Privacy Policy

BEARER · Rajendran — Bhirannavan Rajendran, Neufeldstrasse 116, 3012 Bern, Switzerland.

Email: rajendran.bhirannavan@gmail.com

Due to the small size, there is no obligation to appoint a data protection advisor (Art. 10 revDPA).

• Account data: email, password hash (bcrypt), handle, language, skills, bio.
• Project data: title, description, budget, status, ratings.
• Payment data: Stripe checkout session IDs, amounts, currencies. Credit card data is processed exclusively by Stripe — we do not store it.
• Technical data: IP address (truncated), user agent, timestamps, API logs (for abuse detection, rate-limiting).
• Cookies: only functional cookies (login token, language choice, banner dismissal). No tracking, no analytics, no advertising cookies.

• Contract performance (Art. 31(2)(a) revDPA / Art. 6(1)(b) GDPR): account management, project and escrow processing, payment processing.
• Legitimate interest (Art. 31(1) revDPA / Art. 6(1)(f) GDPR): IT security, abuse prevention, logs, rate-limiting.
• Legal obligation (Art. 31(1) revDPA / Art. 6(1)(c) GDPR): tax and accounting retention obligations (10 years under Swiss CO).
• Consent (Art. 6(6) revDPA / Art. 6(1)(a) GDPR): optional newsletter / marketing emails (currently inactive).

We use the following providers. Data processing agreements (DPAs) are in place with all of them:

• Stripe Payments Europe Ltd. (Irland) — Zahlungsabwicklung. Privacy: stripe.com/privacy
• MongoDB Atlas (EU-Region) — Datenbank-Hosting.
• Emergent Labs Inc. (USA) — Application Hosting & LLM Gateway.
• CoinGecko (Singapur) — öffentliche Wechselkurse (keine Personendaten übermittelt).
• OpenAI / Anthropic / Google (via Emergent LLM Gateway) — AI-Match-Scoring (anonymisierte Skill-Strings, keine Identifikatoren).

Data transfer to third countries (USA): based on EU Standard Contractual Clauses and/or adequacy decision.

• Account data: until deletion by the user.
• Invoice and payment data: 10 years (Art. 958f Swiss CO / § 147 AO).
• Server logs: 90 days, then automatic deletion.
• Inactive accounts: deletion after 24 months of inactivity (with prior notice).

You have the following rights at any time (Art. 25 et seq. revDPA / Art. 15 et seq. GDPR):

• Access to data stored about you.
• Rectification of inaccurate data.
• Erasure ("right to be forgotten") — unless legal retention obligations apply.
• Restriction of processing.
• Data portability (machine-readable format).
• Objection to processing based on legitimate interests.
• Withdrawal of consent (with effect for the future).
• Complaint to the FDPIC (Switzerland) or an EU data protection authority.

In the dashboard you will find endpoints for self-service data export and account deletion.

We use only technically necessary cookies and localStorage entries:

• sc_token — JWT-Login-Token (Session)
• sc_lang — Sprachwahl (DE/EN)
• sc_beta_dismissed — Banner-Status
• sc_cookie_consent — Cookie-Banner-Zustimmung

No advertising cookies, no tracking, no third-party analytics.

• Transport encryption (TLS 1.3) via HTTPS.
• Password hashing with bcrypt (cost factor 12).
• JWT with short lifetime and token rotation.
• Rate-limiting and brute-force protection on all auth endpoints.
• Idempotency keys on financial endpoints to prevent double-bookings.

We reserve the right to update this privacy policy. The current version is always available on this page.