PRIVACY POLICY

Your privacy matters. Learn how we protect your personal data

Effective Date: May 22, 2025


Data Security

PCI DSS Level 1 compliant, encrypted storage

GDPR Compliant

Full compliance with EU protection regulations

Minimal Collection

We only collect data necessary for service

Your Rights

Access, rectify, erase, and securely port your data



Controller / Supplier

MRCODA GLOBAL LLC
254 Chapman Rd, Ste 208 #22928, Newark, Delaware 19702, USA

Security contact: [email protected]


Section 01

Who We Are and What This Notice Covers


This Privacy Policy explains how we collect, use, disclose, retain and protect personal data when you use mrcoda.com to purchase and receive digital products, including:

  • Digital gift codes
  • Stored value vouchers
  • Game currency codes

Our core business activity is the online sale of digital gift codes via our website.



Section 02

Personal Data We Collect


We collect only what is necessary to operate the service and meet legal obligations:

  • Account data: Name, email address, contact number
  • Transaction metadata: Order ID, timestamp, payment status (excluding full card numbers)
  • Service logs: IP address and device identifiers
  • Balance data: Account balance transactions, deposits, usage, and expiration records

Payment Data Security

Card payments are processed by a PCI DSS Level 1–compliant payment gateway using hosted fields/redirect. Card data is entered on the provider’s secure page and does not traverse our servers. We receive only payment tokens and masked PAN (last four digits) and never store full PAN or sensitive authentication data.

We maintain an account balance ledger for customer purchases on mrcoda.com. Account balances are not e-money, bank deposits, or regulated stored-value instruments. Balances cannot be withdrawn, transferred to third parties, or converted to cash. We process balance-related data (deposits, usage, expiration) as part of our service delivery and retain balance transaction records in accordance with our data retention schedule.

We do not intentionally collect special category data. If such data is received inadvertently, we protect and handle it under applicable law and our policies.



Section 03

Sources of Personal Data


  • Directly from you – Account creation, checkout, support requests
  • Automatically via our systems – Security and access logs
  • From processors – Payment, fraud prevention, email delivery and hosting services (subject to contracts and data protection terms)


Section 04

Purposes and Lawful Bases (GDPR)


We process personal data for:

  • Contractual necessity – Provide the service, deliver codes, customer support
  • Legitimate interests – Fraud prevention, service security, troubleshooting, analytics consistent with privacy expectations
  • Legal obligations – Tax/audit record keeping; responding to lawful requests
  • Consent – Where required (e.g., marketing emails; non-essential cookies)
  • Account balance administration — Processing deposits, usage, refunds to balance, and expiration in accordance with our Terms of Use (contractual necessity and/or legitimate interests)


Section 05

Cookies and Similar Technologies


We use essential cookies to operate the site and, where applicable, non-essential cookies (e.g., analytics) with opt-in controls for EU users.

Our cookie banner and notice are reviewed semi-annually.



Section 06

Disclosures and Processors


We may share personal data with:

  • Payment processors – For authorization/refunds (operating as independent controllers or processors as applicable)
  • Service providers – Hosting, security, support, email delivery, logging/monitoring, and analytics (subject to DPAs and security obligations)
  • Authorities – Where legally required or to protect rights, safety and security
  • Corporate transactions – Merger, acquisition (with safeguards and notice as required)

Our architecture routes card data directly to the PCI L1 gateway; we receive tokens/last 4 only.



Section 07

International Transfers


Our primary operating location is the United States. We may transfer data internationally using appropriate safeguards (e.g., standard contractual clauses) when required by law.



Section 08

Security Measures


We maintain layered technical and organizational controls, including:


Encryption

Enforced TLS (1.2+) for web/API traffic, encryption of sensitive data at rest

Access Control

MFA for administrative/sensitive access, salted cryptographic password hashing

Monitoring

Centralized logging and monitoring, vulnerability management


Testing

Quarterly external ASV scans, annual penetration testing

Backup

Encrypted off-site backups with documented restore tests

Data Protection

We never log sensitive card authentication data



Section 09

Data Retention


We retain data only as long as necessary for the purposes above and to meet legal obligations:


Data Type
Retention Period
Customer account (name/email/phone)
Active period + 24 months
Transaction records (no full PAN)
7 years
Support tickets
24 months
IP/device logs
12 months

Upon expiry, data is securely deleted or anonymized per policy.



Section 10

Your Rights


Depending on your location, you may have the following rights:


Access

Request a copy of your personal data

Rectification

Correct inaccurate personal data

Erasure

Request deletion of your data


Restriction

Limit processing of your data

Portability

Receive your data in a portable format

Object/Withdraw

Object to processing or withdraw consent


How to Exercise Your Rights

To exercise your rights, contact [email protected]. We verify identity before fulfilling requests and respond within statutory timeframes (typically ≤30 days in the EU; ≤45 days under CCPA). We may request additional information to verify your identity and to secure your account.



Section 11

Children’s Privacy


Age Restriction

Our services are intended solely for individuals who are at least 18 years of age or the age of legal majority in their jurisdiction, whichever is higher. Our website and services are not directed to children under 18.

No Knowing Collection

We do not knowingly collect, use, or disclose personal data from individuals under 18 years of age. We do not knowingly sell or share personal information of minors.

Parental Notification

If you are a parent or legal guardian and believe that your child has:

  • Created an account on mrcoda.com
  • Provided personal information to us
  • Made a purchase without your authorization

Please contact us immediately at [email protected]. Upon verification, we will:

  • Delete the child’s personal data from our systems
  • Terminate the associated account
  • Cancel any pending orders
  • Process refunds where appropriate and legally required

Parental Responsibility

Parents and guardians are responsible for supervising their children’s online activities. We are not liable for any unauthorized use of our services by minors or for any purchases made by minors without parental consent.



Section 12

Complaints


If you have concerns about our handling of personal data, please contact us first.

You may also have the right to lodge a complaint with a supervisory authority in your country of residence.



Section 13

Updates to This Policy


We may update this notice from time to time. Material changes will be posted here with a new effective date.



Contact Our Privacy Team


General Inquiries
[email protected]
24-48 hours response
Partnership
[email protected]
B2B opportunities
Security
[email protected]
24/7 monitored