⚠️ Legal content placeholder — not yet reviewed by counsel
NZ Privacy Act 2020 compliance is mandatory. Do not publish to users until reviewed by a NZ-qualified privacy practitioner.
Privacy Policy
Last updated: [DATE — to be populated after legal review]
1. Who We Are
Merchant Scroll NZ is an online marketplace operating in New Zealand for the buying, selling, and trading of Magic: The Gathering trading cards. We collect and use personal information in accordance with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs). This Privacy Policy works alongside our Terms of Service.
[TODO: Operating entity name, registered address, and designated Privacy Officer name and contact — pending operator input.]
2. Information We Collect
We collect personal information in the following governed categories:
- Account identifiers: a unique account ID, your username, your email address, your role on the platform, and account state fields (locked status, lock reason, locked-at timestamp).
- Listing data: the cards you list for sale or trade, including condition, price, pricing mode, and any photo evidence you upload.
- Order and trade data: records of transactions you participate in as buyer, seller, initiator, or receiver. Includes order status, payment and payout timestamps, tracking information, and the fair-value snapshots used to lock a Value Trade.
- Credit ledger and subscription data: records of credits issued, reserved, consumed, or purchased; subscription tier and period information.
- Dispute and dispute evidence data: dispute records you raise or are subject to, including evidence notes and storage references you submit during dispute review.
- KYC verification state: your verification status (one of
unverified,pending, orverified) and KYC flag metadata (flag type, status, who raised and resolved flags, timestamps). We do not store the underlying identity documents — see the KYC Provider Statement. - Audit log data: an append-only record of governed lifecycle transitions and admin actions attributed to your account.
- Inventory import data: CSV or plaintext inventory imports you submit, while a batch is in staged review. See Section 6 for retention.
- Payment processor references: identifiers issued by Stripe to link your account, orders, and subscription to payment processing. The platform stores these references only. Card numbers, expiry dates, and CVCs are not stored by Merchant Scroll NZ — those details are collected and held by Stripe under their own privacy obligations.
Public identifier rule. Under the platform’s governed compliance posture, username is the only field the platform may display to identify one user to another, and email must not be returned in any public-facing API response or rendered on any public-facing UI surface. Your real name, email address, and internal account identifier are never visible to other users.
KYC documents. Raw uploaded identity document payloads must not become part of governed platform storage. Where identity verification is required, document verification is performed by our identity-verification provider, and Merchant Scroll NZ stores only the resulting verification status and audit metadata.
Connection data. Cloudflare’s edge infrastructure processes every request and may log connection metadata including IP address, request timestamps, and coarse geolocation derived from IP as part of standard edge network operation. The platform does not deploy browser fingerprinting, session replay, or third-party analytics trackers.
3. How We Use Your Information
We use the information described above for the following governed purposes:
- Facilitating buying, selling, and Value Trade transactions between users on the platform.
- Performing identity verification (KYC) where governed value thresholds require it, and managing the resulting verification state.
- Administering Held Payout — holding seller funds until the buyer confirms receipt, the buyer’s action window closes, or any active dispute on the order is resolved.
- Resolving disputes raised under the governed dispute triggers, including evidence review and admin handling.
- Account-lock handling where a governed lock trigger applies (negative credit balance, active chargeback, incomplete identity verification, or repeated unresolved disputes).
- Sending match notifications to users with a matching Chase List entry when a relevant listing is published. Match notifications are bounded by the governed notification rules and are not described as guaranteed transaction opportunities.
- Retaining an append-only audit log of governed lifecycle transitions and admin actions for operational and audit purposes.
4. Disclosure to Third Parties
We disclose information to the following categories of third parties strictly for the purposes described above:
- Payment processor — Stripe. Stripe processes card payments and seller payouts. Stripe acts as a separate data controller for the payment data it collects directly and handles that data under its own privacy policy.
- Identity verification provider. Where identity verification is required, an external verification provider processes the underlying identity-document data on our behalf. The specific provider and its data-handling commitments are described in the KYC Provider Statement. Merchant Scroll NZ stores only the resulting verification status and audit metadata.
