Privacy Policy

Last updated:

This Privacy Policy explains what personal data Chort ("we", "us") collects when you use our websites, applications, and related services (together, the "Service"), why we collect it, who we share it with, and your rights regarding it. If anything is unclear, email us at privacy@chort.com.

1. Who we are

Chort is based in the British Virgin Islands. We are the controller of the personal data described in this notice. Where this notice refers to "the Service", it means our websites (including chort.com), our applications, and the platform features described in our Terms of Service.

2. What we collect

The data we collect depends on how you use the Service. Categories include:

Account information. When you create an account, we collect your name, email address, an optional username, a password hash (we never store your password in plain text), and account preferences. If you sign in using a third-party identity provider (see Single sign-on below), we receive the information that provider releases to us.

Single sign-on (Google). If you choose to sign in with Google, we receive a unique account identifier from Google, your email address, and (depending on your settings) your name or profile picture. We do not receive your password. Your use of Google sign-in is also subject to Google's privacy policy.

Identity verification. Certain users and certain features, including those that involve receiving payments, publishing content for sale, or accessing higher-value or otherwise restricted activities, may require us to verify your identity. Where this is required, we may collect your full legal name, date of birth, residential address, nationality, government-issued photographic identification, proof of address, tax identification numbers, and other information reasonably necessary for us to comply with our anti-money-laundering ("AML"), counter-terrorist-financing ("CTF"), sanctions, and know-your-customer ("KYC") obligations. This information is typically processed by a third-party verification provider on our behalf.

Payment information. When you make or receive payments through the Service, our third-party payment processor collects and processes your payment details. We do not store full payment card numbers. We retain a record of your transactions (amount, currency, date, counterparty, status) for accounting, tax, and AML purposes.

User Content. If you submit content to the Service (for example posts, comments, messages, watchlists, analysis, or material offered through our marketplace), we store that content and any associated metadata so that we can make it available through the Service.

Communications. If you contact us, for example by email, support form, or in-product messaging, we keep a record of that correspondence so we can respond and improve our service.

Technical and usage data. When you use the Service, we automatically collect: your IP address, device and browser characteristics (user-agent, operating system, language, time zone), session identifiers, approximate location derived from your IP, the pages or screens you view, the actions you take, the time and duration of those actions, error and diagnostic data, and security-related events.

Marketing signups. If you submit your email address through a signup form on chort.com, we store the email address you provided, the consent text shown to you at the time and the fact that you confirmed it, the date and time of submission, and the IP address and browser user-agent of the device that submitted the form (used solely for abuse prevention).

Analytics. Where you provide consent, we use Google Analytics cookies to understand how the Service is used. Google Analytics typically collects: which pages or screens you visit, how long you spend on each, how you arrived at the Service, the actions you take, and approximate (anonymised) location data. We have configured Google Analytics to minimise personal data collection and we do not combine analytics data with other data we hold in a way that directly identifies you.

3. Why we collect it (and our lawful basis)

For users in the EU and UK, we are required to identify a lawful basis under the EU General Data Protection Regulation ("GDPR") and the UK GDPR for each purpose for which we process your data. The list below summarises our purposes and the lawful basis we rely on for each.

  • To provide the Service to you (creating and operating your account, providing features you request, processing your User Content and transactions): performance of our contract with you (GDPR Art. 6(1)(b)).
  • To verify your identity and meet our AML, CTF, sanctions, and KYC obligations: compliance with a legal obligation (GDPR Art. 6(1)(c)) and, where applicable, our legitimate interest in preventing fraud and abuse (Art. 6(1)(f)).
  • To process payments and operate the marketplace: performance of our contract with you and legal obligation for record-keeping.
  • To keep the Service secure, prevent abuse, fraud, and unauthorised access: our legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligation.
  • To send service emails (for example security alerts, transactional notifications, changes to these terms): performance of our contract with you.
  • To send marketing emails about the Service: your consent (Art. 6(1)(a)), which you may withdraw at any time.
  • To run analytics and improve the Service: your consent for cookie-based analytics (Art. 6(1)(a)); legitimate interest for first-party usage analytics that do not rely on cookies.
  • To comply with legal requests and to establish, exercise, or defend legal claims: legal obligation or legitimate interest.

We do not sell your personal data, and we do not "share" your personal data for cross-context behavioural advertising as those terms are defined under California law.

4. Who we share it with

We share personal data only as described below. Our service providers act as our processors and are contractually required to handle personal data on our instructions and to keep it secure.

