
Privacy Policy

Last updated: October 2025

This Privacy Policy describes how Wealth Beacon OÜ ("Makso," "we," "us," or "our") collects, uses, and protects your personal data when you use the Makso platform and services. This Policy complies with the EU General Data Protection Regulation (GDPR) and Estonian data protection laws.

Data Controller: Wealth Beacon OÜ (registry code 16889317), Teaduse 17–10, Saku 75501 Harjumaa, Estonia

Our Role as Merchant of Record: Makso operates as a merchant of record (MoR) for transactions processed through our Platform. As MoR, we are the legal seller of record for all transactions, which means we have independent legal obligations for payment processing, tax compliance, and financial record-keeping. This affects how we process personal data, as explained in this Policy.

By using Makso, you agree to the data practices described in this Policy. If you do not agree, do not use the Platform.

1. Scope and Key Information

Who This Applies To:

  • Sellers: Individuals or businesses using Makso to sell digital products or services
  • Customers: Individuals purchasing from Sellers via Makso
  • Website Visitors: Anyone visiting our websites

Data Controller/Processor Roles:

As a merchant of record platform, Makso processes personal data in different legal capacities depending on the type of data and purpose:

  • For Seller Account Data: Makso is the data controller (we determine how and why we process Seller information)
  • For Payment, Transaction, and Tax Data: Makso is the data controller due to our merchant of record obligations. We have independent legal duties to payment networks, tax authorities, and financial regulators that require us to determine how this data is processed
  • For Customer Purchase Data: Makso and the Seller are independent controllers, each processing customer data for different purposes:
    • Makso's purposes as independent controller: Payment processing, tax calculation/remittance, invoicing, financial record-keeping, chargebacks/refunds (merchant of record obligations)
    • Seller's purposes as independent controller: Product/service delivery, customer support, product-related communications, fulfillment
    • Responsibilities: Each controller is independently responsible for GDPR compliance for their respective processing purposes. Customers may exercise their GDPR rights with either controller depending on the type of data (see Section 8 for guidance)
  • For Seller Content and Product Data: Makso acts as a data processor on behalf of Sellers (the controllers) when processing product descriptions, content, and Seller-uploaded materials. See our Data Processing Agreement in Appendix 1 of the Terms of Service

Important: Sellers are responsible for their own GDPR compliance regarding their customers and the personal data they collect. Makso is NOT liable for Sellers' data processing practices or GDPR violations. Each party acts as an independent controller for their respective processing purposes and must comply with GDPR independently.

Important Limitations:

  • No Special Categories: We do not collect sensitive data (race, religion, health, biometrics, etc.). Do not provide such data
  • Age Requirement: Services are for users 18+. We do not knowingly collect data from minors and will delete such data if discovered
  • Third-Party Services: This Policy does not cover third-party services (Stripe, Veriff, etc.). See their privacy policies

Definitions: "Personal Data" means any information identifying you directly or indirectly. Terms not defined here have the meanings in our Terms of Service.

2. Personal Data We Collect

We collect the following categories of personal data:

Identity & Contact Data:

  • Name, email address, phone number, business name
  • Billing and shipping addresses
  • Account credentials (username, hashed password)

Identity Verification Data (Sellers only):

  • Date of birth, government ID numbers (passport, national ID)
  • ID document scans, selfies (for KYC/AML compliance)
  • Tax identification numbers
  • Collected via third-party services (Veriff, Stripe Identity)

Financial & Transaction Data:

  • Sellers: Bank account details (IBAN), payout records, subscription/billing history, platform fees paid
  • Customers: Purchase details, transaction amounts, taxes, payment method (last 4 digits, brand), payment status

Full card numbers are never stored by Makso. Payment card data is handled by our PCI-DSS compliant payment processors.

Communications Data:

  • Support emails, chat messages, phone calls (may be recorded)
  • Survey responses and feedback (voluntary)

Usage Data & Online Identifiers:

  • IP address, device type, operating system, browser type/version
  • Pages viewed, features used, clickstream data, session timing
  • Cookies and tracking technologies (see Section 9)
  • Analytics data collected via Google Analytics and similar tools

Collection Methods: Data is collected when you (a) register/use the Platform; (b) make or receive payments; (c) contact support; (d) visit our websites (automatically via cookies/logs); or (e) through third-party verification services.

