Privacy Policy
Effective: 2 July 2026 (draft — under legal review) · Terms of Service
1. What we collect
- Account data: your Telegram ID, name and username (from Telegram Login) or your Google name and email; your language preference.
- KYC data (Sellers): phone number — stored encrypted at rest — and, for payouts, a masked card number (last 4 digits only; we never store full card numbers).
- Marketplace activity: gigs, orders, messages, reviews, payout requests, and an audit trail of money-related actions.
- Instagram (optional, Sellers): if you connect Instagram, we store your Instagram user ID and an encrypted access token, and copies of the media you already published, to show them as your portfolio.
- Technical data: logs necessary for security and abuse prevention (e.g. rate limiting). We do not run third-party advertising trackers.
2. Why we use it
To operate the marketplace (matching, orders, messaging, payments and payouts), verify Sellers, prevent fraud and abuse, meet accounting obligations, and send service notifications via Telegram, email and in-app (you control notification preferences in Settings).
3. Who we share it with
- Payment providers (e.g. Payme, Click, Uzum) — to process payments and payouts.
- Telegram — to authenticate you and deliver notifications you enabled.
- Meta / Instagram — only if you connect Instagram, to read your own media with your consent.
- Resend — to deliver transactional email.
- Infrastructure: our servers (currently hosted with Hostinger in the EU) and Cloudflare (traffic, media storage). We never sell personal data.
4. Security
Sensitive fields (phone numbers, Instagram tokens) are encrypted at rest; full card numbers are never stored; the database is not exposed to the internet; access to admin functions is allow-listed; money actions are audit-logged; nightly database backups are kept in private, access-controlled storage (encrypted at rest by the provider) on a 7-day rotation.
5. Your rights and controls
- Export: download everything we hold about you as JSON from Settings (or GET /api/me/export).
- Deletion: delete your account from Settings. Personal identifiers are removed; anonymized transaction records are retained as required for accounting and the other party's records.
- Instagram: disconnecting deletes the token and all synced media immediately.
- Corrections: profile data is editable in your dashboard at any time.
6. Retention
Account data is kept while your account is active. After deletion, anonymized order and ledger records are retained for the period required by accounting law; backups age out within 7 days.
7. Contact
Privacy requests: [email protected]. We will update this policy as the service evolves (e.g. when card payments go live); material changes will be announced on the Platform.