Last updated: 19 June 2026
Skin.Club is operated by Moontain Limited, a Cyprus-incorporated company. We are the controller of your personal data. We collect data you give us (account, KYC, payment), data about how you use the platform (activity, device, location), and data from third parties (Steam, identity-verification providers). We use this data to run the platform, verify your age and identity, prevent fraud, comply with anti-money-laundering law, and send you marketing where you have agreed to it. Identity verification involves a biometric liveness check carried out by our verification provider; we receive only your identity document and the verification result, not the biometric template. We use automated systems to support risk scoring and account decisions, but significant decisions about your account are made or reviewed by a person, and you can request human review. We share your data with service providers (hosting, analytics, advertising, identity verification) and in limited cases transfer it outside the EU/EEA under appropriate safeguards. You have the right to access, correct, delete, object to, restrict and port your data. You can exercise your rights through privacy@skin.club.
This Privacy Policy describes how Moontain Limited (“Skin.Club”, “we”, “us”, “our”) collects, uses, shares and protects your personal data when you access or use the Skin.Club website at https://skin.club (the “Platform”) and related services (the “Services”).
We are the controller of your personal data. This means we decide what personal data is collected about you, why it is collected and how it is used.
This policy is designed to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the Cyprus Personal Data Protection Law (Law 125(I)/2018), and applicable national rules implementing the ePrivacy Directive.
If you do not agree with any part of this policy, please do not use the Platform.
Controller: Moontain Limited, incorporated in the Republic of Cyprus under registration number HE410299, registered office at 13 Kypranoros Street, Office 205, 1061 Nicosia, Cyprus.
General enquiries: help@skin.club
Data Protection Officer: privacy@skin.club (or write to the registered office, marked FAO “Data Protection Officer”).
EU/EEA matters: You may also contact the Cyprus Commissioner for Personal Data Protection (https://www.dataprotection.gov.cy).
Account information: Steam ID, username, display name, email address (optional for some flows), language preference, password credentials.
Identity and age-verification information: full legal name, date of birth, nationality, government-issued identification document, a photograph of you with the document (“selfie”), and biometric data derived from a liveness check, collected through our identity-verification provider (see Section 5).
Payment information: limited payment card details (scheme, last four digits, expiry, token) or wallet identifier, required to process deposits. We do not store full card numbers.
Communications: the content of messages you send us through support chat, email or other channels.
Device and technical information: IP address, device identifiers, browser type and version, operating system, language, time zone, screen resolution, device fingerprint.
Location information: approximate location derived from your IP address and, where you permit it, more precise location.
Platform activity: pages visited, features used, cases opened, transaction history, win/loss records, session duration, clicks, scroll behaviour, referral source, timestamps.
Cookies and similar technologies: see Section 11.
Security and fraud signals: login attempts, authentication events, device reputation signals, behavioural anomalies.
Steam: your Steam ID, Steam level, publicly visible profile information, and information needed for inventory or trade functionality.
Identity-verification provider: verification results, biometric liveness outcomes, sanctions/PEP screening results and related risk flags.
Fraud and device-intelligence providers: device reputation, bot-detection scores, anomaly signals.
Payment service providers: transaction authorisation results, fraud scores, chargeback data.
Advertising and analytics providers: attribution signals, advertising identifiers, conversion data.
Publicly available sources: sanctions lists, PEP lists, adverse-media databases (for AML screening).
The table below sets out each purpose, the data involved, the legal basis, and how long we keep the data. Where we rely on legitimate interests we have carried out a balancing test, and you have the right to object (Section 10).
| Purpose | Data categories | Legal basis (EU GDPR) | Retention |
|---|---|---|---|
| Creating and managing your account; authenticating you via Steam | Steam ID, username, email, password credentials, device/IP | Article 6(1)(b) — performance of a contract | Duration of your account plus 5 years after closure (AML record-keeping) |
| Verifying your age and identity (KYC); sanctions and PEP screening | Full name, DOB, nationality, ID document, photograph/selfie, biometric liveness data, screening results | Article 6(1)(c) — legal obligation under Cyprus AML law (Law 188(I)/2007 as amended); and Article 9(2)(a) — explicit consent for the biometric liveness check (see Section 5) | 5 years after the end of the customer relationship. Biometric templates are not retained by us; they are processed by our verification provider and deleted or anonymised shortly after verification |
| Processing deposits and other payment transactions | Payment card details (limited), transaction data, wallet identifiers | Article 6(1)(b) — contract; Article 6(1)(c) — legal obligation (AML and tax record-keeping) | 5 years after the transaction |
| Preventing, detecting and investigating fraud, bot activity and abuse | Device fingerprint, IP, behavioural signals, transaction data, Steam data, support correspondence | Article 6(1)(f) — legitimate interests in protecting the integrity of the Platform and our users | 12 months from the last relevant signal, or longer where required to defend a legal claim |
| AML transaction monitoring and suspicious-activity reporting | Transaction data, KYC data, behavioural signals, risk scores | Article 6(1)(c) — legal obligation; Article 10 — processing relating to criminal offences as authorised by law | 5 years after the end of the customer relationship, or longer if a suspicious-activity report is filed |
