PREAMBLE

This privacy policy applies to all users of afarhub.com and the Afar Discord application.

Afar is wholly owned and operated by UnifiedCentury Limited (unifiedcentury.com).

UnifiedCentury Limited possesses the right to modify this privacy policy at any time. Material changes, such as the adjustment of policies and procedures, will be posted 30 days in advance of its effectiveness. We will attempt to notify users via a notice on our website and, where feasible, using the communication method(s) they have provided at least 14 days in advance of its effectiveness. Non-material changes, such as updating links, correcting typos, reformatting, or updating our data processor list may be made at any time without notification. It is recommended that you regularly check this privacy policy for any modifications, as sometimes filters, spam prevention, or other technological glitches may prevent you from receiving a notice.

DEFINITIONS

DATA CONTROLLER

UnifiedCentury Limited is the data controller for platform account management, order processing, product distribution, whitelist verification, security monitoring, and the operation of the Website and the Bot.

Merchants act as independent data controllers for data they collect or decide to process about their customers (for example, sales analytics, order fulfilment where they directly contact purchasers). UnifiedCentury acts as a processor for merchant instructions where we process purchaser data on a merchant’s behalf (e.g., transmitting purchase notifications to a Merchant). Where third parties (e.g., PayPal, Stripe) determine the purposes and means of processing, they act as independent controllers for payment data.

UnifiedCentury Limited is a company registered in England & Wales with company number 14173670.

Our company address is as follows:

124 City Road,

London, England, EC1V 2NX

UNITED KINGDOM

For privacy-related inquiries, or to contact our appointed Data Protection Officer, please email [email protected].

PERSONAL DATA WE COLLECT

DATA WE COLLECT AUTOMATICALLY

When you use our service, we may automatically collect, store, and/or process the following information:

1. IP addresses
2. Hardware and/or software details (such as your device type and browser)
3. Clicked links and/or content viewed
4. User IDs (as provided by Discord or ROBLOX when you interact with the Bot or the Game)
5. Place IDs and experience information (as collected by the embedded whitelist code within product files you may download)

DATA COLLECTED IN A NON-AUTOMATIC WAY

Of All Users:

1. Usernames
2. Email Addresses
3. Password Hashes
4. Purchase History
5. Product IDs
6. Payment Statuses
7. Communication History
8. Support Tickets
9. Discord Bot Commands, Messages, and or Interactions (to derive information and actions while using the Bot)

Of Merchants:

1. Merchant Profile Information
2. Hub Information
3. Product Information
4. Uploaded Products
5. API Keys
6. Client Communications
7. Client Support

EXAMPLES OF HOW DATA MAY BE COLLECTED

1. Interacting with the Website
2. Interacting with the Bot
3. Interacting with the Game
4. Creating Links or Accounts
5. Migrating Data from Third-Party Service(s)
6. Making a Purchase with a Payment Processor
7. Using Off-Platform Integrations
8. Contacting Us
9. Or by Otherwise Using The Service

LAWFUL BASES FOR PROCESSING

Our lawful bases for processing your data can be seen in the table below.

The contract we are fulfilling is the one set out in our Terms of Service located at afarhub.com/legal/terms-of-service.

You may withdraw your consent by contacting [email protected].

We balance the legitimate interests for the company against user rights, where relevant.

HOW WE USE YOUR PERSONAL DATA

We use your personal data for the following purposes:

1. Operating the Marketplace
2. Processing Payments
3. Delivering Digital Products
4. Managing Whitelists
5. Enforcing Terms and Preventing Abuse
6. Communicating with Users
7. Maintaining Security and Uptime
8. Legal and Regulatory Compliance

COOKIES AND TRACKING TECHNOLOGIES

At this time, the Website only uses essential cookies needed to allow the Service to work and ensure the security of the Service. We do not use any cookies to intentionally track or target you across the Internet.

Some essential cookies may be set by our data processors to aid with the services they provide to us.

DATA SHARING AND DISCLOSURE

We may share your personal data where necessary for the operation of the Service or to meet legal obligations.

We do not share or otherwise “sell“ your data with the intent to generate a profit.

DATA PROCESSORS

Where required, we have put a Data Processing Agreement in place with our following Data Processors.

INDEPENDENT DATA CONTROLLERS

We use the following Independent Data Controllers in certain parts of the Service. Please refer to their privacy policy for your region.

OUR RELATIONSHIP WITH MERCHANTS

At this time, Merchants are classified as Independent Data Controllers with access to limited data that we share with them. When you purchase a product from a Merchant, some of your purchase information may be shared with the Merchant in order to provide basic analytics and notification(s) of a sale. This data may include:

1. Transaction Information
2. Profile Information
3. Link Information (such as your ROBLOX/Discord Account)

UnifiedCentury Limited is the primary point of contact for data subject requests, security safeguards, or to exercise GDPR rights. Merchants are responsible for ensuring lawful use of purchaser data only within the Platform, and may not use, distribute, export, or share the data elsewhere.

INTERNATIONAL DATA TRANSFERS

In certain circumstances, your data may be processed outside of the UK/EU, such as in the United States or Canada. Some situations where this may occur include handling global support, redundancy, security, etc. In these situations, appropriate safeguards have been implemented, such as a UK International Data Transfer Agreement (IDTA) and/or EU Standard Contractual Clauses (SCCs).