Requirement to Provide Data: Providing identification and contact data is necessary to create an account and use the Platform (contractual requirement). For Sellers, providing KYC/identity verification data is required by law (Estonian Money Laundering and Terrorist Financing Prevention Act). Failure to provide required data means we cannot provide the Services. Providing other data (e.g., marketing consent, feedback) is voluntary.

3. How We Use Your Data and Legal Bases

We process personal data for various purposes depending on our relationship with you (Seller, Customer, or website visitor). Under the GDPR, we rely on the following legal bases for processing:

  • Performance of Contract (GDPR Art. 6(1)(b)): Processing necessary to fulfill our contract with you or to take steps at your request before entering into a contract
  • Legal Obligation (GDPR Art. 6(1)(c)): Processing required to comply with legal obligations under Estonian, EU, or other applicable laws
  • Legitimate Interests (GDPR Art. 6(1)(f)): Processing necessary for our legitimate business interests, balanced against your rights and freedoms
  • Consent (GDPR Art. 6(1)(a)): Processing based on your freely given, specific, and informed consent

The specific purposes for which we process your personal data, the legal basis for each purpose, and the categories of data involved are set out in detail in Appendix 1 at the end of this Privacy Policy.

Communications: We send transactional emails (receipts, security alerts, service updates) as necessary for service provision. Marketing emails are sent only with consent and include unsubscribe options.

Data Minimization: We only use data for purposes disclosed in this Policy. If we need to use data for a new purpose incompatible with the original, we will notify you and obtain consent where required.

4. Data Sharing and Recipients

We do NOT sell or rent your personal data. We share data only as necessary to provide services and comply with legal obligations.

Understanding the Three-Party Relationship:

When a transaction occurs on our Platform, there are three parties involved:

  • Makso (Merchant of Record): Processes payment and acts as legal seller; controls payment/transaction/tax data
  • Seller: Provides the product/service; controls product delivery and customer support data
  • Customer: Purchases from Seller via Makso; their data is processed by both Makso and Seller for different purposes

Data flows between these parties as described below.

Service Providers (Data Processors):

  • Payment Processing: Payment processors such as Stripe (receive payment data, names, emails, billing addresses). Payment processors have independent controller obligations under payment regulations. See their respective privacy policies
  • Identity Verification: Identity verification providers such as Veriff, iDenfy (receive ID documents, selfies for KYC/AML checks)
  • Infrastructure: Cloud hosting providers (e.g., AWS) for data storage and processing
  • Communications: Email service providers (e.g., SendGrid, AWS SES), customer support tools, chat providers
  • Analytics: Analytics tools such as Google Analytics (receive usage data, IP addresses, cookies)
  • Accounting: Financial record-keeping and invoicing software

All processors are contractually bound to use data only for specified purposes and maintain appropriate security measures.

Data Sharing with Sellers (Three-Party Transaction):

When a Customer purchases from a Seller through Makso:

  • Makso shares with Seller: Customer order data (name, email, purchase details, delivery information) necessary for the Seller to fulfill the order and provide customer support
  • Customer sees: Seller information (business name, support contact) on receipts and order confirmations. Customer also sees that Makso is the merchant of record on their credit card statement
  • Independent Controller Roles:
    • Makso is the independent data controller for payment, transaction, tax, and financial record data
    • Seller is the independent data controller for product delivery, customer support, and product-related communications
    • For customer order data (name, email, purchase details), both Makso and Seller act as independent controllers for their respective purposes as described in Section 1
  • Important: Sellers are responsible for their own GDPR compliance regarding their customers. Makso is NOT liable for Sellers' data processing practices or GDPR violations. Customers should review Sellers' privacy policies separately

Legal Disclosures:

  • Law enforcement or government requests (court orders, subpoenas)
  • Enforce Terms of Service or investigate violations
  • Fraud prevention and security (sharing with fraud prevention networks, banks, card networks)
  • Protect rights, property, or safety of Makso, users, or public

Corporate Transactions: In case of merger, acquisition, or asset sale, your data may be transferred to the new entity, subject to this Policy or with notice of changes.

