Table of Contents
Who We Are & Scope of This Policy
Citadel Shield LLC is a Delaware limited liability company that operates the CitadelWay platform ("Platform") — a SaaS solution for e-commerce operators. Our registered agent is Legalinc Corporate Services Inc., located at 131 Continental Dr, Suite 305, Newark, DE 19713, USA.
We do not maintain a physical office. For GDPR Article 27 purposes, we have appointed an external representative in the EU (see Section 14).
This Privacy Policy applies to all individuals who interact with CitadelWay, including:
- Operators — individuals or businesses who register and manage client projects on the Platform.
- Buyers — end customers who purchase goods or services from Operators through Platform-hosted storefronts.
- Partners — Operators who have achieved Level 8 ELO status.
- Website Visitors — anyone who accesses citadelway.com without registering.
This policy is published in compliance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679), the California Consumer Privacy Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws.
Information We Collect
| Category | Specific Data Points | Who Provides It |
|---|---|---|
| Account Registration | Full legal name, email address, username, password (hashed), phone number, country of residence | Operators |
| Business Information | Company name, business address, tax identification number (VAT/EIN), business registration documents, business type | Operators |
| KYC / Identity Verification | Government-issued photo ID (passport, national ID), proof of address (utility bill, bank statement), selfie/liveness check | Operators (mandatory for payouts) |
| Payment Information | Bank account details for payouts. Card details are processed directly by Stripe or Cryptomus — CitadelWay does not store full card numbers or CVVs. | Operators |
| Buyer Order Data | Buyer name, email, shipping address, phone number, order details, payment confirmation token | Buyers (via Operator storefronts) |
| Support Communications | Messages, attachments, dispute evidence submitted to our support team | All users |
| Profile Information | Profile photo, biography, LinkedIn profile URL (optional, for certification display) | Operators |
- Device & Technical Data: IP address, browser type and version, operating system, device type and identifiers, screen resolution, language settings.
- Usage Data: Pages visited, features used, click events, time spent on each page, navigation paths, session duration, error logs.
- Transaction & ELO Data: Order values, payment timestamps, dispute outcomes, response times, fulfilment records — used to calculate and update your ELO score.
- Log Data: Server access logs including API calls, timestamps, response codes, and request metadata.
- Cookies & Similar Technologies: See Section 9 for full details.
- Payment Processors (Stripe, Cryptomus): Transaction confirmation, payment status, chargeback notifications.
- KYC / AML Verification Services: Identity verification outcomes, watchlist screening results.
- LinkedIn: When you choose to display your CitadelWay certification, we receive confirmation of your LinkedIn profile identity.
- Fraud Prevention Services: Risk signals and device fingerprinting data to prevent fraudulent account creation.
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions requiring a legal basis for data processing, we rely on the following grounds:
| Legal Basis | GDPR Article | Processing Activities Covered |
|---|---|---|
| Contract Performance | Art. 6(1)(b) | Creating and managing your account, processing payments, delivering platform services, calculating ELO scores, enabling project cloning and analytics |
| Legal Obligation | Art. 6(1)(c) | AML/KYC compliance, tax reporting, responding to lawful requests from authorities, retaining financial records |
| Legitimate Interests | Art. 6(1)(f) | Fraud prevention and detection, platform security monitoring, improving our services, enforcing our Terms, direct marketing to existing customers |
| Consent | Art. 6(1)(a) | Non-essential cookies, marketing emails to non-customers, LinkedIn certification display, participation in case studies or testimonials |
| Vital Interests | Art. 6(1)(d) | Preventing imminent fraud or harm in exceptional circumstances |
How We Use Your Information
- Creating and authenticating your account; enforcing single-account rules.
- Providing, maintaining, and improving all platform features including multi-client management, project cloning, analytics, and the API.
- Processing payments, calculating commissions, and managing payouts.
- Calculating and updating your ELO score based on defined platform events.
- Sending transactional communications (receipts, order updates, account alerts, security notifications).
- Conducting KYC/AML screening as required by applicable law and our internal compliance program.
- Detecting, investigating, and preventing fraud, abuse, or violations of our Acceptable Use Policy.
