Legal

Privacy Policy

Last updated: May 2026

This Privacy Policy explains what information PUB CDK Store ("we," "us," or "our") collects when you use our website, what we do with it, who we share it with, and what rights you have over your data. We try to keep this document plain and readable. If anything is unclear, contact us via the Contact page and we will explain.

This policy applies to everyone who uses our site, regardless of location. We aim to meet the standards required by GDPR (European Economic Area and United Kingdom), PIPEDA (Canada), CCPA / CPRA (California), and the general principles of consumer privacy law worldwide.

1. Information we collect

We only collect information that is necessary to operate the store, verify payments, deliver your CDK codes, prevent fraud, and meet our legal obligations.

1a. Account information

  • The email address you register with
  • A password, which we store only in securely hashed form
  • A unique account identifier generated by us

We never store your password in plain text. Passwords are hashed before storage, so they cannot be read by us or recovered if our records were ever exposed.

1b. Order and transaction information

  • Products purchased, quantities, and order totals
  • Payment method selected (Stripe, Interac e-Transfer, USDC)
  • Stripe checkout session ID (for card payments)
  • Interac e-Transfer reference code (if used)
  • USDC reference code, chain selected, receiving wallet snapshot, and transaction hash (if used)
  • Coupon codes applied, if any
  • Order notes you voluntarily provide (e.g. your in-game username)
  • Timestamps of order creation, payment confirmation, and code delivery

1c. Fraud prevention and dispute evidence

To protect both buyers and our business from payment fraud and wrongful chargebacks, we log the following technical information at the time of checkout:

  • IP address used to place the order
  • Browser and device characteristics (user agent, screen size, timezone, language settings)
  • Approximate geographic region inferred from the IP address (country and region only, not precise location)
  • Date and time of each significant order event

This data is used solely to (a) match orders to legitimate buyers in case of a payment dispute, (b) detect patterns of fraudulent activity, and (c) provide evidence to card networks and payment processors when we contest a dispute. It is never used for advertising, profiling, or any purpose unrelated to fraud prevention.

1d. Site analytics

We collect anonymous, aggregated statistics about how visitors use the site (e.g. page views, click-through rates on product listings, which payment methods are most popular). This data cannot be tied back to an individual account.

2. Information we do not collect

  • Your password in plain text. Passwords are stored only as secure hashes
  • Full credit card numbers, CVCs, or expiry dates. These are entered directly on Stripe's hosted checkout and never touch our servers
  • Bank account numbers or financial credentials
  • Private cryptocurrency wallet keys or seed phrases. We only ever receive public addresses and transaction hashes
  • Government-issued ID, social security numbers, or tax identifiers
  • Health information, biometric data, or any other sensitive special category data

3. How we use your information

We use the information we collect strictly for these purposes:

  • Creating and maintaining your account
  • Processing your orders and delivering CDK codes via email. We use email to ensure delivery, because on-site delivery could be hacked or leaked
  • Communicating with you about your specific orders (delivery, refunds, support requests)
  • Verifying payments through our payment processors
  • Detecting and preventing fraud, including defending against fraudulent chargebacks
  • Complying with tax, accounting, and other legal obligations
  • Improving the site through aggregated analytics

We do not use your information for behavioral advertising, profiling for marketing purposes, training AI models, or any purpose that you have not consented to or that is not strictly necessary to operate the service.

4. Third parties we share data with

We share the minimum data necessary with the following service providers. None of them are authorized to use your data for any purpose other than providing services to us:

  • Resend: delivers our account verification and password-reset emails. They process the recipient email address solely to send these messages.
  • Stripe: processes card payments. They receive your name, email, billing address, card information, and order amount when you check out with a card. Stripe is PCI-DSS Level 1 certified.
  • Our SMTP / email provider: delivers transactional emails (order confirmations, CDK code delivery, payment instructions). They receive your email address and the contents of the email being sent.
  • Our hosting provider: runs our servers and database. They have access to data only insofar as it is necessary to operate the infrastructure.
  • Public blockchain networks (only if you pay with USDC): when you initiate a USDC payment, the transaction is recorded on a public blockchain (Ethereum, Base, Polygon, Arbitrum, or Solana). The blockchain is public by design. We do not control what data is publicly visible on-chain.

We may also disclose information when required by law, valid legal process, or to protect the rights, property, or safety of our company, our users, or others.

We do not sell your data. We do not rent it, trade it, or share it with advertisers or data brokers. This is a hard commitment, not a marketing claim.

5. How long we retain your data

  • CDK codes themselves are purged from our active systems within 30 days of delivery. Your order history still shows that a code was delivered, but the code value itself is no longer stored.
  • Order metadata (date, product, amount, payment method, anonymized buyer identifier) is retained for seven years to meet tax reporting and audit requirements.
  • Fraud-prevention logs (IP, device characteristics) are retained for 180 days unless an active dispute requires longer retention.
  • Account information (name, email, profile picture) is retained for as long as your account is active. If you request account deletion, this is removed within 30 days, subject to the seven-year retention requirement for order metadata noted above.
  • Anonymous analytics are retained indefinitely in aggregated form, since they cannot be tied back to you.

6. Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: ask us to fix data that is inaccurate
  • Deletion: request that we delete your account and associated data (subject to our legal retention requirements)
  • Portability: request your data in a portable, machine-readable format
  • Restriction: ask us to limit how we use your data
  • Objection: object to specific uses of your data
  • Withdrawal of consent: withdraw consent at any time without affecting the lawfulness of prior processing
  • Complaint: lodge a complaint with your local data protection authority if you believe we have violated your rights

To exercise any of these rights, contact us via the Contact page. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

7. Cookies and similar technologies

We use a small number of cookies, all of them strictly necessary to operate the site:

  • An authentication session cookie set by Auth.js when you sign in
  • A CSRF protection token to prevent cross-site request forgery
  • A cart-persistence cookie so your cart survives a page refresh

We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies.

8. Security

We protect your data using industry-standard measures including encrypted connections (HTTPS/TLS) for all traffic, encrypted storage of sensitive fields in our database, role-based access controls, secure session management, and routine review of our security practices. No system is perfectly secure, but we take this responsibility seriously and treat any incident accordingly. If a breach occurs that materially affects your data, we will notify affected users within 72 hours of discovery, in accordance with GDPR and similar standards.

9. Children

Our service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. International transfers

Our servers and service providers may be located outside your country of residence. By using our service, you understand that your data may be processed in jurisdictions with different data protection laws than your own. Where applicable, we rely on Standard Contractual Clauses or equivalent legal mechanisms for international transfers.

11. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, services, or applicable law. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify affected users by email or by a prominent notice on the site. Continued use of the service after a change indicates acceptance of the updated policy.

12. Contact

Questions about this policy, requests to exercise your rights, or any other privacy-related concern can be sent through the Contact page. We aim to respond within three business days for routine inquiries and within 30 days for formal data-protection requests.