1. Data we collect
Account data (email, hashed password, optional name); user content (projects, milestones, proofs, messages); technical metadata (IP, browser, login dates); payment data (handled by Stripe — we never store card numbers).
2. Purposes of processing
Provide the service; enable collaboration; send email notifications; handle billing; improve quality; detect abuse and fraud; respond to your requests.
3. Legal basis
Contract performance (Art. 6.1.b GDPR) for the service; legitimate interest (6.1.f) for security and improvement; consent (6.1.a) for marketing emails; legal obligation (6.1.c) for billing and accounting retention.
4. Data sharing
Your data is NEVER sold. Sharing is limited to the subprocessors needed to run the service: Supabase (DB/file hosting), Resend (transactional emails), Stripe (payments). All are bound by GDPR data processing agreements and host data in the EU.
5. Retention period
Active account: throughout usage. Account deletion: erased within 30 days, except legal obligations (billing: 10 years). Technical logs: 12 months max.
6. Your rights
You have the rights of access, rectification, erasure, portability, objection and restriction of processing. Exercise them at dpo@oyeba.com or via Settings → Privacy. Response within 1 month.
7. Cookies
See our dedicated Cookie Policy. In summary: strictly necessary cookies (session, security) without consent; analytics cookies with explicit consent.
8. Security
TLS 1.3 in transit, AES-256 at rest. Passwords are hashed with bcrypt. Access to user data is restricted to the technical team and protected by strong authentication. Regular audits.
9. International transfers
No transfers outside the EU by default. If necessary (e.g. CDN), only to countries deemed adequate under GDPR, or via standard contractual clauses.
10. Contact & complaint
Data Protection Officer (DPO): dpo@oyeba.com. You can also file a complaint with your local data protection authority if you believe your rights are not respected.
