Privacy Policy

1. Who we are

SellCardNow is operated by KolaCash Limited, a Hong Kong–registered company (Company Registration Number 78258768). We are a unified gift card resale service platform. We use global buyer and recycler demand, platform-scale pricing, and internal route comparison to offer competitive payout prices while SellCardNow remains the customer-facing party responsible for card checks, payout, support, and after-sales.

This privacy policy explains what information we collect, why, who we share it with, how long we keep it, and what choices you have. If anything here is unclear, contact us — details at the bottom.

2. Information you give us

When you use SellCardNow we collect information in two ways: information you provide directly, and information collected automatically when you visit the site. This section covers the first.

• Account information

  Email address (required), phone number, password (stored as a hashed value, never in cleartext), and the country / payout currency you select.

• Identity verification (KYC)

  Before we can release a withdrawal, we are legally required to verify your identity. We collect: legal name, government-issued ID number (e.g. BVN for Nigeria, national ID for Kenya), date of birth, and a selfie or document photo. Sensitive identity fields (legal name, ID number) are encrypted at the database column level with AES-256-GCM. Only authorized staff with the sensitive-identity capability can view decrypted values, and every view is audit-logged.

• Card submissions

  Card type, region, denomination, code or photo of the card, and any details you share so SellCardNow can check the card and process the payout.

• Payout details

  Bank account, M-PESA / Mobile Money number, account-holder name, and other payout-rail data needed to send your money. Stored encrypted at rest.

• Communications

  Messages you send us through WhatsApp, the contact form, email, or any in-app chat. These are stored for support history and audit.

3. Information collected automatically

When you visit sellcardnow.com or interact with our pages, certain information is captured automatically by us or by service providers we use.

• Device + connection

  IP address, browser type and version, operating system, device type, screen size, referring URL, language preference, and time-zone offset.

• Usage analytics

  We use Google Analytics 4 and PostHog to understand how visitors use the site — pages visited, clicks, calculator interactions, conversion events. These tools set cookies and may collect a pseudonymous device identifier. We do not combine analytics IDs with your KYC identity unless you explicitly sign in.

• Session recordings (PostHog)

  We record a sample of visitor sessions as anonymized replays so we can debug issues and improve UX. All input fields, password boxes, and any element tagged sensitive are masked in the recording — we cannot see what you typed into them. We retain replays for up to 30 days by default and never sell or share them.

• Error tracking

  When our code throws an unexpected error in your browser, we capture the stack trace and the URL where it happened so we can fix it. We do not include form values, KYC data, or payout details in error reports.

• Cookies

  See Section 9 below for the full cookie list and what each one does.

4. How we use your information

We use the information we collect for these specific purposes:

• Provide the service

  Process gift card trades, verify your identity for KYC, check card details, compare internal payout routes, calculate and send payouts, show you trade history and wallet balance.

• Comply with the law

  Anti-money-laundering (AML) and counter-terrorist-financing (CTF) checks, sanctions screening, tax reporting where applicable, and responding to lawful requests from regulators.

• Prevent fraud and abuse

  Detect duplicate accounts, stolen-card patterns, payout fraud, brute-force login attempts (login attempts are rate-limited per email and per IP), and other abuse signals.

• Customer support

  Look up your account history when you contact us, follow up on stuck submissions, troubleshoot bugs.

• Improve the product

  Analyze aggregate usage patterns, A/B test changes, and use session recordings to find UX problems.

• Operational audit

  We keep an internal audit log of every sensitive action staff takes on customer records (KYC reviews, withdrawal approvals, payout proof uploads) so that mistakes or misuse can be detected and corrected.

5. Legal basis for processing

Different categories of processing rest on different legal bases:

• Performance of a contract

  When you submit a card, we process your information to deliver the trade and payout you asked for. Without it, we cannot complete the service.

• Legal obligation

  KYC verification, AML monitoring, transaction record retention, and tax reporting are required under Hong Kong's Anti-Money Laundering and Counter-Terrorist Financing Ordinance and similar laws in markets we serve.

• Legitimate interest

  Fraud prevention, security monitoring, product analytics, and audit logging are based on our legitimate interest in running a safe and reliable service. We balance these against your privacy and use only the minimum data needed.

• Consent

  Marketing emails (if any), non-essential cookies, and session recordings rely on your consent. You can withdraw consent at any time without affecting the service.

6. Who we share information with

We do not sell your personal information. We do not share it with advertisers. The only parties who see your data are processors we use to deliver the service, and only the minimum each needs to function:

• Hosting and infrastructure

  Vercel Inc. (USA) hosts the website and serverless functions. Cloudflare R2 (global edge) stores card photos, KYC documents, and payout proofs. All transfers between us and these providers are encrypted in transit.

• Analytics

  PostHog Inc. (US Cloud) and Google LLC (Google Analytics 4) receive pseudonymous usage events. Neither receives your KYC fields, card codes, or payout details.

• Messaging

  Meta Platforms / WhatsApp Business processes the WhatsApp messages you exchange with our support team. We use the official WhatsApp Business API; we do not sell or forward your messages.

• Vetted card-processing partners

  Where a card-processing partner is needed to help validate or redeem a card, we share only the minimum card details required for that task (type, region, value, photo or code). We do NOT share your name, email, phone number, KYC data, or payout details with those partners. SellCardNow remains responsible for the customer relationship and sends the payout through our official route.

• Legal requests

  If a court order, subpoena, or lawful request from a competent regulator requires us to disclose information, we will, after verifying that the request is valid and proportionate.

