This Privacy & Cookies Policy (the "Policy") explains how entities belonging to the G2A capital group (collectively referred to as "G2A", "we", "us" or "our") process personal data in connection with the use of the online marketplace platform available at www.g2a.com (hereinafter referred to as the "Platform"), including the website, related services, functionalities and tools.

This Policy applies to all natural persons interacting with the Platform, including buyers, sellers, visitors, business partners and affiliates, irrespective of whether they have created a registered account.

1.2 Legal Framework

Personal data are processed in accordance with applicable laws, including in particular:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR);
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applicable to California residents, including amendments effective as of 1 January 2026;
The Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (PDPO);
relevant U.S. federal and state privacy regulations, to the extent applicable to G2A's operations.

Where different legal regimes apply depending on the user's place of residence, G2A ensures compliance with the applicable standards for such users.

1.3 Relationship with the G2A Terms and Conditions

This Policy should be read together with the G2A Terms and Conditions governing the use of the Platform.

Certain personal data processing activities described in this Policy are necessary for the conclusion, performance and enforcement of the G2A Terms and Conditions, including but not limited to:

creation and administration of user accounts;
execution of marketplace transactions between buyers and sellers;
fraud prevention, abuse detection and security monitoring;
enforcement actions, including account suspension or termination.

In the event of any inconsistency between this Policy and the G2A Terms and Conditions, the G2A Terms and Conditions shall prevail with respect to contractual matters, while this Policy governs the processing of personal data.

1.4 Updates to the Policy

G2A may update this Policy from time to time to reflect changes in law, regulatory guidance, business practices or technological developments.

Where required by applicable law, users will be informed of material changes to this Policy and, where necessary, their consent will be obtained.

The most recent version of this Policy will always be published on the Platform.

2. Who We Are — Data Controllers

2.1 Data Controller

The entity acting as the controller of your personal data depends on your location (domicile, registered office, or habitual residence).

For the general use of the platform, the Data Controller is one of the following entities:

(a) G2A LLC, with its registered office in Carson City, address: 701 South Carson Street, Suite 200, Carson City, Nevada 89701, USA; – if you have your domicile, registered office, or habitual residence in one of the following countries/territories: Albania, Australia, Argentina, Bangladesh, Belarus, Canada, Colombia, Chile, European Union, Ghana, Iceland, India, Japan, Mexico, Moldova, New Zealand, Norway, Serbia, Singapore, South Africa, South Korea, Switzerland, Taiwan, Turkey, Thailand, or United Kingdom;

(b) GATE READY Limited, with its registered office in Hong Kong, address: 31/F, Tower Two, Times Square, 1 Matheson Street, Causeway Bay, Hong Kong – if you have your domicile, registered office, or habitual residence in the United States of America;(c) G2A.COM Limited, with its registered office in Hong Kong, address: 31/F, Tower Two, Times Square, 1 Matheson Street, Causeway Bay, Hong Kong – if you have your domicile, registered office, or habitual residence in any country or territory other than those specified in points (a) – (b) above.

If you use certain dedicated services on the Platform, the Data Controller for the personal data processed specifically in connection with those services is determined as follows:

G2A Plus: The controller is G2A LLC (for users in Australia, Singapore, or the UK), GATE READY Limited (for users in the USA), or G2A.COM Limited (for users in all other countries).
Dedicated Features: For the Newsletter, G2A Balance, Goldmine and Selected Offer, the controller is G2A.COM Limited, regardless of your location.
Physical Delivery Service: The controller is G2A LLC, regardless of your location.

Hereinafter, the relevant entity applicable to your location and the service used is referred to as the "Data Controller".

2.2 Joint Controllers (European Union)

Regardless of the designation of G2A LLC as the primary Data Controller for the European Union under Section 2.1(a), for the purposes of complying with the General Data Protection Regulation (GDPR) and ensuring effective protection of rights for users located in the European Union:

G2A LLC (USA), G2A.COM Direct B.V. (the Netherlands), G2A PL sp. z o.o. (Poland) and G2A.COM Limited (Honk Kong), act as joint controllers regarding specific processing activities within the EU, including:

handling of data subject requests from EU users;
marketing activities directed and EU markets;
local compliance and reporting.

The joint controllers have entered into an internal arrangement determining their respective responsibilities. You may contact G2A PL sp. z o.o. directly regarding GDPR matters, serving as a contact point for EU supervisory authorities and data subjects.

2.3 Controllers and Processing in the United States

For users located in the United States, including California residents, personal data may be processed by GATE READY Limited, acting as an independent controller or processor, depending on the nature of the processing activity.

Such processing may include, in particular, marketing activities, analytics, platform security, payment-related operations and customer support services.

Where applicable, personal data of California residents are processed in accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

2.4 Processing in Hong Kong

Personal data processed in connection with the operations of G2A.COM Limited in Hong Kong are processed in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (PDPO).

G2A ensures that personal data are collected for lawful purposes, processed fairly, and retained no longer than necessary for the fulfillment of those purposes, in line with PDPO requirements.

2.5 Processors and Sub-Processors

In the course of providing the Platform and related services, G2A may engage third parties acting as processors or sub-processors, including providers of:

hosting and cloud infrastructure;
payment processing services;
customer support and communication tools;
analytics, security and fraud-prevention solutions including but not limited to risk assessment providers, anti-fraud tools, and identity verification services.

Such processors act on the basis of written agreements ensuring appropriate safeguards for personal data and compliance with applicable data protection laws, including data processing agreements containing standard contractual clauses (SCCs) where required by GDPR Article 46, or other lawful transfer mechanisms as described in Section 9.2 of this Policy.

2.6 Contact Point and Data Protection Officer

For matters relating to the processing of personal data, users may contact G2A via the contact details provided on the Platform.

Where required by applicable law, G2A has appointed a Data Protection Officer (DPO) or designated person responsible within the organization to oversee compliance with data protection obligations:

For EU/EEA users and G2A PL sp. z o.o.: a Data Protection Officer is appointed and available for contact at dpo@g2a.com or via the postal address of G2A PL sp.zo.o.,
For Hong Kong users and G2A.COM Limited: Data protection compliance is overseen by designated personnel contactable at dpo@g2a.com or via the postal address of G2A.COM Limited,
For U.S. users: Data protection compliance is overseen by designated personnel contactable at dpo@g2a.com or via the postal address of G2A LLC.

