Privacy Policy

BlueberryS Digital s.r.o. (hereinafter the „operator" or „we") operates the OnlineHelp platform available via the web app (onlinehelp.vercel.app) and the OnlineHelp mobile app.

Registered office: (to be filled in from company register) Company ID: (to be filled in) Email: privacy@blueberrysdigital.com

On registration and use:

• Name, email, phone (if you provide them)
• Password — stored as a bcrypt hash; never in plain text
• Country, city, profession (optional profile fields)
• Bio, certifications, social links (optional)

In communication:

• Ticket and chat message content between you and the expert
• Attachments (photo, video, audio)
• Payment history (amount, date, type — not card numbers)

Collected automatically:

• IP address (for rate-limiting and security)
• Device info (model, OS, app version)
• Push notification tokens (if you allow notifications)
• Activity logs for security audit

Credit card numbers are stored exclusively by our payment partner Stripe (PCI DSS Level 1 certified). We only see anonymized Stripe IDs — never the card number, CVC, or expiry.

Processing happens on these legal bases (GDPR Art. 6):

• Performance of a contract (Art. 6 (1) (b)) — without data you can't use the service. Email + password for sign-in, provider IBAN for payouts, etc.
• Legal obligation (Art. 6 (1) (c)) — accounting records for payments must be kept for 10 years.
• Legitimate interest (Art. 6 (1) (f)) — protection against abuse (audit logs, IP rate limiting).
• Consent (Art. 6 (1) (a)) — push notifications, marketing emails. You can withdraw at any time.

Third parties we transfer necessary data to in order to operate:

• Stripe Inc. (USA, EU office in Dublin) — payment processing. Adequate protection via Standard Contractual Clauses.
• Resend (USA) — sending email notifications.
• Railway (USA) — backend and database hosting. Data is in the EU region (Frankfurt).
• Vercel (USA) — web app hosting. Edge nodes globally.
• Expo (USA) — push notifications for the mobile app.

We do not share or sell your personal data to anyone else — including advertising networks.

• Active profile — as long as you have an account (you can delete it any time in your profile).
• After account deletion — personal data is deleted (or anonymized); transactional records remain anonymized for 10 years (legal obligation).
• Magic link tokens — 30 minutes.
• Session tokens — 30 days.
• Audit logs — 12 months.

As a data subject you have the right to:

• Access (Art. 15) — request a copy of all data we hold about you. Email privacy@blueberrysdigital.com.
• Rectification (Art. 16) — you can edit your profile data at any time.
• Erasure (Art. 17) — via the „Delete account" button in your profile. We anonymize transaction records that we cannot delete (Accounting Act).
• Restriction of processing (Art. 18) — contact us.
• Data portability (Art. 20) — request an export of your data.
• Objection (Art. 21) — especially to marketing.
• Withdrawal of consent at any time (push notifications, emails).
• Lodge a complaint with the Slovak Office for Personal Data Protection.

We apply these measures:

• HTTPS for all communications
• Passwords as bcrypt hashes (cost 10), checked against the database of known breaches (Have I Been Pwned)
• Magic links and session tokens stored as SHA-256 hashes
• Rate limiting on sign-in attempts
• HttpOnly + SameSite cookies on the web
• Hardware-protected token storage on mobile (Keychain / Keystore)
• No credit card numbers on our servers (handled by Stripe)

We use minimal cookies — only those essential for sign-in (HttpOnly session cookie). No tracking or ad cookies. Details in the cookie policy.

We will notify you of any material change by email and in the app. The most recent version is always available here.

Questions or requests about your data: privacy@blueberrysdigital.com. We respond within 14 days (statutory deadline 30 days).