Privacy Policy

Introduction

CSBoard ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.

TL;DR: We collect only what's necessary for the platform to work, including financial data for buy/sell transactions. We don't sell your data. Ever.

Data Controller

CSBoard, the operator of the websites csboard.com and csboard.trade, acts as the data controller for the personal data described in this Privacy Policy. CSBoard is operated by an unincorporated team while a formal legal entity is being established; this section will be updated with company name, registration number and registered address as soon as incorporation is completed. Until then, contact [email protected] for any data-protection inquiry.

1. Information We Collect

1.1 Steam Account Information

When you log in via Steam OpenID, we collect publicly available information:

• Steam ID — your unique Steam identifier
• Username — your Steam display name
• Avatar — your Steam profile picture

This is publicly available on Steam. We store it to provide our Service.

1.2 Trade URL

You may provide your Steam Trade URL to enable buy and sell functionality. It is optional for browsing, required for transactions. You can update or remove it at any time.

1.3 Inventory Data

When you provide a Trade URL, we fetch your CS2 inventory from Steam's public API:

• Item names, descriptions, and images
• Item condition (float values, wear level)
• Stickers, patterns, and other item attributes

We do not have custody of your items. We display information from Steam's API to facilitate purchases and price quotes.

1.4 Financial & Transaction Data

When you use the buy/sell, balance, or payout features, we collect and store:

• Account balance — current balance, balance history, and all changes
• Sale records — items sold to the Platform, prices received, timestamps, Steam trade offer IDs
• Purchase records — items bought from the Platform, prices paid, timestamps, Steam trade offer IDs
• Deposit records — amounts deposited, cryptocurrency type, payment provider transaction IDs, blockchain confirmations
• Withdrawal records — payout amounts, destination wallet addresses (partially masked in storage), processing status, completion timestamps
• Frozen balance records — freeze amounts, reasons, investigation status

1.5 User Activity Data

• Items listed for sale to the Platform
• Items watchlisted
• Comments and messages posted
• Last seen timestamp (for online status)
• Referral activity

1.6 Technical Data

• Cookies — JWT token for authentication (keeps you logged in)
• IP address — logged for security and fraud prevention
• Browser information — user agent, language preferences
• Analytics — anonymous usage statistics via Google Analytics (if enabled)

1.7 Communication Data

If you contact our support team, we store your messages, attachments, and our responses for quality assurance and dispute resolution.

KYC, AML and Identity Documents

When required by applicable law, by a payment processor, or where suspicious activity is detected, CSBoard may ask you to provide identity-verification documents in order to use, or to continue using, the Service:

• Government-issued photo ID (passport, national ID, driver's licence)
• Selfie holding the ID for liveness and same-person verification
• Proof of address (utility bill, bank statement, government correspondence — issued within the last 3 months)
• Proof of source of funds (recent payslip, bank statement, exchange withdrawal record, sale receipt)
• Proof of payment-instrument ownership (bank statement, card screenshot showing last four digits and your name)

These documents are processed for the sole purposes of identity verification, anti-money-laundering (AML) compliance, counter-terrorist-financing (CTF) compliance, sanctions screening, fraud prevention and meeting payment-processor requirements. They are stored in encrypted form, access is restricted to compliance personnel on a need-to-know basis, and are retained for the period required by applicable AML legislation (typically 5 years after the end of the business relationship). We may refuse to open or continue an account where doubts about the authenticity of provided documents cannot be resolved.

Transaction-Time Verification

In addition to data collected at registration, when you initiate a transaction we may collect and process:

• Your full name as it appears on your payment instrument
• IP address, browser fingerprint and operating system at the moment of the transaction
• Geolocation data inferred from IP, and where available from device sensors, Wi-Fi access points and cellular network signals (only when you have granted the corresponding browser permission)
• Documents evidencing the payment instrument used (receipt, bank notice, blockchain transaction hash)
• Behavioural-fraud signals (typing rhythm, navigation patterns) generated by anti-fraud middleware

We may suspend, delay or reverse a transaction and request additional verification at any time during processing. We may refuse access to the Service where good-faith doubts about the authenticity of any provided data cannot be resolved.

