1. Introduction & Scope

This Privacy Policy ("Policy") describes how Sidemarket LLC ("Sidemarket," "we," "us," or "our") collects, uses, shares, and protects personal data when you access or use the Sidemarket platform, including our website at sidemarket.io and all related services (collectively, the "Platform"). 

By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with the practices described herein, you should not use the Platform. 

This Policy applies to all users of the Platform, including buyers, sellers, and visitors, regardless of geographic location. Where specific rights apply based on your jurisdiction, such as the European Union, the United Kingdom, California, or Türkiye, those rights are detailed in Section 11. 

This Policy also applies, to the extent relevant, to individuals who interact with the Platform without creating an Account ("Visitors"), such as persons who browse public listings, visit the Platform through a shared link, or whose personal data such as IP address or device information is automatically collected through cookies and security services when they access the Platform. Visitor data is processed only for the purposes disclosed in this Policy, including Platform security, analytics, and fraud prevention, and on the legal bases described in Section 5. Where a registered user refers or invites a non-registered individual to the Platform, any personal data provided in connection with that referral is used solely to facilitate the referral and is not retained beyond what is necessary for that purpose. 

This Policy forms part of the Agreements as defined in our Terms of Service, alongside the Cookie Policy, and the Data Processing Addendum where applicable. 

2. Data Controller Information

Sidemarket LLC is a limited liability company organized under the laws of the State of Delaware, United States. For the purposes of applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and the Turkish Personal Data Protection Law ("KVKK," Law No. 6698), Sidemarket LLC acts as the data controller responsible for your personal data. 

Data Controller: 

Sidemarket LLC 
131 Continental Dr Suite 305
Newark, DE 19713 
United States of America 
Contact: privacy@sidemarket.io 

Data Protection Contact: 

Sidemarket has designated a data protection contact point for all privacy-related inquiries. Until such time as the appointment of a Data Protection Officer is required under applicable law, all data protection matters may be directed to: privacy@sidemarket.io. 

If you have any questions or concerns regarding the processing of your personal data, you may contact us at the address above or as set forth in Section 15. 

3. Personal Data We Collect

We collect and process the following categories of personal data. 

3.1 Account Data

When you create an account on the Platform, we collect data through Google OAuth authentication, including your name, email address, profile photograph, and Google account identifier. 

3.2 Verification Data

To ensure the integrity and safety of transactions on the Platform, we facilitate identity verification through Stripe Identity (Know Your Customer, or "KYC") and phone verification through SMS verification. The KYC process may require you to submit a government-issued photo identification document and a selfie photograph for document-to-person matching. Biometric data, including facial imagery used for identity matching, is collected, processed, and stored exclusively by Stripe Identity on Stripe's infrastructure. Sidemarket does not receive, store, or have direct access to biometric data at any point. Sidemarket receives only the verification result (pass/fail), your full legal name, date of birth, and verification status. Phone number and SMS verification data is processed through our SMS verification provider. For details on Stripe's processing of biometric data, please refer to Stripe's Privacy Policy (https://stripe.com/privacy). 

3.3 Transaction Data

When you engage in transactions on the Platform, we collect data related to those transactions, including listing details, transaction amounts, payment status and payout schedule information, payment method information, bank transfer details (processed through Stripe Connect), payout information, transaction history, and dispute evidence submitted by either party in connection with a transaction dispute under our Terms of Service. 

3.4 Usage Data

We automatically collect data about how you interact with the Platform, including IP addresses, browser type and version, device type and identifiers, operating system, pages visited, features used, clickstream data, session duration, referring URLs, and analytics data collected through Cloudflare analytics tools.

3.5 Communication Data

When you communicate with other users through the Platform's messaging system, we collect the content of those messages, timestamps, message metadata, and associated file attachments. We also collect data from communications you send directly to us, such as support requests or feedback. 

3.6 Integration & Verification Data

When you connect third-party accounts to verify ownership or revenue associated with a listing, we collect OAuth tokens and related data from the following integrations: Google Analytics, Google AdMob, Google AdSense, App Store Connect, Google Play Console, Shopify, RevenueCat, Adapty, and DNS records. Sidemarket may add support for additional third-party verification integrations from time to time, which will be reflected on the Platform and in updates to this Privacy Policy. This data is used solely for the purpose of verifying listing claims and is handled in accordance with the applicable third-party terms of service. 

