
Privacy Policy

Last updated: 11 May 2026

This Privacy Policy describes how XXSCAM ("we", "us") handles personal data you provide when using our website, purchasing products or contacting customer service. It is drafted to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the Personal Data Protection Acts of Singapore and Malaysia (PDPA).

1. Data Controller

The website operator is XXSCAM. Email: privacy@xxscam.com. If you reside in an EU member state, you may also contact our designated GDPR representative at the same address. We do not currently appoint a mandatory DPO; all GDPR matters route through privacy@xxscam.com.

2. Personal Data We Collect

We collect four categories of data:
• Account data: name, email, password hash, language preference;
• Order data: shipping address, phone, order contents, value, timestamp;
• Payment data: tokenized payment info handled by Stripe — we never see or store raw card numbers;
• Browsing data: IP address, browser type, pages visited, time on page (via cookies — disable any time).

3. Lawful Basis (GDPR Art. 6)

We rely on the following lawful bases:
• Contract performance: order fulfilment, shipping, support (Art. 6(1)(b));
• Your consent: marketing emails, non-essential cookies (Art. 6(1)(a) — withdrawable any time);
• Legitimate interest: fraud prevention, site analytics, product improvement (Art. 6(1)(f));
• Legal obligation: tax records, lawful enforcement requests (Art. 6(1)(c)).

4. How We Use Your Data

We use your personal data to:
• Process orders, ship internationally and provide after-sales support;
• Authenticate logins and manage your account;
• Prevent fraud and meet anti-money-laundering / sanctions screening obligations where applicable;
• Send promotional emails with your prior consent (unsubscribe any time);
• Improve site performance and content via anonymous analytics.

5. Third-Party Sharing

We never sell your personal data. We share the minimum necessary data with the following processors:
• Stripe Inc. (payment, US HQ, PCI-DSS Level 1);
• International couriers (DHL / FedEx / USPS / EMS — destination-dependent);
• Cloud hosting (Cloudflare, Zeabur — operational data only);
• Email delivery (Resend — transactional notifications);
• Lawful enforcement requests.
All processors are bound by contract to use your data solely for the assigned purpose.

6. International Data Transfers

Our servers are primarily located in Hong Kong. If you are in the EU, UK, Singapore or another jurisdiction, your data may be transferred to processors located outside your country. For EU/UK transfers we rely on the EU Standard Contractual Clauses (SCCs, 2021) or the UK International Data Transfer Agreement (IDTA) as the legal mechanism. PDPA data is processed under equivalent-protection principles.

7. Retention Period

• Account data: retained until you delete the account; if the account is idle for 24 months, we may delete it proactively;
• Order records: retained 7 years per most jurisdictions' tax law;
• Marketing consent log: retained 12 months after consent withdrawal for proof of compliance;
• Server logs: auto-deleted after 90 days;
• Cookies: 30 to 365 days depending on category — see Cookie Settings.

8. Your Rights (GDPR Art. 15-22)

You have the right to:
• Access — request a copy of personal data we hold about you;
• Rectification — request correction of inaccurate or incomplete data;
• Erasure — request deletion (right to be forgotten);
• Restriction — request that we suspend processing;
• Portability — receive your data in a structured machine-readable format;
• Object — to processing based on legitimate interest or for marketing;
• Withdraw consent — at any time without affecting lawful prior processing;
• Lodge a complaint — EU users may complain to their national supervisory authority.
Email privacy@xxscam.com to exercise any right. We respond within 30 days.

9. California Resident Rights (CCPA / CPRA)

If you reside in California you have the following additional rights:
• Right to know — what personal data we collect, use and disclose;
• Right to delete — request deletion of your personal data;
• Right to opt out of sale or sharing — we do not sell personal data and do not receive any "sale" proceeds;
• Right to non-discrimination — exercising any right will not result in fees or denial of service.
We respond to verifiable requests within 45 days (we may extend by 45 more days with notice). Email privacy@xxscam.com with subject "CCPA Request".

10. Singapore / Malaysia PDPA Terms

If you are under the jurisdiction of the Singapore PDPA 2012 or the Malaysia PDPA 2010:
• You may withdraw consent for our processing at any time;
• You have the right to access and correct your personal data;
• Withdraw marketing consent: email privacy@xxscam.com or click "unsubscribe" in any marketing email;
• If unsatisfied with our handling, Singapore users may complain to PDPC (pdpc.gov.sg); Malaysian users may complain to JPDP (pdp.gov.my).

11. Cookie Use

We use three cookie categories:
• Necessary — required for site operation (cart, login state). Cannot be disabled;
• Analytics — anonymous visitor stats. Disable via "Cookie Settings" link in the footer;
• Marketing — personalised promotions. Off by default.
A consent banner is shown on first visit; choices can be changed any time via the footer link. Consent records are retained 12 months for compliance proof.

12. Contact Us

For questions about this policy or to exercise any right above:
• Email: privacy@xxscam.com
• General inquiry: via the "Contact Us" page on this site.
We may update this policy from time to time. Material changes will be notified by email or site banner. The current version is always shown by the "Last updated" date above.
