Privacy Policy

Last updated: April 25, 2026

1. Information We Collect

1.1 Account Information

When you register, we collect your name, email address, and password (hashed with bcrypt). If you sign in via GitHub or Google OAuth, we receive your public profile information from those providers.

1.2 Professional Profile

Facilitators provide skills, bio, portfolio URL, AI tooling stack, availability, hourly rate, and years of experience during onboarding. Clients provide company name, type, and project preferences.

1.3 Financial Information

Payment processing is handled entirely by Stripe. We store your Stripe Account ID and Stripe Customer ID for payment routing. We do not store credit card numbers, bank account details, or other sensitive financial data.

1.4 API Keys (BYOK)

Users who opt into the Bring Your Own Key feature provide API keys for third-party AI providers. These keys are encrypted at rest using AES-256-GCM with a master key stored in environment variables. Keys are only decrypted in-memory at the moment of API invocation.

1.5 Usage Data

We collect standard server logs including IP addresses, browser type, and pages visited for security and performance monitoring.

2. How We Use Your Information

  • Providing and operating the marketplace platform
  • Processing payments via Stripe Connect
  • Generating AI-assisted Statements of Work and bid scorecards (using your BYOK keys or platform-level API access)
  • Vector-matching Facilitators to projects using expertise embeddings
  • Sending transactional emails (escrow funded, milestone approved, dispute opened)
  • Dispute resolution and AI fact-finding analysis
  • Security monitoring and fraud prevention

3. Third-Party Processors

We share data with the following processors, strictly for operational purposes:

  • Stripe — Payment processing, escrow, and identity verification
  • Resend — Transactional email delivery
  • Vercel — Application hosting and edge rendering
  • OpenAI / Anthropic / Google— AI model inference (only when triggered by user actions, using the user's own API keys or platform keys)
  • Supabase / PostgreSQL — Database storage (encrypted at rest)

4. Data Retention

Account data is retained for the duration of your active account. Project data, milestone records, and payment references are retained for 7 years to comply with financial record-keeping obligations. You may request account deletion at any time (see Section 5).

5. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you have the right to:

  • Access — Request a copy of all personal data we hold about you
  • Rectification — Correct inaccurate personal data
  • Deletion — Request deletion of your account and personal data
  • Portability — Receive your data in a structured, machine-readable format
  • Objection — Object to processing of your data for specific purposes

To exercise any of these rights, contact us at privacy@beuntethered.com. We will respond within 30 days.

6. Cookies

We use essential cookies onlyfor authentication session management (NextAuth.js session tokens). We do not use advertising cookies, analytics cookies, or third-party tracking scripts. Your cookie consent preference is stored in your browser's local storage.

7. Security

We implement industry-standard security measures including: encrypted data at rest, AES-256-GCM encryption for API keys, bcrypt password hashing with 12 salt rounds, HTTPS-only communication, and regular security audits.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users. The “Last updated” date at the top of this page reflects the most recent revision.

9. Contact

For privacy-related inquiries, contact our Data Protection team at privacy@beuntethered.com.