3.7 Compliance & Enforcement Data

In connection with our regulatory compliance obligations, dispute resolution processes, and Platform enforcement activities, we collect and process data including sanctions screening results (processed by Stripe), anti-money laundering (AML) verification data, non-payment strike records, account enforcement actions, dispute evidence and determinations, and reports filed through the Platform's reporting system. 

4. How We Collect Data

4.1 Data You Provide Directly

We collect personal data that you voluntarily provide when you create an account, complete identity verification, create or interact with listings, communicate with other users, connect third party integrations, submit dispute evidence, file reports through the reporting system, upload media (images in JPEG, PNG, or WebP format, up to 10 MB per file), or contact our support team. 

4.2 Data from Third Parties

We receive personal data from third-party services that you authorize, including Google (via OAuth authentication), Stripe (identity verification, sanctions screening, AML compliance, and payment processing via Stripe Connect), and the third-party platforms listed in Section 3.6 when you connect them for verification purposes. 

4.3 Data Collected Automatically

We automatically collect certain data when you use the Platform through cookies, web beacons, Cloudflare security and analytics services, server logs, and similar technologies. This includes usage data, device information, and information necessary for security and fraud prevention. For details on cookies and similar technologies, please see our Cookie Policy. 

Sidemarket honors Global Privacy Control (GPC) browser signals as a valid opt-out request under the California Consumer Privacy Act (CCPA/CPRA) and other applicable US state privacy laws. When we detect a GPC signal from your browser, we treat it as a request to opt out of the sale or sharing of personal information associated with that browser. We also recognize GPC signals as a valid means of withdrawing consent to the sale or sharing of personal information on behalf of the user. Sidemarket does not currently respond to Do Not Track (DNT) browser signals, as there is no industry-standard protocol for interpreting or responding to DNT signals. However, because Sidemarket does not engage in cross-context behavioral advertising or sell personal data to third parties, the practical effect is that your data is not tracked across third-party sites regardless of your DNT setting. 

5. Legal Bases for Processing

Where applicable under the GDPR, UK GDPR, and KVKK, we process your personal data on the following legal bases. 

5.1 Contractual Necessity

Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes processing required to provide the Platform's services, facilitate transactions, manage payout schedules through Stripe Connect, maintain your account, and administer dispute resolution processes as described in our Terms of Service. 

5.2 Legitimate Interests

Processing is necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. We have conducted balancing assessments for each legitimate interest relied upon, weighing the necessity of the processing against the potential impact on your rights and freedoms. Our legitimate interests include fraud detection and prevention, platform security, service improvement, enforcement of our Terms of Service (including non-payment strike tracking and prohibited conduct enforcement), and the protection of the rights, property, and safety of Sidemarket, our users, and the public. You may request a copy of our legitimate interest assessments by contacting us at privacy@sidemarket.io. 

5.3 Legal Obligation

Processing is necessary for compliance with a legal obligation to which we are subject, including obligations under tax law, anti money laundering regulations, economic sanctions regulations (including OFAC compliance), mandatory reporting obligations (including reporting child sexual abuse material to the National Center for Missing & Exploited Children as required by 18 U.S.C. Section 2258A), and applicable consumer protection statutes. 

5.4 Obligation to Provide Data

Certain personal data is required as a contractual or regulatory necessity to use the Platform. Specifically, Account Data (name and email) is required to create an Account. Without it, you cannot access the Platform. KYC Verification Data is required to list Digital Assets or complete Transactions. Without it, these features will be unavailable. Transaction Data is required to process payments. Without it, transactions cannot proceed. Providing other data such as integration verification data, optional profile information, or messaging content is voluntary, but not providing it may limit your ability to use certain Platform features. 

5.5 Consent

Where required by applicable law, we process certain categories of personal data based on your freely given, specific, informed, and unambiguous consent. You may withdraw your consent at any time by contacting us at privacy@sidemarket.io, without affecting the lawfulness of processing based on consent before its withdrawal. 

6. How We Use Your Data

We use your personal data for the following purposes. We use your personal data to operate, maintain, and deliver the functionality of the Platform, including account creation, listing management, search, and matchmaking between buyers and sellers. We use your data to facilitate transactions through Stripe Connect, including managing payout schedules, processing the Platform Fee, and coordinating asset transfers between buyers and sellers. Sidemarket does not hold transaction funds in its own account; all funds are processed through Stripe's payment infrastructure, and Sidemarket controls only the timing of payouts from the Seller's Stripe Connect connected account to their external bank account. 