- Enforcing our Terms & Conditions, Community Rules, and other policies.
- Cooperating with law enforcement and regulatory authorities when legally required.
- Responding to your support requests and dispute submissions.
- Sending product updates, feature announcements, and platform news (you may opt out at any time).
- Sending marketing communications where you have consented or where permitted under soft opt-in rules for existing customers.
- Analysing aggregated, anonymised usage patterns to improve the platform.
- Conducting internal research into platform performance, feature adoption, and user experience.
- Testing new features with consenting users.
Data Sharing & Disclosure
We share your data only in the following defined circumstances. We do not sell personal data.
When a Buyer places an order on an Operator-managed storefront, their order and personal data are shared with the relevant Operator to fulfil the transaction. The Operator becomes the primary Data Controller for that data.
| Provider | Purpose | Location | Data Transferred |
|---|---|---|---|
| Amazon Web Services | Cloud hosting and infrastructure | EU (Ireland, eu-west-1) | All platform data |
| Stripe Inc. | Payment processing | USA (EU SCCs applied) | Payment card data, transaction details |
| Cryptomus | Cryptocurrency payment processing | International | Wallet addresses, transaction hashes |
| Twilio SendGrid | Transactional and marketing email | USA (EU SCCs applied) | Email address, message content |
| KYC Verification Partner | Identity verification and AML screening | EU | ID documents, facial images |
We may disclose your data when required by: court order or judicial process; subpoena from a regulatory authority; applicable law or legal obligation; or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of CitadelWay, our users, or the public.
In connection with a merger, acquisition, sale of all or substantially all assets, or other corporate restructuring, your data may be transferred to the acquiring entity. We will provide notice and, where required by law, seek your consent.
We may share aggregated, anonymised statistics (e.g., "X% of operators are at Level 5") that cannot reasonably be used to identify any individual.
International Data Transfers
Citadel Shield LLC is a Delaware (USA) entity with its primary operations and personnel in Spain (EU). Our primary infrastructure is hosted in the EU (AWS Ireland). Where data is transferred to or processed in countries outside the EEA, we apply the following safeguards:
- EU Standard Contractual Clauses (SCCs): We execute SCCs (Commission Decision 2021/914) with all third-country sub-processors, including Stripe and SendGrid.
- Adequacy Decisions: Where the European Commission has issued an adequacy decision for the destination country, we rely on that decision.
- UK IDTA: For transfers from the UK, we use the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs as applicable.
As CitadelWay's primary business operations and DPO are based in Spain (EU), our data processing activities are primarily governed by GDPR. The Delaware incorporation is for legal entity purposes; EU privacy standards apply to all data subjects in the EEA.
Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law. Our standard retention periods are:
| Data Category | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of account + 6 years after closure | Contractual claims limitation period |
| Transaction records & invoices | 10 years from transaction date | Tax and accounting legal requirements (EU/US) |
| KYC / AML documents | 5 years after account closure | Anti-money laundering regulations (AMLD5/6) |
| ELO history and audit logs | Duration of account + 3 years | Dispute resolution and audit purposes |
| Server access and security logs | 24 months | Security incident investigation |
| Marketing communications | Until unsubscribe + 3 years | Proof of consent / legitimate interest |
| Support ticket history | 5 years from ticket closure | Quality assurance and legal defence |
| Buyer order data (on Operator stores) | As directed by Operator, up to 7 years | Consumer protection and contract law |
When data is no longer required, it is securely deleted or anonymised using industry-standard methods. Backups containing personal data are purged on the same schedule.
Security Measures
We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration.
- Encryption at Rest: All databases and file storage encrypted using AES-256.
- Encryption in Transit: All data transmitted over TLS 1.3; HTTP Strict Transport Security (HSTS) enforced.
- Authentication: Mandatory two-factor authentication (2FA) for all Operator accounts. 2FA required for all destructive actions (deletions, payout requests).
- Access Controls: Role-based access control (RBAC) with least-privilege principles. Staff access to production data is logged and audited.
- Infrastructure: Hosted on ISO 27001-certified AWS infrastructure (eu-west-1 region).