Detailed contact information is provided in Section 18 of this Policy.

3. What Personal Data We Collect

3.1 Personal Data Provided Directly by Users

G2A may collect personal data that users provide directly when using the Platform, including in particular:

first and last name;
e-mail address;
username and account credentials;
date of birth or age confirmation;
contact details, including telephone number and correspondence address;
correspondence submitted via customer support channels including live chat, email and support tickets.

For registered users, this may also include information provided during account creation, account verification or profile management, including preferences, display name, and newsletter subscription settings. Where such data constitutes personal data, it is processed on the basis of the performance of a contract (GDPR Art. 6(1)(b)), user consent (GDPR Art. 6(1)(a)), or G2A legitimate interests in providing customer support and managing user accounts (GDPR Art. 6(1)(f)).

3.2 Account, Transaction and Marketplace Data

In connection with the use of the G2A marketplace, G2A processes personal data related to transactions and account activity, including:

purchase and order history;
information relating to digital products, keys or content purchased or sold;
seller account information, listings and transaction records;
dispute, complaint and chargeback information including communications between buyers and sellers, escalation records, and resolution outcomes.

Such data are processed to enable marketplace functionality, execute transactions between buyers and sellers, resolve disputes and enforce the G2A Terms and Conditions. Where such data constitutes personal data, it is processed on the basis of the performance of a contract (GDPR Art. 6(1)(b)), compliance with legal obligations (GDPR Art. 6(1)(c)), or G2A legitimate interests in resolving disputes and enforcing the G2A Terms and Conditions (GDPR Art. 6(1)(f)).

3.3 Payment and Financial Data

Payment transactions conducted via the Platform are processed through certified third-party payment service providers in compliance with appliable payment regulations.

G2A does not store full payment card data. However, G2A may process limited payment-related data, including but not limited to:

transaction identifiers;
payment status and timestamps;
masked payment instrument data (e.g., last 4 digits of card, card type, expiration date);
billing information, where required including billing address and tax identification numbers where provided.

Such data are processed for transaction execution, accounting, fraud prevention, chargeback handling and compliance with legal obligations, including anti-money laundering (AML) and tax regulations. Where payment data is processed by third-party payment service providers, such providers act as independent controllers or processors under separate terms and privacy notices. Where such data constitutes personal data, it is processed on the basis of the performance of a contract (GDPR Art. 6(1)(b)), compliance with legal obligations including accounting and AML regulations (GDPR Art. 6(1)(c)), or G2A legitimate interests in fraud prevention (GDPR Art. 6(1)(f)).

3.4 Technical, Usage and Device Data

When users access or use the Platform, G2A automatically collects certain technical and usage data, including but not limited to:

IP address and geolocation data derived from IP address;
device identifiers including device type, operating system, unique device IDs, and mobile advertising identifiers;
browser type and operating system including browser version, language settings, and time zone;
log files including access timestamps, page views, click paths, and referrer URLs;
access times and referring URLs as well as exit pages and interactions with Platform features.

This data may be collected through cookies and similar technologies and is used for security, analytics, performance monitoring and service optimization purposes. This data is used for security monitoring, fraud prevention, analytics, performance optimization, service improvement, and delivery of consistent user experience across devices and sessions. Where such data constitutes personal data, it is processed on the basis of G2A legitimate interests (GDPR Art. 6(1)(f)) or, where required, on the basis of user consent (GDPR Art. 6(1)(a)).

3.5 Data Collected Through Cookies and Similar Technologies

G2A uses cookies and similar technologies to collect information about users' interactions with the Platform.

This may include data relating to preferences, session identifiers, browsing behavior and interactions with content or advertisements, including information about products viewed, searches performed, and engagement with promotional materials. Where such data constitutes personal data, it is processed on the basis of user consent (GDPR Art. 6(1)(a)) or G2A legitimate interests in ensuring strictly necessary functionality and security of the Platform (GDPR Art. 6(1)(f)).

Further details are provided in Section 6 (Cookies and Similar Technologies).

3.6 Fraud Prevention, Security and Compliance Data

In order to protect the integrity of the Platform and comply with legal obligations, G2A processes personal data for fraud prevention, abuse detection and security purposes, including:

indicators of potentially fraudulent behavior such as unusual transaction patterns, velocity checks, device fingerprinting, and behavioral anomalies;
risk scores or alerts generated by automated systems including machine learning models and rule-based detection engines;
information related to account restrictions, suspensions or terminations including reasons for enforcement actions, investigation logs, and correspondence with affected users.

Where such data constitutes personal data, it is processed on the basis of G2A legitimate interests in preventing fraud and ensuring Platform security (GDPR Art. 6(1)(f)) or where required, compliance with legal obligations (GDPR Art. 6(1)(c)).

Such processing may involve profiling and automated analysis, as further described in Section 8 of this Policy.

3.7 Data Obtained from Third Parties

G2A may receive personal data from third-party sources, including:

payment service providers providing transaction verification, fraud alerts, and chargeback notifications;
fraud prevention and security partners including identity verification services, credit reference agencies (where legally permitted), and anti-fraud databases;
marketing and analytics providers including advertising networks, social media platforms, and analytics tools;
public authorities or publicly available sources, where permitted by law including public business registers, sanctions lists, and law enforcement databases.

Such data are processed only to the extent necessary for the purposes described in this Policy and in accordance with applicable law.

Where such data constitutes personal data, it is processed on the basis of G2A legitimate interests in business operations and security (GDPR Art. 6(1)(f)), compliance with legal obligations (GDPR Art. 6(1)(c)), or, where required, user consent (GDPR Art. 6(1)(a)).

3.8 Know Your Customer (KYC) and Verification Data

In accordance with the G2A Terms and Conditions, particularly Section 5.2.5 (Know-Your-Customer), G2A may collect additional data from Sellers and, where required, from Buyers, to verify identity, prevent fraud, and comply with legal obligations, including:

identitication details,
business registration documents (e.g., company registration certificates, VAT numbers, business licenses),
proof of address documents (e.g., utility bills, bank statements),
tax identification numbers (e.g., TIN, VAT ID),
beneficial ownership information,
source of funds documentation where required by anti-money laundering (AML) regulations.