We use your data to conduct identity verification (KYC) through Stripe Identity and phone verification via SMS, and to verify listing claims through third-party integrations, in order to establish trust and reduce fraud. We send you service-related notices, transaction updates, security alerts, and support responses, and enable user-to-user messaging. We monitor for, detect, and prevent fraudulent activity, unauthorized access, and other harmful conduct, including through the use of Cloudflare security services and Stripe's compliance infrastructure. 

We analyze usage patterns, conduct research, and improve the features, functionality, and user experience of the Platform, including through analytics data collected via Cloudflare. We comply with applicable legal and regulatory requirements, including tax reporting obligations, anti-money laundering laws, economic sanctions regulations (including OFAC), mandatory reporting of child exploitation material to NCMEC and law enforcement, and lawful requests from governmental authorities. 

We enforce our Terms of Service, this Privacy Policy, and other agreements, including administering dispute resolution processes, maintaining non-payment strike records, enforcing prohibited conduct rules, and protecting the rights, property, and safety of Sidemarket, our users, and the public. We review evidence submitted by parties to a transaction dispute, issue binding dispute determinations for Platform purposes, and administer refund and asset-return processes as described in our Terms of Service. We send communications on behalf of verified users to facilitate connections between potential buyers and sellers, including notifications of buyer interest in listed or off-market Digital Assets. Such communications are sent only to registered Platform users and are based on Platform activity, listing preferences, or expressed acquisition interests. You may opt out of receiving introduction related communications at any time through your account settings or by using the unsubscribe mechanism included in each communication. 

The following table maps each processing purpose to its primary legal basis under the GDPR. Providing Services relies on Contractual Necessity (Art. 6(1)(b)). Processing Transactions relies on Contractual Necessity (Art. 6(1)(b)). Verifying Identities (KYC) relies on Legal Obligation (Art. 6(1)(c)) and/or Contractual Necessity (Art. 6(1)(b)). Communicating with You relies on Contractual Necessity (Art. 6(1)(b)). Detecting and Preventing Fraud relies on Legitimate Interests (Art. 6(1)(f)). Improving the Platform relies on Legitimate Interests (Art. 6(1)(f)). Complying with Law relies on Legal Obligation (Art. 6(1)(c)). Enforcing Our Terms relies on Legitimate Interests (Art. 6(1)(f)). Resolving Disputes relies on Contractual Necessity (Art. 6(1)(b)) and/or Legitimate Interests (Art. 6(1)(f)). Facilitating Buyer-Seller Introductions relies on Legitimate Interests (Art. 6(1)(f)) and/or Consent (Art. 6(1)(a)) where required.

6.1 Advertising and Marketing Communications

Sidemarket does not currently engage in interest-based advertising, share personal data with advertising networks, or use tracking pixels or SDKs from third-party advertising platforms such as Facebook Pixel, Google Ads, or similar services. We do not sell, share, or disclose personal data to third parties for cross-context behavioral advertising purposes. 

Sidemarket may send you service-related communications such as transaction updates, security alerts, and Platform announcements and, where you have opted in or where permitted under applicable law, marketing communications about Platform features, new listings matching your expressed interests, or buyer-seller introductions. You may opt out of marketing communications at any time through your account settings or by using the unsubscribe mechanism in each communication. Opting out of marketing communications does not affect service-related communications that are necessary for the operation of your Account. 

Should Sidemarket introduce advertising or third-party marketing integrations in the future, we will update this Policy, disclose the specific advertising partners and purposes, and obtain your consent where required by applicable law, including GDPR, UK GDPR, KVKK, and CCPA/ CPRA. 

7. Data Sharing & Third-Party Processors

We share personal data with third-party service providers who process data on our behalf, subject to contractual obligations that require them to protect your data in a manner consistent with this Policy. We do not sell your personal data to any third party. 