Aggregated/Anonymized Data: We may share non-identifiable aggregated statistics publicly or with partners.

Processor List: Available upon request at privacy@makso.io

5. International Data Transfers

Makso is based in Estonia (EEA), but we use global service providers. Your data may be transferred to and processed in countries outside the EEA, including the United States.

Safeguards for EEA Users:

  • Transfers to EU-adequate countries (per European Commission adequacy decisions)
  • Standard Contractual Clauses (SCCs) with non-EEA processors as required by GDPR
  • Transfer Impact Assessments (TIAs) conducted for transfers to countries without adequacy decisions (including the United States) to assess risks and implement supplementary measures where necessary
  • Additional technical measures: encryption in transit (TLS) and at rest, pseudonymization where appropriate
  • Contractual requirements for processors to comply with GDPR and uphold user rights

For information on specific transfer mechanisms, copies of SCCs, or our Transfer Impact Assessments, contact privacy@makso.io

6. Data Security

We implement industry-standard technical and organizational measures to protect personal data:

  • Encryption: Data encrypted in transit (TLS/HTTPS) and at rest (sensitive fields hashed/encrypted)
  • Payment Security: Payment processors handle payment data (PCI-DSS compliant). We do NOT store full card numbers
  • Access Controls: Role-based access, authentication/authorization, audit logging. Sensitive data access requires multiple approvals
  • Monitoring: Firewalls, intrusion detection, anomaly detection, regular security audits and penetration testing
  • Staff Training: Data protection training and secure handling policies
  • Secure Development: Code reviews, secure coding practices, prompt security updates
  • Encrypted Backups: Regular backups with disaster recovery procedures

Your Responsibility: Use strong passwords and keep credentials confidential. Report unauthorized access or security issues immediately.

Breach Notification: In case of a data breach posing risk to your rights, we will notify the relevant supervisory authority within 72 hours where feasible (GDPR Article 33). If the breach poses high risk to your rights and freedoms, we will also notify you without undue delay (GDPR Article 34).

Disclaimer: No internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but will use reasonable measures to protect your data.

7. Data Retention

We retain personal data only as long as necessary for the purposes collected or to comply with legal obligations:

  • Account Data: Active accounts: retained while account is active. Deleted accounts: 60-90 days after deletion (except data required for legal compliance)
  • Transaction & Financial Records: 7 years from end of fiscal year (Estonian Accounting Act and tax law requirement). This applies even if you delete your account
  • Identity Verification Data (KYC): Duration of merchant relationship + 5 years after account closure (Estonian AML regulation requirement)
  • Communications: Support emails/chats retained 2-3 years. Call recordings: 6 months (necessary for quality assurance, dispute resolution, training, and fraud prevention purposes)
  • Usage Data & Logs: Web logs with IP addresses: few months. Cookies: expire per settings (essential cookies: session duration; analytics/functional cookies: up to 2 years necessary for continuous improvement and user experience optimization). Analytics: aggregate form indefinitely
  • Legal Holds: Data related to disputes/investigations retained until matter is resolved

Deletion: After retention periods, data is securely deleted or anonymized. Backups are cycled out and overwritten.

Anonymized Data: Aggregated/anonymized data (no longer personal data) may be retained indefinitely for business analytics.

8. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights regarding your personal data:

For Customers - Important Note on Exercising Rights:

Because Makso and Sellers act as independent controllers for different types of data, where you submit your rights request depends on the type of data:

  • For payment, transaction, billing, or tax-related data: Contact Makso at privacy@makso.io (we are the independent controller)
  • For product delivery, customer support, product content, or Seller communications: Contact the Seller directly (they are the independent controller)
  • For order data (name, email, purchase details): Both Makso and the Seller are independent controllers. You may contact either party depending on your request purpose. If your request relates to both controllers' processing, we will coordinate as needed

If you're unsure where to direct your request, contact us at privacy@makso.io and we will assist.

