Telegram

Privacy Policy

Last updated: 2026-01-15 · Effective: 2026-01-15 · Version 2.0

1. Plain-language summary

  • We collect only the personal data we need to run the service: contact details, payment metadata, and minimal server logs.
  • Verified account holders are subject to a separate, stricter Data Processing Agreement covering their identity verification data.
  • We do not sell personal data. We do not use it for ad retargeting. We do not run third-party advertising cookies.
  • You can request access, correction, deletion, or portability of your data at any time by emailing info@500accs.com.
  • This policy is GDPR-aligned (EU/UK) and CCPA-aligned (California).

2. Data controller

500accs
Community Federal Savings Bank
89-16 Jamaica Ave, Woodhaven
NY 11421, United States
Data inquiries: info@500accs.com

For EU/UK data subjects, we act as Data Controller under Article 4(7) of the GDPR. For California residents, we act as a “Business” under CCPA §1798.140(c).

3. Categories of personal data we process

3.1 From customers (renters)

  • Contact data: email address, Telegram handle, company name, billing address
  • Payment metadata: payment method type, last 4 of card, transaction ID (we do not store full card numbers; payment is processed by Stripe)
  • Account credentials you create with us (passwords are hashed and salted)
  • Server logs: IP address, user agent, timestamps, requested paths (retained 90 days for security)
  • Communication content: messages you send to support via email or Telegram

3.2 From verified account holders (suppliers)

  • Full legal name and date of birth (from passport NFC chip)
  • Passport number and expiry (from NFC chip)
  • Biometric photo (from NFC chip)
  • Nationality and country of issue (from NFC chip)
  • Signed lease agreement (PDF)
  • Contact details and bank/payout information

Account holder data is treated as special category data under GDPR Article 9 and is subject to a separate Data Processing Agreement (DPA) signed with each account holder.

3.3 From site visitors

  • Anonymized analytics (no cross-site tracking, no third-party advertising trackers)
  • Server logs (90-day retention)

4. Why we process your data

  • Service delivery: provisioning rentals, managing replacement workflows, communicating with you
  • Account holder verification: NFC passport scan to confirm identity and enable recovery flows
  • Billing and payment: processing transactions through Stripe and bank wire
  • Fraud prevention: detecting and blocking suspicious activity
  • Security: protecting our systems and your accounts from unauthorized access
  • Legal compliance: meeting our obligations under tax, anti-money-laundering, and sanctions laws
  • Service improvement: aggregating non-personal metrics about how the Service performs

5. Lawful basis for processing (GDPR)

For EU and UK data subjects, we rely on the following lawful bases:

  • Article 6(1)(b) — contract: processing necessary to perform the rental agreement.
  • Article 6(1)(c) — legal obligation: tax, AML, and sanctions compliance.
  • Article 6(1)(f) — legitimate interests: fraud prevention and security.
  • Article 9(2)(a) — explicit consent: for account holders' biometric and passport data.

Where consent is the basis, you may withdraw it at any time; withdrawal does not affect lawful processing that took place before withdrawal.

6. Where the data comes from

  • Directly from you when you sign up, place an order, or message support.
  • Directly from account holders during the verification flow (NFC chip read + signed agreement).
  • Automatically from your device when you visit the Site (server logs, anonymized analytics).
  • From payment processors when you transact (Stripe, our banking partner).

We do not buy personal data from data brokers or third-party marketers.

7. Sharing with third parties

We share personal data only with:

  • Payment processors (Stripe, bank wire partners) — to process transactions
  • Infrastructure providers (Vercel for hosting, Supabase for database, AWS S3 for encrypted storage) under signed Data Processing Agreements
  • Identity verification tooling (NFC reader vendor) under contract
  • Professional advisors (legal, accounting) bound by professional confidentiality
  • Law enforcement or regulators if we are legally compelled — and only the minimum data required

We do not sell personal data. We do not share data with advertising networks.

8. International data transfers

We are based in the United States. EU/UK data subjects' data may be transferred to the US under appropriate safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary technical measures (encryption in transit and at rest), and Transfer Impact Assessments where required.

For EU-resident account holders, biometric NFC data is stored in EU-jurisdiction infrastructure where applicable, with copies retained encrypted at rest in US-jurisdiction backups under SCCs.

9. Retention schedule

CategoryRetention periodBasis
Customer contact detailsDuration of active rental + 24 monthsContract, legitimate interest in customer relationship
Billing records7 yearsTax and accounting compliance
Server logs90 daysSecurity, fraud prevention
Support communications3 yearsDispute resolution, service improvement
Account holder NFC scansDuration of lease + 12 monthsRecovery support, AML compliance
Anonymized analyticsIndefinite (no personal identifiers)Service improvement

10. Security measures

  • Encryption at rest: AES-256 for all NFC scans and credential storage.
  • Encryption in transit: TLS 1.3 across all customer-facing channels.
  • Access control: role-based access with audit logs for any access to sensitive data.
  • Network isolation: account-holder data isolated from customer-accessible systems.
  • No plaintext credentials on the wire — all credentials handed over through encrypted channels.
  • Penetration testing: annual third-party security assessments.
  • Incident response: documented playbook with 72-hour notification commitment.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you within 72 hours as required by GDPR Article 33.

11. Your rights

11.1 Under GDPR (EU/UK data subjects)

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — correct inaccurate personal data
  • Right to erasure — request deletion (subject to legal retention requirements)
  • Right to restriction of processing
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — to processing based on legitimate interests
  • Right to withdraw consent — where consent is the lawful basis
  • Right to lodge a complaint — with your local data protection authority

11.2 Under CCPA (California residents)

  • Right to know what personal information we collect and how we use it
  • Right to delete personal information (subject to exceptions)
  • Right to opt out of the sale or sharing of personal information (we do not sell)
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising any of these rights

11.3 How to exercise your rights

Email info@500accs.com with the subject line “Data Subject Request”. We respond within 30 days (extendable by an additional 60 days for complex requests, with notice). We may ask for identity verification before we act on a request.

12. Cookies and analytics

The Site uses two categories of cookies:

  • Essential cookies — session cookies for the admin dashboard, theme preferences, and basic site functionality. No consent required.
  • Anonymized analytics cookies — to understand aggregate usage patterns. No cross-site tracking, no third-party ad networks.

We do not deploy Google Analytics for behavioural tracking, Facebook Pixel, or any third-party advertising cookies.

13. Children

The Service is intended for business use by adults aged 18 or older. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, contact us and we will delete it.

14. Verified account holders — additional terms

Account Holders sign a separate Data Processing Agreement (DPA) covering:

  • The scope of biometric NFC data processed and stored
  • The purposes for which the data may be used (recovery flows only — never marketing)
  • The retention schedule (duration of lease + 12 months)
  • Specific consent for sharing with LinkedIn during ID-challenge recovery
  • The right to revoke participation and have data deleted
  • The right to receive payment for the lease arrangement

Account Holder data is never shared with renters. Renters receive operational credentials only.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements, the Service, or our data practices. Material changes will be notified to active customers and account holders by email at least 14 days before they take effect.

16. Contact

For any privacy questions or to exercise your rights:

500accs — Privacy Inquiries
Community Federal Savings Bank
89-16 Jamaica Ave, Woodhaven
NY 11421, United States
info@500accs.com
@outzeach on Telegram