Privacy Policy
x402ratings.com · Last updated: February 2026 · Effective: February 2026
This Privacy Policy explains how x402ratings.com ("we", "us", "our") collects, uses, stores, and shares your personal data. We comply with GDPR (EU) 2016/679 and applicable Finnish data protection legislation.
// 01 — Who We Are
Data controller: x402ratings.com, individual operator, Åland Islands, Finland.
Contact: hello@x402ratings.com
// 02 — Data We Collect
Email address — responding to support requests (GDPR Art. 6(1)(b), (f))
Payment data — processing payments via Stripe (GDPR Art. 6(1)(b))
Device fingerprint — sybil resistance, one vote per device (GDPR Art. 6(1)(f))
IP address — security and fraud prevention (GDPR Art. 6(1)(f))
Service listing content — displaying your service (GDPR Art. 6(1)(b))
Browser/session data — basic site functionality and vote state (GDPR Art. 6(1)(f) or consent)
Server access logs — security monitoring (GDPR Art. 6(1)(f))
We do not collect sensitive personal data, data from children under 16, or data through deceptive means.
// 03 — Device Fingerprinting
We generate a non-identifying device fingerprint from browser and device signals to enforce one-vote-per-device. It is stored as a hashed value and used solely for platform integrity — never for advertising or cross-site tracking. Legal basis: legitimate interest (GDPR Art. 6(1)(f)). You may object — see Section 09.
// 04 — Cookies and Storage
We use strictly necessary storage (session management, CSRF protection) and functional storage (remembering vote state). We use consent-based analytics only if explicitly enabled. We do not use advertising cookies. Your vote state is stored in localStorage to prevent duplicate votes — this requires your consent under ePrivacy rules, which we obtain via our cookie banner.
// 05 — Payment Processing
All payments are handled by Stripe, Inc. (PCI-DSS compliant). We never store your card number or CVV. Stripe processes payment data under their own Privacy Policy.
// 06 — Third-Party Processors
Stripe, Inc. — payment processing (USA, SCCs apply)
Vercel — website hosting and CDN (EU/USA, SCCs apply)
ImprovMX — email forwarding (EU preferred)
Sentry — error monitoring (USA, SCCs apply)
We do not sell your data or share it for third-party marketing.
// 07 — International Transfers
Some processors are US-based. All transfers outside the EEA rely on Standard Contractual Clauses (SCCs). GDPR applies in full — Åland Islands are EU territory for GDPR purposes.
// 08 — Data Retention
Payment records — 7 years (Finnish Accounting Act)
Email correspondence — 2 years from last contact
Service listing data — duration of listing + 12 months
Device fingerprint hash — 12 months rolling
Server access logs — 90 days
Vote records — duration of listing existence
// 09 — Your GDPR Rights
You have the right to access, rectify, erase, restrict, port, and object to processing of your data. To exercise any right, email hello@x402ratings.com. We respond within 30 days.
You may also lodge a complaint with the Finnish Data Protection Ombudsman at tietosuoja.fi.
// 10 — Children
Our service is not directed at children under 16. We do not knowingly collect their data. Contact us immediately if you believe a child has submitted data.
// 11 — Security
We use HTTPS/TLS, access controls, and PCI-DSS compliant payment infrastructure. No system is 100% secure — we cannot guarantee absolute security of internet-transmitted data.
// 12 — Changes
We update this policy as needed. Material changes update the "Last updated" date above. Continued use constitutes acceptance.
// 13 — Contact
Email: hello@x402ratings.com
Finnish Data Protection Ombudsman: tietosuoja.fi · tietosuoja@om.fi · PO Box 800, FI-00521 Helsinki