Privacy Policy
Effective date: 1st March 2026
1. Introduction
Serpverse ("we," "us," or "our") operates the Serpverse marketplace platform (the "Service"), accessible at https://serpverse.io. This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you access or use our website, applications, and services.
We are committed to protecting your privacy and handling your personal data in a transparent and responsible manner. This Privacy Policy applies to all Users of the Service, including Buyers, Publishers, and visitors. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent as a legal basis for processing, you may withdraw that consent at any time as described in Section 9.
Data Controller: Serpverse is the data controller responsible for processing your personal data as described in this Privacy Policy.
2. Information We Collect
We collect information that you provide directly, information collected automatically through your use of the Service, and information received from third-party sources. The specific categories of information we collect are detailed below.
2.1 Information You Provide Directly
Account Information
- Name, email address, and profile picture provided through your OAuth sign-in with Google or Microsoft
- Display name that you choose during onboarding
- Optional biographical information (up to 500 characters)
- Your selected role on the Platform (Buyer or Publisher)
Publisher Website Information
- Website URL, domain name, and site name
- Website description and niche categories
- Content guidelines, accepted content types, and editorial policies
- Pricing, estimated turnaround time, and sample post URLs
- Content acceptance preferences (gambling, adult, cryptocurrency topics)
- Supported languages, minimum word count, and maximum links allowed
Order and Transaction Information
- Content requirements: content type (article or guest post), word count, anchor text, target URLs, and special instructions
- Guest post content submissions: article titles and body text
- Order reviews: ratings (1 to 5) and optional written comments (up to 200 characters)
Communications
- Messages exchanged with other Users through the Platform's in-app messaging system
- File attachments shared in conversations (images, documents, content files)
- Support requests and contact form submissions (name, email, subject, message)
2.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain technical and usage information, including:
- IP address, browser type and version, and operating system
- Referral URLs, pages visited, and time spent on pages
- Search queries and marketplace filtering parameters
- Device information: screen resolution, language preferences, and time zone
- Timestamps and frequency of access to the Service
- Interaction data: clicks, navigation patterns, and feature usage
2.3 Information from Third Parties
- OAuth Authentication Providers (Google, Microsoft): When you sign in using Google or Microsoft, these providers share your name, email address, profile picture, and email verification status with us. We do not receive your passwords from these providers.
- Stripe (Payment Processor): Stripe shares limited transaction information with us, including the last four digits of your payment card, transaction amounts, payment and payout statuses, and related metadata necessary for Order tracking and account balance management.
2.4 Information We Do Not Collect
We do not directly collect, store, or process the following sensitive information:
- Credit card numbers, CVVs, or full bank account details (handled exclusively by Stripe, which is PCI DSS Level 1 compliant)
- Social Security numbers, government-issued identification numbers, or tax identification numbers (collected by Stripe Connect for publisher payouts where required)
- Biometric data, health information, or genetic data
- Racial or ethnic origin, political opinions, religious beliefs, or trade union membership
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or another jurisdiction that requires a legal basis for processing personal data, we process your information based on the following legal grounds:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Account creation and management, Order processing and fulfillment, escrow and payment processing, in-platform messaging, content workflow management, Publisher payouts |
| Legitimate Interests | Fraud detection and prevention, security monitoring, rate limiting, audit logging, platform improvement and analytics (using aggregated data), enforcing our Terms of Service |
| Legal Obligation | Financial record-keeping and tax compliance (7-year retention of transaction records), responding to lawful requests from law enforcement and regulatory authorities |
| Consent | Non-essential analytics cookies (where applicable), marketing communications (if introduced in the future). You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. |
Where we rely on legitimate interests, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may contact us to request details of this assessment.
