Privacy Policy

Last updated: 2026-05-18

DRAFT — pending legal review. Generated from the codebase data inventory. Not legal advice. Must be reviewed and approved by a qualified lawyer before publication. Placeholders in {{ }} must be filled by the business.

1. Who we are

Bubweb (“we”, “us”) operates the Bubweb application. The data controller is {{ legal entity name }}, {{ registered address }}. For any privacy question, contact {{ privacy contact email }}.

2. Personal data we collect

  • Account data — email address (required), name and profile image (optional), role, and your appearance/notification preferences.
  • Authentication data — a hashed password (if you sign up with email/password) and, if you sign in with Google, OAuth tokens and the Google account identifier.
  • Session & technical data — session tokens, IP address, and browser user-agent, recorded when you are signed in.
  • Content you create — conversations and messages (including content sent to our AI feature), briefings, projects, notifications, and related items, all linked to your account.

3. Why we use it and our legal basis (Art. 6 GDPR)

  • To create and operate your account and provide the service — performance of a contract (Art. 6(1)(b)).
  • To secure the service and prevent abuse (session/IP logging) — legitimate interests (Art. 6(1)(f)).
  • To send transactional email (invites, password resets, email-change verification) — performance of a contract.
  • To send optional product/notification emails — consent (Art. 6(1)(a)), which you can withdraw in Settings at any time.

4. AI processing

When you use the Discovery AI feature, the content of your conversation is sent to our AI sub-processor (OpenAI) to generate responses. Do not enter information you do not wish to be processed this way.

5. Cookies

We use strictly necessary cookies for authentication and session management. We do not use advertising or analytics cookies. See our cookie banner and {{ link to cookie section / settings }} for details.

6. Sub-processors and international transfers

We share personal data with the following processors. Some are located in the United States; transfers rely on the EU Standard Contractual Clauses and/or an adequacy mechanism.

Sub-processorPurposeLocation
VercelApplication hosting, logsUnited States
TursoProduction databaseUnited States
GoogleGoogle sign-in (OAuth)United States
ResendTransactional email deliveryUnited States
Cloudflare R2Avatar / project-logo storageUnited States / global
OpenAIAI features (Discovery AI)United States

7. Data retention

We keep account data for as long as your account exists. When you request account deletion, your data is permanently erased after a 30-day grace period (see §9). Server logs are retained for the limited period set by our hosting platform and then deleted; no personal data is written to logs beyond that window. Session records expire and are removed automatically. Our internal data-retention reference (docs/references/data-retention.md) records the retention window for each data category.

8. Security

Passwords are stored hashed. Connections use HTTPS. Session cookies are secure, HTTP-only, and same-site protected. OAuth tokens are encrypted at rest.

9. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. In the app you can: edit your name and email and avatar (Settings → Account); export all your data (Settings → Account → Export); and request account deletion with a 30-day grace period. To exercise any other right, contact {{ privacy contact email }}. You also have the right to lodge a complaint with your supervisory authority.

10. Children

Bubweb is not directed at children under 16. We do not knowingly collect their data.

11. Changes

We may update this policy. Material changes will be communicated in-app or by email. The “Last updated” date above always reflects the current version.

12. Contact

{{ legal entity name }}{{ registered address }} {{ privacy contact email }} — Data Protection Officer: {{ DPO name / email, or "not appointed" }}.

See also: Terms of Service · Legal Notice.