VRCommissions
Legal

Privacy Policy.

What information VRCommissions collects, why we collect it, and what you can do about it.

Last updated: May 3, 2026

This Privacy Policy explains how VRCommissions (the "Platform", "we", "us", "our") collects, uses, discloses, and retains personal information about Users of the Platform. It is intended to comply with the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation in jurisdictions in which the Platform is offered. The Platform is not offered to residents of the Province of Quebec; see section 2 of our Terms of Service.

1. Privacy Officer and how to contact us

We have designated a Privacy Officer who is accountable for our compliance with PIPEDA. You can reach the Privacy Officer by sending an email with the subject "Privacy Officer" to:

2. Scope

This policy applies to personal information collected through the Platform's website and any associated services that link to it. It does not apply to third-party websites, wallets, blockchains, or services we integrate with; those are governed by their own privacy policies (see section 7).

3. What we collect

We collect the following categories of personal information:

Account and identity

  • Email address (required)
  • Password (stored as a salted PBKDF2 hash; the plaintext password is never stored or visible to us)
  • Display name and other public profile attributes you choose to provide (bio, avatar image, banner image)
  • Two-factor authentication enrolment data, if you enable 2FA
  • Phone number, only if you enable phone-based 2FA

Sign-in via Discord (optional)

  • Discord user ID, username, email address registered with Discord, and avatar URL
  • This data is only collected if you choose to sign in or link your account through Discord

Wallet and on-chain data

  • The wallet address you provide for sending or receiving funds in connection with an Order
  • Transaction hashes and amounts associated with deposits, releases, and refunds
  • If you fund an Order with BTC: the SideShift shift identifier and the deposit address

Orders and content you create

  • Order details (price, scope, status, deadlines)
  • Messages exchanged with the other party
  • Files uploaded or delivered through the Platform
  • Reviews and ratings you write
  • Dispute submissions and the supporting evidence you provide

Technical and usage data

  • IP address and approximate location derived from it
  • Browser user-agent string and device characteristics
  • Session cookies and anti-XSRF tokens
  • Page views, feature interactions, and error/exception logs

Support correspondence

  • Emails and messages you send to support, disputes, or legal addresses, and our replies

4. How we collect it

  • Directly from you, when you register, complete a profile, place or accept an Order, exchange messages, upload files, or contact us.
  • Automatically, through cookies, server logs, and similar technologies as you use the Platform.
  • From third parties, when you choose to connect them: Discord (if you sign in with Discord), and SideShift (if you fund an Order with BTC).

5. Why we use it

We use personal information for the following purposes:

  • to provide the Platform, including processing Orders, displaying Listings, and routing messages and files between Users;
  • to authenticate you and protect the Platform from fraud, abuse, and unauthorized access;
  • to operate the dispute process: when a dispute is opened, our Arbiter reviews the relevant conversation, files, and Order metadata to determine whether the Escrow Contract should release or refund;
  • to send transactional and security emails (account verification, password resets, order status, dispute notifications);
  • to send marketing or promotional emails, only with your express consent under Canada's Anti-Spam Legislation ("CASL"), and with one-click unsubscribe in every message;
  • to comply with legal obligations, respond to lawful requests, and enforce our Terms of Service;
  • to detect and prevent fraud, off-Platform circumvention, and prohibited conduct;
  • to improve the Platform through aggregate analytics that do not identify individual Users.

6. Consent

Under PIPEDA, we rely on your knowledge and consent to collect, use, and disclose personal information. For uses that are necessary to operate the Platform and fulfill an Order (account management, order processing, security, dispute review), consent is implied by your decision to register and use the Platform. For marketing communications and any materially new use of personal information, we ask for express consent.

You may withdraw consent at any time, subject to legal and contractual restrictions. Withdrawing consent for uses essential to operating your account will mean we can no longer provide the Platform to you, and your account will be closed in accordance with section 18 of the Terms of Service.

7. Who we share it with

(a) Other Users

Your display name and public profile are visible to other Users. Within an Order, the other party sees your messages, the files you share, and the wallet address you transact from. Reviews you write are public.

(b) Service providers

We share personal information with vendors that help us operate the Platform:

  • Microsoft Azure: database and infrastructure hosting
  • Google as an SMTP email provider: for delivery of transactional and security email
  • Discord: only if you choose to sign in or link your account through Discord
  • SideShift: only if you fund an Order with BTC
  • A Base-network RPC provider (e.g., Alchemy or Infura): for reading and broadcasting on-chain transactions
  • Privy: only if you use an embedded wallet feature, where available

Service providers are bound by contract to process personal information only on our instructions and for the purpose of providing their service to us.

