Privacy Policy
Last updated: June 2026
This Privacy Policy describes how GTA CREB ("we", "us", "our") collects, uses, shares, and protects personal information when you visit our website, create an account, or place a pre-order. We've written it to be readable. If anything is unclear, email privacy@gtacreb.com.
1. Who we are
GTA CREB is the data controller for personal information processed through this website. We are an independent online retailer of digital game codes and are not affiliated with Rockstar Games, Take-Two Interactive, Sony Interactive Entertainment, or Microsoft.
2. Information we collect
- β’ Account information β name, email address, password hash, and (if provided) phone number.
- β’ Order information β chosen edition, gaming platform, in-game account identifier (e.g. PlayStation ID, Xbox Gamertag), order notes.
- β’ Billing information β billing address, city, region, postal code, and country.
- β’ Payment information β card details are entered directly with our PCI-DSS Level 1 certified third-party payment providers and are tokenised before reaching our servers. We store only a payment reference, the last four digits of the card, the card brand, the transaction status, and the amount charged.
- β’ Technical information β IP address, device type, browser, operating system, referring URL, and session timestamps used for security, fraud prevention, and abuse detection.
- β’ Communications β support requests, chat transcripts, and feedback you send us.
- β’ Cookies and similar technologies β see our Cookie Policy.
3. How we use your information
- β’ Process pre-orders, deliver digital codes, generate invoices, and respond to support requests.
- β’ Prevent fraud, chargebacks, account takeover, and bot or spam activity (legitimate interest).
- β’ Send transactional emails β order confirmations, payment receipts, delivery notifications, and refund updates.
- β’ Send product or marketing communications only when you have opted in. You can unsubscribe at any time using the link in every marketing email.
- β’ Comply with legal obligations, including tax, accounting, and consumer-protection law.
- β’ Improve the site through aggregated, non-identifying analytics.
4. Legal bases for processing (EEA / UK)
We rely on the following legal bases under the GDPR and UK GDPR: (a) performance of a contract to fulfil your order; (b) legitimate interests to secure the service, prevent fraud, and improve the product; (c) consent for marketing emails and non-essential cookies; and (d) legal obligation for tax, accounting, and compliance records.
5. Sharing your information
We share personal information only with vetted service providers acting on our instructions under a written data-processing agreement. Categories of recipients:
- β’ Payment providers β to process your payment, run fraud checks, and handle refunds or chargebacks.
- β’ Cloud hosting and database β to host the website, store account data, and serve content.
- β’ Email delivery provider β to send transactional emails.
- β’ Analytics and error monitoring β privacy-respecting providers used to keep the site fast and reliable.
- β’ Professional advisors and authorities β when required by law, court order, or to defend our legal rights.
We never sell or rent personal information.
6. International transfers
Some of our providers operate outside your country. Where data leaves the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision, depending on the destination.
7. Data retention
- β’ Order and invoice records β retained for up to 7 years to comply with tax and accounting law.
- β’ Account data β kept while your account is active. Deleted within 30 days after account closure, except records we are legally required to keep.
- β’ Support communications β up to 24 months.
- β’ Server logs β up to 90 days, then deleted or fully anonymised.
8. Security
We protect data with TLS 1.2+ in transit, encryption at rest, row-level security on our database, hashed passwords (bcrypt/argon2), role-based access control, audit logging of administrative actions, rate limiting, and bot protection. No system is perfectly secure; we will notify you and any required regulator without undue delay if a breach affects your personal data.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict, port, or object to our processing of your personal information, and to withdraw consent at any time. To exercise any of these rights, email privacy@gtacreb.com. We respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.
California residents (CCPA/CPRA): you have the right to know, delete, correct, and opt out of any "sale" or "sharing" of personal information. We do not sell personal information.
10. Children
The Service is intended for users 18 years and older. We do not knowingly collect personal information from children under 16. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date above reflects the current version. Material changes will be communicated by email or a prominent notice on the site at least 14 days before they take effect.
12. Contact
Privacy questions: privacy@gtacreb.com. General support: support@gtacreb.com.
