Compliance and customer verification

Tonyzales follows Estonian and EU rules on anti-money laundering and counter-terrorism financing. Here we explain why we ask for information in certain situations and how we handle it. Last updated: 26 May 2026.

1. Why we run checks

As an Estonian company that accepts payments through EU-regulated processors, we are required to apply customer due diligence measures. The legal basis is the EU 5th AML Directive (2018/843), the Estonian Money Laundering and Terrorist Financing Prevention Act, and the guidelines issued by the Estonian Financial Intelligence Unit.

These checks also help you: they reduce fraud, keep your account out of reach of third parties, and let payment processors release funds without holds when everything is in order.

2. Basic verification for every account

Every account requires email verification through a confirmation link and the activation of two-factor authentication using an authenticator app (Google Authenticator, Authy or similar). This happens once, at account creation.

On every purchase we cross-check the country you declared against the geolocation of your IP address and the country of the payment instrument. If we detect a suspicious country change, we will ask you to clear the two-factor challenge again before continuing.

3. When we activate Enhanced Due Diligence (EDD)

EDD applies when your cumulative purchases exceed 1,000 euros in a 30-day window; when a single custom-amount transaction exceeds 500 euros (for example, large manual Tibia Coins orders); when you are classified as a Politically Exposed Person; when your IP address or payment instrument is registered in an EU high-risk jurisdiction; or when we detect unusual patterns, such as many failed payments in a row or IP addresses in countries very different from the one you declared.

In those cases we ask for a photo of your government-issued ID. The image is processed through Stripe Identity, a specialised identity verification provider. It is not stored on our servers in viewable form: we only keep the verification result (approved or rejected) and an opaque identifier.

4. Politically Exposed Persons (PEPs)

If you are a Politically Exposed Person, or a close family member or business associate of one, EU rules require us to apply enhanced measures and to have the decision to start or continue the business relationship approved by senior management. That does not mean we automatically refuse the account; it means the account goes through extra review. Your information is treated with the same level of confidentiality as that of any other customer.

5. Sanctions lists and blocked jurisdictions

We do not sell to persons or entities appearing on the sanctions lists of the European Union, the United Nations, the US Office of Foreign Assets Control (OFAC), the UK Office of Financial Sanctions Implementation (OFSI), or the Estonian national list.

For the same reason we block purchases from IP addresses in Cuba, Iran, North Korea, Syria, the non-government-controlled areas of Ukraine and, for certain products, Russia. This list is updated whenever the applicable sanctions regimes change.

6. Reporting suspicious activity

If we detect reasonable grounds to suspect that a transaction is connected to money laundering or the financing of terrorism, we are legally required to report it to the Estonian Financial Intelligence Unit. We cannot tell you if you are the subject of such a report; doing so would be a criminal offence known as tipping-off under Estonian law.

If your transaction turns out to be legitimate and the FIU confirms it, the case is closed and no public mark is left against you. If, on the contrary, there are signs of a criminal offence, the FIU may order funds to be frozen and may cooperate with broader investigations.

7. Retention and access to your records

By law, we keep identification and transaction records for 5 years from the end of the business relationship or the date of the transaction, whichever is later. Sensitive records are encrypted at rest in our PostgreSQL database hosted in Germany, receipts and documents live in Cloudflare R2 storage, and AES-256 encrypted backups go to a Hetzner Storage Box on a 7-day rotation.

Only the compliance officer, the Board and personnel with the administrator role have full access. Support agents see only the tickets and orders assigned to them, and every access to a record leaves a trace in an immutable audit log.

8. Your rights during verifications

You have the right to know what data we ask for and why. If you do not understand a requirement, write to [email protected] and an agent will explain it.

If you believe a verification is disproportionate to the amount involved, you can request a written review. If you disagree with the final decision, you can file a complaint with the Data Protection Authority or the FIU of Estonia, depending on the case.

We cannot delete records subject to a legal retention obligation (the 5-year AML period), but we can delete data not covered by that obligation, in line with the privacy policy.

9. Compliance officer

The Money Laundering Reporting Officer (MLRO) of Tonyzales is Juan Eduardo Gonzalez Sarmiento, Managing Director, designated by the Board of the company. He is responsible for coordinating the AML/CTF programme, receiving internal escalations and maintaining contact with the Estonian FIU.

For compliance-specific questions, write to [email protected].

Were you asked for verification and are unsure why?

Write to [email protected] with your order number and we will walk you through it.