ENDNGO

PRIVACY POLICY

MARKOEU OÜ  |  Effective: 06 April 2026

1. Introduction

This Privacy Policy (“Policy”) describes how MARKOEU OÜ (trading as “endngo”, “we”, “us”, or “our”, “Company”) collects, uses, stores, and protects personal data of individuals who access or interact with https://endngo.com. The Company acts as a Data Controller under Article 4(7) of Regulation (EU) 2016/679 (“GDPR”) and processes personal data in conformity with GDPR and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

The Company has assessed its processing activities. No statutory obligation to appoint a Data Protection Officer (DPO) arises under Article 37 GDPR at the current scale and nature of processing. Data protection enquiries may be directed to: [email protected]. A current list of sub-processors engaged by the Company is available upon written request to [email protected].

The Company processes only personal data that is necessary and proportionate for the purposes described in this Policy.

2. Personal Data We Collect

2.1 Registration and Account Data

In practice, most Users provide only basic account information such as their email address and country of residence. Additional data is not required unless necessary for specific services or compliance purposes.

2.2 Social Login Data

If the User registers or authenticates via a third-party OAuth provider (e.g. Google), the Company receives only the email address and publicly available display name associated with that provider account. The Company does not receive or store third-party account passwords. Users who elect to use social login are subject to the privacy policies of the relevant third-party provider in addition to this Policy.

2.3 Transaction and Order Data

Order identifiers, product descriptions, purchase amounts, currency, payment method type (not full card details), transaction timestamps, delivery confirmation records, and records of any chargeback or refund requests.

2.4 Identity Verification Data

The Company does not routinely perform identity verification. Such verification is carried out only in limited cases where required by applicable law, payment providers, or where necessary to prevent fraud or misuse of the Website.

2.5 Technical and Device Data

IP address, approximate geolocation derived from IP, browser type and version, device type and operating system, session identifiers, cookies and similar technologies, pages accessed, navigation paths, and session duration. This data is collected automatically during normal use of the Website and is primarily used to ensure proper functionality, security, and performance.

2.6 Communications Data

Records of customer support requests, correspondence, complaint records, and any information provided voluntarily by the User in connection with a support interaction or rights request. In practice, Users typically provide only information necessary to resolve their request. The Company does not request or require sensitive personal data in support communications.

2.7 Fraud, Risk, and AML Data

Transaction risk scores, fraud indicator flags, velocity data, and outputs of automated sanctions and adverse media screening tools.

2.8 Third-Party Sourced Data

Payment status, transaction flags, and risk signals received from payment service providers; identity and sanctions screening outputs from KYC/AML providers if any; publicly available registry data for business entity verification.

2.9 Anonymised Analytics Data

The Company may generate anonymised or aggregated statistical data derived from usage information. Once properly anonymised in accordance with Article 4 GDPR, such data does not constitute personal data and is not subject to GDPR. Anonymised analytics data may be shared with third parties for platform development and performance purposes.

2.10 Special Categories and Children’s Data

The Company does not collect or process special categories of personal data as defined in Article 9 GDPR (including health data, biometric data, genetic data, racial or ethnic origin, political opinions, or religious beliefs). The Company does not knowingly collect personal data from individuals under the age of eighteen (18). If the Company becomes aware that personal data of a person under 16 has been inadvertently collected, it will delete such data within seventy-two (72) hours. Parents or legal guardians should contact [email protected] immediately.

3. Lawful Bases and Purposes for Processing

Performance of Contract (Art. 6(1)(b))
Data: Account, transaction, delivery data
Purpose: Account creation and management; order processing and fulfilment; Game Key delivery; post-sale support and communications

Legal Obligation (Art. 6(1)(c))
Data: KYC, AML, tax, financial records
Purpose: Where required by applicable law or justified by fraud risk, the Company may process identity verification data on a risk-based basis.

Legitimate Interests (Art. 6(1)(f))
Data: Technical, fraud, risk, and communications data
Purpose: Fraud detection and prevention; platform and network security; IT infrastructure operation; service quality improvement; defence of legal claims

Consent (Art. 6(1)(a))
Data: Cookie preferences; marketing communications; social login session
Purpose: Non-essential cookie placement; optional marketing email communications; social login (withdrawable at any time without penalty)

In most cases, the processing of personal data is necessary to provide the requested service, such as completing a purchase or delivering a Game Key. Where possible, the Company limits processing to what is strictly necessary for these purposes.

The Company ensures that such processing is subject to a balancing test and does not override the fundamental rights and freedoms of the data subject.

4. Automated Processing

The Company uses automated tools for transaction fraud scoring and sanctions screening. Where a transaction is declined or an account restricted wholly or substantially on the basis of automated processing, the User has the right to request human review of that decision by contacting [email protected]. The Company does not engage in automated profiling for marketing or advertising targeting purposes. 

Automated fraud checks are used as an initial screening tool. In practice, only a small number of transactions are subject to additional review, and significant decisions are not made solely on the basis of automated processing.

5. Sharing of Personal Data

5.1 Internal Access

Access to personal data within the Company is restricted on a strict need-to-know basis. All personnel with access are bound by confidentiality obligations.

