Privacy Policy
Hifiverse.io — Last updated: 7 May 2026 · Version 1.0
Quick summary
- We are Timelapse Games EOOD, a Bulgarian company. We run hifiverse.io.
- We collect only the data we need to run the Service.
- We never sell your personal data.
- We share data with named processors (Stripe, our hosting provider, our email provider, our analytics provider, and a few others, all listed in section 7).
- If you sell on Hifiverse and cross EU tax-reporting thresholds, we are required to share your tax information with the Bulgarian National Revenue Agency, which forwards it to your country's tax authority.
- You have full GDPR rights (access, correction, deletion, portability, objection, restriction, complaint to a regulator). Section 11 explains how to use them.
- Children under 16 may not use the Service.
1. Who we are
The data controller is Timelapse Games EOOD, registered in the Republic of Bulgaria under UIC 207599711 ("Hifiverse", "we", "us" or "our"). We operate the Service at hifiverse.io.
For privacy questions, requests and complaints:
- Email: info@hifiverse.io
- Postal: Timelapse Games EOOD, Privacy Team, Bulgaria
- Data Protection Officer: info@hifiverse.io (subject line "DPO")
Our supervisory authority is the Bulgarian Commission for Personal Data Protection (CPDP), Prof. Tsvetan Lazarov 2, 1592 Sofia, Bulgaria, https://www.cpdp.bg/. You have the right to lodge a complaint with the CPDP or with the supervisory authority of your country of residence.
2. Scope
This policy explains what personal data we process when you visit hifiverse.io, create a Hifiverse account, subscribe to a paid plan, post a listing, contact a seller, purchase an Authentication, run a dealer storefront, use our API, sign up for our newsletter or otherwise interact with us.
3. The data we collect
Account data. Email address, hashed password, display name, country, language preference, date of registration.
Profile data. Optional: full name, profile photo, bio, social-media handles, location at city level, audiophile communities you participate in.
Subscription and payment data. Plan purchased, price, billing cycle, payment method type, last four digits and brand of card, billing address, VAT/tax number. We never store full card numbers; payment details are tokenised by Stripe.
Collection and listing data. Components you add to your collection tracker; listings you create (title, description, photos, price, condition, location, status); wishlist items; system-page settings.
Communication data. Messages sent through the Platform when contacting a seller or a dealer; messages to support; reviews, ratings, comments, forum posts.
Authentication data. Item submitted, photos, serial numbers, claimed condition, technician partner, inspection result and certificate.
Dealer data. Legal entity name, registered address, company registration number, VAT number, beneficial owner details, KYC documents, bank details.
Tax-reporting data (DAC7). Full legal name, primary residence address, date of birth (individuals), business registration number (entities), Tax Identification Number, VAT number where applicable, IBAN, consideration paid per quarter.
Usage data. Pages visited, listings viewed, searches, device type, browser type, screen resolution — collected through cookies in line with the Cookie Policy.
Technical data. Server logs: IP address, user-agent, request URL, response status, timestamps; fraud and security signals.
API and developer data. API key (associated with your account), application name and intended use, request volumes, error rates.
Marketing and consent data. Newsletter opt-in status; marketing email opt-in status; Cookie Policy version accepted; consent records.
We do not collect special-category data (health, race, ethnicity, religion, sexual orientation, political opinions, trade-union membership, biometrics or genetic data).
4. Why we process your data and on what legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and maintain your account | Contract performance, Art. 6(1)(b) |
| Deliver the Service (collection tracking, listings, valuations) | Contract performance, Art. 6(1)(b) |
| Process subscriptions, Authentications, API plans | Contract performance, Art. 6(1)(b) |
| Verify dealer identity under DSA Article 30 | Legal obligation, Art. 6(1)(c) |
| Collect and report DAC7 information | Legal obligation, Art. 6(1)(c) |
| Keep accounting records (7 years) | Legal obligation, Art. 6(1)(c) |
| Detect and prevent fraud, abuse, security incidents | Legitimate interest, Art. 6(1)(f) |
| Moderate content and enforce Acceptable Use Policy | Legal obligation + Legitimate interest, Art. 6(1)(c) and (f) |
| Improve the Service through anonymised analysis | Legitimate interest, Art. 6(1)(f) |
| Send newsletter and marketing emails | Consent, Art. 6(1)(a) |
| Send transactional emails (receipts, alerts) | Contract performance, Art. 6(1)(b) |
| Respond to lawful requests from public authorities | Legal obligation, Art. 6(1)(c) |
| Enforce our Terms and defend legal claims | Legitimate interest, Art. 6(1)(f) |
5. Automated decision-making and the Price Index
We use machine-learning techniques to power the Price Index and the AI-valuation feature. No automated decision we take has a legal effect on you within the meaning of GDPR Article 22. Authentication outcomes, dealer KYC verification, content-moderation decisions and DAC7 reporting decisions are reviewed by a human.