2. How We Use Your Information

• Service Delivery — displaying your profile, listings, and inventory
• Authentication — keeping you logged in securely
• Processing Transactions — executing buy/sell operations, crediting balance, processing payouts
• Fraud Prevention & AML — monitoring transactions for suspicious activity, preventing money laundering, detecting abuse patterns
• Price Calculation — using market data and item attributes to generate accurate price quotes
• Communication — support responses, transaction notifications, important service updates
• Dispute Resolution — investigating reported issues using transaction logs and trade history
• Service Improvement — understanding usage patterns to improve the platform
• Legal Compliance — meeting regulatory obligations for financial record-keeping

What We Do Not Do With Your Data

• We do not sell your personal data to any third party.
• We do not rent or licence your personal data to any third party.
• We do not use your personal data for third-party advertising or to build cross-site advertising profiles.
• We do not share your financial data with advertisers, marketing networks or data brokers.
• We do not track you across other websites that are not operated by CSBoard.

3. Financial Data Processing

Due to the financial nature of our buy/sell and balance features, we maintain detailed transaction records:

3.1 Payment Processors

Cryptocurrency deposits and withdrawals are processed through third-party payment providers (currently NowPayments). When you make a deposit or withdrawal, the following data is shared with the payment processor:

• Transaction amount and currency
• Destination wallet address (for withdrawals)
• Order/transaction reference ID

We do not share your Steam profile, inventory data, or activity data with payment processors.

3.2 Fraud Detection

We monitor transactions for patterns indicating fraud, abuse, or money laundering. This includes:

• Unusual transaction volumes or frequencies
• Rapid buy/sell cycles at manipulated prices
• Multiple accounts from the same IP or device
• Transactions associated with known fraudulent activity

If suspicious activity is detected, we may freeze your balance and request additional verification.

3.3 Auditing & Record-Keeping

All financial transactions are logged with timestamps, amounts, item details, and user identifiers for auditing purposes. These records are maintained in compliance with applicable financial regulations.

4. Data Storage & Security

Your data is stored securely on our servers. We implement:

• Encrypted connections (HTTPS/TLS)
• Encrypted database storage for sensitive financial data
• Wallet addresses partially masked in storage and display
• Access controls with role-based permissions
• Regular security monitoring and updates
• Authentication via Steam OpenID (no passwords stored)

No method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5. Data Sharing & Third Parties

5.1 Steam (Valve Corporation)

We use Steam OpenID for authentication and Steam's API for inventory data. See Steam's Privacy Policy for details on their data handling.

5.2 Payment Processors

Cryptocurrency transactions are processed through NowPayments. Only transaction-specific data (amount, currency, wallet address) is shared — not your profile or activity data. See NowPayments' Privacy Policy.

5.3 Other Users

Information you make publicly visible on the platform (comments, public profile fields) is visible to other users. Your Trade URL is not shared with other users. Your financial data (balance, transactions) is private and never shared with other users.

5.4 Analytics Providers

We may use Google Analytics for anonymous usage statistics. No personally identifiable information or financial data is shared with analytics providers.

5.5 Legal Requirements

We may disclose your information, including financial transaction records, if required by law, court order, or governmental authority, or to prevent fraud and protect the rights of CSBoard and its users.

Mergers, Acquisitions and Reorganisations

If CSBoard is involved in a merger, acquisition, asset transfer, reorganisation, financing, bankruptcy or sale of all or part of its assets, your personal data may be transferred to the relevant counterparty as part of that transaction. We will require any successor entity to honour the commitments made in this Privacy Policy or to provide you with notice and an opportunity to object before any material change in processing.

6. Your Rights (GDPR & Privacy)

You have the following rights regarding your personal data:

• Access — request a copy of the data we hold about you, including transaction history
• Rectification — update or correct your information via profile settings
• Erasure ("Right to be Forgotten") — request deletion of your account and associated data
• Data Portability — request your data in a machine-readable format
• Withdraw Consent — stop using the Service at any time

To exercise these rights, contact us at [email protected]

Response Window for Data-Subject Requests

We respond to data-subject requests (access, rectification, erasure, portability, restriction, objection) within **30 calendar days** of receipt, in line with GDPR Article 12. Where a request is particularly complex or where you submit multiple requests, this period may be extended by up to two further months; we will inform you of any such extension and the reasons within the initial 30-day window. We may request reasonable proof of identity before fulfilling the request to prevent unauthorised disclosure.

