  • Data Security - PCI DSS Level 1 compliant, encrypted data storage
  • GDPR Compliant - Full compliance with EU data protection regulations
  • Minimal Collection - We only collect data necessary for service
  • Your Rights - Access, rectify, erase, and port your data

Controller / Supplier

MRCODA GLOBAL LLC
254 Chapman Rd, Ste 208 #22928, Newark, Delaware 19702, USA
Security contact: security@mrcoda.com

1

Who We Are and What This Notice Covers

This Privacy Policy explains how we collect, use, disclose, retain and protect personal data when you use mrcoda.com to purchase and receive digital products, including:

  • Digital gift codes
  • Stored value vouchers
  • Game currency codes

Our core business activity is the online sale of digital gift codes via our website.

2

Personal Data We Collect

We collect only what is necessary to operate the service and meet legal obligations:

  • Account data: Name, email address, contact number
  • Transaction metadata: Order ID, timestamp, payment status (excluding full card numbers)
  • Service logs: IP address and device identifiers
Payment Data Security

Card payments are processed by a PCI DSS Level 1–compliant payment gateway using hosted fields/redirect. Card data is entered on the provider's secure page and does not traverse our servers.

We receive only payment tokens and masked PAN (last four digits) and never store full PAN or sensitive authentication data.

We also maintain a minimal store-credit ledger (consumer: non-cash, non-reloadable; B2B: invoice credits/prepayments) for accounting purposes; we do not maintain customer e-money balances and we do not support card-funded top-ups.

We do not intentionally collect special category data. If such data is received inadvertently, we protect and handle it under applicable law and our policies.

3

Sources of Personal Data

  • Directly from you - Account creation, checkout, support requests
  • Automatically via our systems - Security and access logs
  • From processors - Payment, fraud prevention, email delivery and hosting services (subject to contracts and data protection terms)
4

Purposes and Lawful Bases (GDPR)

We process personal data for:
  • Contractual necessity - Provide the service, deliver codes, customer support
  • Legitimate interests - Fraud prevention, service security, troubleshooting, analytics consistent with privacy expectations
  • Legal obligations - Tax/audit record keeping; responding to lawful requests
  • Consent - Where required (e.g., marketing emails; non-essential cookies)
  • Store credit administration - Administering optional store credit and B2B invoice credits/prepayments (legitimate interests and/or contractual necessity)
5

Cookies and Similar Technologies

We use essential cookies to operate the site and, where applicable, non-essential cookies (e.g., analytics) with opt-in controls for EU users.

Our cookie banner and notice are reviewed semi-annually.

6

Disclosures and Processors

We may share personal data with:

  • Payment processors - For authorization/refunds (operating as independent controllers or processors as applicable)
  • Service providers - Hosting, security, support, email delivery, logging/monitoring, and analytics (subject to DPAs and security obligations)
  • Authorities - Where legally required or to protect rights, safety and security
  • Corporate transactions - Merger, acquisition (with safeguards and notice as required)

Our architecture routes card data directly to the PCI L1 gateway; we receive tokens/last 4 only.

7

International Transfers

Our primary operating location is the United States. We may transfer data internationally using appropriate safeguards (e.g., standard contractual clauses) when required by law.

8

Security Measures

We maintain layered technical and organizational controls, including:

  • Encryption - Enforced TLS (1.2+) for web/API traffic, encryption of sensitive data at rest
  • Access Control - MFA for administrative/sensitive access, salted cryptographic password hashing
  • Monitoring - Centralized logging and monitoring, vulnerability management
  • Testing - Quarterly external ASV scans, annual penetration testing
  • Backup - Encrypted off-site backups with documented restore tests
  • Data Protection - We never log sensitive card authentication data

9

Data Retention

We retain data only as long as necessary for the purposes above and to meet legal obligations:

Data Type | Retention Period
Customer account (name/email/phone) | Active period + 24 months
Transaction records (no full PAN) | 7 years
Support tickets | 24 months
IP/device logs | 12 months

Upon expiry, data is securely deleted or anonymized per policy.

10

Your Rights

Depending on your location, you may have the following rights:

  • Access - Request a copy of your personal data
  • Rectification - Correct inaccurate personal data
  • Erasure - Request deletion of your data
  • Restriction - Limit processing of your data
  • Portability - Receive your data in a portable format
  • Object/Withdraw - Object to processing or withdraw consent

How to Exercise Your Rights

To exercise your rights, contact support@mrcoda.com. We verify identity before fulfilling requests and respond within statutory timeframes (typically ≤30 days in the EU; ≤45 days under CCPA).

We may request additional information to verify your identity and to secure your account.

11

Children

Our service is intended for users 18+ and is not directed to children. We do not knowingly collect data from children.

If you believe a child has provided us data, contact us and we will take appropriate action.

12

Complaints

If you have concerns about our handling of personal data, please contact us first.

You may also have the right to lodge a complaint with a supervisory authority in your country of residence.

14

Updates to This Policy

We may update this notice from time to time. Material changes will be posted here with a new effective date.

Privacy Questions?

Contact us for any questions about your privacy and data protection

Support Email
support@mrcoda.com
Security Incidents
security@mrcoda.com