KYC and verification documents are retained for the duration of the account relationship and for a subsequent period required by applicable laws.

Failure to provide such data may result in account restrictions or inability to access certain Platform functionalities, particularly Seller Store operations and high-value transactions.

Where such data constitutes personal data, it is processed on the basis of compliance with legal obligations (GDPR Art. 6(1)(c)), the performance of a contract (GDPR Art. 6(1)(b)), or G2A legitimate interests in risk assessment and Platform protection (GDPR Art. 6(1)(f)).

3.9 Obligation to Provide Personal Data

Providing certain personal data is necessary for the conclusion and performance of contracts under the G2A Terms and Conditions.

Failure to provide such data may result in the inability to create an account, complete transactions, or access certain functionalities of the Platform.

4. Purposes and Legal Bases for Processing

4.1 General Purposes and Legal Basis Under GDPR (EU Users)

Purpose of Processing	Legal Basis (Article 6 GDPR)	Description / Examples
Creation and management of user accounts	Performance of a contract (Art. 6(1)(b))	Necessary to register, maintain, and authenticate user accounts on the Platform.
Execution and administration of transactions	Performance of a contract (Art. 6(1)(b))	Includes processing orders, payments, and delivery of goods or services.
Provision of customer support and communication with users	Performance of a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f))	Responding to user inquiries, resolving issues, and providing service updates.
Enforcement of the G2A Terms and Conditions	Legitimate interests (Art. 6(1)(f))	Ensuring compliance with Platform rules, investigating misuse or violations.
Prevention of fraud, abuse, illegal activity, and platform misuse	Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f))	Detection and prevention of fraudulent behavior, ensuring platform integrity and user safety.
Platform security, risk management, and monitoring	Legitimate interests (Art. 6(1)(f))	Maintaining IT and data security, conducting audits and risk assessments.
Service improvement, analytics, and performance evaluation	Legitimate interests (Art. 6(1)(f))	Analyzing usage data to enhance user experience and service functionality.
Marketing communications and personalized content delivery (including targeted advertising and promotions)	Consent (Art. 6(1)(a))	Sending newsletters, personalized offers, and showing relevant content, where consent is given.
Compliance with legal obligations (e.g., tax, AML/KYC, regulatory reporting, record-keeping)	Legal obligation (Art. 6(1)(c))	Meeting obligations under EU and national law, including cooperation with authorities.
Processing of special categories of personal data (e.g., accessibility features, age verification)	Explicit consent (Art. 9(2)(a)); Compliance with legal exemptions	Processed only where strictly necessary and with explicit consent or under legal exemptions.

4.3 Legal Bases Under CCPA/CPRA (California Residents)

For California residents, personal information is processed for purposes consistent with the CCPA and CPRA, including amendments and additional requirements effective as of 1 January 2026:

Business purposes: to provide services, maintain platform functionality, process transactions, prevent fraud and ensure security,
Consent-based processing: for marketing and behavioral advertising, with the ability to opt out,
Disclosure rights: users may request information about categories and purposes of personal information collected, shared, or sold,
Correction and deletion rights: users may request correction or deletion of personal information where applicable subject to exceptions for legal compliance, fraud prevention, and contractual obligations,
Limit Use and Disclosure of Sensitive Personal Information: Users may limit G2A's use of sensitive personal information (including social security numbers, precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, and health information) to purposes strictly necessary to provide the services requested or as otherwise permitted by law,
Right to Correct: Users may request that G2A correct inaccurate personal information based on information provided by the consumer,
Opt-Out Confirmation: G2A shall acknowledge receipt of opt-out requests within 15 days of submission and implement such requests within 45 days.

G2A ensures that California residents can exercise their rights under CCPA/CPRA, including the Do Not Sell/Share My Personal Information request. G2A does not sell personal information as defined under CCPA, but may share personal information with third-party advertising partners for targeted advertising purposes ("sharing" under CPRA), which California residents may opt out of.

4.4 Processing Under Hong Kong PDPO

For users located in Hong Kong, G2A processes personal data in accordance with the Personal Data (Privacy) Ordinance (PDPO), ensuring that:

data are collected for lawful purposes directly related to the services consistent with Data Protection Principles (DPPs) under PDPO,
processing is fair and necessary for the identified purposes,
retention periods are limited to what is required for operational, legal or regulatory purposes,
data subject access and correction rights are respected with responses provided within 40 days of request as required by PDPO.

4.5 Specific Marketplace and Fraud-Related Purposes

Processing of personal data for fraud prevention, risk scoring, abuse detection, and dispute resolution constitutes a legitimate interest under GDPR and a business purpose under CCPA/CPRA.

Such processing is necessary to:

protect users from fraudulent transactions and identity theft,
detect and prevent money laundering and terrorist financing,
enforce G2A Terms and Conditions and Marketplace integrity,
comply with Intermediate Body Scheme Rules (as defined in G2A Terms and Conditions, Section 2.14) including payment card network regulations, chargeback procedures, and acquirer requirements.

G2A has implemented risk assessment procedures for high-impact processing activities, including automated decision-making and profiling, as required under GDPR (Data Protection Impact Assessment) where applicable, and under CPRA for California residents.

Automated profiling and decision-making for these purposes are described in Section 8 of this Policy.

5. Marketplace-Specific Processing (Buyers and Sellers)

5.1 Buyer Accounts

When a user registers as a buyer on the G2A platform, G2A collects and processes personal data necessary to enable transactions and account management, including:

identification and contact details,
account credentials including password hash (passwords are stored using industry-standard encryption),
transaction history including items purchased, transaction amounts, dates, and associated sellers,
communication preferences including marketing opt-ins, newsletter subscriptions, and notification settings,
activity logs and browsing behavior for security and fraud prevention including wish lists, shopping cart contents, search queries, and product views.

Such data are processed to facilitate the execution of transactions, provide digital goods, monitor account activity for compliance with the G2A Terms and Conditions, and prevent fraudulent or unauthorized activity.

Buyers may also participate in optional programs such as G2A PLUS, G2A Discount program, Goldmine, and Reflink programs as described in the G2A Terms and Conditions. Participation in these programs may involve additional data processing for program administration, benefits delivery, and personalized offers.