DATA RETENTION

When not feasible to delete the information, it will be anonymized, such as in the case of accounts who have a Hub or have sold products.

If needed, we may hold on to data for a longer period in accordance with statutory retention requirements.

SECURITY MEASURES

When possible, all data stored encrypted at rest and is encrypted during transit when sent through the Internet. All information and files sent to Google Cloud Secrets Manager and Cloudflare R2 are encrypted on our end before being stored there.

We implement strict access control and filters to help prevent unauthorized access. Monitoring and logging is also implemented in order to help detect anomalies. DDoS and other cyber attack filtering is also implemented through our data processors.

Although we have all of these security measures in place, there is no way to be completely sure that the software powering these measures is without errors or vulnerabilities. In the case of a breach, we will notify the affected users and regulators where required by law. We will notify the ICO (or appropriate supervisory authority) without undue delay and, where required, within 72 hours of becoming aware of a notifiable personal data breach. Where there is a high risk to individuals, we will communicate to affected data subjects without undue delay.

Our standard incident response begins the moment that we can confidentially say there has been internal access from a device that we do not recognize. We will then begin taking immediate backups of logs and systems, and then investigate further to come to a conclusion within 72 hours of the incident response beginning.

DISCORD BOT DISCLOSURE

When interacting with the Bot, or when the Bot sends a notification, the following information may be collected:

1. Message(s)
2. Profile Information (including usernames, roles, user IDs, etc.)
3. Action(s) Taken (such as button presses)
4. Server Information (such as who is in the server, roles, channels, etc. as provided by the Discord API)

Some information may be logged, for example, if you are sending a message when the Bot has asked you for a product description, or when using support features provided through the Bot.

To remove the Bot from your server, you may navigate to Server Settings → Integrations (Apps Category), click on “Manage“ for the Afar listing, scroll to the bottom, then click the button labeled “Remove App“.

ROBLOX DISCLOSURE

When you are using experience(s) provided by us on the ROBLOX platform, we may automatically collect your user ID in order to match it to your account linked on the ROBLOX platform.

In the case of performing a migration, we may reach out to to a competitor’s service within the ROBLOX experience to obtain your information. In these situations, your ROBLOX user ID may be provided, when you initiate the migration, to retrieve the information required.

When using product files on the ROBLOX platform within your own experiences, an embedded whitelist may collect some information from your game including:

1. Place ID(s)
2. Experience ID(s)
3. Script Environment Information

When the embedded whitelist reaches out with the collected information to the Service to verify that you have a license to use the product, we may log the request’s details and information on our servers for validation and fraud monitoring.

USER RIGHTS

All users of the Service who do not live in the EU or UK have GDPR rights extended to them contractually through this privacy policy, in accordance with the UK’s law surrounding the GDPR. The method of executing these extended rights may differ procedurally from as if you were a resident of the UK, but you will be able to execute the extended rights in a substantially similar manner.

We guarantee the following rights for all users of our platform:

1. Right of Access
2. Right to Rectification
3. Right to Erasure
4. Right to be Informed
5. Right to Restrict Processing
6. Right to Data Portability
7. Right to Object
8. Right to Object to Automated Decision-Making
9. Right to Withdraw Consent
10. Right to Lodge a Complaint

EXERCISING YOUR RIGHTS

To exercise your GDPR rights, please contact [email protected].

Please note, the timeframe for a response may take up to one month (30 days) and some form of identity verification may be required. Where requests are complex or numerous, we may extend the timeframe by up to two further months (60 days) and will inform you of the extension and reasons within one month of you exercising your right.

AUTOMATED DECISION-MAKING

Automated decisions do occur at times, such as in fraud prevention. In these situations, your access may be limited or revoked and possibly lead to suspension. If you believe an error has been made, you have the right to request a human review by contacting [email protected].

CHILDREN AND MINORS

The Service is intended for users age 13 or older. Users under the age of 13 may not, under any circumstances, use the Service. We will comply with EU member-state age thresholds for EU users, where known.

Users may be required to provide or verify their age in order to ensure they are of age to use the Service.

If we become informed or otherwise learn that a user under the age of 13 has been using the Service, their personal data will be deleted as soon as possible. In the case that they have purchases or licenses made, a parent or legal guardian may be able to sign a transfer form, allowing the parent or legal guardian to take control of the account and its ownership, provided they do not allow their child to use it until they have reached the age of 13.

Users under the age of 16 who have not reached the digital age of consent must have permission from a parent or legal guardian to use the Service. We rely on the user to self declare, by accepting this policy, that consent has been obtained. Should an account be flagged or if that belief otherwise becomes questioned, we may need to contact a parent or legal guardian to do additional verification. If you believe your child has used the Service or has provided personal information without your consent, please contact [email protected].

CONTACT INFORMATION AND COMPLAINTS

At any time, for any reason, including inquiries and to exercise your rights, you may contact our privacy team or our data protection officer at [email protected].

You may also file a complaint with the UK Information Commissioner's Office as well. Our registration reference is ZB997267 and you can make a complaint at https://ico.org.uk/make-a-complaint/.

You may also contact your local supervisory authority, if applicable.