Skip to content Skip to footer
Escrow buyer protection Anonymous & discreet Support 7 days
0

Data protection declaration

We appreciate your interest in SecretUndies .com, a C2C platform operated by SecretUndies Ltd. for discreet trade in worn underwear. The protection of your personal data is a high priority for us. Below we provide you with comprehensive information about the nature, scope and purposes of the processing of personal data as well as your rights under the General Data Protection Regulation (GDPR), the provisions of the Republic of Cyprus and the mandatory consumer rights of your country of residence. Status: 17. February 2026

1. Entity responsible

SecretUndies Ltd
Pentadaktilou Street 35
7081 Larnaca, Republic of Cyprus
Telephone: +357 94 049233
Email: (see imprint)

Authorised representatives and commercial registration information shall be provided upon request. For data protection requests, please use the above-mentioned contact data with the subject “Data Protection”.

2. Scope of application

This privacy policy applies to all online offers of SecretUndies .com, including connected domains, subpages, mobile applications, communication and payment functions. It describes the processing of personal data of visitors: inside, registered users: inside (sellers: inside, buyers: inside), affiliates and other contractual partners: inside.

3. Legal bases

We process personal data on the basis of the GDPR, the Cypriot data protection law, the Digital Services Act (DSA), the Digital Markets Act (DMA), the E-Commerce Directive and the applicable national consumer protection laws. Depending on the processing operation, we rely in particular on the following legal bases:
  • Article 6(3) 1 lit. a GDPR (consent)
  • Article 6(3) 1 lit. b GDPR (performance of contracts or implementation of pre-contractual measures)
  • Article 6(3) 1 lit. c GDPR (legal obligation)
  • Article 6(3) 1 lit. f GDPR (legitimate interest, e.g. platform operation, IT security, fraud prevention)

4. Categories of processed data

Depending on the use of the platform, we process in particular the following categories of personal data:
  • Master data (name or pseudonym, contact details, proof of age)
  • Account details (Login, password hashes, account ID, rank status, coin balances)
  • Transaction data (item information, selling prices, order history, fee statements, refund/chargeback information)
  • Communication data (Chat content, support requests, DSA messages including metadata)
  • Payment and settlement data (in principle only pseudonymised references/tokens, payment status, booking and billing information)
  • Payment/verification data of sellers: inside (e.g. account holder, IBAN/BIC or other withdrawal data, address, date of birth, tax/identification data, verification status; also ID/Selfie checks depending on the withdrawal model) as required for withdrawals/KYC/AML
  • Technical data (IP address, time stamp, device information, cookies, log files)

5. Purposes of data processing

We process personal data for the following purposes:
  1. Provision and personalization of platform functions
  2. Implementation of registration, account management and ranking system
  3. Processing of C2C transactions including coin services and fees
  4. Moderation, misuse detection and enforcement of the Terms of Use
  5. Fulfilment of legal obligations (tax, commercial, DSA and consumer protection law)
  6. Ensuring IT security, error analysis and product improvement
  7. Communication with users: inside, support and dispute resolution
  8. Marketing communication to the permitted extent (e.g. newsletter, if allowed)

6. Hosting and operation

Our platform is hosted on servers of IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (Germany). With IONOS there is a contract for order processing in accordance with art. 28 GDPR. IONOS processes server log files (IP address, access time, user agent, referrer) to ensure operation and security.

7. Registration and Age Verification

The use of SecretUndies .com requires a minimum age of 18 years. If necessary, we process proofs of age and identity to fulfil legal obligations and protect minors. Legal bases are kind. 6 par. 1 lit. b and lit. c GDPR.

8. Coins System & Digital Additional Services

When purchasing coins, we process order information, payment references and usage data of the activated functions. Payment data is generally processed by the integrated payment service provider. We only receive transaction-related tokens/references, status messages and billing-related information, but not complete card data.

9. Payment processing (especially Stripe)

9.1 Payment service provider used

For payment processing (buyer payments) and – if provided – Payments to sellers: Inside we use Stripe as a payment service provider. Depending on the payment method, country and product, the processing can be carried out by companies of the Stripe Group.

9.2 Distribution of roles (GDPR)

Stripe regularly processes buyer payment data as part of payment processing As a processor (Art. 28 GDPR) on our behalf, so that payments can be technically carried out and allocated.

Important: Insofar as Stripe processes certain data for the fulfilment of its own legal obligations (e.g. financial, tax or money laundering/KYC obligations) or for independent fraud prevention/risk assessment, Stripe may Also as own responsible action. In these cases, the privacy policy of Stripe applies in addition.

9.3 Buyer data: Processing by Stripe

When making a payment, Stripe processes in particular:
  • Payment data (e.g. card data, bank/wallet data, expiration date, CVC, tokenised payment identifiers)
  • Billing data (e.g. name, billing address, e-mail/phone if applicable)
  • Transaction data (amount, currency, time, payment status, refunds/chargebacks, if applicable)
  • Technical data for security and fraud prevention (e.g. device/browser information, IP address, risk signals)
We do not store complete map data ourselves. We typically only store references/tokens, payment status, booking information, and information required for support, reconciliation, and billing.