  • Cloud infrastructure: Amazon Web Services, Inc. ("AWS"). We host the Service on AWS, primarily in the EU.
  • Identity sign-in providers: Google LLC, where you choose to use Google sign-in.
  • Identity verification provider: a specialist KYC and AML provider that processes identity documents and verification data on our behalf.
  • Payment processor: a third-party payment processor that handles card and payout details and processes transactions through the Service.
  • Email and communications provider: used to send transactional emails (verification, password reset, security alerts) and, with your consent, marketing emails.
  • Analytics: Google LLC (Google Analytics), where you have consented to analytics cookies.
  • Other users: where you choose to publish content, list items for sale, comment, message another user, or otherwise make information available through the Service, that information will be visible to other users in line with the visibility settings you have chosen.
  • Professional advisers: our auditors, accountants, lawyers, and insurers, on a need-to-know basis.
  • Authorities and third parties: where we are required to do so by law, regulation, court order, or a valid legal process, or where we believe disclosure is necessary to investigate fraud, protect the rights and safety of Chort or our users, or enforce our Terms of Service.
  • Successors in a corporate transaction: if Chort is involved in a merger, acquisition, financing, restructuring, or sale of assets, personal data may be transferred as part of that transaction, subject to confidentiality and to this Privacy Policy.

A current list of the specific providers we use is available on request from privacy@chort.com.

5. International transfers

Chort is based in the British Virgin Islands and uses service providers based in various jurisdictions, including the United States. Where we transfer personal data of users in the EU, EEA, or UK to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards, including:

  • For our US-based providers (including Google), the EU-US Data Privacy Framework and the UK-US Data Bridge, where the provider is certified.
  • The European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum (or successor mechanisms) for providers that are not Data Privacy Framework certified.

You may request a copy of the safeguards we have in place by emailing privacy@chort.com.

6. How long we keep it

We retain personal data only for as long as is necessary for the purposes set out in this notice, after which we delete or anonymise it. Indicative retention periods are:

  • Account data: for the lifetime of your account, plus a limited period after you close it to handle any outstanding obligations, disputes, or legal claims.
  • User Content: until you delete it or close your account, except to the extent it has been shared with or relied upon by other users, or where we are required to retain it for legal reasons.
  • Identity verification and AML records: typically five to seven years from the end of our business relationship with you (or longer where required by applicable law), in line with our anti-money-laundering obligations.
  • Payment and transaction records: typically seven years, in line with tax and accounting record-keeping requirements.
  • Security logs and abuse-prevention data: typically up to twelve months, longer where required to investigate a specific incident.
  • Marketing signups and consent records: until you unsubscribe or ask us to delete the data, plus a short period to evidence the unsubscribe.
  • Analytics data: in line with the retention period configured in Google Analytics (currently no longer than 14 months for user-level data).

7. Cookies and similar technologies

We use the following types of cookies and similar technologies:

  • Strictly necessary cookies: required for the Service to function, including session cookies to keep you signed in and CSRF tokens to protect against cross-site request forgery. These do not require consent.
  • Performance and technical artefacts: placed by our content delivery network, AWS CloudFront, to route requests and optimise performance.
  • Analytics cookies: placed by Google Analytics, only where you have consented through our cookie banner.

You can withdraw your consent at any time through the cookie controls on the Service, or by adjusting your browser settings to refuse cookies. Refusing strictly necessary cookies may prevent parts of the Service from functioning.

8. Your rights

The rights you have over your personal data depend on where you live. To exercise any of the rights below, email privacy@chort.com from the address on file, or use the in-product controls where available. We may need to verify your identity before responding to a request. We aim to respond promptly and within the timeframes required by applicable law.

If you are in the EU, EEA, or UK (GDPR and UK GDPR): you have the right to:

  • Request a copy of the personal data we hold about you (access).
  • Ask us to correct data that is inaccurate or incomplete (rectification).
  • Ask us to delete your data, subject to legal exceptions (erasure, or the "right to be forgotten").
  • Ask us to restrict our processing of your data in certain circumstances.
  • Receive a copy of certain data in a portable format (data portability).
  • Object to processing carried out on the basis of our legitimate interests, including direct marketing.
  • Withdraw any consent you have given us at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint with your national data protection authority. In the UK this is the Information Commissioner's Office.

If you are a California resident (CCPA and CPRA): subject to applicable thresholds and exceptions, you have the right to:

  • Know what personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we share it.
  • Request a copy of the personal information we have collected.
  • Request correction of inaccurate personal information.
  • Request deletion of personal information we have collected from you.
  • Opt out of any "sale" or "sharing" of your personal information, as those terms are defined under California law. As noted above, we do not sell or share your personal information for cross-context behavioural advertising.
  • Not be discriminated against for exercising any of these rights.

If you are a resident of another US state with a comprehensive privacy law (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others), you may have rights similar to those described above. We will honour valid requests in line with applicable law.

If you are in the British Virgin Islands, you have rights under the BVI Data Protection Act 2021, including the right to access and correct your personal data and to lodge a complaint with the BVI Information Commissioner.

If you are elsewhere, you may have similar rights under your local privacy law. Contact us and we will respond in line with applicable law.

9. Security

We use technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or loss, including encryption in transit and at rest, access controls and authentication, network segregation, logging and monitoring, and restricted administrative access. No system is perfectly secure; you can help us by using a strong, unique password and by enabling any additional security features we offer.

10. Children

The Service is not intended for, and is not directed at, individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will take appropriate steps to delete it.

11. Changes to this notice

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated through the Service or by email where appropriate.

12. Contact

Chort
British Virgin Islands
privacy@chort.com