Supabase is used for authentication (Google OAuth) and database hosting. Stripe is used for payment processing via Stripe Connect (including payout schedule management), identity verification (KYC via Stripe Identity), sanctions screening (OFAC), and anti-money laundering (AML) compliance. Stream.io is used for real-time user-to-user messaging and chat functionality. Cloudflare is used for website hosting, content delivery network (CDN), media storage, rate limiting, bot management, and analytics. Sendly is used for SMS verification for phone number verification. Resend is used for transactional email delivery. Google APIs are used for OAuth authentication, Google Analytics, Google AdMob integration, Google AdSense integration, and Google Play Console verification. Apple is used for App Store Connect verification for listing claims. Shopify is used for revenue and store verification for listing claims. RevenueCat is used for revenue verification for subscription-based listing claims. Adapty is used for revenue verification for subscription-based listing claims. This list of service providers may be updated from time to time as we integrate additional platforms or replace existing ones. Any material changes to the processors we use will be reflected in this Policy in accordance with Section 14. 

Escrow and Transaction Facilitation Services 

Sidemarket currently facilitates all Transaction payments exclusively through Stripe Connect, as described in Section 9.1 of our Terms of Service. Sidemarket does not currently use a separate escrow service provider. If Sidemarket introduces escrow or additional transaction facilitation services in the future, the relevant service providers will be added to the processor list above, and this Policy will be updated to disclose the categories of personal data shared with such providers, the purposes of sharing, and the applicable safeguards. Any such changes will be communicated in accordance with Section 14 (Changes to This Policy). 

7.1 Data Sharing Between Transaction Parties

As part of the buying and selling process on the Platform, Sidemarket facilitates the sharing of certain personal data between the Buyer and Seller involved in a Transaction. By initiating or accepting an Offer, you direct Sidemarket to share your information with the other party as necessary to facilitate the Transaction. 

Data shared with the transaction counterparty may include your display name, account verification status, and communication data exchanged through the Platform's messaging system. Upon completion of a Transaction, the Buyer may also receive access to Digital Asset credentials, analytics data, financial records, and other information associated with the transferred asset, as described in the Listing. 

Sidemarket will not disclose your email address, phone number, physical address, government identification details, payment method details, or Stripe account information to the other party in a Transaction, unless you voluntarily share such information through the Platform's messaging system. 

Your use of any personal data received from a transaction counterparty is governed by the confidentiality obligations set forth in Section 17 of our Terms of Service and must be limited to purposes related to the Transaction. Unauthorized use of another user's personal data, including for unsolicited communications or purposes unrelated to the Transaction, is a violation of our Terms of Service. 

7.2 Independent Data Controllers

For the purposes of applicable data protection law, including the GDPR, UK GDPR, KVKK, and CCPA/CPRA, transaction counterparties who receive personal data through the Platform, including Buyers who acquire Digital Assets containing customer data, user accounts, subscriber lists, or other personal data, are independent data controllers with respect to any personal data they receive. This means that once a Transaction is completed and personal data has been transferred to the counterparty, the counterparty is solely responsible for determining the purposes and means of processing any personal data received, complying with all applicable data protection laws in connection with their processing of that data, providing their own privacy notices to data subjects as required by applicable law, and responding to data subject rights requests concerning data in their possession. 

Sidemarket is not responsible for the data protection practices of transaction counterparties following the completion of a Transaction. We encourage you to review any privacy-related obligations before acquiring a Digital Asset that includes personal data of third parties. 

We may also disclose your personal data where required by law, in response to valid legal process such as a subpoena or court order, or to comply with mandatory reporting obligations, including reporting to NCMEC and law enforcement. We may disclose your personal data to protect our rights or the rights of others, or to prevent imminent harm. In connection with a merger, acquisition, reorganization, or sale of all or substantially all of Sidemarket's assets, your personal data may be among the assets transferred to the acquiring entity. In such an event, Sidemarket will notify you by email or by posting a prominent notice on the Platform before your personal data becomes subject to a materially different privacy policy. Where permitted by applicable law, you will be afforded an opportunity to opt out of the transfer of your personal data to the successor entity. The successor entity will be bound by the commitments made in this Policy with respect to your personal data until such time as they provide you with an updated privacy policy. We also disclose data to Stripe for the purposes of sanctions screening, AML compliance, and regulatory obligations in connection with payment processing on the Platform. 

Where we engage sub-processors, we maintain contractual data processing agreements consistent with applicable data protection law. For information about our Data Processing Addendum, please contact us at privacy@sidemarket.io. 

