Privacy Policy
Last updated: 2026-04-17
Introduction
This Privacy Policy explains how Haiati (operated by BlueBear GmbH) collects, uses, stores and protects your personal data when you use our platform. We are committed to processing your data lawfully, transparently and only as necessary under the EU General Data Protection Regulation (GDPR).
Data Controller
BlueBear GmbH, registered in Vienna, Austria, is the controller responsible for personal data processed through Haiati. Contact: digital@bluebear.at.
Categories of Data We Collect
We collect the following categories of personal data:
- Account data — name, email address, password hash, preferred language, authentication provider (Google/email).
- Profile data — for service providers: business name, descriptions, category, phone, WhatsApp, website, images, address and location coordinates.
- Content data — listings, questions, job posts, market items, messages and reviews you create on the platform.
- Usage data — pages viewed, clicks, search queries and device information collected via privacy-respecting analytics.
- Transaction data — when you pay for a paid listing, Stripe processes your payment; we store only the transaction ID and subscription status, never card details.
Purposes and Legal Basis
We process your personal data for the following purposes, each with a specific legal basis under Art. 6 GDPR:
- Providing the platform and your account (Art. 6(1)(b) — contract performance).
- Sending transactional emails (verification, password reset, notifications) (Art. 6(1)(b) — contract performance).
- Debugging, security monitoring and platform improvement (Art. 6(1)(f) — legitimate interest in a stable and secure service).
- Compliance with legal obligations such as tax and accounting (Art. 6(1)(c) — legal obligation).
- Optional features (e.g. location-based search) where you give explicit consent (Art. 6(1)(a) — consent, which you may withdraw at any time).
Data Processors
We use carefully selected processors bound by Data Processing Agreements (DPAs). Where possible we choose EU-based infrastructure:
- Vercel Inc. — hosting and content delivery (EU edge).
- Neon (Databricks) — database and authentication, hosted in Frankfurt, Germany.
- Stripe Payments Europe Ltd. — payment processing for paid listings (Ireland).
- Resend — transactional email delivery.
- Sentry — error monitoring and performance tracking.
- Google Ireland Ltd. — Gemini AI for AI-assisted content features; Maps for address search.
- Upstash (Redis) — caching and rate-limit state, via Vercel KV (EU region).
International Data Transfers
Core user data is stored in the EU (Frankfurt). Some processors (e.g. Stripe, Sentry, Google) may transfer data to the United States under the EU-US Data Privacy Framework and Standard Contractual Clauses, which provide GDPR-equivalent protection.
Data Protection Officer
Haiati has not appointed a designated Data Protection Officer (GDPR Art. 37 does not require one for our current scale of processing). For all data-protection questions, contact us at digital@bluebear.at.
Retention Periods
We keep your data only as long as necessary:
- Account data — while your account is active, deleted within 30 days after closure.
- Public content — kept while published, removed within 30 days after deletion.
- Invoices and transaction records — 7 years (Austrian tax law, §132 BAO).
- Security and audit logs — up to 12 months.
- Inactive accounts are flagged after 24 months; we contact you before any deletion.
Automated Processing and AI
We use Google Gemini to generate AI suggestions (provider descriptions, answers, tips). AI output is clearly labelled and you remain in control — nothing is published on your behalf without your review. No significant automated decision-making (Art. 22 GDPR) takes place on Haiati.
Cookies and Local Storage
Haiati uses only strictly necessary cookies and local storage (authentication session, language preference, theme). We do not use advertising cookies or third-party trackers. A cookie banner is not legally required when only essential cookies are used.
Your Rights
Under Articles 15–22 GDPR you have the right to:
- Access — request a copy of your personal data (also available as a one-click export in your account settings).
- Rectification — correct inaccurate data (you can edit most fields directly in your profile).
- Erasure — delete your account and associated data from your settings page.
- Portability — export your data in a structured, machine-readable format (JSON/PDF).
- Restriction and objection — restrict processing or object to processing based on legitimate interest.
- Withdraw consent — at any time for processing based on consent, without affecting prior lawful processing.
- Lodge a complaint with a supervisory authority (see below) if you believe your rights have been infringed.
Security
Personal data is encrypted in transit (HTTPS/TLS) and at rest. Passwords are hashed. Access to production systems is restricted and logged. Security incidents affecting personal data are reported to the supervisory authority within 72 hours, as required by Art. 33 GDPR.
Children
Haiati is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy to reflect changes in the service or legal requirements. We will post the new policy on this page and update the 'Last updated' date. Material changes will be announced via email or in-app notice.
Contact and Supervisory Authority
For any privacy question or to exercise your rights, contact: digital@bluebear.at. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Austria — dsb@dsb.gv.at, www.dsb.gv.at.