XureTrade

Legal

Privacy Policy

Last updated: 25 May 2026  ·  Effective: 25 May 2026

1. Who We Are

XureTrade is operated by BYTECRAFT SOFTWARE DEVELOPMENT SERVICES ("ByteCraft", "we", "us", "our"). ByteCraft operates the XureTrade platform at xuretrade.gg — a peer-to-peer marketplace for in-game items and gaming services in Southeast Asia. ByteCraft is the data controller for the personal data described in this policy.

Contact: privacy@xuretrade.gg

2. What Data We Collect

Data When collected Required?
Email address Account signup Yes
Date of birth Account signup Yes — age verification (18+)
Country Account signup Yes — currency & eligibility
Full name (optional) Profile setup No
Government-issued ID photo Trade identity verification Yes — per trade
Selfie holding ID Trade identity verification Yes — per trade
Facebook profile URL Trade identity verification Yes — per trade
Trade messages In-trade secure chat Yes — trade record
Transaction records Payments, escrow, payouts Yes — financial record

3. Why We Collect It

  • Account operation — to create and manage your account, verify your email, and provide platform features.
  • Age verification — to confirm you are 18 or older before you can trade, as required by law in our markets.
  • Identity verification per trade — to protect both parties from fraud. Your government ID and selfie are collected once per trade and are never shared with your trading partner. They are only accessible to XureTrade moderators if a dispute is raised on that specific trade.
  • Dispute resolution — to allow moderators to verify identities and evidence when a trade dispute is raised.
  • Payment and escrow processing — to hold funds securely during a trade and release or refund them based on the trade outcome.
  • Platform safety — to detect fraud, enforce bans, and protect the community.

4. Who Can See Your Data

Government ID photo & selfie

Never shown to your trading partner at any stage. Only accessible to XureTrade moderators during an active dispute on that specific trade. Not shared with any third party.

Facebook profile URL

Shown to your trading partner during the mutual consent stage — after both parties have submitted their identity. This is intentional: it allows both parties to verify each other before committing to the trade.

Trade messages

Visible only to you, your trading partner, and XureTrade moderators during a dispute. Not shared with third parties.

Payment providers

Paymongo (Philippines) and Xendit (Malaysia, Thailand, Singapore) process payments on our behalf. They receive the data necessary to process your transaction under their own privacy policies and regulatory licenses.

5. How Long We Keep Your Data

Data Retention period
Account data (email, country, DOB) Until you delete your account, plus 30 days
Government ID photo & selfie Kept only as long as needed for verification, fraud prevention, dispute handling, payment-provider review, legal, tax, accounting, and compliance purposes. Disputed or legally relevant records may be retained longer where required or permitted by law.
Facebook profile URL Kept with the related verification or trade record while needed for the purposes above.
Trade messages Indefinitely — trade history is retained for dispute and safety purposes
Transaction records As required by applicable financial regulations in your country (up to 6 years).

6. Your Rights

Depending on your country, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate data.
  • Deletion — request deletion of your data, subject to legal retention obligations.
  • Withdrawal of consent — withdraw consent for identity verification. Note: this means you will not be able to complete trades that require verification.
  • Complaint — lodge a complaint with your national data protection authority (PH: NPC · SG: PDPC · MY: PDPD · TH: PDPC · HK: PCPD).

To exercise any right, email us at privacy@xuretrade.gg. We will respond within 30 days.

7. How We Protect Your Data

  • Government ID photos and selfies are stored with AES-256 server-side encryption on private cloud storage. No public URL exists for these files.
  • Files are accessible only via time-limited pre-signed URLs (15 minutes) issued only to authorised moderators during active disputes.
  • All data is transmitted over HTTPS/TLS.
  • Access to production systems is restricted to authorised personnel only.

8. Applicable Laws

We comply with the following data protection laws in our supported markets:

Country Law
PhilippinesData Privacy Act 2012 (RA 10173)
SingaporePersonal Data Protection Act 2012 (amended 2020)
MalaysiaPersonal Data Protection Act 2010
ThailandPersonal Data Protection Act 2019
Hong KongPersonal Data (Privacy) Ordinance (Cap. 486)

9. Changes to This Policy

We may update this policy as the platform evolves or as laws change. Material changes will be notified via email or an in-app notice at least 7 days before taking effect. The "Last updated" date at the top of this page always reflects the current version.