Manifestly unfounded or excessive requests (in particular repetitive requests) may be charged a reasonable fee or refused, in line with GDPR Article 12(5).

7. Cookies

• Authentication (Essential) — JWT token to keep you logged in. Required for the Service to function.
• Preferences — currency and language settings.
• Analytics (Optional) — Google Analytics for anonymous usage statistics. Can be disabled in browser settings.

Cookies — Detailed Categories and Opt-Out

We use the following categories of cookies and similar technologies. You can manage cookie preferences through the in-product cookie banner and through your browser settings.

Strictly necessary

Required for the Service to operate. Cannot be disabled without breaking the Service.

• csboard_auth — JWT authentication token (session lifetime)
• csboard_csrf — CSRF protection token
• csboard_locale — selected language (functional storage of preference)
• csboard_currency — selected display currency

Analytics & performance

Help us understand how users interact with the Service in aggregate. Loaded only after you accept analytics cookies in the banner.

• Google Analytics — opt-out: install the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout)
• Yandex.Metrika (when serving Russian-language users) — opt-out: https://yandex.com/support/metrica/general/opt-out.html

Functional

Remember non-essential preferences such as compact/comfortable density, dismissed banners, recently viewed items.

If you reject analytics or functional cookies, the Service remains usable but some preferences will not persist between sessions. More general information about cookies and how to control them is available at https://www.allaboutcookies.org/.

Minors and Parental Contact

The Service is restricted to users aged 18 and above. We do not knowingly collect personal or financial data from minors. We will not knowingly collect personally identifiable information from any child under 13.

If you are a parent or legal guardian and believe that a child under 18 has provided personal data to CSBoard, please contact us at [email protected]. We will promptly investigate and, where confirmed, delete the relevant data and close the account.

8. Children's Privacy

Our Service is restricted to users aged 18 and above. We do not knowingly collect personal or financial data from minors. If you are a parent or guardian and believe your child has used our Service, contact us immediately.

9. Data Retention

We retain different types of data for different periods:

• Account data — retained while your account is active. Deleted upon account deletion request.
• Listings & watchlists — removed upon account deletion.
• Financial transaction records — minimum 5 years after the transaction date, regardless of account status. Required for regulatory compliance and fraud prevention.
• Deposit & withdrawal records — minimum 5 years. Includes amounts, dates, and anonymized wallet information.
• IP address logs — 90 days, then automatically purged.
• Support conversations — 2 years after last interaction.
• Anonymized analytics — retained indefinitely for service improvement.

International Data Transfers — Detailed Disclosure

Your data may be processed and stored on servers and cloud infrastructure located in jurisdictions outside the European Economic Area (EEA), including the United States, United Kingdom, and other countries where our infrastructure providers operate.

• Where we transfer personal data of EEA, UK or Swiss residents outside their respective economic area, we rely on appropriate safeguards under GDPR Articles 44–49: Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Addendum, the Swiss-US Data Privacy Framework where applicable, or your explicit consent.
• Some destination jurisdictions may have data-protection laws that are less strict than those of your country of residence. By using the Service, you acknowledge this and consent to such transfer where it is necessary for the performance of our contract with you.
• A copy of the relevant safeguards (e.g. signed SCCs) can be requested at [email protected].

10. International Data Transfers

Your data may be processed and stored on servers located outside your country of residence. By using the Service, you consent to the transfer of your data to other jurisdictions. We ensure that appropriate safeguards are in place for international transfers.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified via a prominent notice on the Platform or by email. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

12. Third-Party Links

Our Service may contain links to third-party websites (Steam Community, payment provider pages, external guides). We are not responsible for their privacy practices. Review their privacy policies before providing personal information.

13. Contact Us

For questions, concerns, or data requests: