Privacy Policy

1. Data Controller

Bernard Zitzer

Email: info@bernard.so

We respect your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. Data We Collect

2.1 Account Information

• Email address (required for account creation)
• Username and display name
• Profile information (bio, location, avatar image)
• Your "orbitals" (favorite problems/questions you share publicly)

2.2 Usage Data

• Pages visited and features used
• Time and date of access
• Browser type and version
• IP address (anonymized)
• Referring website

2.3 Payment Information

Payment processing is handled by Stripe. We do not store your credit card information. Stripe collects and processes payment data according to their privacy policy.

3. Legal Basis for Processing

We process your personal data based on:

• Contract performance: To provide our services (GDPR Art. 6(1)(b))
• Legitimate interests: To improve and secure our platform (GDPR Art. 6(1)(f))
• Consent: For optional features like marketing communications (GDPR Art. 6(1)(a))
• Legal obligations: To comply with applicable laws (GDPR Art. 6(1)(c))

4. How We Use Your Data

• Provide and maintain our service
• Create and manage your user account
• Display your public profile and orbitals to other users
• Connect you with other users exploring similar questions
• Send service-related notifications (account updates, security alerts)
• Analyze usage patterns to improve the platform
• Prevent fraud and abuse
• Comply with legal obligations

5. Data Sharing

5.1 Public Information

Your profile, username, bio, and orbitals (questions) are publicly visible by default. This is the core functionality of the platform - making your questions discoverable to attract relevant connections.

5.2 Service Providers

We share data with trusted third-party processors:

• Vercel: Hosting and infrastructure (US-based, GDPR-compliant)
• Supabase: Database and authentication services (GDPR-compliant)
• Stripe: Payment processing (GDPR-compliant)

5.3 Analytics

We use Vercel Analytics for aggregate traffic insights. This service is privacy-friendly and does not use cookies or collect personal identifiers.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Processing by service providers certified under recognized data protection frameworks
• Adequate levels of protection as determined by the European Commission

7. Data Retention

We retain your personal data:

• Active accounts: As long as your account remains active
• Deleted accounts: 30 days after deletion (for recovery purposes)
• Legal obligations: Longer if required by law (e.g., tax records)
• Analytics data: Aggregated and anonymized permanently for service improvement

8. Your Rights (GDPR)

If you are located in the EEA or UK, you have the following rights:

• Right to access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent for optional processing
• Right to lodge a complaint: Contact your local data protection authority

To exercise these rights, contact us at info@bernard.so. We will respond within 30 days.

9. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how we use it
• Request deletion of your personal information
• Opt-out of the sale of your personal information (we do not sell your data)
• Non-discrimination for exercising your privacy rights

10. Cookies and Tracking

We use essential cookies for authentication and service functionality. See our Cookie Policy for details.

11. Security

We implement industry-standard security measures including encryption, secure hosting, regular security audits, and access controls. However, no method of transmission over the internet is 100% secure.

12. Children's Privacy

Our service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on our service. Continued use after changes constitutes acceptance.