1. Data controller
The controller of your personal data is LootWave Market, Inc., a Florida (USA) corporation with principal office at 6353 Adriana Ave Apt 2103, Orlando, FL 32819, USA and Federal EIN 17-2836293, as identified in our Legal Notice. For privacy matters, contact us at privacy@lootwavemarket.com.
2. What we collect
We process the following categories of personal data:
- Account data: email, bcrypt-hashed password and name when you register.
- Guest session: a cookie identifier so you can open boxes and keep an inventory without an account.
- Order data: name, shipping address, billing address, phone, tax ID (when provided), order details and shipping status.
- Payment data: handled directly by Stripe, Inc. We only receive a transaction reference, card brand, last 4 digits and operation status. We never store the full PAN, CVV or expiry date.
- Box openings: server seed, hash, client seed, nonce, roll, prize and date.
- Technical data: IP address, browser type, OS, pages visited, referrer and approximate country (GeoIP).
- Communications: the contents of any emails or support tickets you send us.
3. Purposes
- Contract performance: account creation and management, opening processing, order tracking, delivery and customer support.
- Legal obligations: invoicing, tax record retention as required by US and Florida law, response to lawful requests from authorities.
- Legitimate interests: platform security, fraud prevention, audit logging, service improvement based on aggregate metrics.
- Consent: non-essential cookies (analytics, marketing) and commercial email. You can withdraw consent at any time.
5. International transfers
Our servers and most providers are located in the United States of America. If you contact us from another country, your data will be transferred for processing in the USA. By using the Service you authorise this transfer. We apply appropriate contractual safeguards with every processor and limit access to staff with a legitimate need to know.
6. Retention
- User account: while the account is active, plus 1 year after inactivity or closure.
- Invoicing data: 7 years, per US tax retention rules.
- Box openings and verifiability proofs: 5 years for audit and complaint response.
- Technical and security logs: 6 months, unless longer required by an ongoing incident.
- Guest session: 30 days after last activity.
- Support communications: 3 years after the ticket is closed.
7. Your rights
Regardless of your country of residence, we provide:
- access to your data and a copy of it;
- correction of inaccurate or incomplete data;
- deletion, subject to legally required retention;
- objection to direct-marketing use;
- withdrawal of consent at any time;
- data portability in a structured format.
California residents have additional rights under the California Consumer Privacy Act (CCPA/CPRA): the right to know which categories of personal information are processed, to request deletion, and to opt out of the sale or sharing of personal information.
European Union / EEA residents have additional rights under the GDPR, including the right to lodge a complaint with their national supervisory authority.
To exercise these rights, write to privacy@lootwavemarket.com. We respond within 30 days (45 days in complex cases).
8. Security
We apply technical and organisational measures appropriate to the risk: TLS 1.2+ in transit; bcrypt-hashed passwords; session cookies HttpOnly + Secure + SameSite=Lax with __Host- prefix in production; least-privilege admin access; regular backups; audit logs. No system is 100% secure; we will notify any personal data breach affecting your rights.
9. Children and minors
The Service is for users aged 18 or older. We comply fully with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect data from children under 13. If we learn we have collected data from a minor, we delete it immediately. Legal guardians who notice such a case should contact privacy@lootwavemarket.com.
10. Changes to this policy
We may update this Privacy Policy. For material changes we notify you by email or a prominent service notice with at least 30 days' advance notice. The “last updated” date appears at the top of this document.