Privacy Policy
Effective Date: 16.10.2025
1. Introduction
This Privacy Policy (“Policy”) explains how polycrafter.org (“we”, “us”, “our”) processes personal data collected through the website https://polycrafter.org (the “Website”) and related services (store, user accounts, support, community). This version is designed to fully meet the expectations of European banks and payment service providers (PSPs) for onboarding and acquiring.
2. Data Controller & Roles
Controller / Merchant of Record: Qylvoro OÜ (registry code 17315512), Mooni tn 18, 10613 Tallinn, Estonia. Qylvoro OÜ is the legal owner and operator of the Website and acts as the data controller for all processing activities.
Processor (intra‑group technical provider): Itemare OÜ (registry code 17309345), Jõe tn 5, Kesklinna linnaosa, Tallinn, 10151, Estonia — provides operational and infrastructure services under a Data Processing Agreement (Art. 28 GDPR).
3. Scope & Definitions
This Policy applies to the Website and subdomains where it appears. “Personal data” refers to any information relating to an identified or identifiable person under Article 4(1) of the General Data Protection Regulation (GDPR). “Processing” refers to any operation performed on personal data under Article 4(2) GDPR.
4. Categories of Personal Data
- Identity & Contact: name, username, email, country/region, billing details.
- Account & Credentials: account ID, hashed password, preferences.
- Transactional: order ID, items, prices, taxes, PSP metadata (no card numbers/CVV stored).
- Device & Logs: IP address, user agent, referrer, event logs.
- Support & Communication: messages, tickets, attachments.
- Marketing & Analytics: consent preferences, campaign IDs, cookie identifiers.
- Fraud Prevention: risk signals, device fingerprints, access logs.
5. Purposes & Legal Bases
We process data strictly for the following purposes, based on lawful bases under GDPR:
6. Cookies & Consent
We use cookies for essential functions, analytics and marketing. Non‑essential cookies are not set before you provide consent. Our cookie banner presents equally prominent “Accept all” and “Reject all” options, and allows granular control. Pre‑ticked boxes and implied consent (e.g. scrolling) are not used. Consent logs (timestamp, ID, version) are stored for 12 months.
7. Payments, PSPs & PSD2/SCA
Payments are processed via licensed Payment Service Providers (PSPs) under PSD2. Strong Customer Authentication (SCA) and 3‑D Secure may be applied. We do not store card numbers or CVV. PSPs and banks may request verification or impose security checks to prevent fraud.
8. International Transfers (DPF/SCC)
Where data is transferred outside the EEA, we rely on the EU–US Data Privacy Framework (DPF) for certified providers. Otherwise, we use Standard Contractual Clauses (SCCs) with additional safeguards under Schrems II.
9. Data Retention
We retain personal data only as long as necessary to fulfill the purposes described above or as required by law. Financial data is retained for 7 years under Estonian law; other categories follow the retention periods listed above.
10. Rights under GDPR
You have the right to access, rectify, erase, restrict, object, and port your data. You also have the absolute right to object to direct marketing at any time under Article 21 GDPR.
11. Children’s Data & Automated Decision‑Making
Our services are not intended for children under 16. We do not use automated decision‑making that produces legal effects; fraud‑risk analysis is semi‑automated and subject to human oversight.
12. Security & DPIA
We apply encryption in transit, strict access controls, least‑privilege principles, staff training and incident procedures. Data Protection Impact Assessments (DPIAs) are performed where processing presents high risk (e.g., payments, fraud prevention).
13. Contact & DPO
Data Protection Officer (DPO): privacy@polycrafter.org
Mail: Qylvoro OÜ, Mooni tn 18, 10613 Tallinn, Estonia.
Complaints: Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn, info@aki.ee, +372 627 4135, https://www.aki.ee/en.
14. Updates to this Policy
We may revise this Policy periodically to reflect changes in law or practices. Updates will be published with a new effective date on this page.