8. International Data Transfers

Sidemarket operates from the United States, and your personal data may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. Where we transfer personal data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland, we rely on the following safeguards. We enter into European Commission-approved Standard Contractual Clauses with our service providers to ensure that appropriate safeguards are in place for cross-border transfers. Where applicable, we rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss U.S. Data Privacy Framework as a basis for transfers of personal data to the United States. 

For transfers of personal data from Türkiye, we implement the safeguards required under the KVKK, including obtaining appropriate commitments from data processors and, where necessary, seeking approval from the Turkish Personal Data Protection Board for cross border transfers. 

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. 

Account Data is retained for the duration of your active account, plus 2 years following account closure or deletion. Transaction Data is retained for 7 years from the date of the transaction, as required for tax and financial record-keeping obligations. Dispute Evidence is retained for 7 years from the date of dispute resolution, or until the conclusion of any related arbitration or legal proceeding, whichever is later. Verification Data is retained for the duration of the associated listing, plus 1 year following listing removal or expiration. Usage Data is retained for 2 years from the date of collection. Communication Data is retained for 1 year after the last message in a conversation thread, except where messages are relevant to an active or pending dispute, in which case they are retained until dispute resolution and for 7 years thereafter. KYC Data held by Sidemarket is retained in the form of verification results, name, and date of birth for the duration of your active Account, plus 5 years following Account closure, as required by applicable AML regulations. Biometric data including facial imagery and ID document images is processed and stored exclusively by Stripe Identity. Sidemarket does not receive, store, or have direct access to biometric data at any point. For details on Stripe's retention of biometric data, please refer to Stripe's Privacy Policy (https://stripe.com/privacy). Compliance & Enforcement Data is retained for 7 years from the date of the relevant event, or as required by applicable law. 

Upon expiration of the applicable retention period, personal data is securely deleted or anonymized. In certain cases, we may retain data for longer periods where required by law or where necessary for the establishment, exercise, or defense of legal claims. 

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to: all data is encrypted in transit using TLS/SSL protocols and at rest using industry-standard encryption algorithms. We deploy HTTP security headers to mitigate common web vulnerabilities. We use Cloudflare rate limiting to enforce rate limits across the Platform, protecting against brute-force attacks, credential stuffing, and other automated threats. Access to personal data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and audit logging in place. Cloudflare bot management is used to distinguish legitimate users from automated bots and to prevent abuse of the Platform. Our infrastructure is hosted on Cloudflare, which provides DDoS protection, web application firewall capabilities, and continuous security monitoring. While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security. 

10.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Sidemarket will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, providing a description of the nature of the breach, the likely consequences, the measures taken or proposed to address the breach, and the contact point for further information. For California residents, we will provide notification in accordance with the timelines and requirements of the California Consumer Privacy Act and California Civil Code Section 1798.82. For Turkish residents, we will notify the Turkish Personal Data Protection Board within 72 hours and affected individuals as soon as possible thereafter, as required by KVKK. 

Breach notifications will be sent to the email address associated with your Account or, where email notification is not feasible, through a prominent notice on the Platform. 

11. Your Rights

Depending on your jurisdiction, you may have specific rights with respect to your personal data. This section outlines the rights available under applicable data protection laws. 

Exercising Your Rights 

Where available, you may access, correct, export, or delete certain personal data directly through your account settings on the Platform. Account settings are the primary mechanism for managing your data, and we encourage you to use them for routine requests. For rights requests that cannot be fulfilled through account settings, including requests requiring manual review, complex data portability requests, or requests submitted on behalf of another person by an authorized agent, please contact us at privacy@sidemarket.io. We will respond to all legitimate requests within the timeframes required by applicable law. 

11a. GDPR Rights (EU/EEA)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation. You have the right of access: you may request confirmation as to whether your personal data is being processed and, if so, to obtain access to that data along with information about the processing. You have the right to rectification: you may request the correction of inaccurate personal data and the completion of incomplete personal data. You have the right to erasure: you may request the deletion of your personal data where there is no compelling reason for its continued processing, subject to applicable legal exceptions. You have the right to restrict processing: you may request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where the processing is unlawful. You have the right to data portability: you may receive your personal data in a structured, commonly used, and machine-readable format, and transmit that data to another controller without hindrance. You have the right to object: you may object to the processing of your personal data where such processing is based on our legitimate interests, including profiling based on those interests. You have the right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You have the right to lodge a complaint: you may lodge a complaint with your local supervisory authority if you believe that the processing of your personal data infringes the GDPR. 