Your GDPR Rights:

  • Right of Access: Request confirmation of whether we process your data and obtain a copy of it
  • Right to Rectification: Request correction of inaccurate or incomplete data. Many details can be updated directly in your account settings
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data where no longer necessary, consent withdrawn, or unlawfully processed. This right is not absolute where we have legal obligations to retain data (e.g., 7-year retention requirement for financial records under Estonian law)
  • Right to Restrict Processing: Request restriction of processing if you contest data accuracy, object to processing, or data needed for legal claims
  • Right to Object: Object to processing based on legitimate interests. For direct marketing, you have an absolute right to object (we will stop immediately)
  • Right to Data Portability: Request data in machine-readable format (JSON/CSV) for transfer to another service (applies to data you provided, where processing is based on consent or contract)
  • Right to Withdraw Consent: Withdraw consent at any time (e.g., unsubscribe from marketing). Does not affect lawfulness of prior processing
  • Right to Human Review: Not subject to solely automated decisions with legal or similarly significant effects. We may use automated fraud detection systems for security purposes, but these do not make solely automated decisions affecting you. If we implement automated decision-making with legal or similarly significant effects, you have the right to human intervention, to express your point of view, and to contest the decision
  • Right to Complain: File complaints with supervisory authority:
    • Estonia: Data Protection Inspectorate (Andmekaitse Inspektsioon) - aki.ee
    • Other EU states: Your local data protection authority

Exercising Rights (for Sellers and other users):

  • Email: privacy@makso.io (or legal@makso.io for legal matters)
  • Identity Verification: We may verify your identity before fulfilling requests to protect your data security. If we have reasonable doubts about your identity, we may request additional information necessary to confirm your identity (GDPR Art. 12(6))
  • Response time: 1 month (may extend to 3 months for complex requests with notice)
  • Requests are free unless manifestly unfounded or excessive
  • Some rights can be exercised via account settings (for Sellers)
  • Note for Customers: See above regarding which controller to contact (Makso or Seller) depending on data type

9. Cookies and Tracking

We use cookies and similar tracking technologies to provide, personalize, and improve our Services:

Cookie Types:

  • Essential: Required for site functionality (authentication, session management). Cannot be disabled
  • Analytics: Google Analytics and similar tools to measure site usage and performance
  • Functional: Remember preferences (language, currency, tutorial status)
  • Advertising: May use third-party cookies (Google, Facebook) for campaign measurement and retargeting

Your Choices:

  • Cookie Banner: On first visit, you can accept or reject non-essential cookies. Non-essential cookies are only set after you accept them via our cookie banner. You can use essential features of the Platform without accepting non-essential cookies
  • Consent Method: Consent boxes are never pre-ticked. You must actively accept non-essential cookies
  • Browser settings: block or delete cookies (may impact functionality)
  • Google Analytics opt-out: Use Google's browser add-on
  • DNT signals: Currently not supported due to lack of industry standard
  • Email tracking pixels: Disable images in email client

Compliance Note: We comply with the ePrivacy Directive and Estonian Electronic Communications Act § 128 regarding cookie consent.

Embedded third-party content (YouTube videos, social media widgets) may set their own cookies governed by their respective privacy policies.

10. Third-Party Services and Links

Our Platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy does NOT cover those third parties, which have their own privacy policies. We are not responsible for third-party data practices.

Examples: Payment processor privacy policies (e.g., Stripe), identity verification provider privacy policies (e.g., Veriff, iDenfy), third-party APIs integrated by Sellers.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified via:

  • Updated "Last updated" date on this page
  • Email notification to account holders (for material changes)
  • In-app alerts where appropriate

Your continued use after changes constitutes acceptance. If changes require new consent, we will obtain it separately. If you disagree with changes, discontinue use and request data deletion per Section 8.

12. Contact Us

For privacy questions, rights requests, or concerns:

Email (Preferred):

  • Privacy & Data Protection: privacy@makso.io
  • Legal Matters: legal@makso.io

Postal Mail:
Wealth Beacon OÜ
Privacy & Data Protection
Teaduse 17–10, Saku 75501 Harjumaa, Estonia

For questions about our data protection practices or the appointment of a Data Protection Officer, contact privacy@makso.io

Response Time: Typically within 30 days (1 month for GDPR requests)

Complaints: If we do not adequately address your concern, you may file a complaint with:

  • Estonia: Data Protection Inspectorate (Andmekaitse Inspektsioon) - aki.ee
  • Your EU country: Local data protection authority

