Privacy Policy

Last updated 2026-04-08

Notice

This is a placeholder template prepared for product review. Final legal text must be reviewed by qualified counsel before public launch. It does not constitute legal advice.

This Privacy Policy explains what personal data RuleSell collects, why we collect it, who we share it with, and the rights you have over it. It covers all RuleSell websites, applications, and APIs.

Who this applies to

This policy applies to anyone who visits RuleSell or uses an account, regardless of where they live. The GDPR (Regulation 2016/679, Art. 3) applies to all processing of personal data of users in the European Union or European Economic Area. The CCPA and CPRA (Cal. Civ. Code § 1798.100 et seq.) apply to residents of California. We voluntarily extend these protections to all users.

Who is the data controller

RuleSell is the controller for the personal data we process for our own purposes. Our EU legal representative will be appointed before public launch under DSA Art. 13 and named here. The compliance contact is privacy@rulesell.example.

What we collect

We collect: account data (name, username, email, password hash); profile data (bio, avatar, preferred environments); content data (rulesets, reviews, comments); commerce data (purchase records, payout details handled by Stripe); technical data (IP address, device, browser, language, referer); and consent data (cookie choices, GPC signal, age and country self-declaration). We do not deliberately collect special categories of personal data.

Why we use it and on what legal basis

Account creation, marketplace operation, payments, fraud prevention, security, and legal compliance are processed on the basis of contract performance (GDPR Art. 6(1)(b)) or legal obligation (Art. 6(1)(c)). Optional analytics, advertising measurement, and personalisation are processed on the basis of your consent (Art. 6(1)(a)). Legitimate interest (Art. 6(1)(f)) is used for service improvement, debugging, and security telemetry.

How long we keep it

Account data is kept for the lifetime of your account. After deletion, anonymised review data may be retained. Tax and accounting records are kept for the period required by applicable law (typically 7-10 years). Security logs are kept for 90 days. Consent records are kept for 24 months.

Who we share it with

We share data only with vetted processors under signed Data Processing Agreements (GDPR Art. 28): hosting (Vercel), database (Neon Postgres), payments (Stripe Connect), email (Resend), error monitoring (Sentry). A current vendor list is maintained internally and available on request. We do not sell or share personal data for cross-context behavioural advertising; this is reflected in the "Do Not Sell or Share" footer link (CCPA § 1798.120, as amended by the CPRA).

International data transfers

Some processors are established in the United States. Transfers from the EEA to the US rely on the EU-US Data Privacy Framework where the processor is certified, or on the European Commission's Standard Contractual Clauses (SCCs) supplemented by a transfer impact assessment (post-Schrems II).

Your rights

You can exercise the following rights at any time from /dashboard/settings/privacy: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21). California residents have parallel rights to know, delete, correct, and limit the use of their personal information (CCPA § 1798.100). We respond within 30 days (GDPR Art. 12(3)) or 45 days (CCPA), free of charge.

Honoring the Global Privacy Control

RuleSell honors the Sec-GPC: 1 browser signal as a valid opt-out of sale and sharing of personal information under CCPA/CPRA. When detected, we set the gpc_honored cookie and apply the opt-out automatically.

Children

RuleSell is not directed to anyone under 18. We do not knowingly collect personal data from children under 18. The 18+ age gate at signup is an active block, and we will delete any account that turns out to belong to a minor (COPPA, 16 CFR Part 312, updated 22 April 2026 to cover biometric data).

Security and breach notification

We use industry-standard technical and organisational measures to protect personal data: TLS in transit, AES-256 at rest, role-based access control, audited dependency baseline, and two-factor authentication for staff. If we become aware of a personal data breach that poses a risk to rights and freedoms, we will notify the supervisory authority within 72 hours (GDPR Art. 33) and affected users without undue delay where required by Art. 34.

Automated decisions

We do not use solely automated decisions that produce legal or similarly significant effects on you. Quality scores and ranking signals influence display order, not access. A detailed Automated Decision-Making assessment (CPRA § 1798.121) will be published before we cross 1,000 monthly active users.

Changes to this policy

Material changes are announced at least 30 days in advance. The current version is always reachable from this URL with the "Last updated" date in the header.

How to contact us

Privacy questions: privacy@rulesell.example. EU representative: to be appointed before public launch (DSA Art. 13). Data Protection Officer: not appointed at launch — RuleSell does not meet the GDPR Art. 37 mandatory thresholds at this scale; an external DPO will be engaged before crossing 1,000 monthly active users.