GDPR Policy

GDPR Policy

Effective Date: April 11, 2026

This GDPR Policy describes how Infinite Market ("we," "us," or "our"), the operator of the multi-author digital product marketplace at https://infinitemarket.org (the "Platform"), collects, processes, stores, and protects personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

This policy applies to all individuals in the European Economic Area (EEA), United Kingdom, and any other jurisdiction where GDPR or equivalent data protection legislation applies. Even if you are not located in the EEA, we are committed to upholding these standards for all our users globally.

If you have any questions or concerns about how we handle your personal data, please contact our Data Protection Officer (DPO) using the details provided at the end of this document.

1. Data Controller Information

The data controller responsible for your personal data is:

• Company Name: Infinite Market
• Website: https://infinitemarket.org
• Email: contact@infinitemarket.org
• Phone: +91-452-4304851
• Mailing Address: Infinite Market, 67, VRD Towers, Simmakal, Madurai-1, Tamil Nadu, India

As the data controller, we determine the purposes and means of processing your personal data. Where we engage third-party processors to handle personal data on our behalf, we ensure they comply with GDPR through appropriate contractual safeguards.

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Identity and Contact Data

• Full name, username, and display name
• Email address
• Phone number (where provided)
• Profile photo and biography

2.2 Financial and Transaction Data

• Payment method details (processed by third-party payment processors; we do not store full card numbers)
• Billing address and payout/withdrawal information
• Transaction history, purchase records, and invoices
• Tax identification numbers and related tax information

2.3 Identity Verification Data (KYC)

• Government-issued identification documents
• Selfie or biometric data submitted for identity verification
• Verification status and related compliance records

2.4 Technical and Usage Data

• IP address, browser type, device type and identifiers
• Operating system and screen resolution
• Pages visited, links clicked, search queries, and time spent on the Platform
• Log files and error reports

2.5 Communications Data

• Messages exchanged between buyers and sellers on the Platform
• Support tickets and correspondence with our team
• Product reviews and public comments

2.6 Cookie and Tracking Data

• Cookie identifiers and session tokens
• Analytics data collected via cookies and similar technologies
• Preference and consent records

3. Legal Basis for Processing

Under the GDPR, we are required to have a lawful basis for each processing activity. We rely on the following legal bases:

• Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide our services, including account management, processing purchases and payments, delivering digital products, and managing seller payouts.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including KYC/AML requirements, tax reporting obligations, and court orders.
• Legitimate Interests (Art. 6(1)(f)): Processing for fraud prevention, security monitoring, improving our services, and communicating about Platform updates — provided our interests are not overridden by your rights and freedoms.
• Consent (Art. 6(1)(a)): Where you have given us explicit consent, such as for marketing emails, non-essential cookies, or optional data collection. You may withdraw your consent at any time without affecting the lawfulness of prior processing.
• Vital Interests (Art. 6(1)(d)): In exceptional circumstances where processing is necessary to protect the vital interests of you or another person.

For special categories of personal data (e.g., biometric data used in KYC), we rely on your explicit consent (Art. 9(2)(a)) or legal obligations as applicable.

4. Purposes of Data Processing

We process your personal data for the following purposes:

• Creating and managing user accounts and authenticating your identity
• Facilitating purchases, sales, and digital product delivery
• Processing payments and managing seller payouts and withdrawals
• Conducting KYC/AML identity verification as required by law
• Providing customer support and responding to enquiries
• Detecting, preventing, and investigating fraud, abuse, and security incidents
• Sending transactional communications (order confirmations, download links, payment receipts)
• Sending marketing communications where you have consented
• Personalising your experience on the Platform
• Complying with legal, regulatory, and tax obligations
• Enforcing our Terms of Use and other Platform policies
• Improving and developing our Platform through analytics and user feedback

5. Data Sharing and Third-Party Processors

We do not sell your personal data. We may share your personal data with the following categories of recipients:

• Payment Processors: Such as PayPal and Stripe, to process payments and payouts securely.
• Identity Verification Providers: For KYC compliance and fraud prevention.
• Cloud Hosting and Infrastructure Providers: To store data and operate the Platform securely.
• Email Service Providers: To send transactional and marketing communications.
• Analytics Providers: Such as Google Analytics, to understand Platform usage (data is anonymised where possible).
• Legal and Regulatory Authorities: Where required by applicable law, court order, or regulatory requirement.
• Professional Advisors: Including lawyers and accountants, under obligations of confidentiality.
• Business Successors: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity.

