Policy explains how Coingram OE ("Coingram", "we", "us", "our") collects, uses, and shares personal data when you use the Coingram platform (the "Service"). It applies to all users of the Service worldwide. Together with our Terms of Service and Marketplace Terms, it governs your relationship with us.
If you have questions, contact our data-protection point of contact at [LEGAL TODO: insert privacy/DPO email].
1. Who We Are
Coingram OE is a Greek general partnership (Ομόρρυθμη Εταιρεία) with registered seat at [LEGAL TODO: insert registered address], Greek VAT number (ΑΦΜ) [LEGAL TODO], and General Commercial Registry number (ΓΕΜΗ) [LEGAL TODO].
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Greek Law 4624/2019 implementing the GDPR, Coingram OE is the controller of your personal data when you use the Service.
[LEGAL TODO: indicate whether a Data Protection Officer (DPO) has been formally designated under Article 37 GDPR. If so, insert the DPO's contact details. The DPO is generally not mandatory for an entity of this size unless core activities involve large-scale monitoring or processing of special-category data.]
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Data you provide
| Category | Examples | When collected |
|---|---|---|
| Account data | Name, email, username, password (handled by our authentication provider), date of birth, country, profile photo, languages, role (collector/business) | Sign-up and profile completion |
| Identity-verification data | Government ID images, business registration documents, tax identifiers, address, phone number, beneficial-owner information | When you start KYC for buy/sell features |
| Marketplace data | Listings (text, images, prices, conditions), offers, messages with other users, shipping and billing addresses | When you list, buy, offer, or message |
| Payment data | Payment-method information (card type, last four digits, country, expiry — full card numbers are not seen or stored by Coingram), bank account details for receiving payouts (held by Stripe, not us) | Subscription and marketplace transactions |
| Content data | Forum posts, comments, blog posts, ratings, reviews, profile descriptions, collection items, watch- and wishlists | When you create the content |
| Support data | Messages to our support team, attachments, ticket history | When you contact us |
| Marketing preferences | Email preferences, communication opt-ins/opt-outs | When you set them |
2.2 Data we collect automatically
| Category | Examples |
|---|---|
| Device and connection | IP address (and approximate location derived from it), device type, browser type and version, operating system, language settings, time zone |
| Usage | Pages and listings viewed, search queries, clicks, scroll depth, session duration, referring URL, feature usage |
| Diagnostic | Error reports, performance metrics, stack traces (with personal data minimised) |
| Cookies and similar | See clause 7 (Cookies) |
2.3 Data from third parties
| Source | Data |
|---|---|
| Authentication provider (Clerk) | Sign-in identifiers, session metadata |
| Payment service provider (Stripe) | Verification status (KYC outcome), payment status, payout status, masked payment-method metadata |
| External catalogue/data providers (e.g. Numista, Metals API, exchange-rate services) | Public reference data linked to your collection items or queries — not personal data of yours, but contextual to your usage |
| Public sources | Publicly available information (e.g. social profiles you have linked) |
| Sanctions and AML screening | Results of screening conducted by Stripe and applicable lists |
We do not intentionally collect special-category personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, or data concerning a person's sex life or sexual orientation). If you submit such data through free-form fields (e.g. forum posts, profile bios), you do so on your own initiative and acknowledge that it will be visible to the audience you publish it to.
3. Why We Process Your Data and Legal Bases
We process your personal data for the following purposes, each on the legal basis listed in accordance with Article 6 GDPR.
- Provide the Service, manage your account, authenticate sign-ins — Performance of a contract (Art. 6(1)(b))
- Process subscriptions and marketplace transactions, calculate and collect fees — Performance of a contract (Art. 6(1)(b))
- Comply with anti-money-laundering, know-your-customer, sanctions, tax, accounting, and consumer-protection obligations — Legal obligation (Art. 6(1)(c))
- Verify your identity for buy/sell capability — Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
- Provide customer support and resolve disputes — Performance of a contract (Art. 6(1)(b)) and our legitimate interests (Art. 6(1)(f)) — running an effective support function
- Detect, investigate, and prevent fraud, abuse, malicious activity, or violations of our Terms — Legitimate interests (Art. 6(1)(f)) — protecting the Service, users, and third parties; legal obligation where applicable
- Send service-related communications (transaction confirmations, security alerts, policy changes) — Performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f))
- Send marketing emails and promotional communications — Consent (Art. 6(1)(a)) — you may opt out at any time
- Personalise content and recommendations on the Service — Legitimate interests (Art. 6(1)(f)) — improving relevance and engagement; consent (Art. 6(1)(a)) where required for non-essential cookies
- Analyse and improve the Service, develop new features — Legitimate interests (Art. 6(1)(f)) — operating and improving the Service
- Run aggregated and anonymised analytics, business intelligence — Legitimate interests (Art. 6(1)(f))
- Establish, exercise, or defend legal claims — Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c))
Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms. You may object to such processing as described in clause 8 (Your Rights).
