Post was originally published on Alphabay’s forum at this link: http://pwoah7foa6au2pul.onion/forum/index.php?threads/alphabay-updated-privacy-policy.76749/
Alphabay Market places a strong emphasis on the security of its users and takes the best possible measures to mitigate risks associated with data leaks, server seizures, and account infiltration. This will detail how each of your information is kept. If you accidentally post incriminating information, refer to the section below to know the associated risks.
When information gets deleted after a certain number of days, it is always hard deleted and unrecoverable. We do not keep any trace of information that claims to have been deleted. Additionally, we keep no record of user movement, and all access logs show IP 127.0.0.1.
User accounts are kept indefinitely and cannot be deleted. However, we do not keep records of previous profile or password / PIN edits. While deleting an account is not possible, editing your profile or contact information will make the previous versions unrecoverable as it will get overwritten in the database.
Private messages (PM) sent by users are, by default, kept indefinitely. However, if both users delete their copy of the conversation, or decide to leave the conversation using the Leave Conversationbutton, the whole conversation, including the messages, will be hard deleted and unrecoverable. No trace of the conversation will be kept, and no analysis can prove that it ever existed.
Sale Order Data
The buyer and seller notes in an order are kept for 30 days after completion of the order. Completion occurs either when the dispute is resolved, the order finalized, or the order cancelled. When an order is archived, the notes are still subject to the 30-day rule. The following information will be retained indefinitely:
– Buyer and seller username
– Listing refund policy
– Price, and postage price
– Creation, shipping, and finalization dates
Deposit and withdrawal information
When you make a deposit, or withdraw coins, the following information will be kept for 10 days:
– Deposit or withdrawal address
– Bitcoin transaction ID
Deposit addresses are kept for 8 days following the first deposit. Every 72 hours, we have an automated task that fetches required addresses from the database (deleted addresses are not included), and recreates the wallet files from scratch. This ensures that once an address expires, no forensics analysis on the Bitcoin servers can prove that this address has ever been under our control. This process ensures true tumbling and ensures that no service can profile our wallets.
The following information will be kept indefinitely, for accounting purposes:
– Deposit or withdrawal amount
– Execution date and time (timestamp gets randomly altered to prevent blockchain correlation)
Data sold in the autoshop is retained for as long as it is not sold. If the seller deletes its data from the autoshop, no record is kept. Sold cards will be retained for 30 days after the sale date, and will then be permanently deleted. We retain the following information for accounting purposes:
– Sale date and time
– Sale price
Listings are kept indefinitely, even after deletion, for consistency purposes. We do not keep records of previous edits, however each sale will include a copy of the refund policy to prevent edit-scams, which will be retained indefinitely. Previous postage options will be retained forever for accounting purposes.
We do not keep track of API calls. There is no way to find out if a request was made through the site or through the API. We do not keep records of deleted API keys.
Favorites / Blacklists / Reports
When you remove a listing from your favorites, no record is kept. When you remove a user from your blacklist, no record is kept. Once a listing report gets resolved, no record is kept.
Feedback is retained indefinitely, however only 2 characters from the username are visible, and the price is hidden. Staff members can view the full feedback data on a user profile.
Contract data is kept indefinitely in the database, in order to keep it possible to be referred to in the future.
One-time passwords (OTP)
Once a OTP has been used once, deleted, or expired, no record is kept.
Notifications are deleted after 14 days, whether they are read or not. Notifications sent over Jabber are kept in our database for 3 days.
Support ticket message content will be kept for 15 days. The following information is retained permanently:
– Support ticket title
– Username and date
Staff members need the approval of administration before accessing order notes or taking over a dispute. This ensures that a rogue staff member cannot scrape the whole marketplace sale data to use it for malicious purposes. Once an administrator grants access to a staff member to a specific sale number, the staff member can read the notes, or take over the dispute, depending on the access level requested.