Privacy policy

Last updated: 2026-05-20

1. Data controller

The controller of personal data processed in connection with the RustSupply service (the "Service") is I.E. Artem Shits, State Registration Number 286.1573426, registered at N. Zaryan Street, Building 22A, Arabkir District, Yerevan, Armenia. For any data-protection request, including the rights described below, contact RustSkinPay@proton.me.

This policy describes what personal data we collect, the purposes for which we process it, the legal bases on which we rely, with whom we share it, how long we keep it, and the rights you have. We process personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the data protection law of the Republic of Armenia.

2. Personal data we collect

We collect the following categories of data:

  • Steam profile data — your public 64-bit Steam ID, display name, and avatar URL, received from Valve via Steam OpenID when you sign in. We do not receive your Steam password.
  • Steam trade URL — the URL you submit so that we can dispatch purchased Skins. The URL includes a numeric partner ID and a short token issued by Steam.
  • Email address — collected at checkout by our payment processor and stored by us against your order. We use it to send transactional notices (order confirmation, refund notice, delivery notice).
  • Order data — the Skin you bought, the price, the time of purchase, the payment method category (e.g. card / cryptocurrency), the payment processor's transaction identifier, and the status of delivery.
  • Technical data — IP address, user-agent string, approximate geolocation derived from IP, request timestamps. Collected and held in server logs.
  • Security and anti-fraud signals — login history, trade-URL change history, rate-limit counters, and similar markers used to detect account-takeover and payment fraud.

We do not collect: your Steam password, your real name (unless you choose to provide it in support correspondence), your residential address (unless required by mandatory anti-money-laundering rules above the applicable threshold), government identifiers, biometric data, or special categories of data within the meaning of GDPR Article 9.

Card numbers, CVV, and other payment instrument data are collected and processed by our payment processor (currently Stripe Payments Europe, Limited) directly through their hosted checkout. We never see them.

3. Why we process your data, and on what legal basis

Under GDPR Article 6, each purpose for which we process personal data has a legal basis. The principal purposes are:

  • Performance of the contract with you (Art. 6(1)(b)): processing your order, dispatching the Skin to your trade URL, issuing refunds where applicable, communicating order updates by email.
  • Compliance with our legal obligations (Art. 6(1)(c)): retaining transactional records for tax purposes, responding to lawful requests from competent authorities, complying with anti-money-laundering obligations applicable to us.
  • Our legitimate interests (Art. 6(1)(f)), where these are not overridden by your rights: preventing fraud and account takeover, securing the Service against attack, defending and pursuing legal claims, producing aggregated statistics to operate and improve the Service.
  • Your consent (Art. 6(1)(a)), where required — for example, non-essential cookies if and when we introduce them. We do not currently set marketing or tracking cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Who we share your data with

We share personal data only with the processors and recipients necessary to operate the Service:

  • Payment processors (Stripe; and, where you choose crypto payment, our crypto payment processor). They process card and payment data on our behalf under their own privacy policies and applicable data-protection law.
  • Inventory partners (currently Waxpeer) — to deliver the Skin we share your Steam trade URL (which contains a numeric ID and short token) and the Skin reference. We do not share your name, email, or payment data with the inventory partner.
  • Hosting and infrastructure providers — the services on which the Service runs, our managed database, our managed cache, and our transactional email provider.
  • Valve Corporation — by design, since authentication is via Steam OpenID and delivery is a Steam trade offer. We exchange the minimum data necessary.
  • Public authorities — where compelled by a valid legal request from a competent authority. We do not voluntarily disclose user data to third parties for their own purposes.

5. International transfers

Some of our processors are established outside the European Economic Area or the Republic of Armenia (for example, Stripe processes some data via its US affiliate). Where we transfer personal data outside the EEA, the transfer is made under the European Commission's Standard Contractual Clauses or another transfer mechanism recognised by GDPR. You may request a copy of the safeguards by writing to RustSkinPay@proton.me.

6. Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, and in any event:

  • Account data (Steam ID, trade URL, email): for as long as you have an active account, plus the longer of (i) the period during which a related claim can be brought against us under applicable limitation periods and (ii) any period imposed by mandatory record-keeping rules.
  • Order and payment records: for the period required by tax law applicable to us (under Armenian tax rules typically 5 years from the end of the tax year of the transaction).
  • Server logs: typically up to 90 days, longer if needed for a specific security investigation.
  • Marketing consents: until you withdraw consent, and a short period thereafter to evidence withdrawal.

After the retention period we delete or anonymise the data so that it can no longer be associated with you.

7. Your rights

Subject to the conditions and exceptions set out in GDPR and Armenian data-protection law, you have the right to:

  • Access the personal data we hold about you and obtain a copy;
  • Rectify inaccurate or incomplete data;
  • Erase your data in certain circumstances (for example, where the data is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent and there is no other legal basis);
  • Restrict processing in certain circumstances (for example, where you contest the accuracy of the data);
  • Object to processing carried out under our legitimate interests (including profiling based on those interests);
  • Receive your data in a portable format where the processing is based on consent or on the performance of the contract and is carried out by automated means;
  • Withdraw any consent you have given, at any time;
  • Lodge a complaint with a competent supervisory authority — for users in the European Union, the supervisory authority of the EU Member State in which you reside, work, or where the alleged infringement occurred; for users in Armenia, the Personal Data Protection Agency.

To exercise any of these rights, email RustSkinPay@proton.me from the email address associated with your purchases. We may ask you to confirm your identity before acting on a request. We will respond within one month of receipt of the request; in complex cases we may extend that period by a further two months and will tell you why.

8. Automated decision-making

We use automated rules to detect suspicious orders (for example, velocity checks, mismatched trade URLs, suspect IP ranges). Where an order is automatically blocked, you may request human review by contacting RustSkinPay@proton.me. We do not carry out profiling that produces legal effects in respect of you within the meaning of GDPR Article 22.

9. Cookies

The Service uses one strictly necessary cookie to keep you signed in between page loads. We do not currently set tracking, analytics, advertising, or third-party marketing cookies, and we do not embed third-party social-media trackers. If we introduce any such cookie in the future we will request your consent first via a cookie banner.

10. Security

We protect personal data using appropriate technical and organisational measures, including transport-layer encryption (TLS) for all traffic, encryption at rest of sensitive credentials, strict access controls, rate limiting and bot-protection controls, audit logging of sensitive actions (such as trade URL changes), and software-supply-chain monitoring. No system can be guaranteed to be impervious to attack, but we apply industry-standard practice. If we become aware of a personal data breach affecting your data we will notify you and the competent supervisory authority as required by GDPR.

11. Children

The Service is not directed at, and not offered to, persons under the age of 18 (or the higher local age of majority). We do not knowingly process personal data of children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of the page indicates when the policy was last revised. Material changes will be brought to your attention by a prominent notice on the Service and, where we have your email address, by email before they take effect.

13. Contact

Data controller: I.E. Artem Shits, State Registration Number 286.1573426, N. Zaryan Street, Building 22A, Arabkir District, Yerevan, Armenia. Privacy contact: RustSkinPay@proton.me.