Legal
Privacy Policy
Last updated: 2026-05-24
How 6LY Store collects, uses, and protects your personal data — including your rights under GDPR and UK GDPR.
On this page
Who we are
6LY Store operates this storefront for FiveM scripts and related digital products. We are based in the Kingdom of Saudi Arabia and serve customers worldwide, including in the EU/EEA and the UK.
We act as the data controller for the personal data described below under:
- Saudi Arabia's Personal Data Protection Law (PDPL) — for customers based in the Kingdom or whose data is processed here
- The EU General Data Protection Regulation (GDPR) — for customers in the EU/EEA
- The UK GDPR — for customers in the United Kingdom
Tebex Limited is a separate controller for the payment-related data they collect during checkout.
What we collect
The data we process falls into a few buckets:
- Cart and order data— when you add a product, a cart identifier is stored in your browser's local storage. After purchase, we receive a confirmation from Tebex linking you (by your Tebex username / CFX account) to the products you bought, so we can grant access to them.
- Discord identifier — if a script requires your Discord ID (for in-script features, Discord role grants, etc.) we collect your Discord user id, username, and avatar hash via Discord OAuth, with your explicit consent at purchase time.
- Support communications — when you contact us by email or Discord, we keep the messages and any attachments you send so we can help you and improve our products.
- Technical data — our hosting providers automatically receive your IP address, browser user-agent, and request timestamps as part of normal HTTP traffic. We use this only for security, abuse prevention, and aggregate analytics.
We do not collectyour payment card details, billing address, or banking information — that data goes directly to Tebex's checkout, which is processed under Tebex's own privacy policy.
Why we use it (legal bases under GDPR)
- Performing your purchase contract (Art. 6(1)(b)) — to grant you access to the products you bought, deliver updates, and provide support.
- Your consent (Art. 6(1)(a)) — when you connect your Discord account for scripts that require it. You can disconnect at any time.
- Our legitimate interests (Art. 6(1)(f)) — fraud prevention, abuse handling, and ensuring the site stays available and secure.
- Legal obligations (Art. 6(1)(c)) — record-keeping required by tax, accounting, or consumer protection law.
International transfers
Because we're based in Saudi Arabia and use international service providers, your data may be transferred outside the EU/EEA, UK, or your country of residence. Where we transfer EU/UK personal data outside those regions, we rely on the providers' Standard Contractual Clauses or equivalent safeguards.
How long we keep it
- Cart data: until you clear your browser's local storage or after 30 days of inactivity.
- Order records: for as long as your license to the product is active, plus the period required by law (typically 5–7 years for tax records).
- Discord identifiers: kept only while a connected script needs them, or until you disconnect.
- Support tickets: 24 months from last reply, then deleted.
Your rights (GDPR / UK GDPR)
If GDPR or UK GDPR applies to your data, you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data, subject to legal retention obligations.
- Restriction — ask us to pause processing while a request is reviewed.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — withdraw consent at any time (e.g. disconnect Discord).
- Complain to a supervisory authority — your local data-protection regulator.
To exercise any of these rights, email us via the contact channels listed below. We respond within 30 days.
Your rights (KSA PDPL)
If you are based in the Kingdom of Saudi Arabia or your personal data is processed in the Kingdom, the Personal Data Protection Law (PDPL) grants you the following rights:
- Right to be informed — of the legal basis and purpose for processing your data.
- Right to access — request a copy of the personal data we hold about you.
- Right to request correction — of inaccurate, incomplete, or outdated data.
- Right to request destruction — of your personal data when it is no longer required, subject to legal retention obligations (e.g. tax records).
To exercise any of these rights, contact us using the details in the Contact section. We respond within 30 days as required by the PDPL.
If you believe we are not handling your data lawfully, you may also file a complaint with the Saudi Data & AI Authority (SDAIA), the regulator responsible for PDPL enforcement, or with the National Data Management Office (NDMO).
Children
Our store isn't directed at children under 16. If you believe a minor has provided us with personal data, contact us and we will delete it.
Security and breach notification
We use industry-standard measures (HTTPS, encrypted storage, principle-of-least-privilege access to back-office tools) to protect your data. No system is 100% secure; in the event of a breach affecting your personal data, we will notify:
- Affected customers — without undue delay, as required by GDPR / UK GDPR and PDPL.
- The Saudi NDMO via their personal-data-breach reporting form, in line with the PDPL.
- The Saudi Ministry of Commerce, as required by the Implementing Regulations of the E-commerce Law (2020).
- EU / UK supervisory authorities — within 72 hours of becoming aware, where GDPR / UK GDPR notification thresholds are met.
Changes to this policy
We may update this Privacy Policy. The “Last updated” date reflects the most recent change. Material changes will be highlighted on the homepage or via Discord announcement.
Contact
For privacy questions or to exercise your rights, contact us or on Discord.