- Payment Security: PCI DSS Level 1 compliance maintained through Stripe. We do not store full card numbers, CVV codes, or card magnetic stripe data.
- Penetration Testing: Annual third-party penetration testing of platform infrastructure and application code.
- Vulnerability Management: Continuous monitoring for known vulnerabilities; security patches applied within defined SLAs.
- Staff data protection training on hire and annually thereafter.
- Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
- Incident response plan and breach notification procedures (72-hour GDPR notification window).
- Vendor security assessments for all sub-processors.
Cookies & Tracking Technologies
We use cookies and similar technologies (web beacons, pixel tags, local storage) on citadelway.com and Platform-hosted storefronts. Here is a breakdown of what we use and why:
| Cookie Type | Purpose | Consent Required? | Retention |
|---|---|---|---|
| Strictly Necessary | Session management, authentication tokens, CSRF protection, 2FA state, load balancing | No — Essential | Session / up to 30 days |
| Functional | Language preferences, dashboard layout preferences, notification dismissals | Optional | Up to 1 year |
| Analytics | Anonymised page view counts, feature usage statistics, performance monitoring | Yes — Consent | Up to 2 years |
| Security | Fraud detection, bot prevention, device fingerprinting for suspicious login detection | No — Essential | Up to 90 days |
You can manage cookie preferences through the cookie banner displayed on your first visit, or through your browser settings. Note that disabling strictly necessary cookies will impair Platform functionality.
CitadelWay does not use third-party advertising cookies or participate in cross-site tracking for advertising purposes.
Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any right, email [email protected] with your account email and the right you wish to exercise. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
| Right | What It Means | Applies Under |
|---|---|---|
| Access (Art. 15 GDPR) | Obtain a copy of your personal data and information about how we use it | GDPR, CCPA, LGPD |
| Rectification (Art. 16 GDPR) | Correct inaccurate or incomplete personal data | GDPR, CCPA, LGPD |
| Erasure (Art. 17 GDPR) | Request deletion of your data where we have no legitimate reason to retain it | GDPR, CCPA ("Right to Delete"), LGPD |
| Restriction (Art. 18 GDPR) | Request that we restrict processing while you contest accuracy or our legal basis | GDPR, LGPD |
| Portability (Art. 20 GDPR) | Receive your data in a structured, machine-readable format (CSV/JSON) | GDPR, LGPD |
| Objection (Art. 21 GDPR) | Object to processing based on legitimate interests or for direct marketing | GDPR, LGPD |
| Withdraw Consent | Withdraw consent at any time without affecting prior processing | GDPR, CCPA, LGPD |
| Non-Discrimination (CCPA) | We will not discriminate against you for exercising your CCPA rights | CCPA/CPRA |
| Opt-Out of "Sale" | We do not sell personal data. This right is therefore already satisfied. | CCPA/CPRA |
Exceptions: Some rights are subject to exceptions, e.g., we cannot erase data we are legally required to retain (such as KYC records or financial transactions).
Children's Privacy
CitadelWay is not directed at, and does not knowingly collect personal data from, children under the age of 18. Our platform is a professional B2B SaaS service intended solely for adults conducting lawful business activities.
If you believe a person under 18 has provided us with personal data, please contact us immediately at [email protected]. We will promptly delete such data upon verification.
Third-Party Links & Integrations
The Platform may contain links to third-party websites, or you may integrate third-party services (e.g., LinkedIn for certification display). CitadelWay is not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing your data.
Operator-managed storefronts are controlled by the Operator. CitadelWay provides the technical infrastructure but does not control the content, terms, or privacy practices of individual stores beyond enforcing our platform policies.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this policy.
- Send an email notification to all registered Operators at least 14 days before the changes take effect.
- Display a prominent notice in the Platform dashboard.
- For material changes affecting your rights, we will seek fresh consent where required by law.
Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated policy.
Contact & Privacy Inquiries
For any privacy-related questions, to exercise your rights, or to contact us regarding data protection matters, please use the details below. We aim to respond within 72 hours and resolve requests within 30 days.
We are committed to resolving privacy concerns promptly. If you are in the EU and wish to speak directly with our GDPR representative, please email us and we will provide the contact details.