Privacy Policy

ApexResell is built on respect for your privacy. This page explains exactly what data we collect, why, and how to control it — in plain language, without the legalese maze.

Last updated: April 15, 2026

01. Who We Are (Data Controller)

The data controller for personal information collected through apexresell.com is:

ApexResell EOOD

UIC: 208687954 · VAT: BG208687954

Registered in Sofia, Bulgaria

Privacy contact: privacy@apexresell.com

02. What Personal Data We Collect

We collect only what we need to deliver the service. The data we process falls into three categories:

Data you give us directly

  • Email address — required for account creation and order delivery;
  • Display name — optional, shown in community features (defaults to email username);
  • Password — stored as a one-way hash; we never see it in plain text;
  • Country of residence — determined from your IP and confirmed at checkout for EU VAT calculation under the OSS scheme;
  • Avatar preferences — if you choose a generated avatar style.

Data collected automatically

  • IP address — for security, fraud prevention, and approximate geo-location;
  • Browser & device info — user-agent string, screen size, language preference;
  • Site activity — pages viewed, products purchased, XP earned;
  • Cookies & local storage — for session management and bundle-builder persistence (see Section 6).

Data from third parties

  • Payment metadata — from Lemon Squeezy: order number, tax bucket, last-4 of card. We never receive full card numbers, CVVs, or banking details;
  • OAuth profile data — if you sign in with Google: your name and profile photo URL.

03. Why We Use Your Data

  • To create and manage your account;
  • To deliver products you have purchased;
  • To process payments and issue invoices for tax compliance;
  • To send transactional emails (receipts, security alerts, password resets);
  • To send optional marketing emails (only if you opt in — and you can unsubscribe anytime via the link in every email);
  • To detect, prevent, and respond to fraud, abuse, and security threats;
  • To improve our products via aggregated, anonymized analytics;
  • To comply with our legal obligations (tax records, EU OSS reporting, court orders).

05. Third-Party Processors

We share personal data with carefully chosen processors who handle it under written data-processing agreements (DPAs):

| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) |
| Vercel | Web hosting, edge CDN | Global (EU edge nodes) |
| Lemon Squeezy | Payments, EU VAT, MoR | USA (DPF certified) |
| Resend | Transactional email | USA (DPF certified) |
| Cloudflare | DDoS protection, caching | Global |

We do not sell your personal data to third parties. Period.

06. Cookies & Local Storage

We use a minimal set of cookies and browser storage. There are no third-party advertising cookies, no cross-site tracking, no adtech.

  • Authentication cookies — keep you logged in. Essential, no consent required;
  • Bundle builder localStorage — stores your custom bundle in your browser so it persists across sessions. Never sent to our servers until checkout;
  • Preferences — remember your chosen avatar style, theme, language.

You can clear all of these at any time via your browser's cookie settings.

07. How Long We Keep Data

  • Account data — for as long as your account is active. Closed accounts are fully anonymized within 30 days of closure;
  • Order & invoice records — 10 years, as required by Bulgarian and EU tax law (Article 38 of the Bulgarian Accountancy Act);
  • Server logs — 30 days, unless retained longer for security investigation;
  • Marketing email lists — until you unsubscribe or 24 months of inactivity, whichever comes first.

08. International Data Transfers

Some of our processors are based outside the EEA (notably in the USA). When personal data is transferred there, we rely on:

  • EU-U.S. Data Privacy Framework certifications, where the processor is enrolled;
  • Standard Contractual Clauses (SCCs) approved by the European Commission as a fallback;
  • Supplementary measures (encryption in transit and at rest, access controls, audit logs).

09. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of all data we hold about you;
  • Right to rectification — correct inaccurate data;
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to retention obligations;
  • Right to restrict processing — ask us to pause certain uses;
  • Right to data portability — receive your data in machine-readable format;
  • Right to object — opt out of processing based on legitimate interests or direct marketing;
  • Right to withdraw consent — for any processing based on consent;
  • Right to lodge a complaint — with the Bulgarian Commission for Personal Data Protection (CPDP) at cpdp.bg/en or with your local supervisory authority.

To exercise any of these rights, email us at privacy@apexresell.com. We will respond within 30 days as required by GDPR.

10. How We Protect Your Data

Security is non-negotiable. Our measures include:

  • TLS 1.3 encryption for all data in transit;
  • AES-256 encryption at rest for database and file storage;
  • Argon2id password hashing — passwords are never stored or transmitted in plain text;
  • Row-level security (RLS) on the database — users can only access their own records;
  • Multi-factor authentication available on accounts;
  • Regular security audits and dependency monitoring;
  • Incident response plan with breach notification within 72 hours as required by Article 33 GDPR.

11. Children's Privacy

ApexResell is intended for users 18 years and older. We do not knowingly collect personal data from children under 16. If we become aware that a child has provided us with personal data, we will delete the data and close the account.

12. Changes to This Policy

We may update this Privacy Policy occasionally. Material changes will be communicated via email to registered users at least 14 days before the new version takes effect. The date at the top of this page reflects the most recent revision.

13. Contact Us

For privacy questions, data subject requests, or to report a potential breach, contact:

ApexResell EOOD — Privacy

UIC: 208687954

Sofia, Bulgaria

Email: privacy@apexresell.com

Response time: within 30 days for data subject requests.