All third-party processors are bound by Data Processing Agreements (DPAs) that require them to process personal data only on our instructions and in compliance with GDPR.

6. International Data Transfers

Infinite Market is based in India. Your personal data may be transferred to and processed in countries outside the EEA, including India and other countries where our service providers operate. These countries may not have the same level of data protection as your home country.

Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions issued by the European Commission where applicable
• Binding Corporate Rules where applicable

You may request details of the safeguards we have in place for international transfers by contacting us at contact@infinitemarket.org.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

• Account Data: Retained for the duration of your account and up to 5 years after account deletion, for legal and dispute-resolution purposes.
• Transaction and Financial Records: Retained for a minimum of 7 years to comply with tax and financial reporting obligations.
• KYC / Identity Verification Data: Retained as required by applicable AML and KYC regulations (typically 5–7 years after the end of the business relationship).
• Support and Communications Data: Retained for 3 years after the closure of a support case.
• Marketing Consent Records: Retained for the duration of your consent and for 3 years thereafter as evidence of consent.
• Cookie and Analytics Data: Retained in accordance with our cookie settings, typically up to 13 months.

After the applicable retention period, personal data is securely deleted or anonymised so it can no longer be linked to an individual.

8. Your GDPR Rights

Under the GDPR, you have the following rights in respect of your personal data. These rights are not absolute and may be subject to certain exemptions or limitations under applicable law.

• Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you and information about how we process it.
• Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
• Right to Erasure / Right to be Forgotten (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, you have withdrawn consent, or processing is unlawful — subject to legal retention obligations.
• Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while a dispute is being resolved.
• Right to Data Portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object at any time to the processing of your personal data based on legitimate interests, including profiling. You also have an absolute right to object to processing for direct marketing purposes.
• Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, unless you have given explicit consent or it is necessary for a contract.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of your rights, please submit a request to us using the contact details in Section 12. We will respond within one month of receiving your request. In complex cases, we may extend this by a further two months, in which case we will notify you. We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Platform. Under GDPR, we require your consent for any cookies that are not strictly necessary for the Platform to function.

9.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the Platform to operate (e.g., session authentication, security). These do not require consent.
• Performance and Analytics Cookies: Used to collect information about how visitors use the Platform (e.g., Google Analytics). Require consent.
• Functional Cookies: Remember your preferences and personalise your experience. Require consent.
• Marketing and Targeting Cookies: Used to deliver relevant advertisements. Require consent.

9.2 Managing Cookies

You can manage and withdraw your cookie consent at any time through our cookie consent tool or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage. These measures include:

• SSL/TLS encryption for all data transmitted between your browser and our servers
• Encryption of sensitive data at rest
• Role-based access controls limiting access to personal data to authorised personnel only
• Regular security assessments, penetration testing, and vulnerability management
• Two-factor authentication for account access
• Data minimisation and pseudonymisation practices where feasible
• Incident response procedures and data breach notification processes

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you without undue delay.

11. Children's Data

The Platform is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child without verified parental consent, we will take immediate steps to delete that information. If you believe a child has provided us with personal data, please contact us at contact@infinitemarket.org.

12. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR or applicable data protection law, you have the right to lodge a complaint with your local supervisory authority. In the EU, you may contact the data protection authority in the EU member state where you reside, work, or where the alleged violation occurred.

A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority, and invite you to contact us first.

13. Changes to This GDPR Policy

We may update this GDPR Policy from time to time to reflect changes in our data practices, legal requirements, or regulatory guidance. When we make material changes, we will notify you by:

• Updating the "Effective Date" at the top of this page
• Sending a notification to your registered email address
• Displaying a prominent banner on the Platform

We encourage you to review this policy periodically. Your continued use of the Platform after any changes constitutes your acknowledgment of the updated policy.

14. Contact Us / Data Protection Officer

For any questions, concerns, or requests regarding this GDPR Policy or the processing of your personal data, please contact our Data Protection Officer (DPO):

• Email: contact@infinitemarket.org
• Phone: +91-452-4304851
• Website: https://infinitemarket.org
• Mailing Address: Infinite Market, 67, VRD Towers, Simmakal, Madurai-1, Tamil Nadu, India

We are committed to handling all data protection enquiries promptly, transparently, and in full compliance with applicable data protection law.