5.2 Seller Accounts

Users registering as sellers provide additional information, including:

business registration and tax details including company name, registration number, VAT ID, business address, and tax residence,
product listings and digital content including item descriptions, pricing, inventory data, and promotional materials,
transaction and payout data including sales records, refund requests, payout methods, and financial account details,
account verification and KYC documentation as required under Section 5.2.5 of the G2A Terms and Conditions, including identity verification documents, proof of business legitimacy, and beneficial ownership information.

G2A processes this data to verify seller identity, manage payouts, enforce marketplace rules, detect policy violations, and ensure compliance with applicable laws.

This data may also be used to perform risk assessments, fraud detection, and enforcement actions such as account suspension or restriction in accordance with Section 5.2.4 and 5.2.6 of the G2A Terms and Conditions.

Sellers are also subject to the G2A Marketplace Rating System (Section 5.6 of G2A Terms and Conditions), which processes feedback and ratings from Buyers to maintain marketplace quality and transparency.

5.3 Transaction Processing

All transactions on the Platform, including the sale and purchase of digital products, are processed using secure mechanisms in accordance with applicable law.

Personal data processed during transactions include:

payment information and transaction identifiers including order IDs, payment gateway references, and transaction timestamps,
details of purchased digital content including item codes, activation keys, and delivery methods (instant or manual),
timestamps and transaction logs recording each stage of transaction processing from initiation to completion,
related communications between buyer and seller including pre-sale inquiries, post-sale support, and dispute resolution correspondence.

This processing is necessary to execute contracts, deliver digital products, resolve disputes, prevent fraud, and comply with legal obligations (e.g., tax, anti-money laundering, payment card network regulations).

Transactions involving export or import of items through G2A API (as described in Section 5.5 of G2A Terms and Conditions) may involve additional processing to synchronize inventory, validate payments, and enforce Automated Payment mechanisms.

5.4 Fraud Prevention, Security, and Enforcement

G2A collects and processes personal data for the purpose of protecting the integrity of the Platform and preventing fraud or other unlawful activities.

This may include:

monitoring user behavior patterns including transaction frequency, item categories, geographic patterns, and device consistency,
automated risk scoring and alerts generated through machine learning models, rule-based systems, and third-party fraud detection services,
verification of suspicious transactions including additional identity checks, transaction holds, and manual review procedures,
logging account activity and enforcement actions including warnings, restrictions, suspensions, and permanent bans, along with supporting evidence and investigation records.

Such processing is considered a legitimate interest under GDPR, a business purpose under CCPA/CPRA, and is necessary for compliance under PDPO and Intermediate Body Scheme Rules.

5.5 Customer Support and Dispute Resolution

Personal data collected from buyers and sellers may be processed for customer support and dispute resolution purposes, including:

responding to inquiries and complaints through multiple channels including email, live chat, support tickets, and phone support where available,
investigating unauthorized transactions including account takeovers, fraudulent purchases, and payment disputes,
resolving disputes in accordance with the G2A Terms and Conditions including disputes managed through the Dispute Management Tool (Section 5.6.3 of G2A Terms and Conditions), chargebacks, refund requests, and feedback disputes.

Processing in this context ensures contractual performance and legal compliance and may involve sharing data between G2A entities and external service providers engaged for customer support operations.

6. Artificial Intelligence Tools in Customer Support

6.1 Overview

We develop and operate artificial intelligence (AI)-based tools to support customer communication and service delivery. These tools include:

Stanley Bot – an AI-powered customer support chatbot available to authenticated (logged-in) users,
AI Buddy – an AI-powered chatbot available to all visitors, including unauthenticated users,
Manychat – an AI-assisted tool supporting our communication via social media profiles

6.2 Scope of Data Processed

The following categories of personal data may be processed through the above tools:

content of messages and queries submitted by the user,
user identification data to the extent voluntarily provided (account details, username, public social media profile),
technical session data (IP address, session identifier, timestamp),
interaction history within a given session or account.

Users must not submit to AI tools any special categories of data within the meaning of GDPR Art. 9 (including health data, religious beliefs, biometric data) or personal data of third parties. The Administrator bears no liability for consequences arising from a user's voluntary disclosure of such data.

6.3 Purpose and Legal Basis

Data is processed for the purpose of handling user enquiries, providing technical and commercial support, and maintaining service quality. The applicable legal bases are:

GDPR Art. 6(1)(b) — for authenticated users, where processing is necessary for the performance of a contract or pre-contractual steps,
GDPR Art. 6(1)(f) — legitimate interest of the Administrator in ensuring efficient customer service, including unauthenticated users.

6.4 Retention Periods

Data processed through AI tools is retained in accordance with the general retention schedule set out in Section 11 of this Policy. In particular:

conversation records constituting customer support interactions are retained for 6 years in accordance with contract enforcement and dispute resolution requirements,
technical session logs are retained for up to 12 months,
data of unauthenticated users is anonymized after 90 days from the end of the session and may thereafter be used solely in aggregated, non-identifiable form for analytical and service improvement purposes.

6.5 Liability and Limitations

Responses generated by AI tools are provided for informational purposes only and do not constitute legal, technical, or commercial advice. The Administrator bears no liability for decisions made by users on the basis of AI-generated content.

The Administrator reserves the right to modify, update, or replace the AI tools referred to in this Section. Where any such change materially affects the scope or manner of data processing, users will be informed via an updated Policy published at least 14 days prior to the change taking effect.

6.6 Exercise of Rights

Users may exercise their rights under GDPR (access, rectification, erasure, restriction, portability, objection) by contacting Data Protection Officer at: dpo@g2a.com.

7. Cookies and Similar Technologies

7.1 What Cookies Are

Cookies are small text files or similar technologies (including local storage, pixels, beacons, tags, or scripts) that are placed on your device when you access the Platform.

G2A uses cookies and similar technologies to enhance user experience, enable functionality, improve service performance, and deliver personalized content and advertising.

