Privacy Policy
Last Updated: December 28, 2025
1. Introduction
Welcome to HiMarket ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and share your data when you use our Magic: The Gathering trading platform.
By using HiMarket, you agree to the collection and use of information in accordance with this policy.
2. Data We Collect
2.1 Information You Provide
When you use HiMarket, you provide us with the following information:
- Account Creation: Email address, display name, and authentication credentials (when you sign up with Google or email)
- Profile Information: Optional WhatsApp number for cash-out notifications
- Card Listings: Card details (name, set, condition, finish, language), selling prices, and listing preferences
- Transactions: Purchase and sales transaction details, store credit balances
- Cash-Out Requests: Payment method details (FPS or PayMe information) for credit withdrawals
- Customer Support: Email communications and any information you provide when contacting us
2.2 Google User Data
Important: Google OAuth is Used ONLY for Login Authentication
We use Google OAuth solely as a convenient and secure login method. We do not seek to access your Google data. The only information we receive is the minimal basic profile data necessary for account creation and authentication.
When you sign in with Google, only the following basic profile information is accessed through Firebase Authentication:
Google OAuth Scopes Requested:
- openid: OpenID Connect authentication (standard login protocol)
- email: Your email address (for account identification only)
- profile: Your basic profile information (name only)
Specific Data Points Accessed (Minimal Basic Profile Data Only):
- Email Address: Your Google Account email address - used only to create and identify your HiMarket account
- Display Name: Your name from your Google profile - used only to personalize your HiMarket profile
- User ID: A unique identifier for authentication purposes (Firebase UID derived from your Google Account)
We do NOT access ANY of your Google data or services:
We do NOT access any other Google services, including but not limited to: Gmail, emails, messages, Google Drive files or documents, Google Calendar or events, contacts, address book, location data, maps, YouTube data or history, search history, or any other Google services beyond the basic profile information (email and name) required for login authentication.
2.3 Automatically Collected Data
When you use our platform, we automatically collect certain information:
- IP Addresses: Collected by Google Analytics but automatically anonymized to protect your privacy
- Browser Information: Browser type, version, and language preferences
- Device Information: Device type, operating system, and screen resolution (via Google Analytics)
- Usage Data: Pages visited, features used, time spent on pages, click patterns, and navigation paths
- Session Information: Login times, session duration (session cookies valid for 14 days)
- Performance Data: Page load times and technical errors to improve service quality
2.4 Transaction Data
We collect and store the following transaction-related information:
- Payment Processing: Transaction IDs, amounts in HKD and USD, payment timestamps. Note: Credit card details are securely processed and stored by Stripe (our payment processor) - we never store your full card numbers or CVV codes on our servers
- Purchase History: Records of cards purchased and sold, transaction dates, parties involved (buyer/seller IDs), and transaction amounts
- Store Credits: Your store credit balance, gift credit balance, credit purchase history, and cash-out requests
- Card Listings: Details of cards you've listed for sale, including prices, conditions, and availability status
- Drop-Off Records: Information about physical card deliveries, storage IDs, and fulfillment status
3. How We Use Your Data
3.1 Purpose of Data Collection
We use the collected data for the following purposes:
- Service Provision: To provide and maintain our Magic: The Gathering card trading platform
- Authentication: To authenticate users and manage user accounts securely
- Transaction Processing: To process card purchases and sales, manage store credits, and handle cash-out requests
- Platform Features: To facilitate card trading between users, manage card collections, and provide marketplace functionality
- Communication: To send you transaction confirmations, account notifications, cash-out updates, and important service announcements
- Platform Improvement: To analyze usage patterns, identify popular features, and improve user experience
- Security: To detect and prevent fraud, abuse, security incidents, and protect user accounts
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
- Customer Support: To respond to your inquiries and provide technical assistance
3.2 How We Use Google User Data
Purpose: Login Authentication Only
The sole purpose of using Google OAuth is to provide a convenient and secure login method for our users. We do not aim to obtain or use your Google data for any other purpose. The minimal basic profile data (email and name) we receive during the authentication process is used exclusively for account management on HiMarket:
- Email Address: Used only to create and uniquely identify your HiMarket account, enable secure authentication, and send essential transaction notifications (purchase confirmations, cash-out updates, important service communications)
- Display Name: Used only to personalize your HiMarket profile, display your identity on card listings and transactions within our marketplace platform
- User ID: Used only as a secure unique identifier to link your account data within our system (your card collection, transaction history, store credits)
Limited Use Compliance:
We use the basic profile data received from Google OAuth solely for user authentication and account management on HiMarket. This data is used exclusively for providing user-facing features visible in our application's user interface. We strictly comply with the Google API Services User Data Policy Limited Use requirements. Specifically:
- We use Google OAuth ONLY for login authentication - we do not seek access to any Google services or data
- We do NOT use Google user data for serving advertisements
- We do NOT sell or transfer Google user data to third parties for advertising or data brokering
- We do NOT use Google user data for credit-worthiness determinations or lending purposes
3.3 AI/ML Model Training
We do NOT use your data for AI or machine learning purposes.
