1. Data we collect
Account data (email, hashed password, optional name); user content (projects, milestones, proofs, messages); technical metadata (IP, browser, login dates); payment data (handled by Stripe · we never store card numbers).
2. Purposes of processing
Provide the service; enable collaboration; send email notifications; bill; improve quality; detect abuse and fraud; respond to your requests.
3. Legal basis
Contract performance (Art. 6.1.b GDPR) for the service; legitimate interest (6.1.f) for security and improvement; consent (6.1.a) for marketing emails; legal obligation (6.1.c) for billing and accounting retention.
4. Data sharing
Your data is NEVER sold. Limited sharing to necessary subprocessors: Supabase (DB/file hosting), Resend (transactional emails), Stripe (payments). All under GDPR agreement with EU hosting.
5. Retention period
Active account: throughout usage. Account deletion: erased within 30 days, except legal obligations (billing: 10 years). Technical logs: 12 months max.
6. Your rights
You have rights of access, rectification, erasure, portability, opposition and limitation. Exercise them at dpo@oyeba.com or via Settings → Privacy. Response within 1 month.
7. Cookies
See our dedicated Cookie Policy. In summary: strictly necessary cookies (session, security) without consent; analytics cookies with explicit consent.
8. Security
TLS 1.3 in transit, AES-256 at rest. Hashed passwords (bcrypt). User data access restricted to technical team with strong authentication. Regular audits.
9. International transfers
No transfers outside the EU by default. If necessary (e.g. CDN), only to countries deemed adequate under GDPR, or via standard contractual clauses.
10. Contact & complaint
Data Protection Officer (DPO): dpo@oyeba.com. You can also file a complaint with your local data protection authority if you believe your rights are not respected.
11. KYC data for the marketplace
As part of the Oyeba marketplace, users wishing to become service providers are subject to a mandatory KYC (Know Your Customer) procedure. This procedure involves collecting the following data: (a) ID document (national ID, passport or other official document with photo), front and back if applicable; (b) selfie photo of the person holding their ID; (c) proof of address less than 3 months old (utility bill, accommodation certificate, etc.); (d) GPS coordinates at submission time (latitude, longitude, resolved country code). These data are stored encrypted in a private bucket on our self-hosted Supabase instance located in Germany (European Union), and are only accessible to the Oyeba administrator team via time-limited signed URLs (5 minutes). KYC documents are retained for 30 days after approval or rejection of the application, then automatically purged. Decision metadata (who decided, when, reason) is retained for 5 years for accounting and regulatory compliance purposes. The provider has at any time access, rectification, deletion and portability rights (see article 7).
12. Sharing with payment partners
To process marketplace payments, certain data is necessarily transmitted to our payment partners: (a) Stripe (UK / Ireland), a regulated Electronic Money Institution, receives the amount, currency, booking identifier, client's billing zip code, and the returned payment_intent_id; (b) PawaPay or Onafriq (depending on the provider's country), a mobile money aggregator, receives the provider's mobile money phone number, the net amount to pay, the local currency (XOF, CDF, etc.), and the booking identifier. No KYC document is transmitted to them. Stripe is PCI-DSS Level 1 compliant and applies its own privacy policy (stripe.com/privacy). PawaPay and Onafriq are pan-African companies authorized by local regulators (BCEAO, BCC, etc.) and apply their own policies. No other third party has access to the personal data of the client or the provider.
13. Cookies and marketplace tracking
The marketplace does not use additional cookies beyond those described in article 9. Stripe Checkout sessions are managed in redirect mode (no iframe or third-party browser tracker). For fraud prevention, a lightweight browser fingerprint may be collected during KYC submission (User-Agent, language, time zone, screen resolution). These data are anonymized after 30 days.
14. Self-Hosted Supabase data and sovereignty
Since 2026-06, Oyeba self-hosts its Supabase instance (PostgreSQL database, file storage, authentication) on a VPS based in Germany (Hostinger / Hetzner). This choice aims to guarantee user data sovereignty within the European Economic Area, in accordance with GDPR obligations. No user data (including KYC, project proof photos, messages, payments) is transferred to third-party services outside the EU, with the exception of the payment partners described in article 12 and Sentry (error monitoring, based in Germany) which does not receive PII (Authorization headers, cookies and identifiers are filtered before sending).