7.2 Categories of Cookies

G2A classifies cookies into the following categories:

Strictly Necessary Cookies — essential for the operation of the Platform and execution of transactions. These cannot be disabled without affecting service functionality and include cookies for authentication, session management, load balancing, security, and fraud prevention,
Functional Cookies — allow the Platform to remember user preferences, settings, and login sessions including language selection, currency preferences, and personalized interface settings,
Performance/Analytics Cookies — collect information about Platform usage to improve functionality, detect errors, and analyze trends including page views, bounce rates, navigation paths, and feature usage statistics. G2A uses both first-party and third-party analytics tools including Google Analytics, with appropriate data processing agreements in place,
Advertising/Targeting Cookies — enable delivery of personalized content or advertising based on browsing behavior, including cookies from third-party advertising partners such as Google Ads, Facebook Pixel, and other advertising networks. These cookies may track users across websites to deliver targeted advertising and measure campaign effectiveness,

All cookies other than strictly necessary require user consent where applicable under GDPR, ePrivacy Directive, CCPA/CPRA, or PDPO.

7.3 Consent Management and Withdrawal

G2A provides a Cookie Preference Center that allows users to accept, reject or modify their cookie preferences at any time.

Consent can be managed per category of cookies,
Users may withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal,
Consent settings are stored and remain valid until the user withdraws consent or updates preferences. G2A does not apply automatic expiration dates to consent, in accordance with EDPB guidelines. Users will be informed of material changes to cookie practices through appropriate notification mechanisms,
Users may access the Cookie Preference Center at any time via the 'Cookie Settings' link in the Help section of the website www.g2a.com or through their account settings.

7.4 Third-Party Cookies and Tracking

G2A allows third-party providers, including analytics, advertising, and social media services, to place cookies on the Platform.

These third parties may collect personal data in accordance with their own privacy policies. G2A is not responsible for the content or practices of third-party providers but ensures that such third-party processing is disclosed to users where required by law.

Third-party cookies used on the Platform may include:

Google Analytics (analytics and performance tracking);
Google Ads and DoubleClick (advertising and remarketing);
Facebook Pixel (advertising and conversion tracking);
Other advertising networks and social media plugins.

Users can learn more about third-party cookies and opt out through industry tools such as the Network Advertising Initiative (NAI) opt-out page, Digital Advertising Alliance (DAA) opt-out page, or European Interactive Digital Advertising Alliance (EDAA) Your Online Choices page.

7.5 Retention Periods

Cookies and similar technologies are retained for different periods depending on their purpose:

Session Cookies: These are temporary files that are erased when you close your browser. They are used primarily for strictly necessary functions like keeping you logged in during your visit,
Persistent Cookies: These remain on your device until they expire or are manually deleted by you. G2A sets retention periods reasonably necessary to fulfill the purpose of the cookie, typically ranging from 30 days up to 24 months (e.g., for analytics or remembering your language preferences between visits).

You can manage or delete cookies at any time via your browser settings.

8. Automated Decision-Making and Profiling

8.1 Automated Processing

G2A uses automated processing and profiling systems to support various Platform operations, including:

detection and prevention of fraud and abuse,
security monitoring and risk management,
personalized content, recommendations, and offers,
analysis of user behavior to improve Platform functionality and service quality including A/B testing, conversion optimization, and feature development.

Such processing may involve the use of algorithms, machine learning models, and rule-based systems.

8.2 Legal Basis

Under GDPR (EU users), automated decision-making is conducted on the following bases:

Legitimate interests: for fraud prevention, security, platform integrity, and service improvement,
Consent: where automated processing produces personalized marketing or advertising effects,
Contract performance: where automated processing is necessary to fulfill contractual obligations (e.g., account verification, transaction execution).

Under GDPR (art. 22), users have the right to obtain human intervention, express their point of view, and contest decisions based solely on automated processing that produce legal or similarly significant effects, including:

account suspension or termination,
transaction blocking or restriction,
refusal of high-value transactions,
credit or eligibility determinations affecting access to services.

G2A shall inform users of their rights under Article 22 GDPR, including contact information for exercising such rights (via dpo@g2a.com or the contact channels in Section 18).

For California residents, automated decision-making may constitute a business purpose under CCPA/CPRA. Users may exercise rights to know the categories of information used, opt out of targeted marketing, or request information about automated decisions. CPRA grants additional rights to limit use of sensitive personal information and to request human review of automated decisions within 45 days of submission.

Under Hong Kong PDPO, users retain rights to access and correct personal data processed automatically.

8.3 Profiling

Profiling may involve combining data from multiple sources (account data, transaction history, device identifiers, browsing behavior) to create risk or interest scores.

Such profiling is used to:

detect unusual or high-risk activity including account takeover attempts, payment fraud, stolen payment instruments, and policy violations,
prevent fraudulent transactions or policy violations by assigning risk scores to users, transactions, and activities,
deliver relevant offers or content where consent is obtained including personalized product recommendations, targeted promotions, and dynamic pricing where legally permitted,
optimize Platform performance and user experience through segmentation, cohort analysis, and behavioral targeting.

Profiling may result in different treatment of users based on risk assessment, purchase history, geographic location, or engagement patterns. Users have the right to:

Object to profiling under GDPR (Art. 21) for marketing purposes,
Request information about profiling logic under GDPR (Art. 13-15) by contacting G2A at the addresses provided in Section 18,
Opt-out of interest-based advertising by managing preferences in the cookie preference center or submitting requests for California residents.

8.4 Safeguards

G2A implements appropriate safeguards to mitigate risks associated with automated decision-making and profiling, including:

periodic review of algorithms and models including fairness audits, bias testing, and accuracy validation,
human oversight and intervention in cases affecting legal rights or significant user interests with trained personnel reviewing high-impact automated decisions,
transparency through this Policy regarding automated processes,
enabling users to exercise rights to access, correction, objection, and withdrawal of consent where applicable including dedicated channels for contesting automated decisions and requesting human review (contact via dpo@g2a.com or support channels in Section 18).

G2A ensures that automated systems do not discriminate on the basis of protected characteristics including race, ethnicity, religion, nationality, disability, or other protected categories under applicable law.

9. Data Sharing and Recipients

9.1 Internal Sharing

G2A may share personal data within the G2A group of companies for purposes consistent with this Policy, including:

provision of Platform services,
account management and support,
fraud prevention and risk management,
marketing and personalized content delivery,
compliance with legal and regulatory obligations.