(c) Legal and regulatory disclosure

We may disclose personal information in response to a valid court order, subpoena, or other legal process; to law enforcement; to comply with reporting obligations under applicable law; or where we reasonably believe disclosure is necessary to protect our rights, property, or safety, or those of our Users or the public.

(d) Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity, subject to the same protections in this policy or those required by law.

(e) On-chain disclosure (please read carefully)

Wallet addresses, deposit transactions, release transactions, and refund transactions are written to the Base public blockchain. Once written:

  • they are permanent and cannot be deleted, by us or by anyone else;
  • they are publicly visible to anyone using a block explorer;
  • they are linkable to other on-chain activity from the same wallet, including activity on other services such as DeFi protocols, NFT marketplaces, or other dApps;
  • they may be analyzed by third-party blockchain-analytics tools we do not control.

If you want stronger separation between your Platform activity and your other on-chain activity, use a fresh wallet for the Platform.

8. Cross-border data transfers

Personal information may be processed in Canada and outside Canada by the service providers listed in section 7. When information is processed outside Canada, it becomes subject to the laws of that jurisdiction, which may include access by foreign government authorities under those laws.

9. Retention

We retain personal information only as long as needed for the purposes for which it was collected, plus any period required by law:

  • Active account data: retained while your account is open.
  • Closed-account data: retained for 7 years after closure for tax, legal, dispute-evidence, and fraud-prevention purposes.
  • Order communications and exchanged files: retained for a minimum of 2 years to support possible dispute review.
  • Marketing-consent records: retained for the period required to demonstrate CASL consent.
  • On-chain data: cannot be deleted; persists indefinitely on the Base blockchain and is outside our control.

10. Security

We use a combination of administrative, technical, and physical safeguards to protect personal information:

  • passwords are stored as salted PBKDF2 hashes; the plaintext is never stored or visible to us;
  • communication with the Platform is encrypted in transit using TLS;
  • database credentials and signing keys are stored in environment variables, not in source code;
  • production database access is restricted to operational personnel on a need-to-know basis;
  • anti-XSRF tokens are required on form submissions;
  • we do not store private keys or seed phrases for User-controlled wallets at any time.

No system is perfectly secure. You are responsible for keeping your password, 2FA device, and wallet credentials confidential, and for notifying us promptly if you suspect unauthorized access (see Terms section 5).

11. Your rights

Subject to limits permitted or required by law, you have the right to:

  • Access the personal information we hold about you and request information about how it has been used and to whom it has been disclosed.
  • Correct personal information that is inaccurate or incomplete.
  • Withdraw consent for uses to which you previously consented, subject to legal or contractual restrictions.
  • Complain to our Privacy Officer and, if not satisfied with our response, to the Office of the Privacy Commissioner of Canada.

Residents of British Columbia and Alberta have analogous rights under their respective Personal Information Protection Acts.

To exercise any of these rights, write to our Privacy Officer at the address in section 1. We will respond within the time period required by applicable law (under PIPEDA, generally 30 days).

12. Cookies and similar technologies

The Platform uses the following cookies and similar technologies:

  • Authentication cookies issued by ASP.NET Identity to keep you signed in.
  • Anti-XSRF cookies used together with form tokens to prevent cross-site request forgery.
  • Preference cookies for non-default settings you choose (for example, theme).

The Platform does not currently use third-party advertising cookies or third-party cross-site analytics cookies.

13. Children

The Platform is not directed at, and may not be used by, persons under 18 (or the age of majority in their jurisdiction, whichever is greater). We do not knowingly collect personal information from children. If you believe we hold information about a child, contact our Privacy Officer and we will delete it.

14. Marketing communications and CASL

Transactional messages (account verification, password resets, order status updates, security alerts, dispute notifications) are sent on the basis of implied consent arising from your use of the Platform and are not subject to CASL's unsubscribe requirements. We honour preference choices where practical.

Marketing or promotional messages (newsletters, feature announcements, and similar) are sent only with your express consent. Every such message includes an unsubscribe mechanism that takes effect within ten business days, as required by CASL. You can also manage your preferences from your account settings.

15. Automated decision-making

Automated moderation tools are limited to content moderation. Dispute outcomes are determined by human review by our Arbiter.

16. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by in-Platform notice and, where practicable, by email in advance of taking effect. The "Last updated" date at the top of this page reflects the latest version. You are encouraged to periodically review this page.

17. How to reach us

Privacy questions, access or correction requests, withdrawals of consent, and complaints should be addressed to our Privacy Officer at mail@vrcommissions.com. For general support, see our Contact page.

Users have the right to contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.