4. How We Use Your Information
Service Delivery and Operations
- Create and manage your account, authenticate your identity, and maintain your session
- Facilitate marketplace transactions between Buyers and Publishers, including Order processing, escrow management, and payout disbursement
- Display Publisher listings with relevant website details and metrics to enable marketplace browsing and order placement
- Track Order status, manage content workflows, revision requests, and review deadlines
- Enable in-platform messaging and file sharing between transaction parties
Communication
- Send transactional email notifications related to your Orders, payments, and account activity (including but not limited to: new Orders, acceptance/rejection notifications, content submissions, publication confirmations, payment receipts, earnings releases, review reminders, and auto-completion notices)
- Respond to your support requests, contact form submissions, and inquiries
- Send service-related announcements, including updates to our Terms of Service and this Privacy Policy
Security and Fraud Prevention
- Detect, investigate, and prevent fraudulent transactions, abuse, and unauthorized access to the Service
- Enforce our Terms of Service and protect the rights, property, and safety of our Users and the Platform
- Monitor usage patterns for suspicious activity, including IP-based rate limiting, session validation, and anomaly detection
- Maintain audit logs of account activity for security, compliance, and dispute resolution purposes
Platform Improvement and Analytics
We use aggregated and anonymized usage data to understand how the Service is used, identify areas for improvement, optimize performance, and develop new features. This analytical processing does not identify individual Users and is conducted on the basis of our legitimate interest in improving the Service.
Legal Compliance
We may process your information as necessary to comply with applicable legal obligations, including financial reporting, tax compliance, and responding to valid legal process such as subpoenas, court orders, or regulatory investigations.
5. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share your information only in the following circumstances:
Between Platform Users
Limited information is shared between Buyers and Publishers as part of a transaction. Publishers see the Buyer's display name and Order requirements. Buyers see the Publisher's display name, website details, and content submissions. Both parties can exchange messages and files within the Order conversation.
Service Providers and Data Processors
We share information with trusted third-party service providers who process data on our behalf. These providers are contractually obligated to use your information only as necessary to perform the specific services we engage them for and are bound by data processing agreements that require them to protect your data.
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing, escrow management, Publisher payouts via Stripe Connect | Transaction amounts, payout details, account identifiers |
| Google | OAuth authentication | Authentication confirmation requests; receives back: name, email, profile picture |
| Microsoft | OAuth authentication | Authentication confirmation requests; receives back: name, email, profile picture |
| Resend | Transactional email delivery | Recipient email address, rendered email content (HTML and plain text) |
Legal and Compliance Disclosures
We may disclose your information if required or permitted by law, regulation, legal process, or governmental request, including in response to subpoenas, court orders, or regulatory investigations. We may also disclose information when we believe in good faith that disclosure is necessary to: (a) protect our rights, property, or safety; (b) protect the safety of our Users or the public; (c) detect, prevent, or address fraud, security issues, or technical problems; or (d) comply with applicable law.
Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service prior to your personal information becoming subject to a different privacy policy.
6. Data Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All connections to the Service use TLS/SSL encryption with HTTP Strict Transport Security (HSTS) headers
- Encryption at rest: Sensitive data is stored using encrypted storage mechanisms
- Access controls: Role-based access controls (RBAC) limit internal access to personal data on a need-to-know basis
- Session security: JWT-based sessions with httpOnly, Secure, and SameSite=Lax cookie attributes; 30-day maximum session lifetime with periodic status revalidation
- Security headers: Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers are enforced
- Rate limiting: Tiered rate limiting on all API endpoints to prevent abuse, with stricter limits on authentication and financial endpoints
- Webhook verification: Cryptographic signature verification on all incoming Stripe webhooks
- Security monitoring: Regular security assessments, automated vulnerability scanning, and monitoring for suspicious activity
While we strive to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining safeguards that meet or exceed industry standards and promptly addressing any security incidents.
Data Breach Notification: In the event of a confirmed data breach that is likely to result in a risk to your rights and freedoms, we will notify affected Users and relevant supervisory authorities within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33 and applicable data protection laws. Notifications will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.
7. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Service, maintain your session, remember your preferences, and improve your experience. A cookie is a small data file stored on your device by your web browser.