| Risk scoring and account decisions, including suspension/ban | Account data, transaction data, behavioural signals, fraud signals, KYC data | Article 6(1)(f) — legitimate interests in detecting and preventing breaches of our Terms and fraud. These decisions are not based solely on automated processing — see Section 6 | Decision records retained 5 years for accountability |
| Keeping the Platform secure; logging and monitoring | Access logs, IP, device, session data | Article 6(1)(f) — legitimate interests in network and information security (Recital 49); Article 6(1)(c) where logging is legally required | 12 months |
| Providing customer support | Support tickets, chat transcripts, email correspondence, account data | Article 6(1)(b) — contract; Article 6(1)(f) — service improvement | 3 years after ticket closure |
| Sending you direct marketing by email and push | Email address, account data, preferences | Article 6(1)(a) — consent | Until you withdraw consent; suppression record kept 3 years |
| Profiling for marketing (offers tailored to your activity) | Activity data, preferences, transaction history, inferred attributes | Article 6(1)(a) — consent | Until you withdraw consent |
| Website and app analytics | Cookie identifiers, device and usage data, IP (truncated where feasible) | Article 6(1)(a) — consent, via cookie banner | Per analytics cookie expiry (see Cookie Policy); aggregated data may be kept longer |
| Advertising, retargeting and measurement (incl. Meta, Google, TikTok, Twitter/X, Amazon) | Cookie and pixel identifiers, hashed email (where applicable), activity data | Article 6(1)(a) — consent, via cookie banner | Per the expiry set by the relevant cookie (see Cookie Policy) |
| Complying with lawful requests from authorities and regulators | Any relevant account, KYC or transaction data | Article 6(1)(c) — legal obligation; Article 6(1)(f) — legitimate interests in compliance | Per the request, or 5 years (whichever is longer) |
| Establishing, exercising or defending legal claims | Any relevant data | Article 6(1)(f) — legitimate interests | For the applicable limitation period (ordinarily 6 years in Cyprus for contractual claims) |
Biometric data — a short liveness-check image or video captured to confirm that the person presenting an identity document is a real, present human — is a special category of personal data under Article 9 GDPR. We only process biometric data where you initiate our identity-verification process, which is required to register on and use the Platform.
The biometric data is captured and processed by our identity-verification provider, SumSub, acting as our processor. It is used solely to assess whether the person on camera matches the photograph on the submitted identity document and is alive at the time of capture. We do not receive or retain the biometric template; we receive your identity document and the verification result (including confirmation that the face matched the document).
Legal basis. We rely on your explicit consent under Article 9(2)(a) GDPR, which you provide before the liveness check begins. We do not use biometric data for any purpose other than identity and age verification, and we do not sell or share it with advertisers, data brokers or other third parties.
We use automated systems to support decisions about your account, including detecting fraud, bot activity, multi-accounting and chargeback abuse; risk scoring that determines verification level, transaction limits or manual review; and profiling for marketing, where you have consented.
How decisions are made. Our systems apply pre-defined rules, statistical models and third-party risk signals to account, device, behavioural and transactional data. The models score and flag accounts, but decisions that have a legal or similarly significant effect on you are made or reviewed by a member of our compliance or trust-and-safety team. We do not take such decisions based solely on automated processing.
Your rights. Even though a person is involved in significant decisions, you can always ask us to review a decision about your account. You have the right to obtain human review, to express your point of view, and to contest the decision. Contact privacy@skin.club describing the decision; we will route your request to a reviewer who was not involved in the original decision.
We share your personal data with the following categories of recipient. In most cases these recipients act as our processors and handle your data only on our documented instructions, under a written data processing agreement.
| Category of recipient | Examples / role | Why we share |
|---|---|---|
| Hosting and cloud infrastructure | AWS; content delivery network (Cloudflare); database and storage services | To run the Platform |
| Identity verification | SumSub | To verify your age and identity, screen for sanctions/PEP, and assess fraud risk |
| Payment processing | Card acquirers and payment service providers | To process your deposits and detect payment fraud |
| Fraud and device intelligence | FingerprintJS and similar vendors | To detect bots, multi-accounting and abuse |
| Customer support tooling | Zendesk and similar platforms | To respond to your enquiries |
| Analytics | Google Analytics; Amplitude; Microsoft Clarity | To understand how the Platform is used and improve it |
| Email and notifications | Mailgun; Customer.io; OneSignal; Novu | Account notifications and, where you have consented, marketing |
| Advertising partners | Meta, Google Ads, TikTok, Twitter/X, Amazon advertising | To show you relevant advertising on third-party platforms, where you have consented |
| Professional advisers | Lawyers, accountants, auditors | Where necessary to run the business or defend legal claims |
| Authorities and regulators | Law enforcement, tax authorities, data-protection and other regulators | Where required by law or to protect our rights and the safety of others |
| Corporate transactions | Prospective acquirers, investors and their advisers | In a merger, acquisition, reorganisation or financing, subject to confidentiality and data-protection safeguards |
We do not sell your personal data. We do not share your personal data with third parties for their own independent marketing purposes, except where you have consented.
