Privacy Policy

Last updated: June 1, 2026
Version: 1
Operator: Gydrus SAS, a sociedad por acciones simplificada organized under the laws of the República Oriental del Uruguay.
RUT: 219827060010

Gydrus SAS ("we", "us") is the data controller for the personal data you provide on the Platform. This Policy explains what we collect, why, who we share it with, and your rights.

Applicable regimes: Uruguay Ley N° 18.331; GDPR for EU residents; LGPD for Brazilian residents.

1. Data we collect

• Account data, email, username, hashed password, and — if you choose to sign in with a third-party single-sign-on option — an opaque identifier returned by that provider.
• Profile data, full name, phone, country, address (only if you fill it in).
• Verification data, government ID photo, proof-of-address document. Encrypted at rest; visible only to reviewing admins via short-lived signed URLs.
• Transactional data, orders, payments, wallet balance, loyalty coins, ratings, dispute history, messages.
• Technical data, IP address (for rate limiting + audit), device user-agent, language preference cookie.
• Cookies, see § 6.

2. Why we process it (lawful basis)

• Performance of contract, running your account, orders, escrow, payouts.
• Legal obligation, anti-money-laundering checks, tax reporting, responding to lawful requests.
• Legitimate interest, fraud prevention, audit logs, rate limiting, security.
• Consent, marketing emails (only with your opt-in).

3. Who we share it with

We rely on a small number of trusted service providers ("data processors") to operate the Platform. We share only the minimum data each one needs to do its job, under written contracts that forbid them from using your data for their own purposes:

• Payment service providers, who process the deposits, payouts and refunds you initiate. Your card or wallet details go directly to them; we receive a token and the outcome.
• Email delivery providers, who send transactional messages (account, order, security, dispute notifications) on our behalf.
• Fraud, abuse and bot-prevention services, used mainly at sign-up and on sensitive actions to keep automated accounts off the Platform.
• Identity providers, only if you choose to sign in via a third-party single-sign-on option. They tell us you authenticated and return a stable identifier; we do not see your password.
• Cloud hosting and infrastructure providers, who run the servers, databases and object storage behind the Platform.
• Professional advisors (auditors, accountants, lawyers) and, where relevant, prospective acquirers in the context of a corporate transaction — all under confidentiality.
• Law enforcement and regulatory authorities, when compelled by a valid legal request, or where strictly necessary to investigate fraud, abuse, or violations of these Terms.

On written request to [email protected] we will tell you the category of processor handling a particular piece of your data. We do not sell your personal data and we do not share it with advertisers.

4. International transfers

Some of our service providers operate from outside Uruguay. Where required by applicable law, those transfers are covered by Standard Contractual Clauses or equivalent safeguards.

5. How long we keep your data

• Account data, for the life of your account + a retention period required by law (typically up to 7 years for financial records).
• Verification documents, only while needed for review; deleted promptly after the decision.
• Audit logs, for a reasonable period to support security investigations and audit obligations.

6. Cookies

The Platform sets a small number of first-party cookies:

• gydrus_locale, your preferred language. Year-long, no PII.
• The session token is held in localStorage, not a cookie.

We do not use third-party advertising or analytics cookies today.

7. Your rights

You may, at any time, request:

• access to the personal data we hold about you,
• correction of inaccurate data,
• deletion of your data (subject to retention obligations),
• export of your data in a portable format,
• withdrawal of consent (for processing based on consent).

Email [email protected] to exercise any of these rights. We will respond within the timeframes required by the applicable regime (one month for GDPR; comparable for LGPD and Ley 18.331).

8. Children

The Platform is not intended for users under 18. If we discover we have collected data from a minor we will delete it.

9. Security

We apply industry-standard technical and organisational measures to protect your data, including salted password hashing, encryption in transit and at rest for sensitive material, role- based access controls on the admin tools, and audit logging. Payment card data is handled exclusively by PCI-DSS-compliant payment providers and is never stored on our servers.

No system is perfectly secure: if you become aware of a vulnerability or a possible breach affecting your account, please contact us at [email protected].

10. Contact and complaints

Privacy contact: [email protected].

Uruguayan users may also contact the Unidad Reguladora y de Control de Datos Personales (URCDP) for complaints. EU residents may contact their local supervisory authority.