We do not use your data, including any Google user data, for training artificial intelligence or machine learning models. Your personal information is used exclusively for the purposes explicitly stated in this Privacy Policy.
4. How We Store Your Data
4.1 Data Storage Location
Your data is securely stored using the following infrastructure:
- Cloud Provider: Google Firebase (Firestore and Realtime Database)
- Firebase Project ID: skff-61f5e
- Storage Region: asia-east2 (Hong Kong)
- Encryption at Rest: Yes - All data stored in Firebase is automatically encrypted at rest using AES-256 encryption
- Encryption in Transit: Yes - All data transmissions use HTTPS/TLS encryption to protect data during transfer
4.2 Data Security Measures
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS protocols
- Encryption at Rest: All data stored in our databases is encrypted using AES-256 encryption
- Access Controls: Strict authentication and authorization controls limit data access to authorized personnel only
- Session Management: Secure session cookies with 14-day expiry and httpOnly flags to prevent unauthorized access
- Payment Security: Credit card data is processed through Stripe (PCI DSS Level 1 certified) and never stored on our servers
- Firebase Security Rules: Database-level security rules enforce data access permissions
- Regular Monitoring: Continuous monitoring for suspicious activities and security incidents
- Secure Infrastructure: Google Cloud Platform infrastructure with enterprise-grade security
While we implement industry-standard security measures to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to protect your information.
4.3 Data Retention
We retain your data for the following periods:
- User Account Data: Retained indefinitely while your account is active. After account deletion is requested, data is retained for 30 days before permanent deletion
- Google User Data: Email and display name are retained for the same period as your account data (30 days after deletion request)
- Transaction Records: Retained indefinitely for accounting, tax compliance, and dispute resolution purposes, even after account deletion (as required by Hong Kong law)
- Session Cookies: Automatically expire after 14 days of inactivity
- Analytics Data: Aggregated and anonymized usage data may be retained indefinitely for platform improvement
Account Deletion Process: When you request account deletion, we initiate a 30-day retention period. During this time, your account is deactivated but data is retained to allow for recovery if the deletion was made in error. After 30 days, your personal data (email, display name, profile information) is permanently deleted. Transaction records are anonymized but retained for legal and compliance purposes.
5. Data Sharing and Disclosure
5.1 Third-Party Services
We share data with the following trusted third-party services that help us operate our platform:
- Stripe (Payment Processor): Processes credit card payments for store credit purchases. Stripe receives your payment card details, billing information, email address, and transaction amounts. Stripe is PCI DSS Level 1 certified. We do NOT store your full credit card numbers or CVV codes on our servers. Stripe Privacy Policy
- Google Analytics: Collects anonymized usage statistics, page views, and user behavior data to help us improve our platform. IP addresses are automatically anonymized, and ad personalization is disabled. Google Privacy Policy
- Google Firebase (Cloud Hosting & Database): Stores all user data, transactions, and platform information. Data is stored in the asia-east2 (Hong Kong) region. Firebase Privacy Policy
- Google Search Console: For website indexing and SEO purposes. No personal user data is shared - only sitemap and website structure information.
We only share data with third parties who are contractually obligated to protect your information and use it only for the specific purposes we specify. All third-party services comply with applicable data protection regulations.
5.2 Sharing Google User Data
We do NOT sell, rent, or share your Google user data with third parties except in the following limited circumstances:
- With your explicit consent: If you authorize us to share your information with a specific third party
- Service provision: With Firebase/Google Cloud for authentication and data storage (as necessary to operate our platform)
- Legal obligations: If required by law, court order, or government request
- Protection of rights: To protect our rights, property, safety, or that of our users in cases of fraud, security threats, or violations of our terms of service
We explicitly do NOT:
- Sell or transfer Google user data to advertising platforms or data brokers
- Share Google user data with any third parties for marketing purposes
- Use Google user data for credit checks or lending decisions
- Share Google user data with information resellers
5.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government requests).
5.4 Business Transfers
In the event of a merger, acquisition, or sale of all or part of VIRTUALHI's assets, your personal information may be transferred as part of the transaction. We will provide notice via email and/or a prominent notice on our website before your personal information is transferred and becomes subject to a different privacy policy. You will have the opportunity to delete your account before any such transfer.
6. Your Rights and Choices
6.1 Access and Update
You have the right to access and update your personal information at any time:
- Profile Settings: You can view and update your display name, email address, and WhatsApp number by visiting your profile page after logging in
- Transaction History: You can view your complete purchase and sales history, store credit transactions, and cash-out requests in your account dashboard
- Card Collection: You can manage your card collection, listings, and marketplace activities through your account
- Request Data Access: Contact us at hello@himarket.hk to request a complete copy of your personal data
6.2 Data Deletion
You have the right to request deletion of your personal data:
How to Request Account Deletion:
To delete your account and personal data, please email us at hello@himarket.hk with the subject line "Account Deletion Request" and include your registered email address.