Cookies We Use
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| authjs.session-token | Essential | Stores your encrypted session (JWT) for authentication | 30 days |
| authjs.csrf-token | Essential | Provides CSRF protection for form submissions | Session |
| authjs.callback-url | Essential | Stores the redirect URL during OAuth sign-in flow | Session |
| theme | Preference | Stores your light/dark mode selection | 1 year |
| cookie-consent | Essential | Records your cookie preference choices | 1 year |
| _ga | Analytics | Google Analytics — distinguishes unique users | 2 years |
| _ga_* | Analytics | Google Analytics — maintains session state | 2 years |
| _clck | Analytics | Microsoft Clarity — unique user identifier | 1 year |
| _clsk | Analytics | Microsoft Clarity — current session data | 1 day |
Third-Party Analytics
We use the following third-party analytics services to understand how visitors interact with our platform. These services are only activated after you provide consent via our cookie banner.
Google Analytics (GA4) — operated by Google LLC. Collects anonymised usage data including pages visited, session duration, device type, and geographic region. We enable IP anonymisation so your full IP address is never stored. You can learn more in Google's Privacy Policy.
Microsoft Clarity — operated by Microsoft Corporation. Records anonymised session replays and generates heatmaps to help us improve usability. Clarity does not collect personally identifiable information. You can learn more in Microsoft's Privacy Statement.
We do not use third-party advertising cookies and we do not participate in any advertising networks or serve targeted advertisements based on your browsing behaviour.
Managing Cookies
You can change your cookie preferences at any time using the cookie consent banner that appears at the bottom of the page. To see the banner again, clear the cookie-consent entry from your browser's local storage or use a private/incognito window.
Most web browsers also allow you to control cookies through their settings. You can configure your browser to refuse all cookies, accept only certain cookies, or notify you when a cookie is being set. However, disabling essential cookies may prevent you from using certain features of the Service, including authentication and session management.
Do Not Track
Serpverse does not currently respond to "Do Not Track" (DNT) browser signals, as there is no universally accepted standard for how to interpret and respond to DNT signals. We will update this policy if a standard is established and we adopt a responsive approach.
8. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods are as follows:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Data | Lifetime of active account; deleted or anonymized within 30 days of deletion request | Contract performance |
| Transaction Records | Minimum 7 years after the transaction date | Financial record-keeping, tax compliance, and audit requirements |
| Audit Logs | 7 years (immutable records) | Financial audit trail and compliance |
| Usage and Log Data | Up to 12 months, then aggregated or deleted | Security monitoring and analytics |
| Support Correspondence | Up to 3 years after last interaction | Context for future inquiries and disputes |
| Messages and Conversations | Lifetime of associated Order, plus 3 years after Order completion | Dispute resolution and compliance |
| Anonymized Data | Retained indefinitely | Statistical and analytical purposes (cannot identify individuals) |
When personal data is no longer needed for any legitimate purpose, we securely delete or irreversibly anonymize it. Where a deletion request conflicts with a legal retention obligation (e.g., financial transaction records), we will retain only the minimum data necessary to meet that obligation and restrict all other processing.
9. Your Privacy Rights
9.1 Rights for All Users
Regardless of your location, we provide the following rights with respect to your personal data:
- Right of Access: You may request a copy of the personal data we hold about you. We will provide this information in a commonly used, machine-readable format.
- Right to Correction: You may request that we correct any inaccurate or incomplete personal data. You can update much of your account information directly through your profile settings.
- Right to Deletion: You may request the deletion of your personal data, subject to exceptions for data we are legally required to retain (such as completed transaction records for tax and audit purposes).
- Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format, or that we transmit it directly to another controller where technically feasible.
- Right to Withdraw Consent: Where we rely on consent as the legal basis for processing, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
9.2 Additional Rights for EEA and UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the General Data Protection Regulation (GDPR) and the UK GDPR:
- Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have contested or while we assess a legitimate interest claim.
- Right to Object: You may object to the processing of your personal data for purposes based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not adequately addressed your concerns.
