1. Introduction
Layeh's Market ("we," "us," or "our") respects your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data when you use our website (layehmarket.com) and our Discord bot.
2. Data We Collect
We collect minimal data necessary to provide our services:
2.1 Data from Discord OAuth
When you log in with Discord, we receive and store the following through Discord's OAuth2 system (scopes: identify, guilds):
- Discord user ID — unique identifier for your account
- Username — your Discord display name
- Avatar — your Discord profile picture reference
We do not request access to your email address, friend list, or private messages.
2.2 Order and Payment Data
When you place an order, we store:
- Order details (product, quantity, price, date)
- Payment method selected (PayPal or cryptocurrency type)
- Payment reference ID (transaction ID from PayPal or NOWPayments)
We do not store credit card numbers, bank account details, or PayPal login credentials. All payment processing is handled by third-party providers (PayPal, NOWPayments).
2.3 Support Ticket Data
When you open a support ticket via Discord, the conversation history is recorded as a transcript upon ticket closure. Transcripts include message content, timestamps, and participant identifiers.
2.4 Bot Interaction Data
Our Discord bot stores your Discord user ID in connection with:
- Daily reward claims and reward inventory
- Spending history and customer rank progression
- Transaction records (seller-customer interactions)
- Translation preferences (if you use the auto-translation feature)
2.5 Data We Do NOT Collect
- Email addresses
- Phone numbers or physical addresses
- IP addresses (no server-side logging)
- Browsing behavior or analytics data
- Location data
3. How We Use Your Data
The table below lists each use, its legal basis under GDPR Art. 6, and how it applies globally:
| Purpose | Legal basis (GDPR) |
|---|---|
| Processing orders and fulfilling services | Contract performance (Art. 6(1)(b)) |
| Storing account data (Discord ID, username, avatar) | Contract performance (Art. 6(1)(b)) |
| Customer rank progression and leaderboard | Contract performance (Art. 6(1)(b)) |
| Daily reward claims and inventory | Contract performance (Art. 6(1)(b)) |
| Audit logs (order and payment events) | Legitimate interests (Art. 6(1)(f)) — fraud prevention and dispute resolution |
| Ticket transcripts | Legitimate interests (Art. 6(1)(f)) — service quality and dispute evidence |
| Testimonials (public username and avatar) | Legitimate interests (Art. 6(1)(f)) — you may object at any time via a support ticket |
4. Data Shared with Third Parties
We share the minimum data necessary with these service providers:
| Provider | Data Shared | Purpose |
|---|---|---|
| PayPal | Order amount, product name, order reference ID | Payment processing |
| NOWPayments | Order amount, cryptocurrency type, order ID | Cryptocurrency payment processing |
| Discord | OAuth authentication tokens | User authentication |
| Vercel | Website hosting (no PII shared directly) | Website hosting and delivery |
| Supabase | All stored data (database provider) | Database hosting |
We do not sell, rent, or share your data with any other parties for marketing or advertising purposes.
4a. California Residents — CCPA
We do not sell or share your personal information for monetary or other consideration, as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
California residents have the right to:
- Know what personal information we have collected about them
- Request deletion of their personal information
- Non-discrimination for exercising these rights
To exercise these rights, open a support ticket in our Discord server. We will respond within 45 days as required by CCPA.
5. Cookies
We use only essential session cookies required for login functionality. These cookies are:
- HttpOnly and Secure — cannot be accessed by client-side scripts and are sent only over encrypted (HTTPS) connections
- Session-based — deleted when you close your browser or your session expires
We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party tracking scripts. No cookie consent banner is required as our cookies are strictly necessary for the service to function (per GDPR Article 5(3) exemption).
6. Data Retention
- Account data (Discord ID, username, avatar) — retained until you request deletion
- Order records — retained for 5 years for tax, legal, and dispute resolution purposes
- Ticket transcripts — retained for 1 year after ticket closure, then deleted
- Daily reward data — retained while your account is active
7. Your Rights (GDPR & Global Privacy Rights)
Regardless of where you are located, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — request correction of inaccurate data
- Deletion — request deletion of your personal data (subject to legal retention requirements for order records)
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent — you may stop using our services at any time
- Object — object to processing of your data for specific purposes
To exercise any of these rights, open a support ticket in our Discord server. We will respond within 30 days.
EU / UK residents: You also have the right to lodge a complaint with your local data protection supervisory authority (e.g., AEPD in Spain, ICO in the UK, CNIL in France, BfDI in Germany). You can find your national authority at edpb.europa.eu.
Brazilian residents (LGPD): The rights listed above are equally granted under Brazil's Lei Geral de Proteção de Dados (LGPD). For complaints you may also contact Brazil's national data protection authority (ANPD) at gov.br/anpd.
8. Data Security
We protect your data through:
- Encrypted connections (HTTPS) for all web traffic
- Row-Level Security (RLS) policies on our database — users can only access their own data
- HMAC-SHA256 signatures on ticket transcripts for integrity verification
- Rate limiting on all API endpoints to prevent abuse
- No storage of payment credentials — all payment processing is handled by third-party providers
9. Children's Privacy
Our services are not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be announced in our Discord server. Continued use of our services after changes take effect constitutes acceptance.
11. Contact
For privacy-related questions or to exercise your data rights, contact us through our Discord server by opening a support ticket.