Certain Platform enforcement actions, including Account suspension following repeated non-payment, may involve automated processing that produces legal effects. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such decision is necessary for the performance of a contract between you and Sidemarket, is authorized by applicable law, or is based on your explicit consent. Where automated decisions are made, you have the right to obtain human intervention, to express your point of view, and to contest the decision by contacting us at privacy@sidemarket.io. 

11b. CCPA/CPRA Rights (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act. 

We collect the following categories of Personal Information in the preceding 12 months. Identifiers such as name, email address, phone number, Google account ID, and IP address are collected directly from you, through Google OAuth, and automatically. 

Personal Information under Cal. Civ. Code Section 1798.80 such as name, bank account details (via Stripe), and government ID (via Stripe) are collected directly from you and from Stripe. Commercial Information such as transaction history, listing details, and purchase/sale records are collected directly from you and through Platform activity. Internet or Network Activity such as browsing history, pages visited, clickstream data, and session data are collected automatically via Cloudflare. Geolocation Data such as IP-derived approximate location is collected automatically. Sensitive Personal Information such as government-issued ID (for example, driver's license or passport), account credentials (login), and biometric information (facial geometry used for identity matching, which is collected, processed, and stored exclusively by Stripe Identity; Sidemarket does not receive or store biometric data) are collected directly from you and from Stripe Identity (biometric data processed exclusively by Stripe). 

We do not sell or share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than those permitted under CPRA Section 1798.121. 

You have the right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom it is shared. You have the right to delete: you may request the deletion of personal information we have collected from you, subject to certain exceptions provided by law. You have the right to correct: you may request the correction of inaccurate personal information we maintain about you. You have the right to opt out of sale or sharing: you may opt out of the sale or sharing of your personal information. However, Sidemarket does not sell or share personal data for cross-context behavioral advertising, and therefore this right does not require any action on your part. You have the right to limit use of sensitive personal information: you may limit the use and disclosure of your sensitive personal information. Sidemarket uses sensitive personal information only as necessary to provide the Platform's services and for the purposes described in this Policy. You have the right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices, or provide you with a different level or quality of services for exercising your rights. You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority and your identity before processing such requests. 

11c. KVKK Rights (Türkiye)

If you are located in Türkiye, you have the following rights under Article 11 of the Personal Data Protection Law (KVKK, Law No. 6698). You have the right to learn: you may request to learn whether your personal data is being processed. You have the right to request information: you may request information about the processing of your personal data, including the purposes and methods of processing. You have the right to learn the purpose: you may learn the purpose of processing and whether your personal data is used in accordance with that purpose. You have the right to know third parties: you may know the domestic and foreign third parties to whom your personal data has been transferred. You have the right to request correction or deletion: you may request the correction of incomplete or inaccurate personal data and request the deletion or destruction of your personal data under the conditions set forth in Article 7 of the KVKK. You have the right to object to automated processing: you may object to any result that arises exclusively from the automated processing of your personal data and that is to your detriment. You have the right to claim damages: you may claim compensation for damages arising from the unlawful processing of your personal data. You have the right to lodge a complaint: you may lodge a complaint with the Turkish Personal Data Protection Board (Kişisel Verileri Koruma Kurumu, "KVKK Board") if you believe that the processing of your personal data infringes the KVKK. The KVKK Board can be contacted at (https://kvkk.gov.tr). Under Article 14 of the KVKK, you must first apply to the data controller (Sidemarket) before lodging a complaint with the KVKK Board. If you do not receive a response within 30 days or are dissatisfied with the response, you may then apply to the KVKK Board within 30 days of the data controller's response (or within 60 days of your initial application if no response is received). 

Under KVKK Article 6, special categories of personal data, including biometric data such as facial imagery used for identity matching and data derived from government-issued identification documents, may only be processed with the explicit consent of the data subject, unless an exception under KVKK Article 6(3) applies. To the extent that the identity verification (KYC) process conducted through Stripe Identity involves the processing of biometric data or government-issued identification data that constitutes a special category under the KVKK, such processing is carried out on the basis of your explicit consent, which is obtained at the time you initiate the verification process. You may withdraw your explicit consent at any time by contacting us at privacy@sidemarket.io. Please note that withdrawal of consent for KYC-related special category data may result in the inability to complete identity verification and the loss of access to features that require verification, including the ability to list Digital Assets or complete Transactions, as described in Section 5.4 of this Policy. Biometric data including facial imagery and ID document images is collected, processed, and stored exclusively by Stripe Identity. Sidemarket does not receive, store, or have direct access to biometric data at any point. For details on Stripe's processing of biometric data, please refer to Stripe's Privacy Policy (https://stripe.com/privacy). 

