Legal
Privacy & GDPR
Last updated:
Reliq (“we”, “our”, “the platform”) is committed to protecting your personal data. This notice explains what we collect, why, and what rights you have under the General Data Protection Regulation (GDPR, EU 2016/679) and applicable national data protection laws.
1. Data Controller
The data controller for personal data processed through Reliq is Reliq AS (organisation number pending), Norway. You can reach us at privacy@reliq.cloud.
2. Personal Data We Collect
2.1 Account data
- Email address and full name (from sign-up or GitHub OAuth)
- Username and profile information (bio, website, social handles)
- Avatar image
- Authentication credentials (stored securely via Supabase Auth)
2.2 Listing and transaction data
- Details of digital assets you list for sale
- Transaction records, offer history, and escrow data
- Due diligence reports you request or are associated with
- Seller representations & warranties attestations
2.3 Identity verification (KYC)
- For transactions above $500, identity documents are processed by our KYC partner Persona (Persona Identities, Inc.). We receive a verified status and reference only — we do not store copies of your identity documents.
2.4 Usage and technical data
- IP address, browser type, and device information (server logs)
- Pages visited, clicks, and feature usage (analytics, with your consent)
- Cookies and similar technologies (see Section 6)
2.5 Payment data
Payment details are processed by Stripe. We store only your Stripe Customer ID — no card numbers or bank details are held on Reliq servers.
3. Legal Bases for Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Operating your account and the marketplace | Art. 6(1)(b) — Performance of contract |
| Processing payments and escrow | Art. 6(1)(b) — Performance of contract |
| KYC / identity verification | Art. 6(1)(c) — Legal obligation |
| Fraud prevention and platform security | Art. 6(1)(f) — Legitimate interests |
| Analytics and usage tracking | Art. 6(1)(a) — Consent |
| Marketing communications | Art. 6(1)(a) — Consent |
| Legal and financial record retention | Art. 6(1)(c) — Legal obligation |
| Dispute resolution | Art. 6(1)(f) — Legitimate interests |
4. Data Retention
| Data type | Retention period |
|---|---|
| Account / profile data | Until account deletion, then anonymised immediately |
| Transaction records | 7 years (tax / financial compliance) |
| Due diligence reports | 90 days from generation (basic); 2 years (enhanced/comprehensive) |
| Message content | Until account deletion, then redacted to "[deleted]" |
| Server logs (IP, browser) | 90 days |
| Analytics events | 24 months from collection |
| KYC reference (Persona) | Until account deletion; underlying documents held by Persona per their policy |
5. Your Rights
Under GDPR, you have the following rights. To exercise any of them, email privacy@reliq.cloud or use the self-service options in your account settings. We will respond within 30 days.
Right of access (Art. 15)
You can request a copy of all personal data we hold about you, including how it is used and with whom it is shared.
Right to rectification (Art. 16)
You can correct inaccurate or incomplete personal data at any time from your profile settings.
Right to erasure (Art. 17)
You can request deletion of your account and associated personal data. We will anonymise your profile, soft-delete your listings, and redact your messages. Transaction records are retained for 7 years to meet legal obligations. Note: code repositories you transferred as part of a sale may contain personal data from your users — it is your responsibility as the original data controller to inform the buyer of their obligations.
Right to restriction (Art. 18)
You can request that we restrict processing of your data while a dispute or correction request is pending.
Right to data portability (Art. 20)
You can request an export of your personal data in a machine-readable format (JSON). Email us to request this.
Right to object (Art. 21)
You can object to processing based on legitimate interests (e.g. fraud prevention analytics). We will assess your objection and stop processing unless we have compelling grounds.
Right to withdraw consent
Where processing is based on your consent (analytics, marketing), you can withdraw it at any time using the cookie preferences banner or by emailing us. Withdrawal does not affect the lawfulness of prior processing.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. In Norway: Datatilsynet (www.datatilsynet.no). In your EU member state: your national DPA.
6. Cookies & Tracking
We use cookies and similar browser storage to operate the platform and (with your consent) to improve it. You can manage your preferences at any time using the cookie banner or by clearing your browser storage.
| Category | Purpose | Consent required |
|---|---|---|
| Necessary | Session management, CSRF protection, auth tokens | No |
| Functional | Saved search preferences, personalisation | Yes |
| Analytics | Aggregate usage statistics (no cross-site tracking) | Yes |
| Marketing | Relevant product updates and re-engagement | Yes |
7. Digital Asset Transfers & GDPR
When a seller transfers a digital asset that contains personal data (e.g. a SaaS user database, email list), this constitutes a data transfer under GDPR. As a seller, you are responsible for:
- Having had a lawful basis to collect the data originally
- Disclosing in your listing whether user data is included in the transfer
- Documenting the transfer in the transaction record
- Notifying affected users where required under Art. 14 (change of data controller)
By signing the Representations & Warranties, you confirm that any included user data will be transferred in compliance with applicable privacy law and that the buyer will be informed of their obligations as the new data controller.
Reliq facilitates the transfer but does not assume data controller obligations for third-party user data contained within the transferred asset. Reliq acts as a data processor only for the purposes of hosting listing metadata.
8. Third-Party Data Processors
| Processor | Purpose | Data location |
|---|---|---|
| Supabase | Database and authentication | EU (AWS eu-west-1) |
| Vercel | Application hosting and CDN | EU + US (edge network) |
| Stripe | Payment processing | US (EU SCCs in place) |
| Escrow.com | Transaction escrow | US (EU SCCs in place) |
| Persona | KYC / identity verification | US (EU SCCs in place) |
| Cloudflare | DNS and DDoS protection | Global edge |
| Sentry | Error monitoring | US (EU SCCs in place) |
Data Processing Agreements (DPAs) are in place with all processors. Standard Contractual Clauses (SCCs) cover transfers to processors outside the EEA.
9. Changes to This Notice
We may update this notice to reflect changes in our practices or applicable law. Material changes will be communicated via email or an in-platform notification at least 30 days before taking effect. The “Last updated” date at the top of this page always reflects the current version.
10. Contact
For any privacy-related enquiries, to exercise your rights, or to report a concern:
Reliq — Privacy & Data Protection
Email: privacy@reliq.cloud
Supervisory authority: Datatilsynet — datatilsynet.no