What Happens During Deletion:
- Immediate Deactivation: Your account is immediately deactivated and you will no longer be able to log in
- 30-Day Retention Period: Your personal data (email, display name, profile information) is retained for 30 days in case you wish to recover your account
- Permanent Deletion: After 30 days, your personal identifying information is permanently deleted from our active databases
- Transaction Records: For legal and accounting compliance, anonymized transaction records (with personal identifiers removed) are retained as required by Hong Kong law
- Google User Data: Your email and display name from Google are deleted along with your account data after the 30-day retention period
Note: Account deletion is permanent after the 30-day retention period and cannot be undone. Please ensure you have withdrawn any remaining store credits before requesting deletion.
6.3 Revoking Google Access
You can revoke HiMarket's access to your Google account at any time by visiting your Google Account settings at https://myaccount.google.com/permissions.
6.4 Data Portability
You have the right to receive a copy of your personal data in a structured, commonly used format. To request an export of your data, please contact us at hello@himarket.hk. We will provide your data in JSON format within 30 days of your request.
6.5 Marketing Communications
We currently do not send marketing or promotional emails. We only send transactional emails related to your account activity, such as purchase confirmations, cash-out updates, and important service announcements. These transactional emails are necessary for the operation of our service and cannot be opted out of while your account is active.
7. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our platform:
Types of Cookies We Use:
1. Essential Cookies (Required)
- Authentication Cookies: Used to keep you logged in and manage your session securely. These cookies expire after 14 days of inactivity
- Security Cookies: Help us detect and prevent security threats and fraudulent activity
- These cookies are necessary for the platform to function and cannot be disabled
2. Analytics Cookies (Google Analytics)
- Usage Tracking: Help us understand how visitors use our platform, which features are popular, and where improvements are needed
- Privacy Settings: IP addresses are automatically anonymized, Google signals are disabled, and ad personalization is turned off
- Data Collected: Page views, session duration, browser type, device information, and navigation patterns
3. No Advertising Cookies
We do NOT use advertising cookies, retargeting cookies, or any cookies for personalized advertising purposes.
Managing Cookies:
You can manage cookies through your browser settings:
- Most browsers allow you to refuse cookies or delete existing cookies
- Warning: Disabling essential cookies will prevent you from logging in and using core platform features
- To opt out of Google Analytics, you can install the Google Analytics Opt-out Browser Add-on
8. Children's Privacy
Our service is intended for users aged 18 and above.
HiMarket is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are under 18 years of age, please do not use our service or provide any personal information.
If you are a parent or guardian and believe that your child under 18 has provided us with personal information, please contact us immediately at hello@himarket.hk. We will take steps to delete such information from our systems.
9. International Data Transfers
HiMarket is operated from Hong Kong by VIRTUALHI. Your information is primarily stored in Google Firebase servers located in the asia-east2 (Hong Kong) region.
However, some of our service providers operate globally and may process data in other countries:
- Stripe (Payment Processing): Based in the United States and may process payment data internationally in accordance with their global infrastructure
- Google Services: May process data across Google's global infrastructure while maintaining compliance with international data protection standards
When your information is transferred to other countries, we ensure appropriate safeguards are in place:
- All service providers comply with international data protection standards (SOC 2, ISO 27001)
- Data processing agreements are in place with all third-party processors
- Encryption is used for all data transfers
- Service providers adhere to the EU-US Data Privacy Framework and other international frameworks
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How We Notify You of Changes:
- Email Notification: We will send an email to your registered email address notifying you of significant changes
- Website Banner: We will display a prominent notice on our website when you log in
- Updated Date: The "Last Updated" date at the top of this policy will be revised
For material changes that affect how we use Google user data, we will obtain your consent before implementing the changes. You are advised to review this Privacy Policy periodically for any updates. Changes become effective when posted on this page, unless otherwise specified.
If you do not agree to the updated Privacy Policy, you may delete your account by contacting us at hello@himarket.hk.
11. Compliance with Google API Services
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Our Commitments:
- Minimum Necessary Access: We only request access to the minimum scopes necessary to provide our service (openid, email, profile)
- User Consent: We use Google user data only for purposes that users have explicitly consented to
- No Advertising Use: We do not use Google user data for serving advertisements, retargeting, or personalized advertising
- No Data Sales: We do not sell or transfer Google user data to third parties, advertising platforms, or data brokers
- No Credit Decisions: We do not use Google user data for credit-worthiness determinations or lending purposes
- No AI/ML Training: We do not use Google user data to train artificial intelligence or machine learning models
- Transparent Use: All uses of Google user data are clearly disclosed in this Privacy Policy and visible in our user interface
- Secure Handling: Google user data is stored securely with encryption at rest and in transit
We comply with all requirements under the Google APIs Terms of Service and applicable Google policies.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
VIRTUALHI
(Registered business in Hong Kong)
Business Registration Number: 57169182
Address: Room 2203, Easey Commercial Building, 253-261 Hennessy Road, Wanchai, Hong Kong
Email: hello@himarket.hk
WhatsApp: +852 52862470
We aim to respond to all privacy-related inquiries within 14 business days. For urgent matters, please indicate "URGENT" in your email subject line.
For privacy-related requests including data access, correction, deletion, or portability, please email us with your request and we will guide you through the process.