Effective Date: February 22, 2026
Owner and Data Controller: Matej Bumbera (IČO: 23676825)
Registered Address: Děčínská 552/1, 180 00, Praha 8 - Střížkov, Czechia
Contact Email: matejbumbera@miaco.app | Phone: +420 736 447 699
Welcome to the Privacy Policy for Miaco ("the App"). We operate a peer-to-peer marketplace facilitating the exchange of cosplay items. This document explains what data we collect, how it is processed, and your rights under global privacy laws, including the GDPR (EU/UK), US State Laws (CCPA), and the Australian Privacy Act 1988.
Important Marketplace Notice: Miaco is a platform provider only. We do not process payments or handle shipping. All financial transactions and shipping arrangements are conducted externally and directly between users. Users are solely responsible for their own transactions.
1. Definitions
Personal Data: Any information that directly, indirectly, or in connection with other information allows for the identification of a natural person.
Data Controller: The natural person (Matej Bumbera) who determines the purposes and means of the processing of Personal Data.
Usage Data: Information collected automatically through this App (e.g., IP addresses, device operating systems, app interaction logs).
2. Information We Collect and Visibility
We collect information to operate our marketplace, secure your account, and allow you to connect with other users. The provision of Account Data (Email, Username, Password) is a mandatory contractual requirement; failure to provide it makes it impossible to create an account or verify age eligibility.
A. Publicly Visible Data
Basic Profile (Mandatory): Username.
Seller Content (Mandatory only if you choose to list items): Product listings (including, but not limited to, images, titles, descriptions, prices, and condition) and your designated selling location/currency.
Profile Enhancements (Optional): Information you choose to provide to customize your experience, such as a profile picture, bio, pronouns, preferred display currency, preferred country/region, and linked social media handles (e.g., Instagram, TikTok).
Platform Generated Records: Public feedback, including user reviews and ratings submitted by other members of the community.
B. Private / Shared Between Specific Users
Account Data: Email address (for registration and verification) and Hashed Password.
Communications: Direct messages (text and images) are visible only to the conversation participants.
Processed & System Data:
Technical information necessary for security and app performance, such as your Device ID and IP address.
Derived data used for marketplace functionality, such as currency-normalized prices to facilitate search and sorting.
Transaction status records (e.g., Active, Reserved, Sold).
No Tracking or Advertising: Miaco does NOT use Google Analytics, Facebook Pixels, or third-party advertising networks. We do not sell your personal information or share it with third parties for their direct marketing purposes.
3. Legal Basis for Processing (EU/UK GDPR)
Contract Performance (Art. 6.1.b): To create accounts, enable messaging, and display listings.
Legitimate Interest (Art. 6.1.f): To maintain platform safety, prevent fraud, and handle dispute resolution.
Legal Obligation (Art. 6.1.c): For tax compliance or responding to lawful requests from public authorities.
Consent (Art. 6.1.a): For optional profile details. Where processing is based on consent, you may withdraw it at any time; however, withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
4. Data Storage, Security & System Logs
We take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
Data Infrastructure: Core user data, communications, and marketplace records are stored on secure servers provided by Hetzner in Germany (EU). All data in transit is protected via HTTPS/TLS encryption.
Authentication Security: Temporary data, such as verification codes and session tokens, are stored in a short-term memory cache. This information is automatically deleted once its specific purpose is fulfilled.
Image Storage: Product and profile images are stored on Backblaze B2 in the Netherlands (EU) using UUID-based filenames for privacy.
System Logs: For operation and maintenance, the App may collect files that record interactions (System logs) or use Usage Data (such as IP addresses) to ensure platform stability, performance, and security.
5. Third-Party Services & International Transfers
While our servers are in the EU, some infrastructure providers are headquartered in the USA. Transfers are conducted in accordance with applicable laws.
Service | Provider HQ | Purpose | Processing Location
Resend | USA | Sending Emails | Ireland (EU)
Backblaze B2 | USA | Image Hosting | Netherlands (EU)
Hetzner | Germany | Core Infrastructure | Germany (EU)
International Safeguards: Transfers to US-based entities (Resend, Backblaze) are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission. You may request a copy of these clauses by contacting us.
6. How to Exercise Your Rights
You can manage your data directly within the App's Settings menu:
Rectification: Update your profile and listings at any time via your Profile settings.
Erasure: You can initiate account deactivation through the "Delete Account" button in Settings.
Access & Portability: To request a copy of your data in a machine-readable format or exercise other rights, please contact us at matejbumbera@miaco.app. We will respond within 30 days and without charge, unless requests are manifestly unfounded or excessive.
7. Global User Rights
A. Users in the EU & UK (GDPR)
You have the right to access, rectify, or erase your data (subject to our 12-month security hold). In the event of a high-risk data breach, we will notify the competent authority (ÚOOÚ in Czechia, ICO in the UK) and affected users within 72 hours. You have the right to lodge a complaint with your local Data Protection Authority.
B. Users in the United States (CCPA/CPRA)
You have the right to Know, Correct, and Delete your Personal Information. We do not sell your data or share it for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals. For California residents, we also comply with "Shine the Light" requirements regarding third-party marketing.
C. Users in Australia (Privacy Act 1988)
You have the right to access and correct your data. Complaints regarding data handling should be directed to matejbumbera@miaco.app. If unsatisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).
8. Data Retention and Deletion
Active Accounts: Data is retained for the duration of the account's activity.
Account Deletion: Upon request, your account will be immediately deactivated and hidden from public view.
12-Month Security Hold: To prevent fraud and facilitate marketplace dispute resolution, personal data is retained for 12 months post-deactivation.
Anonymization: After 12 months, identifiers are permanently removed. Anonymized records may be kept for historical analysis and platform integrity.
9. Legal Action & Disclosure
We may be required to disclose personal data upon lawful request by public authorities or for legal purposes in Court if improper use of the App occurs.
10. Children's Privacy
The App is not intended for children under 13. We do not knowingly collect personal information from children under 13 (COPPA compliance). Users between 13 and 18 years of age must have parental or guardian consent and supervision to use the App.
11. Changes to this Policy
We reserve the right to modify this policy. Significant changes will be communicated via the App or email. Please refer to the "Effective Date" at the top of this document.