1. Introduction
Second Turn Games SIA ("we", "our", or "us") operates the Second Turn Games marketplace platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws in Latvia and the European Union.
Data Controller
| Company | Second Turn Games SIA |
| Registration | 50203665371 |
| Address | Evalda Valtera 5-35, Riga, LV-1021, Latvia |
| Privacy Contact | info@secondturn.games |
2. What Personal Data We Collect
2.1 Account Registration Data
When you create an account, we collect:
- Email address (required) - for account identification, sign-in links, and communication
- Full name (required) - displayed on your profile
- Country (required) - for marketplace localization and regulatory compliance
- Profile picture (optional) - if you upload an avatar
We need your email to send you sign-in links and order updates. Your name, picture, and country appear on your profile so other users know who they are dealing with.
Legal Basis: Contract performance (GDPR Article 6(1)(b)) - necessary to provide marketplace services.
2.2 Seller Verification Data
When you register as a seller and approach regulatory thresholds, additional information is collected:
- Seller status declaration - confirmation that you are selling as a private individual
- Phone number (required) - collected during seller onboarding for parcel terminal notifications and saved to your profile
- Date of birth - for identity verification and DAC7 reporting
- Primary address - for identity verification and DAC7 reporting
- Tax Identification Number (TIN) - collected when you approach DAC7 reporting thresholds
- Bank account details (IBAN) - collected when you request your first withdrawal
Legal Basis: Legal obligation (GDPR Article 6(1)(c)) - compliance with EU DAC7 tax reporting requirements and payment services regulations, and Contract performance (GDPR Article 6(1)(b)) for shipping facilitation.
2.3 Listing Data
When you create a listing to sell a board game, we collect:
- Game information - name, version, publisher, language, condition
- Photos - images of the game (we automatically strip EXIF metadata, including GPS location)
- Price and shipping options
- Condition notes and descriptions - free-text fields you provide
Legal Basis: Contract performance (GDPR Article 6(1)(b)) - necessary to facilitate sales.
2.4 Transaction & Payment Data
When transactions occur through our platform, we collect transaction records, sale amounts, and shipping selections.
- Buyer Phone Number - collected at checkout so the parcel terminal can send you the locker PIN code when your game arrives. You have the option to save this to your profile for future purchases.
Payment Mandate: For Claim this game transactions, Second Turn Games acts as the seller's authorized commercial agent. To execute this mandate, we collect and process transaction data to securely receive the buyer's payment on the seller's behalf. Payment information is processed directly by our payment partner (EveryPay); we do not see or store your full card details.
Legal Basis: Contract performance (GDPR Article 6(1)(b)) - necessary to execute our commercial agent mandate, facilitate transactions, and ensure delivery - and legal obligation (GDPR Article 6(1)(c)).
2.5 Messaging Data
When you communicate with other users:
- Message content - all messages you send and receive
- Conversation metadata - participants, related listing, timestamps
- Read status - whether messages have been read
Do not share sensitive personal information (like your home address or phone number) in messages. We cannot control what happens to information you share with other users.
Legal Basis: Contract performance (GDPR Article 6(1)(b)).
2.6 Security and Login Activity Data
For security and fraud prevention, we automatically collect:
- IP address & Geolocation - your connection's IP address and derived country/city
- Device information - browser type, operating system, device type
- Login timestamps - when you sign in
Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - protecting our users and platform from fraud. This data is retained for 30 days and then automatically deleted.
2.7 Technical Data
We use a small number of cookies to make the platform work. For full details on the data collected and your choices, please see our Cookie Policy.
3. How We Use Your Personal Data
We use your personal data to:
- Create and manage your account
- Display your game listings to potential buyers
- Facilitate communication between buyers and sellers
- Execute our mandate as a commercial agent to securely receive and route buyer payments to sellers
- Generate shipping labels through Unisend SIA
- Send transactional emails (order notifications, shipping updates)
- Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations, including DAC7 tax reporting
- Improve our platform (with your consent for analytics)
We never sell your personal data to third parties. We never use your data for marketing without your explicit consent.
4. Third-Party Services (Data Processors)
We use trusted third-party services to operate our platform. These services process your data on our behalf under Data Processing Agreements (DPAs) that ensure GDPR compliance.
| Service | Purpose | Data Shared |
|---|---|---|
| EveryPay | Payment processing (executing our payment mandate) under EU PSD2 regulations. | Name, email, transaction data |
| Unisend SIA | Parcel delivery between Baltic parcel terminals. | Names, phone numbers, terminal selections |
| Supabase | Backend infrastructure (database, authentication, storage). | Account info, listings, messages, photos |
| Resend | Transactional email delivery. | Email addresses, names, order info |
| Vercel | Website hosting and analytics (with consent). | Server logs, performance metrics |
| Cloudflare | Security and bot protection. | IP address, browser fingerprint |
(Note: We also use BoardGameGeek and MapLibre/Carto, but no personal data is shared with them - only game IDs and map tile requests).
5. Tax Authority Data Sharing (DAC7)
Under EU Council Directive 2021/514 (DAC7), we are legally required to report seller information to the Latvia State Revenue Service (VID) - but only for sellers who exceed specific annual sales or revenue thresholds.
This applies to all EU platforms (eBay, Vinted, Etsy). If you already pay taxes on your income honestly, this changes nothing for you. If you are just clearing out your personal game shelf, you will likely never hit these thresholds.
If you approach the reporting thresholds, we will notify you and request your Tax Identification Number (TIN). If you exceed the thresholds, we report your data to VID, which is automatically exchanged with tax authorities in your country of residence.
For current reporting thresholds, plain-language examples, and a detailed breakdown of what data is reported, see our DAC7 Tax Reporting Guide.
Legal Basis: Legal obligation (GDPR Article 6(1)(c)). We cannot refuse to report this data or delete it upon request.
6. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account, plus 90 days |
| Listings & Messages | Until deleted by the user or upon account deletion |
| Transaction records | 7 years (legal requirement for tax/accounting) |
| DAC7 reported data | 7 years from reporting date |
| Login activity | 30 days |
We keep your account data until you delete it. Transaction records stick around for 7 years because tax law requires it - even if you delete your account.
7. Your Rights Under GDPR
You have the right to:
- Access (Article 15): View your profile data, listings, and login activity.
- Data Portability (Article 20): Download your data in a machine-readable format.
- Rectification (Article 16): Edit your profile information at any time.
- Erasure (Article 17): Delete your account (excluding legally mandated transaction records).
- Object (Article 21): Object to processing based on legitimate interest (e.g., analytics).
- Lodge a Complaint: File a complaint with the Latvian Data State Inspectorate (DVI) at dvi.gov.lv.
To exercise your rights, contact info@secondturn.games. We will respond within 30 days.
8. Data Security & International Transfers
We protect your data with HTTPS/TLS encryption in transit, AES-256 encryption at rest, Row-Level Security, HTTP-only authentication cookies, rate limiting, and EXIF data stripping for uploaded photos.
Your data is primarily stored in the European Union (Stockholm, Sweden). Some service providers are US-based but have certified compliance with EU-US data transfer frameworks and standard contractual clauses.
9. Age Requirements
- You must be at least 16 years old to use the Platform.
- You must be at least 18 years old to sell using our Claim this game feature (required by payment regulations).
We do not knowingly collect personal data from anyone under 16. If you believe someone under 16 has created an account, please contact us.
10. Contact Us
| For | Details |
|---|---|
| General support | info@secondturn.games |
| Address | Second Turn Games SIA, Evalda Valtera 5-35, Riga, LV-1021, Latvia |