Such sharing is conducted under contractual arrangements and internal policies to ensure confidentiality, integrity, and lawful processing in accordance with GDPR (processor agreements), CCPA service provider requirements, and PDPO data transfer principles.

9.2 External Service Providers

G2A may disclose personal data to external service providers acting as processors or sub-processors, including:

Payment processors and financial institutions to execute transactions and comply with legal obligations including banks, payment gateways, card networks (Visa, Mastercard, etc.), and alternative payment providers (PayPal, Skrill, cryptocurrency processors),
Cloud hosting, IT infrastructure, and software providers including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, and content delivery networks (CDNs),
Analytics and monitoring service providers for performance and security purposes including Google Analytics, fraud detection platforms, and system monitoring tools,
Marketing, advertising, and communications providers for consented promotional purposes and service improvement, including email service providers, SMS gateways, advertising networks, marketing automation platforms and market research agencies conducting user surveys and UX studies,
Customer support providers including live chat services, helpdesk platforms, and customer relationship management (CRM) systems,
Postal services, couriers, and logistics operators for the physical delivery of products, documents, or promotional items (e.g., prizes won in contests).

All processors are bound by contracts containing data protection clauses consistent with GDPR (Art. 28), CCPA/CPRA (service provider agreements), and PDPO, including confidentiality and security obligations.

9.3 Public Authorities and Legal Obligations

G2A may disclose personal data to public authorities or law enforcement agencies where required by law or to protect legal rights, including:

responding to lawful requests, subpoenas, or court orders including search warrants, production orders, and regulatory investigations,
fraud investigations and prevention including cooperation with financial crime units, anti-fraud consortia, and payment card networks,
compliance with anti-money laundering, tax, or other regulatory obligations including reporting suspicious transactions, tax audits, and regulatory filings.

Such disclosures are made only to the extent necessary and proportionate, in accordance with applicable legal procedures and data protection laws. Where legally permitted, G2A will notify affected users of such disclosures unless prohibited by law, court order, or directive from a competent authority. Notifications shall be provided as soon as reasonably practicable after the legal prohibition is lifted.

9.4 Third-Party Platforms and Partners

G2A may share personal data with third-party platforms or partners in connection with integrated services, including delivery, digital product provisioning, and authorized marketing partners.

This may include:

Game publishers and platform operators for product activation and license verification,
Affiliate and referral partners participating in the Reflink program (definition in Section 2.26 of G2A Terms and Conditions),
Business partners offering co-branded services or promotions,
Social media platforms where users connect their G2A account with social media profiles or participate in social sharing features.

G2A ensures that any third-party recipient processes personal data only for the purposes specified, under contractual terms consistent with applicable privacy laws.

9.5 Transaction Parties (Buyers and Sellers)

As G2A operates a marketplace Platform, personal data must be shared between the respective parties to a transaction to facilitate the contract between them. This includes sharing the Seller’s business and contact details with the Buyer, as well as sharing the Buyer’s essential transaction data (and, where applicable for physical delivery or dispute resolution, contact and shipping details) with the Seller.

Such sharing is strictly limited to the data necessary for the execution of the transaction, and post-sale support. Both Buyers and Sellers act as independent controllers of the data they receive from one another and are bound by their respective privacy obligations.

9.6 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal data may be transferred to the acquiring or successor entity. Users will be notified of any such transfer and any changes to this Policy resulting from the transfer. The acquiring entity will be bound by the commitments in this Policy or will seek user consent for any material changes.

9.7 Data Minimization and Purpose Limitation

Data shared with internal or external recipients are limited to the minimum necessary for the specified purpose.

Recipients are prohibited from using personal data for purposes other than those explicitly permitted in this Policy or by applicable law.

10. International Transfers of Personal Data

10.1 General Policy

G2A may transfer personal data collected from users across international borders, including from the European Economic Area (EEA) to the United States, Hong Kong, or other jurisdictions.

Such transfers are conducted only when necessary for the provision of the Platform, execution of transactions, enforcement of the Terms and Conditions, fraud prevention, or compliance with legal obligations.

10.2 Transfers from the EU/EEA

For users located in the EU/EEA:

Transfers to non-EEA countries are based on lawful mechanisms under GDPR (Chapter V), including Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914),
Additional safeguards are implemented where required, including encryption, access control, pseudonymization, and restricted data processing agreements,
Transfers may also be justified under derogations set forth in Article 49 GDPR (e.g.performance of contract, consent, legal claims), but only when no other lawful transfer mechanism is applicable.

G2A conducts Transfer Impact Assessments (TIAs) as required by EDPB guidance and European Commission decisions to ensure adequate safeguards.

10.3 Transfers to the United States

G2A acknowledges that transfers of personal data to the United States, including to cloud infrastructure providers and payment processors located in the USA, are subject to potential access by U.S. federal authorities under applicable U.S. legislation, including the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) and related provisions.

Where personal data are transferred to U.S. service providers, G2A has implemented supplementary measures to ensure appropriate safeguards, including:

Contractual provisions requiring processors to challenge government access requests and notify G2A where legally permitted,
Encryption of personal data both in transit and at rest,
Technical measures limiting U.S. government access, where legally and technically feasible,
Careful selection of service providers with demonstrated commitment to data protection and privacy safeguards.

Users located in the EU/EEA may request details regarding supplementary safeguards applied to their personal data transferred to the USA by contacting G2A at dpo@g2a.com.

10.4 Transfers to Hong Kong

Transfers of personal data to Hong Kong are conducted in accordance with GDPR adequacy requirements and PDPO standards. G2A.COM Limited, as the Hong Kong controller, is subject to PDPO requirements ensuring appropriate data protection.

10.5 Standard Contractual Clauses (SCCs)

Where required by GDPR, G2A relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914) for international transfers.

10.6 Other Transfer Mechanisms

In addition to SCCs, G2A may rely on other lawful transfer mechanisms recognized under GDPR Article 46, including:

Adequacy decisions issued by the European Commission,
Binding corporate rules (BCRs) approved by competent data protection authorities,
Approved codes of conduct and certifications.

11. Data Retention

11.1 General Principle

G2A retains personal data only for as long as necessary to fulfill the purposes for which they were collected and processed, unless a longer retention period is required or authorized by applicable law.