- Infrastructure providers. The platform runtime is hosted on Cloudflare’s edge network. Our database is provided by Supabase. These providers host the platform on our behalf and are bound by their own privacy and security obligations.
- External read-only references. The platform consults Scryfall for card identity and printing resolution, Frankfurter for daily NZD/USD exchange-rate data, and a Card Kingdom retail pricelist for benchmark pricing data. No user-identifying data is sent to these services; they are used only to enrich the platform with public reference data.
[TODO: Specific law-enforcement and regulatory-authority disclosure obligations under the AML/CFT Act 2009 — pending confirmation of the platform’s reporting-entity status by NZ legal counsel.]
5. Overseas Transfer of Information
Some of our third-party providers — including Stripe, our infrastructure providers (Cloudflare and Supabase), and our identity-verification provider — may store or process personal information outside New Zealand. Where this occurs, the disclosure is governed by Information Privacy Principle 12 of the Privacy Act 2020, which requires us to be satisfied that the receiving party is subject to comparable privacy safeguards before personal information is disclosed overseas.
Known data regions:
- Cloudflare Workers (platform runtime): Cloudflare operates a global edge network. Requests may be processed at any point of presence worldwide.
- Supabase (database): [PLACEHOLDER — data region to be confirmed by operator before publication.]
- Stripe (payment processing): Stripe operates data centres in the United States and European Union, subject to its own data-residency terms and privacy policy.
6. Data Retention
We retain personal information for the periods set out below, plus any additional period required by law.
- Inventory imports: a staged inventory import that you do not confirm within
Import_Session_Abandon_Hoursfrom the platform Constants Registry is automatically transitioned to an abandoned state. Abandoned imports do not produce any list entries and are not retained indefinitely. - Audit log: entries in the platform audit log are append-only by design. They record governed lifecycle transitions and admin actions and are retained as required for operational, security, and audit purposes.
- KYC verification state: verification status and KYC flag metadata are retained while your account is active. The platform does not store the underlying identity documents; document retention is governed by the verification provider’s own data- handling policy. See the KYC Provider Statement.
- Transaction Rating records: retained only to the extent operationally necessary for trust, dispute, and audit purposes. Removed records do not continue to appear on public-facing surfaces.
- Personal account data on closure: if you close your account, personal identifiers (username, email, profile fields) will be deleted or anonymised within 30 days of account closure, unless retention is required by law or a dispute is open at the time of closure.
- Transaction and audit records: order history, trade history, payment references, and audit log entries related to completed transactions are retained for 7 years following the relevant transaction, in accordance with standard commercial record-keeping obligations.
[TODO: Statutory retention periods under the AML/CFT Act 2009 if the platform is determined to be a reporting entity — pending NZ legal counsel confirmation.]
7. Your Rights
Under the Privacy Act 2020 you have:
- the right to access personal information we hold about you (Information Privacy Principle 6); and
- the right to request correction of personal information we hold about you (Information Privacy Principle 7).
If you believe we have not complied with our Privacy Act obligations, you may also make a complaint to the Office of the Privacy Commissioner at www.privacy.org.nz.
[TODO: Concrete access and correction request process, response timeframe, and account-deletion request handling — pending designation of the platform Privacy Officer.]
8. Cookies and Tracking
The platform sets an essential authentication session cookie (issued via NextAuth) to keep you signed in securely. Without this cookie, the signed-in surfaces of the platform cannot function.
No additional analytics, performance-monitoring, or marketing trackers are deployed. The only tracking technology in use is the NextAuth session cookie described above.
9. Contact and Complaints
If you have a privacy-related question, request, or complaint about how Merchant Scroll NZ handles your personal information, you may contact our designated Privacy Officer.
We will acknowledge privacy requests and complaints within 5 business days and aim to resolve them within 30 days of receipt. If further time is required, we will notify you.
[PLACEHOLDER — Privacy Officer contact email: to be confirmed by operator and published before platform goes live to the public.]
You may also escalate a privacy complaint to the Office of the Privacy Commissioner at www.privacy.org.nz.