6. How long we keep your data
| Category | Retention period |
|---|---|
| Account data | While your account is active, then 30 days for recovery, then deletion. Minimal record (email hash, deletion date) kept 5 years. |
| Subscription and payment records | 7 years after the transaction year (Bulgarian Accountancy Act) |
| Marketplace listing data | 24 months after the listing expires or is removed |
| Communication data with sellers and support | 24 months after the last interaction |
| Authentication certificates and dispute records | 7 years from issuance |
| Dealer KYC documents (DSA Art. 30) | Duration of dealer relationship plus 6 months |
| DAC7 records | 5 years after the end of the reportable period |
| Cookie and consent records | 12 months from the date of consent |
| Newsletter consent records | Until you unsubscribe, plus 5 years |
| Server logs and security telemetry | 90 days general; 12 months for fraud or security investigations |
| Analytics data | Anonymised at the earliest opportunity; raw event data deleted after 14 months |
7. Who we share your data with
We share data only with parties that need it to deliver the Service or to comply with a legal obligation. We do not sell your data.
7.1 Processors and sub-processors:
| Processor | Role | Location |
|---|---|---|
| Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing, Stripe Tax, Stripe Identity (dealer KYC), Stripe Radar (fraud) | Ireland / United States |
| Hetzner Online GmbH (Germany) | Primary application hosting and database storage | Germany, Finland |
| Cloudflare, Inc. (United States) | CDN, DDoS mitigation, bot management | United States with EU edge nodes |
| SendGrid Inc. (Twilio, United States) | Transactional and newsletter email delivery | United States |
| Plausible Insights OÜ (Estonia) | Privacy-friendly, cookieless product analytics | Estonia |
| Sentry GmbH (Germany, EU instance) | Error monitoring and crash reporting | Germany |
| Backblaze, Inc. (United States) | Encrypted offsite backups | United States with EU buckets |
| DeepL SE (Germany) | Automated translation of dealer storefront content | Germany |
| OpenAI Ireland Ltd | Content moderation triage and editorial tooling; no personal data sent for training | Ireland / United States |
| Hifiverse Authentication Partner Network | Authentication inspections | Various (EU and US) |
7.2 Other recipients. Other users (when you make data public); buyers or sellers you contact; tax authorities (DAC7); regulatory and law-enforcement authorities (lawful requests); successor entities; professional advisors.
7.3 What we do not share. We do not sell or rent your personal data. We do not share it with advertisers for cross-site profiling.
8. International data transfers
Where data is transferred outside the EEA, we rely on adequacy decisions, Standard Contractual Clauses, or your explicit consent.
9. Marketplace transactions and our limited role
Hifiverse is not a party to any sale between users. Once parties continue the conversation off the Platform, Hifiverse is no longer a controller or processor of that conversation. Sellers become controllers of any data the buyer provides for shipping, payment and after-sales support.
10. Cookies and similar technologies
Our use of cookies is governed by the Cookie Policy and the choice you make in the cookie banner on first visit.
11. Your rights
Under GDPR you have the right to:
- Access (Art. 15) — ask for a copy of the personal data we hold about you.
- Correction (Art. 16) — ask us to correct inaccurate or incomplete data.
- Deletion (Art. 17) — ask us to delete your data, except where we are legally required to keep it.
- Restriction (Art. 18) — ask us to pause processing while a dispute is resolved.
- Portability (Art. 20) — ask for a structured, machine-readable copy of data you have given us. We export as JSON or CSV.
- Objection (Art. 21) — object to processing based on legitimate interest. You have an absolute right to object to direct-marketing processing.
- Withdraw consent (Art. 7) — where we rely on consent, you can withdraw it at any time.
- Lodge a complaint — with the CPDP or with the supervisory authority of your country of residence.
To exercise any right, write to info@hifiverse.io. We will reply within 30 days.
12. Security
We use TLS 1.3 encryption in transit and at rest, secret management, principle-of-least-privilege access controls, two-factor authentication for staff, regular dependency updates, security logging, periodic penetration testing and an incident-response plan.
We will notify you and the CPDP within 72 hours if a personal-data breach is likely to result in a risk to your rights and freedoms (GDPR Art. 33–34).
13. Children
The Service is not for children under 16. If you believe a child under 16 has registered, contact info@hifiverse.io.
14. California, the United Kingdom and other regions
California. To exercise CPRA rights, write to info@hifiverse.io with "California Privacy Rights" in the subject line. We do not sell or share personal information within the meaning of the CPRA.
United Kingdom. The UK GDPR and Data Protection Act 2018 apply. Our supervisory authority for UK matters is the Information Commissioner's Office (ICO).
Switzerland. Swiss residents have rights under the revised Federal Act on Data Protection (FADP).
15. Changes to this policy
For changes that affect your rights, we give at least 30 days' notice by email and on the Platform. We keep prior versions in our archive.
Contact
- Email: info@hifiverse.io (subject: "Privacy", "DSAR", "DPO" etc.)
- Postal: Timelapse Games EOOD, Bulgaria