Some recipients in Section 7 are based, or process data, outside the European Economic Area (EEA), including in the United States. When we transfer personal data outside the EEA, we ensure one of the following safeguards is in place:
An adequacy decision of the European Commission covering the destination, including the EU-US Data Privacy Framework where the recipient is certified under it;
The European Commission’s Standard Contractual Clauses (SCCs), together with any additional measures required; or
Another safeguard recognised under applicable law, including binding corporate rules.
Where a US recipient is not certified under the EU-US Data Privacy Framework, we rely on the SCCs. You can request a copy of the relevant safeguards by writing to privacy@skin.club.
We keep your personal data only for as long as necessary for the purposes for which it was collected, including to comply with legal, regulatory, tax, accounting or reporting obligations and to defend legal claims. The specific period for each purpose is in the Section 4 table. In summary:
Active account data: duration of your account plus 5 years after closure.
KYC, AML and transaction records: 5 years after the end of the customer relationship.
Fraud and security records: 12 months (longer where needed to defend a claim).
Marketing: until you withdraw consent, plus a 3-year suppression record for evidential purposes.
Legal-claims records: the applicable limitation period (ordinarily 6 years in Cyprus for contractual claims).
When we no longer need your personal data, we delete or anonymise it.
Subject to applicable law, you have the following rights in relation to your personal data.
| Right | What it means |
|---|---|
| Right of access | Obtain a copy of the personal data we hold about you and information about how we process it. |
| Right to rectification | Ask us to correct inaccurate or incomplete personal data. |
| Right to erasure (“right to be forgotten”) | Ask us to delete your personal data in certain circumstances. This is not absolute: we may need to keep certain data to meet legal obligations (including AML record-keeping) or defend legal claims. |
| Right to restriction of processing | Ask us to temporarily stop processing your personal data, e.g. while we look into a rectification or objection request. |
| Right to object | Object to processing based on legitimate interests, or to direct marketing. Where you object to direct marketing, we will stop. |
| Right to data portability | Receive the personal data you provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract and carried out by automated means. |
| Rights relating to automated decision-making | See Section 6. |
| Right to withdraw consent | Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal. |
| Right to lodge a complaint | Lodge a complaint with your supervisory authority. See Section 16. |
How to exercise your rights. Write to privacy@skin.club, or use the in-platform data request form or the support chat in your account. You can request erasure by any of these channels. We may ask you to verify your identity before we respond; because erasure is permanent, we take additional steps to confirm your identity before carrying it out.
Response time. We respond within one month. We may extend this by up to two further months for complex or numerous requests, in which case we will tell you within the first month.
No charge. Exercising your rights is free. If a request is manifestly unfounded or excessive we may charge a reasonable fee or refuse it, with a clear explanation.
We use cookies, pixels, local storage and similar technologies to run the Platform, remember your preferences, understand how the Platform is used, and (with your consent) show you relevant advertising. Non-essential cookies are only set after you consent through our cookie banner. You can change your preferences at any time through the “Cookie settings” link in the Platform footer. Full details are in our Cookie Policy at https://skin.club/en/cookie-policy.
The Platform is for adults only. You must be at least 18 to register and use it. We do not knowingly collect personal data from anyone under 18. If we learn that we have, we will close the account and delete the data without undue delay, subject to legal-retention obligations. If you believe we have collected data from a minor, contact privacy@skin.club immediately.
We use technical and organisational measures to protect your personal data against unauthorised access, loss, alteration or disclosure, including:
Encryption of data in transit (TLS) and, for sensitive data, at rest.
Role-based access controls and least privilege.
Multi-factor authentication for staff access to systems processing personal data.
Vulnerability management, including periodic penetration testing.
Security monitoring, logging and alerting.
Confidentiality and data-protection commitments from staff and service providers.
Security-awareness training for staff who handle personal data.
An incident-response plan for personal-data breaches.
No system is completely secure. While we take security seriously, we cannot guarantee that personal data will never be accessed, disclosed or altered without authorisation. If you believe your account has been compromised, contact us immediately.
We may update this policy from time to time to reflect changes in our processing, in applicable law, or in our business. For material changes we will notify you in the Platform and, where appropriate, by email before they take effect. The date at the top shows when it was last updated.
Our lead supervisory authority in the EEA is the Cyprus Commissioner for Personal Data Protection. You may also lodge a complaint with the supervisory authority of the EU member state where you live, work, or where the alleged infringement took place. Where other privacy laws apply to our processing, we will honour rights granted to you under those laws; contact privacy@skin.club for more information.
If you have any questions, concerns or complaints about how we handle your personal data, please contact us first so we can address them:
Email: privacy@skin.club
Post: Moontain Limited, FAO Data Protection Officer, 13 Kypranoros Street, Office 205, 1061 Nicosia, Cyprus
You also have the right to lodge a complaint with a supervisory authority. Details of the Cyprus Commissioner for Personal Data Protection are at https://www.dataprotection.gov.cy.