11.2 Specific Retention Periods

The following table sets forth specific retention periods for different categories of personal data:

Category of Personal Data	Retention Period	Legal Basis
Account and authentication data	Duration of account + 6 years	GDPR Art. 6(1)(c), Polish Accounting Act
Transaction records and order history	6 years	Tax regulations (VAT, CIT)
Payment and billing information	6 years	Accounting and tax law requirements
KYC and identity verification documents	5-6 years (see Section 3.8), depending on jurisdiction	AML/CFT regulations, EU Directive 2015/849
Customer support and dispute records	6 years	Contract enforcement and potential disputes
Fraud prevention and risk assessment data	5 years	Legitimate interest in protecting the platform
Cookies and tracking data	As specified in Section 6.5	User consent or legitimate interest
Marketing and communications preferences	Until consent withdrawn	GDPR Art. 6(1)(a)
Log files and access records	6-12 months	Security and performance monitoring
Backup and archived data	As specified in data retention policy (maximum 1 year from deletion)	Disaster recovery requirements

11.3 Deletion and Pseudonymization

Upon expiration of the applicable retention period, personal data shall be securely deleted or pseudonymized in accordance with applicable law.

G2A may retain anonymized or aggregated data indefinitely for analytics, service improvement, and statistical purposes where data cannot be linked to an individual.

11.4 Right to Erasure (Right to be Forgotten)

Users may request erasure of their personal data where:

the data are no longer necessary for the purposes collected,
the user withdraws consent on which processing was based,
the user objects to processing and there is no overriding legitimate interest,
personal data have been unlawfully processed,
erasure is required by law.

G2A shall respond to erasure requests within one month (with a possible extension of two further months where necessary) as required by GDPR Art. 12(3). Erasure may be restricted where retention is required by law, including for fraud prevention, legal claims, or regulatory compliance. Users will be informed of any restrictions.

12. Data Security

12.1 Security Measures

G2A implements appropriate technical and organizational security measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

encryption of personal data in transit (TLS/SSL) and at rest (AES-256 or equivalent),
secure authentication mechanisms including password hashing (bcrypt, PBKDF2, or equivalent) and multi-factor authentication (MFA),
access controls and role-based permission systems limiting data access to authorized personnel,
regular security testing including penetration testing, vulnerability assessments, and security audits,
incident response and breach notification procedures,
employee data protection training and confidentiality agreements,
regular backup and disaster recovery procedures.

12.2 Processor Security Requirements

G2A requires all processors and sub-processors to implement equivalent security measures, verified through:

contractual data processing agreements (DPAs) containing comprehensive security obligations,
periodic security audits and certifications (ISO 27001, SOC 2, or equivalent),
incident notification requirements within 24 hours of discovery of a personal data breach affecting G2A or its users.

12.3 Incident Reporting

In the event of a personal data breach, G2A shall:

Notify affected data subjects without undue delay(where breach poses high risk to their rights and freedoms), providing timely information to allow them to take necessary precautions,
Notify competent supervisory authorities without undue delay and no later than 72 hours as required by GDPR Art. 33,
Provide breach notifications in clear, understandable language including the nature of the breach, data affected, likely consequences, and mitigation measures,
Maintain records of all breaches for supervisory authority inspection.

13. Rights of Data Subjects

13.1 Rights Under GDPR (EU/EEA Users)

Users located in the EU/EEA have the following rights under GDPR:

Right of Access (Art. 15): Users may request access to their personal data and information about how G2A processes it.
Right to Rectification (Art. 16): Users may request correction of inaccurate personal data.
Right to Erasure (Art. 17): Users may request deletion of personal data under specific circumstances (see Section 11.4).
Right to Restrict Processing (Art. 18): Users may request that G2A limit processing of their data pending verification of accuracy or legal challenge.
Right to Data Portability (Art. 20): Users may request a copy of their personal data in a structured, commonly-used, machine-readable format and request transfer to another controller.
Right to Object (Art. 21): Users may object to processing based on legitimate interests or for marketing purposes.
Rights Related to Automated Decision-Making (Art. 22): Users have the right to human intervention, explanation, and contestation of decisions based solely on automated processing with legal or significant effects.
Right to Lodge a Complaint: Users may lodge a complaint with the competent supervisory authority in their Member State of habitual residence, place of work, or place of the alleged infringement (e.g., the Polish Office for Personal Data Protection (Urząd Ochrony Danych Osobowych — UODO) for users in Poland).

To exercise any of these rights, users may contact G2A at the details provided in Section 18.

13.2 Rights Under CCPA/CPRA (California Residents)

California residents have the following rights:

Right to Know: Right to request what personal information is collected, used, shared, or sold,
Right to Delete: Right to request deletion of personal information collected, with exceptions for legal compliance,
Right to Correct: Right to request correction of inaccurate personal information,
Right to Opt-Out of Sale/Sharing: Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising. G2A shall acknowledge and implement opt-out requests within 15 business days,
Right to Limit Use and Disclosure of Sensitive Personal Information : Right to limit G2A's use of sensitive categories of personal information (e.g., SSN, geolocation, race, religion, health data) to purposes strictly necessary to provide services or as otherwise permitted by law,
Right to Non-Discrimination: G2A will not discriminate against users for exercising their CCPA/CPRA rights by denying goods/services, charging different prices, or providing different service quality (except where differences relate to the value of data provided),
Right to Human Review of Automated Decisions: Users may request that G2A provide human review of a decision based on automated processing that has legal or similarly significant effects. G2A shall provide such human review within 45 days of request.

To exercise rights, California residents may contact G2A at the details in Section 18.

13.3 Rights Under Hong Kong PDPO

Hong Kong users have rights including:

Right of Access: Right to access personal data and obtain information about how data are used,
Right to Correction: Right to request correction of inaccurate personal data,
Right to Request Cessation: Right to request cessation of use of personal data for direct marketing,
Responses shall be provided within 40 days as required by PDPO.

To exercise rights, users may contact G2A at the details provided in Section 18.

14. Children and Minors

14.1 Age Restrictions

The G2A Platform is generally intended for users capable of forming legally binding contracts under applicable law (typically 18 years and older). G2A does not knowingly collect or process personal data from children under 13 years of age.