11d. General US Privacy Rights

If you are a resident of a US state that provides additional privacy rights, such as Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy legislation, you may have rights similar to those described in Sections 11a and 11b, including the right to access, correct, delete, and port your personal data, and the right to opt out of certain processing activities. To exercise any such rights, please contact us at privacy@sidemarket.io. 

11e. UK GDPR Rights (United Kingdom)

If you are located in the United Kingdom, you have the following rights under the UK General Data Protection Regulation and the Data Protection Act 2018. You have the right of access: you may request confirmation as to whether your personal data is being processed and, if so, to obtain access to that data and related information about the processing. You have the right to rectification: you may request the correction of inaccurate personal data and the completion of incomplete personal data. You have the right to erasure: you may request the deletion of your personal data where there is no compelling reason for its continued processing, subject to applicable legal exceptions. You have the right to restriction of processing: you may request that we restrict the processing of your personal data in certain circumstances. You have the right to data portability: you may receive your personal data in a structured, commonly used, and machine-readable format, and transmit that data to another controller. You have the right to object: you may object to the processing of your personal data where such processing is based on our legitimate interests. You have the right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of prior processing. You have the right to lodge a complaint: you may lodge a complaint with the UK Information Commissioner's Office (ICO) at (https://ico.org.uk) if you believe that the processing of your personal data infringes the UK GDPR. You have the same rights regarding automated decision-making as described in Section 11a above, including the right to obtain human intervention, to express your point of view, and to contest automated decisions. 

12. Children's Privacy

The Platform is intended solely for users who are 18 years of age or older. We do not knowingly collect, solicit, or process personal data from individuals under the age of 18. If we become aware that we have collected personal data from a person under 18, we will take prompt steps to delete that data. 

If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@sidemarket.io so that we can take appropriate action. 

13. User-to-User Communications

The Platform provides a messaging feature that allows buyers and sellers to communicate directly with one another. Please be aware of the following: Messages sent through the Platform are processed and stored by Stream.io on our behalf. Message content, metadata, and timestamps are retained in accordance with the retention periods set forth in Section 9. Conversation data is retained for 1 year after the last message in a thread. Where messages are relevant to an active or pending dispute, retention is extended until the dispute is resolved

and for the applicable retention period thereafter. Upon expiration, messages are deleted in accordance with our data retention practices. We reserve the right to monitor, review, or moderate user-to-user communications for the purposes of fraud prevention, enforcement of our Terms of Service (including enforcement of messaging conduct rules and prohibited conduct), dispute resolution, and compliance with applicable law. Moderation may be conducted through automated means or manual review. You are solely responsible for the content of messages you send through the Platform. Do not share sensitive personal information such as full bank account numbers, passwords, or government identification numbers through the messaging system. 

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this Policy, we will provide you with at least 30 days' prior notice before the changes take effect, through one or more of the following means: a prominent notice on the Platform, or an email notification sent to the address associated with your account. 

For changes that do not alter the purposes or legal bases of processing, your continued use of the Platform after the effective date constitutes your acceptance of the updated Policy. Where we materially change the purposes for which we process your personal data, introduce new categories of processing, or change the legal basis on which we process your data, we will seek your active acknowledgment before implementing such changes. If you do not accept material changes to processing purposes, you may delete your Account in accordance with the Terms of Service. We encourage you to review this Policy periodically. 

The "Last Updated" date at the top of this Policy indicates when the most recent revisions were made. 

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, you may contact us using the following information: 

Sidemarket LLC 
131 Continental Dr Suite 305 
Newark, DE 19713 
United States of America 
Privacy Inquiries: privacy@sidemarket.io 

We will endeavor to respond to all legitimate inquiries within a reasonable timeframe and, where required by applicable law, within the statutorily prescribed period. 

Copyright 2026 Sidemarket LLC. All rights reserved.