Privacy Policy
Divergent Market

The controller of personal data within the meaning of Regulation (EU) 2016/679 (GDPR) and similar laws in other jurisdictions is Divergent Digital Holdings Ltd., registered in Saint Vincent and the Grenadines. Data requests go to privacy@divergent.market.

This Policy applies to all Service interfaces of Divergent Market — the website, Telegram bot and API. Using the Service without agreeing to this Policy is not possible.

2.1 Registration data

• Username — chosen by you and publicly visible to others.
• Password hash — Argon2id derivative with a per-user salt. The original password is never returned to the server and cannot be recovered.
• Telegram ID (optional) — a numeric identifier provided by Telegram via the deep-link authorisation flow. No other Telegram profile attributes (name, photo, username) are stored long-term.
• Interface language (ru / en).
• Account role (buyer / seller / admin).

2.2 Session technical data

• IP address of the latest session — for anti-fraud checks and bruteforce protection.
• Browser User-Agent — for compatibility and anti-fraud.
• Session identifier (httpOnly cookie gm_session) — 30-day lifetime.
• Preferred language (cookie lang).

2.3 Transactional data

• Balance top-up and spend history (internal records).
• NOWPayments invoice IDs — for payment reconciliation.
• Crypto address generated by the payment processor for a specific invoice. We do not store addresses of your personal wallets.
• The fact of a specific listing purchase and the moment of credential delivery.

2.4 Support ticket data

• Ticket text and attachments voluntarily provided by you.
• Internal notes of the support agent.

We process personal data on the following GDPR art. 6 grounds:

• Performance of a contract (art. 6(1)(b)) — everything necessary for your account, purchase and credential delivery.
• Legitimate interests (art. 6(1)(f)) — fraud prevention, infrastructure protection, operation audit. Your interest is weighed against ours; you may object (Section 10).
• Legal obligation (art. 6(1)(c)) — mandatory requirements in the Operator's jurisdiction.
• Consent (art. 6(1)(a)) — for optional features such as Telegram linking or notifications.

• Providing the Service: registration, authentication, purchase, credential delivery, tickets.
• Security: bruteforce detection, multi-accounting, fraud attempts, DDoS protection.
• Payments: invoice reconciliation, payment-processor anti-fraud.
• Service improvement: aggregated catalog usage statistics (not linked to an individual).
• Legal defence: evidence in disputes, complaints and regulatory enquiries.

We use functional cookies plus anonymous web analytics (Yandex.Metrica and Google Analytics) to understand how many visitors arrive and from which sources. No advertising pixels or ad-network trackers.

• gm_session — session identifier. HttpOnly, Secure (in production), SameSite=Lax. 30 days.
• lang — stored interface language. 1 year.
• NEXT_LOCALE — next-intl internal cookie. Session-only.
• _ym_* — Yandex.Metrica: anonymous visit statistics (visit uniqueness, traffic source). Up to 1 year. We do not run session recording (Webvisor).
• _ga, _ga_* — Google Analytics: anonymous visit statistics (distinguishing visits, traffic source). Up to 2 years.

Disabling cookies makes the Service unusable — without a session identifier you cannot stay authenticated. You may delete cookies in your browser settings.

We share the minimum amount of data only with counterparties that make the Service work:

• NOWPayments OÜ (Estonia) — crypto invoice creation and reconciliation. We send: internal order ID, USD amount. We do not send: username, IP, purchase history.
• Telegram Messenger Inc. — bot messaging and deep-link authorisation. We send the minimum required for bot operation. Telegram's own privacy policy applies.
• Hosting provider — the infrastructure running the servers. Bound to confidentiality by contract.
• Anti-DDoS / CDN provider (where used) — basic request routing.
• Competent authorities — only on an official request under the law of the Operator's jurisdiction.

The Service infrastructure is located outside the European Economic Area. Transfers of personal data to third countries are made under the Standard Contractual Clauses (Commission Decision 2021/914) and/or adequacy decisions.

Transfers to the crypto processor comply with the processor's data-protection rules applicable in its jurisdiction (Estonia / EU).

• Registration data — until account deletion or 24 months after last login, whichever comes first.
• Sessions — 30 days or until explicit logout.
• Transactional data — 5 years from the date of transaction (anti-fraud/tax audit requirement).
• Support tickets — 12 months after ticket closure.
• Security audit logs — 24 months.
• Credentials of sold accounts — stored encrypted, accessible to the buyer in the dashboard. On buyer request or after 24 months — deleted.

After expiry, data is either irreversibly deleted or anonymised to prevent reconstruction.

• Argon2id with per-user salt and current parameters — for password storage.
• AES-256-GCM with a versioned key — for credential storage. The key is not stored in the DB.
• HTTPS/TLS enforced on all public endpoints. HSTS preload.
• HTTP security headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin, Permissions-Policy (camera/microphone/geolocation off).
• Rate-limiting on sensitive endpoints (login, registration, order creation) against bruteforce.
• Least-privilege principle: processes have only the rights they strictly need.
• Separate admin plane — not mixed with user traffic.
• Regular off-site encrypted backups.

Regarding your personal data, you have the following rights:

• Right of access (GDPR art. 15) — to a copy of the data we hold.
• Right to rectification (art. 16) — to correct inaccurate information.
• Right to erasure / to be forgotten (art. 17) — to delete your account and related data, except where retention is required by our legitimate interest or obligation.
• Right to restriction of processing (art. 18).
• Right to portability (art. 20) — to receive your data in a machine-readable format.
• Right to object (art. 21) to processing based on legitimate interest.
• Right to withdraw consent at any time, where processing was based on consent.
• Right to lodge a complaint with the data-protection supervisory authority in your country.

Send requests to privacy@divergent.market. We respond within 30 calendar days. To verify your identity, we may ask for account ownership confirmation (e.g. a message from the linked Telegram).

The Service is not intended for persons under 18 years of age, and we do not knowingly collect their data. If you are a parent or guardian and learn that a child has registered on the Platform, write to privacy@divergent.market — we will delete the account and related data without further questions.

We do not make decisions producing legal effects for you solely on the basis of automated processing. Anti-fraud heuristics (rate-limit, anomaly flags) are auxiliary; the final decision on blocking or refund is taken by a human operator on your appeal.

Upon detecting an incident creating a risk to the rights and freedoms of data subjects, we notify the supervisory authority within 72 hours and affected users without undue delay, via the Telegram bot or the login page. The notification will describe the incident, likely consequences and measures taken.

We may update this Policy from time to time. The current version is always at /privacy with a date. Material changes are highlighted as a banner on the next login and take effect 7 calendar days after publication.

For any question regarding personal data: privacy@divergent.market. For general legal matters: legal@divergent.market. Support is also available on Telegram: @divergentmarket_bot.