9.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
- Right to Delete: You may request deletion of your personal information, subject to legal exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell your personal information, nor do we share it for cross-context behavioral advertising purposes.
Categories of Personal Information Collected (CCPA): In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, account ID, IP address
- Commercial Information: Transaction records, Order history, account balance
- Internet Activity: Browsing history on the Service, search queries, interaction data
- Geolocation Data: Approximate location derived from IP address
- Professional Information: Website ownership details, niche categories (Publishers)
We have not sold personal information in the preceding twelve (12) months and do not have plans to sell personal information.
How to Exercise Your Rights
To exercise any of the rights described above, please contact us. We will respond to your request within the timeframes required by applicable law (generally within thirty (30) days). We may need to verify your identity before processing your request. You may also designate an authorized agent to submit requests on your behalf, subject to verification.
10. Children's Privacy
The Service is not directed at and is not intended for use by children under the age of thirteen (13), or the applicable age of digital consent in your jurisdiction (sixteen (16) in most EEA member states and the UK). We do not knowingly collect personal information from children under these age thresholds.
If we become aware that we have collected personal data from a child under the applicable age without verified parental or guardian consent, we will take prompt steps to delete that information from our systems. If you are a parent or guardian and believe your child has provided personal information to us, please contact us so that we can take appropriate action.
11. International Data Transfers
Your personal information may be transferred to, stored in, and processed in the United Kingdom and other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your jurisdiction.
When we transfer personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we implement appropriate safeguards to ensure your data receives equivalent protection, including:
- Relying on adequacy decisions issued by the European Commission or the UK Secretary of State where applicable
- Implementing Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers to countries without an adequacy decision
- Ensuring that third-party service providers processing your data are bound by appropriate data processing agreements with equivalent protections
You may contact us to request information about the specific transfer mechanisms in place for your data.
12. Automated Decision-Making
The Service uses certain automated processes that may affect your use of the Platform. These include:
- Rate Limiting: Automated systems that limit the frequency of API requests based on your User ID or IP address to prevent abuse and ensure fair access to the Service.
- Account Status Enforcement: Your account status (active, suspended, or banned) is checked automatically during each session to enforce access restrictions in real time.
- Order Auto-Completion: If a Buyer does not approve or request a revision within the 72-hour Review Period, the Order Item is automatically marked as approved and payment is released to the Publisher.
- Earnings Hold and Release: Publisher earnings are automatically held for 14 days after Order completion and automatically transferred to the available balance upon expiration of the Hold Period.
These automated processes are essential to the operation of the Service. If you believe an automated decision has significantly and adversely affected you, you may contact us to request a review by a human. We do not use automated profiling to make decisions that produce legal effects or similarly significant effects on you.
13. Third-Party Links and Services
The Service may contain links to third-party websites, including Publisher websites listed in the marketplace, payment processor interfaces, and OAuth provider sign-in pages. These third-party websites are independent entities with their own privacy policies and practices. Serpverse is not responsible for the privacy practices, content, or security of any third-party website or service.
Publisher websites listed on the marketplace are operated independently by their respective owners. Content published on Publisher websites is subject to the Publisher's own terms and privacy practices, not this Privacy Policy. We encourage you to review the privacy policies of any third-party websites you visit through the Service.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Effective date" at the top of this page.
For material changes that significantly affect how we collect, use, or share your personal data, we will provide at least thirty (30) days' advance notice through one or more of the following channels: email to your registered account address, a prominent notice within the Service, or an in-application notification. What constitutes a material change will be determined at our sole discretion.
Your continued use of the Service after the effective date of any revised Privacy Policy constitutes your acknowledgment of the updated terms. If you do not agree with the updated Privacy Policy, you should discontinue use of the Service and contact us to request deletion of your data.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below:
We will make every effort to respond to your inquiry within a reasonable timeframe, generally within thirty (30) days. If you are located in the European Economic Area or the United Kingdom and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.