5.2 Third-Party Processors (Article 28 GDPR)

Personal data is shared with third-party service providers acting as data processors under binding Data Processing Agreements that require compliance with GDPR and implementation of appropriate security measures. Processor categories include:

  • Payment service providers (for transaction processing, 3D Secure authentication, and fraud scoring);
  • Cloud hosting and IT infrastructure providers;
  • Identity verification and AML/sanctions screening service providers;
  • Transactional and marketing email delivery providers;
  • Customer support platform providers;
  • Web analytics and performance monitoring providers (operating on pseudonymised data where feasible);
  • Third-party OAuth authentication providers (activated only when the User initiates social login).

A current list of sub-processors is available upon written request to [email protected].

5.3 Disclosure to Public Authorities

Personal data may be disclosed to the Estonian Financial Intelligence Unit (Rahapesu Andmebüroo), Estonian Tax and Customs Board (EMTA), law enforcement authorities, courts, or other competent regulatory bodies, where the Company is required to do so by applicable law or pursuant to a binding lawful order. The Company will not notify the User of such disclosures where notification is prohibited by law.

5.4 International Transfers (GDPR Chapter V)

Where personal data is transferred to recipients located outside the European Economic Area (EEA), the Company ensures that appropriate safeguards are in place in accordance with GDPR Chapter V, including: (a) European Commission Standard Contractual Clauses (SCC) pursuant to Decision 2021/914/EU; (b) Transfer Impact Assessments where required; or (c) transfer to third countries covered by a European Commission adequacy decision. No personal data is transferred outside the EEA without appropriate safeguards.

6. Data Retention Schedule

Data Category  |  Retention Period  |  Legal Basis
Transaction and order records  |  7 years from the transaction date  |  Estonian Accounting Act (§ 12)
AML and KYC verification records if any  |  5 years from the end of the business relationship  |  MLTFPA § 47
Active account data  |  Duration of account + 3 years following permanent closure  |  Contract performance / Legitimate interest
Support and complaints records  |  3 years from closure of the matter  |  Legitimate interest / Legal claims
Technical and access logs  |  12 months (extendable for active security investigations)  |  Legitimate interest
Fraud and risk data  |  Up to 5 years where necessary  |  Legal obligation / Legitimate interest
KYC-declined or rejected records  |  2 years from the date of the decision  |  AML/CTF compliance obligation
Marketing consent records  |  5 years from the date of consent grant or withdrawal  |  Legal obligation (ePrivacy Directive)
Anonymised analytics data  |  Indefinite (not personal data post-anonymisation)  |  No GDPR restriction applicable

7. Rights of Data Subjects

All requests for the exercise of rights under this Section should be submitted in writing to [email protected]. The Company will acknowledge requests within five (5) business days and provide a substantive response within one (1) calendar month of receipt. In complex cases, this period may be extended by a further two (2) months, and the User will be notified of any extension within the initial one-month period.

7.1 Right of Access (Article 15 GDPR)

The right to obtain confirmation of whether personal data is being processed and, if so, to receive a copy together with supplementary information about the processing.

7.2 Right to Rectification (Article 16 GDPR)

The right to request the correction of inaccurate personal data and the completion of incomplete personal data without undue delay.

7.3 Right to Erasure (Article 17 GDPR)

The right to request deletion of personal data where it is no longer necessary for the purposes for which it was collected, consent has been withdrawn, or processing is otherwise unlawful. Erasure may be refused or deferred where retention is required by applicable law, including AML/CTF and accounting obligations.

7.4 Right to Restriction of Processing (Article 18 GDPR)

The right to request a temporary suspension of processing in defined circumstances, including where the accuracy of the data is contested or the lawfulness of processing is under examination.

7.5 Right to Data Portability (Article 20 GDPR)

The right to receive personal data provided by the User in a structured, commonly used, machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.

7.6 Right to Object (Article 21 GDPR)

The right to object at any time to processing based on the Company’s legitimate interests. The Company will cease such processing unless it can demonstrate compelling legitimate grounds that override the User’s rights and interests, or where processing is necessary for the establishment, exercise, or defence of legal claims.

7.7 Rights in Relation to Automated Decision-Making (Article 22 GDPR)

The right to request human review of any automated processing decision that produces legal or similarly significant effects on the User. Contact: [email protected].

7.8 Right to Withdraw Consent

Where processing is based on consent, the User may withdraw consent at any time by: (a) using the one-click unsubscribe link included in every marketing email; (b) adjusting cookie preferences via the Website’s Consent Management Platform; or (c) submitting a written request to [email protected]. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

7.9 Right to Lodge a Complaint

Users have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): Tatari 39, 10134 Tallinn, Estonia. Email: [email protected]. Website: https://www.aki.ee.

8. Security

The Company implements technical and organisational security measures appropriate to the risk of processing, including: HTTPS/TLS encryption for all data in transit; encryption of sensitive personal data at rest; role-based access controls; regular security assessments; and incident response procedures consistent with the obligation under Article 33 GDPR to notify the Data Protection Inspectorate of notifiable personal data breaches within seventy-two (72) hours of becoming aware of the breach, and to notify affected data subjects under Article 34 GDPR where required.

9. Cookies

Use of cookies and similar technologies is governed by the Company’s Cookie Policy at https://endngo.com/cookie-policy.

10. Policy Amendments

Material amendments to this Policy will be notified to registered Users by email at least fourteen (14) days before taking effect. The date of the most recent revision is displayed at the top of this Policy.

11. Contact Us

Data Controller:  MARKOEU OÜ

Registry Code:  17421421

Address:  Harju maakond, Tallinn, Pirita linnaosa, Lodjapuu tee 101, 12113, Estonia

Data Protection Contact:  [email protected]

Legal:  [email protected]

Effective Date:  06 April 2026