If G2A becomes aware that personal data of a child (under 13 in the US, or under 16 in the EEA, unless a lower age is provided by Member State law) has been collected without verifiable parental consent, G2A will take appropriate steps to delete such data.

Where minors (e.g., aged 13-17) are permitted to use the Platform under parental supervision, G2A shall::

Not rely on consent from minors without parental/guardian consent where required,
Implement age verification mechanisms where legally required,
Provide clear information regarding data processing in a manner comprehensible to minors,
Limit collection to data necessary for the service,
Not use profiling or automated decision-making affecting minors' access to services without safeguards.

14.2 Parental Control and Requests

Parents or legal guardians may request access, deletion, or correction of personal data of minors by contacting G2A at the details provided in Section 18 with proof of guardianship.

15. Marketing Communications

15.1 E-mail Marketing and Newsletters

G2A may send marketing communications (emails, newsletters, promotions) where:

the user has consented to receive such communications,
applicable law permits sending without prior consent (e.g., existing customer exception under ePrivacy Directive),
the communication includes an option to unsubscribe.

15.2 Right to Opt-Out

Users may unsubscribe from marketing communications by:

Clicking the unsubscribe link included in every marketing email,
Updating preferences in their account settings under "Communication Preferences";
Submitting an opt-out request via support contact in Section 18,

G2A shall process opt-out requests without undue delay and no later than 10 business days.

15.3 Behavioral Advertising and Targeting

G2A may use personal data for behavioral advertising and targeted marketing through third-party advertising networks, subject to user consent or applicable legal permission.

Users may opt-out of behavioral advertising by:

Using the Cookie Preference Center to reject advertising cookies,
Submitting a "Do Not Sell or Share My Personal Information" request (California residents),
Using industry opt-out tools (NAI, DAA, EDAA) as described in Section 7.4.

16. Third-Party Websites and Services

G2A is not responsible for the privacy practices of external websites or services linked from the Platform.

Users should review the privacy policies of third-party sites before providing personal data.

17. Changes to this Privacy & Cookies Policy

17.1 Updates and Notifications

G2A may update this Policy to reflect changes in law, regulatory guidance, or business practices.

Where material changes are made, G2A shall:

Notify users by email or prominent notice on the Platform,
Seek renewed consent where required by law,
Provide at least 30 days notice before material changes take effect (or such shorter period as required by law).

17.2 Continued Use

Continued use of the Platform following notification of changes constitutes acceptance of the updated Policy.

18. Contact Details

18.1 Contact Information for Data Protection Inquiries

For all data protection inquiries, rights requests, and complaints, users may contact:

G2A PL sp. z o.o. (Polish users):

E-mail: dpo@g2a.com (Data Protection Officer)
Postal Address: ul. Emilii Plater 53, 00-113 Warsaw, Poland
Response deadline: 1 month under GDPR

G2A LLC (users in Albania, Australia, Argentina, Bangladesh, Belarus, Canada, Colombia, Chile, European Union, Ghana, Iceland, India, Japan, Mexico, Moldova, New Zealand, Norway, Serbia, Singapore, South Africa, South Korea, Switzerland, Taiwan, Turkey, Thailand, or United Kingdom):

E-mail: dpo@g2a.com (Data Protection Officer)
Postal Address: 701 South Carson Street, Suite 200, Carson City, Nevada 89701, USA
Response deadline: 1 month under GDPR and UK GDPR; otherwise within the period required by applicable local law

GATE READY Limited (users in United States of America):

E-mail: dpo@g2a.com (Data Protection Officer)
Postal Address: 31/F, Tower Two, Times Square, 1 Matheson Street, Causeway Bay, Hong Kong
Response deadline: 45 days under CCPA/CPRA

G2A.COM Limited (all other users not specified above):

E-mail: dpo@g2a.com (Data Protection Officer)
Postal Address: 31/F, Tower Two, Times Square, 1 Matheson Street, Causeway Bay, Hong Kong
Response deadline: 1 month under GDPR; within 40 days under PDPO

18.2 Supervisory Authorities

Users may lodge complaints with competent supervisory authorities:

Poland (UODO): Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl
European Union (EDPB): Contact the data protection authority in your member state
California: California Privacy Protection Agency (CPPA), www.cppa.ca.gov
Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD), www.pcpd.org.hk

Appendix no 1

LIST OF G2A.COM LIMITED BUSINESS PARTNERS AND/OR AFFILIATES

Global R&D sp. z o.o., with its registered office in Warsaw, Poland, address: ul. Emilii Plater 53, 00-113 Warsaw, Poland, registration number: KRS 0000692862;
G2A PL sp. z o.o., with its registered office in Warsaw, Poland, address: ul. Emilii Plater 53, 00-113 Warsaw, Poland, registration number: KRS 0000677012;
Tech sp. z o.o. with its registered office in Warsaw, Poland, address: ul. Emilii Plater 53, 00-113 Warsaw, Poland, registration number: KRS 0000691154;
G2A RE sp. z o.o. with its registered office in Rzeszow, Poland, address: ul. Adama Matuszczaka 14/2, 35-083 Rzeszów, Poland, registration number: KRS 0000659335;
G2A LLC with its registered office in United States of America, address: Carson City, Nevada, 701 South Carson Street, Suite 200, Nevada 89701, USA, registration no. E0627762014-7;
G2A.COM B.V. with its registered office in Amsterdam, the Netherlands, address: James Wattstraat 77/A3, 1097 DL Amsterdam, the Netherlands, registration no. KVK 65006674;
BDSF TECHNOLOGY B.V. with its registered office in Amsterdam, the Netherlands, address: James Wattstraat 77/A3, 1097 DL Amsterdam, the Netherlands, registration no. KVK 74293591;
G2A.COM Direct B.V. with its registered office in Amsterdam, the Netherlands, address: James Wattstraat 77/A3, 1097 DL Amsterdam, the Netherlands, registration no. KVK 89975561;
GATE READY LIMITED with its registered office in Hong Kong, address: 31/F, Tower Two, Times Square, 1 Matheson Street, Causeway Bay, registration no. 76175940.

Shopping? I’ve got you covered

Chat with Buddy