7. International transfers

SellCardNow operates from Hong Kong but uses service providers headquartered in the United States (Vercel, PostHog, Google) and serves customers across multiple African countries (Nigeria, Kenya, Ghana, Bénin, Côte d'Ivoire, Cameroon). This means your data is transferred internationally as part of normal operation.

Wherever your data is processed, the protections in this policy apply. Our processors are bound by data-processing agreements and use industry-standard safeguards (encryption in transit, encryption at rest, access controls).

8. How long we keep data

Different categories of data have different retention periods:

• Account, KYC, transaction history

  Retained while your account is active and for at least 5 years after closure, to satisfy AML record-keeping requirements under Hong Kong law.

• Withdrawal records and payout proofs

  Retained for at least 5 years for the same regulatory reason.

• Card images and submission photos

  Retained for 12 months after the trade is complete, then deleted unless tied to an open dispute or investigation.

• Audit logs

  Retained for 2 years.

• Analytics (GA4 + PostHog)

  GA4: 14 months by default. PostHog autocapture events: 90 days. Session recordings: 30 days.

• Error tracking

  90 days.

• Marketing / WhatsApp messages

  Retained for 2 years from last interaction.

9. Cookies and similar technologies

We use cookies that are necessary for the service to work, plus a small set of analytics cookies. We do not use advertising cookies. The specific cookies set by sellcardnow.com:

• scn_session (necessary)

  Authenticates you when you are signed in as a customer. 30-day expiry. HttpOnly, Secure, SameSite=Lax. Without it, you cannot stay logged in.

• scn_staff_session (necessary)

  Authenticates staff and recycler users. 14-day expiry. Only set if you sign in to an operator account.

• scn_locale (functional)

  Remembers your language preference (English / French). 1-year expiry.

• scn_utm (functional)

  Remembers how you arrived at the site (campaign source) so we can credit referrals. 30-day expiry. No personal information.

• Google Analytics cookies (_ga, _gid)

  Set by GA4 for usage analytics. 13 months / 24 hours. Stops being set if you decline analytics in the cookie banner (once enabled).

• PostHog cookies (ph_*)

  Stores a pseudonymous device identifier used to thread together your visits into one anonymous session. 1-year expiry.

10. Security

We use industry-standard practices to protect your data:

• Encryption in transit

  All traffic to sellcardnow.com is HTTPS-only. HSTS is enforced; the browser refuses to talk to us over plain HTTP.

• Encryption at rest

  Sensitive KYC fields (legal name, identity number) are encrypted at the database column level using AES-256-GCM with a key stored in a managed secret service. Card images and KYC documents are stored in object storage that is not publicly listable, accessible only via short-lived access references issued to your account or authorized staff. Payout-rail data (bank, M-PESA, Mobile Money account numbers) is protected by the same access controls and audit trail.

• Access controls

  Staff access to customer data is gated by role-based capabilities. KYC documents are visible only to staff with the sensitive-identity capability; every view is logged. Recyclers never see seller PII.

• Authentication

  Passwords are stored as scrypt hashes with per-user salt; we never see your password. Login and registration are rate-limited per email and per IP to stop brute-force attempts. Sessions expire automatically (30 days for customers, 14 days for staff); signing in from a new device does not invalidate other sessions.

• Disclaimer

  No online service is 100% secure. We work hard to protect your data but cannot guarantee absolute security. If we ever discover a breach affecting you, we will notify you within 72 hours and tell you what we know and what we're doing about it.

11. Your rights

You have meaningful control over the data we hold about you. To exercise any of these rights, contact us at the address in Section 13 — we respond within 30 days.

• Right to access

  Ask for a copy of the personal data we hold about you. We provide it as a JSON or CSV download, free of charge, once per year.

• Right to correction

  Ask us to fix anything that is wrong or out of date — name, contact details, payout information.

• Right to deletion

  Ask us to delete your account. We will mark your account for deletion with a 30-day grace period (so you can recover it if you change your mind), then delete or anonymize your data. We may need to retain some records (KYC, transaction history, audit logs) for the AML retention period — these will be retained in a sealed legal-hold state, not used for any operational purpose.

• Right to portability

  Ask us to export your data in a structured, machine-readable format you can take elsewhere.

• Right to object / restrict

  Object to processing for analytics, session recording, or marketing. We will stop those activities for your account.

• Right to withdraw consent

  Where processing is based on your consent (e.g. marketing emails), you can withdraw it at any time without affecting the service.

• Right to complain

  If you think we have mishandled your data, you can complain to Hong Kong's Office of the Privacy Commissioner for Personal Data (PCPD), or to your local data protection authority.

12. Children

SellCardNow is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has used SellCardNow, contact us and we will delete the account.

13. Changes to this policy

We may update this privacy policy from time to time. When we make material changes — for example, when we add a new analytics provider, change how long we keep data, or introduce a new processing purpose — we will:

(a) update the "Last updated" date at the top of this page; (b) notify all registered customers by email or by an in-product banner before the change takes effect; (c) where required by law, ask for fresh consent.

If you continue to use SellCardNow after a change to this policy, you accept the updated policy. If you do not accept the change, you can stop using the service and request deletion of your account under Section 11.

14. Contact

For any privacy question, request, or complaint:

• Email

  support@sellcardnow.com — use the subject line "Privacy request" so we can route it to the right team.

• WhatsApp

  +852 5587 5078 — our verified support number. We respond within 24 hours on business days.

• Postal address

  KolaCash Limited, Unit R2, Factory D, 10/F, Kin Ga Industrial Building, 9 San On Street, Tuen Mun, New Territories, Hong Kong.