Last updated · April 27, 2026
This Privacy Policy explains how stash.trade (the "Service", "we", "us") processes personal data when you use d4.affix.trade and related domains. It is written to comply with the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the EU Digital Services Act (Regulation 2022/2065) and Polish data-protection law. Sign-in or use of the Service constitutes acceptance of this Policy.
01 Controller and contact
The data controller is the operator of stash.trade (the legal entity behind the affix.trade brand). Until we publish full company details on this page, you can reach the controller for any privacy-related request — including GDPR rights — through our contact form. Please mark privacy requests as "Privacy / GDPR" so we can route them to the right person.
02 Data we collect
We process only what is necessary to run the marketplace:
- Account data from sign-in providers — when you sign in with Battle.net or Discord we receive your provider user ID, BattleTag or Discord username, public avatar URL and (for Discord) the public part of your profile. We do not receive your password or email unless the provider includes it.
- Profile preferences — theme, parallax setting, sound toggle, watch list and similar non-sensitive UI state.
- User-generated content — listings, services, in-app messages, support-ticket messages and any screenshots or attachments you upload (e.g. item screenshots used by our OCR feature).
- Security and abuse logs — for each sign-in we record the IP address, user-agent string, identity provider used and whether the attempt succeeded. For sensitive actions we may also store the IP of the actor.
- Moderation data — when you report a user, listing, conversation or message we store the report, the referenced content, your identity as the reporter and any administrative actions taken in response.
- Technical data — strictly necessary cookies (session, CSRF, consent state) and basic request metadata. See the Cookie Policy for the full list.
We do not knowingly collect special categories of personal data (health, biometrics, political views, etc.) and we ask you not to submit such data through listings, messages or tickets.
03 Purposes and legal bases
We process your data on the following legal bases under GDPR Article 6(1):
- Contract (Art. 6(1)(b)) — to provide the Service: account, listings, messaging, watch list, support tickets, OCR-assisted listing creation.
- Legitimate interest (Art. 6(1)(f)) — to keep the Service safe and trustworthy: detecting fraud, scams, spam, multi-accounting and abuse; investigating reports; protecting infrastructure; producing aggregated, non-identifying usage statistics. You may object to processing based on legitimate interest at any time (see "Your rights" below).
- Consent (Art. 6(1)(a)) — for non-essential cookies and, in the future, advertising personalization where it is required. Consent is collected through the cookie banner and can be withdrawn at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)) — to respond to lawful requests from authorities, to comply with the Digital Services Act (notice-and-action, statement of reasons, transparency reporting) and tax / accounting law where applicable.
04 Recipients and sub-processors
We share personal data only with service providers who help us operate stash.trade and only to the extent necessary. Current sub-processors:
- Cloud hosting provider (United States) — application hosting, edge delivery, request logs.
- Managed database provider — PostgreSQL hosting for application data.
- AI vision API provider (United States) — processes item screenshots for OCR-assisted listing creation. Screenshots are sent only when you trigger OCR. The provider operates under an enterprise API agreement that prohibits using inputs to train public models.
- Blizzard Entertainment, Inc. (Battle.net OAuth) — authentication only.
- Discord Inc. — authentication and avatar hosting only.
- Web font provider — serves typefaces used by the interface (delivered without setting tracking cookies on our domain).
- Advertising network — may be enabled in the future to display ads. If so, the cookie banner will require your prior consent and the network will act as an independent controller for advertising data under its own privacy notice.
We do not sell or rent personal data. We do not share message content with third parties unless required by a court order or other binding legal request.
05 International transfers
Some of the sub-processors listed above are located outside the European Economic Area (EEA), primarily in the United States. Where such transfers take place, they are protected by appropriate safeguards under GDPR Chapter V — typically the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework. You may request a copy of the relevant safeguards through our contact form.
06 Retention periods
We keep personal data only for as long as needed for the purpose it was collected for, and then delete or anonymise it. Indicative retention periods:
- Account profile (BattleTag, avatar URL, preferences) — for the lifetime of your account.
- Listings and services — until you delete them or your account is deleted.
- In-app messages — until you delete the conversation or your account is deleted; deleted with the account.
- Support tickets and reports — up to 3 years from closure, to allow handling of related disputes and to comply with limitation periods under Polish civil law.
- Login & security logs (IP, user-agent, provider, success flag) — up to 12 months, then deleted or anonymised.
- OCR processing logs (token usage, cost, error category, no image content) — up to 90 days for cost monitoring and abuse prevention.
- Soft-deleted accounts — anonymised or hard-deleted within 30 days of deletion request, except where a longer period is required by law (e.g. ongoing fraud investigation, accounting obligations).
- Database backups — rolling backups are retained up to 35 days and are then overwritten.
07 Your rights
Under GDPR you have the right to:
- Access (Art. 15) — obtain confirmation of processing and a copy of your data.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your account and personal data.
- Restriction (Art. 18) — limit processing in certain circumstances.
- Data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interest, including for moderation analytics.
- Withdraw consent (Art. 7) — for processing based on consent (e.g. non-essential cookies), at any time.
- Complaint — lodge a complaint with the Polish data-protection authority (Prezes Urzędu Ochrony Danych Osobowych, uodo.gov.pl) or the supervisory authority in your country of residence.
To exercise any of these rights, use our contact form and we will respond within one month. We may need to verify your identity before acting on a request.
08 Account deletion
You can request deletion of your account at any time through the contact form. A self-service "Delete account" button will be added to user settings. On deletion we anonymise or remove your profile data, listings, services, messages and watch list. Data we are legally required to keep — such as moderation records of confirmed Terms violations or transactional logs — is retained for the periods set out above and then deleted.
09 Cookies and similar technologies
stash.trade uses strictly necessary cookies (sign-in session, CSRF protection, consent state) and your browser's local storage for preferences. Where non-essential technologies — such as analytics or advertising — are used, we ask for your consent through the cookie banner first. See the Cookie Policy for the complete list.
10 Security
We apply technical and organisational measures appropriate to the risk: HTTPS in transit, encrypted database storage, scoped access for staff, rate limiting on sensitive endpoints, password-less OAuth sign-in (we never see your provider password) and audit logging of administrative actions. No online service is perfectly secure; please use a unique, strong password on your identity provider and enable two-factor authentication there.
11 Children
stash.trade is intended for users aged 13 and over. We do not knowingly process data of children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it. Note that the Diablo® IV game itself is rated PEGI 18 — please check the rating in your jurisdiction before playing.
12 Automated decision-making
We use automated systems for spam and abuse detection, rate limiting and OCR-assisted listing creation. These systems do not make decisions that produce legal effects on you without human review — every account block, listing removal or report outcome is reviewed by a human moderator before becoming final.
13 Changes to this Policy
We may update this Policy when we add features, add sub-processors or change how we use data. The "Last updated" date at the top of this page reflects the latest revision. For material changes we will display a notice in the application before the change takes effect.
14 Contact
For privacy questions or to exercise your rights, please use our contact form.