4. How We Share Your Data
We do not sell your personal data. We share it only where necessary, as set out below.
4.1 With other users of the Service
When you use the public-facing parts of the Service, certain personal data is intentionally visible to other users:
- Public profile: username, profile photo, country (if you set it), bio, ratings received, public collections, listings, public forum posts, blog posts.
- Marketplace transactions: when you transact, the counterparty sees your username, the agreed shipping address (for sellers), and any messages you send through the Service.
- Forum and community features: posts and comments are public to other users by default.
You can adjust the visibility of certain profile elements through your privacy settings.
4.2 With service providers (processors)
We share data with carefully selected third-party service providers who process personal data on our behalf, under written data-processing agreements. Current categories:
| Category | Provider(s) | Purpose | Region |
|---|---|---|---|
| Authentication | Clerk | Sign-in, session management | United States |
| Payments and KYC | Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing, identity verification, payouts | Ireland / United States |
| Database hosting | Supabase | Application database | [LEGAL TODO: confirm region] |
| Application hosting | Vercel, Inc. | Hosting and content delivery | United States and Europe |
| Email delivery | Resend | Transactional and marketing emails | [LEGAL TODO: confirm] |
| Logging and observability | Grafana / Loki, Sentry | Error and performance monitoring | [LEGAL TODO: confirm] |
| Product analytics | PostHog | Usage analytics | [LEGAL TODO: confirm] |
| AI / ML services | [LEGAL TODO: list e.g. OpenAI, Anthropic, etc. — Coingram Intelligence] | AI-assisted features | United States |
| Third-party data sources | Numista, Metals API, eBay, news/RSS providers | Catalogue, market, and content data | Various |
| File storage | Supabase Storage | User-uploaded images and documents | [LEGAL TODO: confirm] |
[LEGAL TODO: legal team to validate the full list of sub-processors and add/remove as needed; consider publishing a sub-processor list page that can be updated independently of this Policy.]
4.3 With other recipients
We may also share your personal data with:
- Law-enforcement, courts, and regulators, when we are legally required to do so or where it is necessary to protect rights, safety, or property;
- Tax authorities (including the Greek AADE), as required by Greek and EU tax-reporting obligations, including under the EU Directive on Administrative Cooperation (DAC7) where applicable;
- Professional advisers (lawyers, auditors, accountants) where reasonably necessary;
- Successors in interest in the event of a merger, acquisition, or sale of all or part of our business — in which case we will give you advance notice and an opportunity to object where required by applicable law;
- Other parties with your consent or at your direction.
5. International Transfers
Some of our service providers are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we put in place appropriate safeguards in accordance with Articles 44–49 GDPR, including:
- Standard Contractual Clauses approved by the European Commission;
- Adequacy decisions issued by the European Commission (e.g. the EU–US Data Privacy Framework, where the recipient is certified);
- Supplementary measures where appropriate, such as encryption, pseudonymisation, and access controls.
You can request a copy of the safeguards applicable to a specific transfer by contacting us at [LEGAL TODO: insert email].
6. Retention
We keep personal data for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations:
| Data | Retention |
|---|---|
| Account data | While the account is active, plus a reasonable period after closure for legal-claim and tax-recordkeeping purposes |
| Transaction data (orders, invoices, payments, transfers) | At least ten (10) years in accordance with Greek tax and accounting obligations |
| KYC / AML records | At least five (5) years after the end of the business relationship, in accordance with applicable AML rules [LEGAL TODO: confirm exact period — Greek AML L. 4557/2018] |
| Marketing-consent records | While the consent is valid, plus a reasonable period as evidence after withdrawal |
| Logs (security, error, access) | Up to twelve (12) months, except where extended retention is needed for security investigation or legal claims |
| Backups | Rolling backups for up to [LEGAL TODO: insert period] |
| Forum / public content | Until you delete it (subject to clause 4.1) or until the account is closed; some content may remain in cached or quoted form |
After the applicable retention period, we either delete the data or anonymise it irreversibly.
7. Cookies and Similar Technologies
We use cookies and similar technologies (such as local storage and pixels) to operate, secure, and improve the Service.
- Strictly necessary: required to operate the Service (authentication session, security, load balancing, fraud prevention). These do not require consent.
- Functional: remember your preferences (language, theme, dismissals).