Appendix 1

The details for the lawful bases for processing data

Performance of Contract

We process your personal data when it's necessary to fulfill our contract with you or to take steps at your request before entering into a contract.

| Purpose of processing | Categories of personal data |
| --- | --- |
| Providing the Platform and Services, including merchant of record services, payment processing, tax calculation, invoicing, and facilitating transactions between Sellers and Customers. | Identification data, contact data, financial data, transaction data, data related to the use of the Platform. |
| Creating and managing Seller and Customer accounts. | Identification data, contact data, account credentials. |
| Processing payments, handling payouts to Sellers, and managing chargebacks and refunds as merchant of record. | Identification data, contact data, financial data, transaction data. |
| Generating invoices, receipts, and transaction records as required for merchant of record obligations. | Identification data, contact data, financial data, transaction data. |
| Contacting you regarding the Platform and Services, including customer support. | Identification data, contact data, communications data. |

Legal Obligation

We process personal data on this legal ground where the legal obligation for processing arises from Estonian, EU, or other applicable laws.

| Purpose of processing | Categories of personal data |
| --- | --- |
| Identity verification, KYC/AML compliance, and customer due diligence for Sellers as required by anti-money laundering regulations. | Identification data, identity verification data, financial data. |
| Tax calculation, collection, and remittance to tax authorities across multiple jurisdictions as merchant of record. | Identification data, contact data, financial data, transaction data. |
| Bookkeeping and financial record retention (7 years from end of fiscal year as required by Estonian Accounting Act and tax laws). | Identification data, contact data, financial data, transaction data. |
| Responding to lawful requests from government authorities, regulators, and law enforcement. | Identification data, contact data, communications data, financial data, data related to the use of the Platform. |

Legitimate Interest

We sometimes process your personal data based on our legitimate business interests. These interests are balanced against your rights and freedoms. We have conducted Legitimate Interests Assessments (LIAs) for each processing purpose listed below, documenting how we balance our legitimate interests against your rights. If you want to know more about this processing or request details of our balancing test, you can contact us as outlined in Section 12.

| Purpose of processing | Categories of personal data |
| --- | --- |
| Safeguarding our rights, including establishing, exercising, and defending legal claims. This includes retention of contracts and records after termination or expiry. | Identification data, contact data, communications data, financial data, data related to the use of the Platform. |
| Fraud detection and prevention, protecting users and platform integrity, and security monitoring. | Identification data, contact data, financial data, transaction data, data related to the use of the Platform. |
| General business administration and operations. | Identification data, contact data, communications data, financial data, data related to the use of the Platform. |
| Provision of core services of the website and Platform (data processed via technical cookies necessary to provide services online). | Data related to the use of the Platform. |
| Recording of communications between you and us (including video calls, telephone calls, support requests) for quality assurance, training, fraud prevention, and dispute resolution. | Identification data, contact data, communications data, voice or video recordings. |
| Development and improvement of services provided on the website and Platform. We retain and evaluate information on your visits for analytics purposes to improve functionality and user experience. We also process analytical cookies for this purpose. | Data related to the use of the Platform. |
| Processing publicly given or Platform-provided feedback for quality assurance, customer success, improving experience, and referral purposes. | Identification data, contact data, feedback data. |
| Complying with payment network requirements (Visa, Mastercard, etc.) and contractual obligations to payment processors as necessary for our merchant of record operations. | Identification data, financial data, transaction data. |

Consent

We process personal data based on your freely given, specific, informed, and unambiguous consent. You may withdraw consent at any time.

| Purpose of processing | Categories of personal data |
| --- | --- |
| Direct marketing communications (newsletters, product updates, promotional offers). Sellers may opt out at any time via unsubscribe links. | Identification data, contact data. |
| Non-essential cookies and tracking technologies for analytics, personalization, and advertising purposes. Consent obtained via cookie banner. | Data related to the use of the Platform, online identifiers. |
| Targeted advertising via third-party platforms (Google, Facebook, etc.). | Identification data, contact data, data related to the use of the Platform. |
| Voluntary surveys, feedback collection, and market research. | Identification data, contact data, feedback data. |

/ End of Appendix 1 /

© 2025 Wealth Beacon OÜ. Built in Estonia, EU with security and compliance in mind.