9.4 Seller data: Transfer to Stripe for withdrawals

In order for payouts to be made to Sellers:innen, we transmit – depending on the payout model – necessary Seller data to Stripe or arrange for Sellers:innen to enter them directly in an onboarding/verification route provided by Stripe. These may include:
  • Identity and contact details (e.g. name, address, date of birth, e-mail, telephone)
  • Withdrawal data (e.g. account holder, IBAN/BIC or local banking data)
  • Tax/verification data and evidence (e.g. tax ID, identification documents, selfie/verification status, if applicable) where regulatoryly required
  • Account status/payout information (e.g. Stripe account ID, verification status, withdrawal status)
The purpose is to carry out withdrawals as well as comply with regulatory requirements (in particular KYC/AML), abuse prevention and fraud protection.

9.5 Legal bases

The processing and transfer takes place depending on the case on the basis of:
  • Article 6(3) 1 lit. b GDPR (payment processing, performance of the user contract, execution of payments)
  • Article 6(3) 1 lit. c GDPR (legal obligations, e.g. money laundering/tax/commercial law, as applicable)
  • Article 6(3) 1 lit. f GDPR (legitimate interest in secure payment processing, fraud prevention, abuse prevention)

9.6 Order processing

If Stripe processes personal data on behalf, there is a corresponding agreement for order processing (Art. 28 GDPR) or the contractual conditions provided for this purpose are integrated.

10. Community, Chat & Moderation

Messages, reviews and community contributions are stored to carry out the communication service. Automated moderation is carried out using banner lists and algorithmic filters to identify unlawful content. Manual inspections shall take place on an occasional basis. The basis is Art. 6 para. 1 lit. b and lit. f GDPR as well as art. 14 and 17 DSA.

11. DSA-compliant procedures

  • Notice & Action System: Reports of unlawful content are documented, examined and linked to measures.
  • Statement of Reasons: Affected users: insiders receive a reasoned message about moderation decisions.
  • Internal complaint procedure: Within six months, a complaint can be filed against moderation decisions.
  • Trusted Flaggers: Messages from trusted whistleblowers: insides are processed prioritized.

12. Cookies & Tracking Technologies

We use technically necessary cookies for login, shopping cart, rank and coin management. We only use optional cookies (e.g. for statistics or marketing) with your consent. Settings can be adjusted via the consent management tool. Details on technologies used, storage periods and revocation options Please refer to the detailed cookie overview on the platform.

13. Communication and Newsletter

Contact requests, support cases or complaints are stored for processing. For newsletters or marketing e-mails, we only use your data with consent or on the basis of existing customer relationships in accordance with § 7 Abs. 3 UWG. A revocation is possible at any time, for example via the deregistration link.

14. Disclosure of data

We only pass on personal data if this is necessary for the performance of the contract, required by law or covered by consent. Categories of recipients:inside:
  • Hosting and IT service providers (e.g. IONOS)
  • Payment service providers (in particular Stripe) and participating banks/financial institutions
  • Logistics and shipping service providers (in the context of sales, if sellers use them)
  • Legal advisors:inside, tax advisors:inside, authorities
  • Trusted Flaggers and Dispute Resolution Bodies under DSA

15. Transmission of data to third countries

A transfer to third countries outside the EU or of the EEA only takes place if this is necessary for the provision of services or if you have consented. For service providers such as Stripe, processing/transmission to third countries (e.g. USA) cannot be excluded.

In such cases, we ensure appropriate guarantees under Chapter V GDPR, in particular:
  • EU Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures
  • If applicable, Participation in recognised transfer mechanisms (e.g. EU-U.S. Data Privacy Framework), where applicable

16. Storage time

Personal data will be stored for as long as this is necessary to fulfill the respective purposes or there are statutory retention periods. Transactional and tax-related data is regularly kept for up to 10 years. Accounts that have been permanently blocked or closed will be anonymised as soon as there are no legal obligations.

17. Security

We use technical and organizational measures to protect your data against loss, alteration and unauthorized access. This includes encryption, access restrictions, security and update concepts and regular training.

18. Data subject rights

You have at any time the following rights according to art. 15–22 GDPR:
  • Information about the personal data we process
  • Correction of inaccurate or complete incomplete data
  • Deletion (“right to be forgotten”)
  • Restriction of processing
  • Data portability
  • Objection against processing referred to in Art. 6 para. 1 lit. e or lit. f DSGVO are based
  • Withdrawal of granted consent with effect for the future
Please make appropriate requests to us (contact details see imprint) or use the form in the user account. We will answer requests within one month.

19 Right of appeal

You have the right to complain to a data protection supervisory authority. In particular, the Cypriot Data Protection Authority (Office of the Commissioner for Personal Data Protection) is responsible. In addition, the supervisory authorities of your country of residence are available to you.

20. Minors

The platform is aimed exclusively at adults. If we are aware of unauthorized use by minors, we will block the account and delete personal data, unless there is a legal reason for retention.

21. Automated decisions

We do not use exclusively automated decisions in the sense of art. 22 GDPR, which would have legal effect or significantly affect you. Rank status decisions may contain algorithmic assessments but are manually reviewed on a case-by-case and/or random basis.

22. Amendment of the data protection declaration

We reserve the right to adapt this privacy policy in order to adapt it to changed legal situations, technical developments or new services. We inform registered users about significant changes: within at least 14 days before entry into force by notification on the platform or by e-mail.

23. Contact for Data Protection & DSA Requests

Data protection: (see imprint)
DSA contact point: (for authorities, users and trusted flagrs); See imprint/house rules
Complaints: (see imprint)
Security & Abuse: (see imprint)

24. Version history

08.11.2025 – Complete revision, integration of DSA processes, coin system, rank mechanics and updated contact channels.
17.02.2026 – Addition/Clarification Payment processing & withdrawals via Stripe (buyer payments, seller payments, roles/transfers).
Go to Top