⚠️ Informational template. This document is a preliminary version pending review by counsel in each applicable jurisdiction (US + EU/Spain). It does not constitute binding legal advice.
Data controller and service operator:
- Gold Silver Global LLC (LLC). Tax ID / VAT: 41-4225071. 8 The Green STE B, 19901 DE, Dover, denver, US.
- {{commercialRegistry}}
- Data Protection Officer (DPO): dpo@goldsilverglobal.net.
- General legal contact: legal@goldsilverglobal.net.
1. Legal framework
We process personal data under:
- Regulation (EU) 2016/679 (GDPR).
- Organic Law 3/2018 (LOPDGDD) — Spain.
- Directive 2002/58/EC (ePrivacy) — electronic communications and cookies.
- CCPA/CPRA — California Consumer Privacy Act / California Privacy Rights Act.
- VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah).
- Section 5 FTC Act and CAN-SPAM Act.
2. Categories of data we collect
- Identity — name, date of birth, nationality, ID document/SSN (KYC).
- Contact — email, phone, postal address.
- Professional — CIF/EIN, business name, tax address.
- Transactional — purchases, bids, offers, custody events.
- Technical — IP, user-agent, session IDs (see Cookie Policy).
- Sensitive categories (GDPR art. 9 / CPRA SPI) — only when KYC requires limited processing (e.g., ID document image), under explicit legal basis.
3. Legal bases (GDPR art. 6)
| Purpose | Basis |
|---|---|
| Contract performance (sale, custody) | Art. 6.1.b |
| Legal obligations (KYC, AML, tax) | Art. 6.1.c |
| Fraud prevention / service improvement | Art. 6.1.f (legitimate interest) |
| Marketing and analytics cookies | Art. 6.1.a (consent) |
4. Retention
| Category | Period |
|---|---|
| KYC / AML | 6 years after account closure (Law 10/2010, BSA) |
| Transactions / accounting | 10 years (Spain) / 7 years (US) |
| Marketing | Until consent withdrawal |
| Security logs | 12 months |
5. Disclosures to third parties
- Payment processors (e.g., Stripe Connect).
- Shippers selected per delivery.
- External verifiers when applicable.
- Tax, AML and judicial authorities when required by law (FinCEN, AEAT, OFAC, SEPBLAC).
We never sell or share personal data with third-party advertisers without consent.
6. International transfers
Data may be processed in the US and EU. We apply European Commission Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, the EU-US Data Privacy Framework.
7. Your rights
For users in the European Union / Spain
Under GDPR arts. 15-22 and LOPDGDD, you have rights of access, rectification, erasure, restriction, portability and objection, and the right not to be subject to fully automated decisions with significant effects (GDPR art. 22). You may complain to the Spanish Data Protection Agency (AEPD) at www.aepd.es.
For users in California (CCPA/CPRA)
You have:
- Right to know — what data we collect, sources, purposes, recipients.
- Right to delete.
- Right to correct.
- Right to opt-out of sale/sharing — GSG does not sell personal information within the CCPA meaning.
- Right to limit use of sensitive personal information.
- Right to non-discrimination.
For users in other US states with privacy laws
VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut) and UCPA (Utah) grant analogous rights of access, deletion, correction, portability and opt-out of sale or targeted advertising.
For users in the US generally
Although there is no comprehensive federal law equivalent to the GDPR, we honor reasonable requests under best practices and FTC Act § 5.
8. How to exercise your rights
From My account → My data or by emailing dpo@goldsilverglobal.net. We respond within 30 calendar days (EU) or 45 days (CCPA, extendable by 45 days with notice).
9. Security
TLS 1.3 in transit and AES-256-GCM at rest for API keys. Role-based access with full audit logs.
10. Automated decisions and AI
Under GDPR art. 22, no legal or similarly significant decision on KYC, blocks, disputes or escrow release is made solely by automated means. See AI usage policy. CCPA/CPRA users may opt out of automated decision-making where applicable.
11. Minors
The service is restricted to users 18+. We do not knowingly process data of minors. In the US, we comply with COPPA, removing any data from minors under 13 once detected.
12. Changes
We notify by email 30 days in advance. Last updated: 2026-06-01.