Privacy Policy
Last updated: 2026-05-18
DRAFT — pending legal review. Generated from the codebase data inventory. Not legal advice. Must be reviewed and approved by a qualified lawyer before publication. Placeholders in {{ }} must be filled by the business.1. Who we are
Bubweb (“we”, “us”) operates the Bubweb application. The data controller is {{ legal entity name }}, {{ registered address }}. For any privacy question, contact {{ privacy contact email }}.
2. Personal data we collect
- Account data — email address (required), name and profile image (optional), role, and your appearance/notification preferences.
- Authentication data — a hashed password (if you sign up with email/password) and, if you sign in with Google, OAuth tokens and the Google account identifier.
- Session & technical data — session tokens, IP address, and browser user-agent, recorded when you are signed in.
- Content you create — conversations and messages (including content sent to our AI feature), briefings, projects, notifications, and related items, all linked to your account.
3. Why we use it and our legal basis (Art. 6 GDPR)
- To create and operate your account and provide the service — performance of a contract (Art. 6(1)(b)).
- To secure the service and prevent abuse (session/IP logging) — legitimate interests (Art. 6(1)(f)).
- To send transactional email (invites, password resets, email-change verification) — performance of a contract.
- To send optional product/notification emails — consent (Art. 6(1)(a)), which you can withdraw in Settings at any time.
4. AI processing
When you use the Discovery AI feature, the content of your conversation is sent to our AI sub-processor (OpenAI) to generate responses. Do not enter information you do not wish to be processed this way.
5. Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising or analytics cookies. See our cookie banner and {{ link to cookie section / settings }} for details.
6. Sub-processors and international transfers
We share personal data with the following processors. Some are located in the United States; transfers rely on the EU Standard Contractual Clauses and/or an adequacy mechanism.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting, logs | United States |
| Turso | Production database | United States |
| Google sign-in (OAuth) | United States | |
| Resend | Transactional email delivery | United States |
| Cloudflare R2 | Avatar / project-logo storage | United States / global |
| OpenAI | AI features (Discovery AI) | United States |
7. Data retention
We keep account data for as long as your account exists. When you request account deletion, your data is permanently erased after a 30-day grace period (see §9). Server logs are retained for the limited period set by our hosting platform and then deleted; no personal data is written to logs beyond that window. Session records expire and are removed automatically. Our internal data-retention reference (docs/references/data-retention.md) records the retention window for each data category.
8. Security
Passwords are stored hashed. Connections use HTTPS. Session cookies are secure, HTTP-only, and same-site protected. OAuth tokens are encrypted at rest.
9. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. In the app you can: edit your name and email and avatar (Settings → Account); export all your data (Settings → Account → Export); and request account deletion with a 30-day grace period. To exercise any other right, contact {{ privacy contact email }}. You also have the right to lodge a complaint with your supervisory authority.
10. Children
Bubweb is not directed at children under 16. We do not knowingly collect their data.
11. Changes
We may update this policy. Material changes will be communicated in-app or by email. The “Last updated” date above always reflects the current version.
12. Contact
{{ legal entity name }} — {{ registered address }} — {{ privacy contact email }} — Data Protection Officer: {{ DPO name / email, or "not appointed" }}.
See also: Terms of Service · Legal Notice.