- Analytics: measure how the Service is used (e.g. PostHog).
- Marketing: deliver and measure marketing campaigns.
Non-essential cookies are set only with your consent, which you can give or withdraw through our cookie banner or settings. For details, see our [LEGAL TODO: link to Cookie Policy if extracted; otherwise embed full cookie list here].
8. Your Rights
Subject to conditions and exceptions in applicable law, you have the following rights regarding your personal data:
| Right | What it means |
|---|---|
| Access (Art. 15 GDPR) | Obtain confirmation of whether we process your data and a copy of it |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion in certain circumstances |
| Restriction (Art. 18) | Restrict processing in certain circumstances |
| Portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller |
| Objection (Art. 21) | Object to processing based on legitimate interests, including profiling |
| Withdraw consent (Art. 7) | Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal |
| Lodge a complaint (Art. 77) | File a complaint with a supervisory authority — for Greece, the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) at https://www.dpa.gr |
| Not be subject to solely automated decisions (Art. 22) | Where applicable; we currently do not make solely automated decisions producing legal or similarly significant effects on you |
To exercise your rights, contact us at [LEGAL TODO: insert privacy email]. We may need to verify your identity before responding. We will respond within one month, extendable by a further two months for complex requests.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:
- TLS encryption in transit;
- Encryption at rest for sensitive data stores;
- Access control and least-privilege principles for our team;
- Logging and monitoring;
- Regular security review;
- Incident-response procedures.
No system is completely secure. If we become aware of a personal-data breach affecting you, we will notify you and the competent supervisory authority in accordance with Articles 33–34 GDPR.
10. Children
The Service is not directed at, and we do not knowingly collect personal data from, individuals under the age of [LEGAL TODO: confirm minimum age — typically 18 for marketplace use; some platforms allow ≥16 under GDPR Art. 8 with parental consent for non-marketplace features]. If you believe we have collected data of a minor, contact us and we will delete it.
11. Automated Decision-Making and Profiling
Some features of the Service involve profiling in the sense of Article 4(4) GDPR, including:
- recommending listings, content, and other users based on your activity;
- detecting suspected fraud or abuse based on patterns;
- ranking content in feeds and search results.
These activities do not currently produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. Decisions that may significantly affect you (e.g. account suspension, refusal of KYC) involve human review or rely on third-party providers whose policies we link to.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable advance notice (in-Service or by email) before the change takes effect. The "Last updated" date at the top reflects the most recent revision.
13. Contact
| Purpose | Contact |
|---|---|
| Privacy / data-protection enquiries and rights requests | [LEGAL TODO: insert email] |
| Data Protection Officer (if designated) | [LEGAL TODO: insert if designated] |
| Postal address | Coingram OE, [LEGAL TODO: insert registered address] |
You may also lodge a complaint with the Hellenic Data Protection Authority (HDPA) — Kifisias Avenue 1-3, 11523 Athens, Greece, or online at https://www.dpa.gr.
Notes for Legal Review
This draft is a starting point. Items flagged [LEGAL TODO] require completion or validation by counsel. Specific points the legal team should verify:
- Confirm DPO designation status (Article 37 GDPR triggers — likely not mandatory at our scale, but document the decision).
- Confirm legal-basis mapping in clause 3 — particularly the boundary between contract and legitimate interests for personalisation, recommendations, and fraud detection.
- Validate sub-processor list and arrange formal data-processing agreements (Article 28 GDPR) with each. Consider publishing a separate sub-processor list page for easier updating.
- Confirm international-transfer safeguards (Standard Contractual Clauses, Data Privacy Framework certifications) are in place for each non-EEA recipient.
- Validate retention periods against Greek tax law (Code of Tax Procedure / KFD), AML law (L. 4557/2018), accounting obligations, and statute of limitations.
- Decide whether to publish a separate Cookie Policy or keep cookie information embedded.
- Validate minimum-age threshold and approach for under-18 / under-16 users.
- Add specific text required by EU AI Act for AI-assisted features once the Act is in force (transparency obligations under Articles 50/52).
- Add DAC7 / OECD Model Reporting Rules disclosures if Coingram qualifies as a "reporting platform operator" under Council Directive (EU) 2021/514.
- Decide whether the Privacy Policy is governed by Greek law and by its own dispute-resolution clauses (often handled by cross-reference to the ToS).
- Validate compliance with EU ePrivacy Directive (2002/58/EC) as transposed into Greek law (L. 3471/2006) for cookies and electronic communications.
- Add a "California consumer rights" supplement if we expect material US traffic, and similarly for UK GDPR if we serve UK users.