Privacy Policy
Last updated: [PLACEHOLDER: date]
Draft — requires professional legal review
1. Who we are
This Privacy Policy explains how [Company legal name] (“BackerCove”) collects, uses, shares, and protects personal data when you use the Service. For the purposes of applicable data-protection law, BackerCove is the controller of the personal data described here. If you have questions, contact us at [Legal/contact email].
2. Data we collect
We collect the following categories of personal data:
- Account data — name, email address, password (stored only as a salted hash; we never store passwords in plain text), role (Backer or Creator), country, and verification status.
- Profile data — display name, photo, interests, preferred categories and platforms, and, for creators, business/brand name, website, and campaign experience.
- Submission data — the campaign information, media, promotion details, and messages you provide when submitting or managing a project.
- Payment data — when you buy a Boost package or the paid Campaign Strategy Session, payment is handled by Stripe. We receive limited billing and transaction metadata (such as amount, status, and a payment reference) but not your full card number.
- Discord connection data — if you connect Discord via OAuth, we store your Discord user ID and connection status and hold OAuth access/refresh tokens in encrypted form to manage your server role. We do not receive or store your Discord password.
- Usage, device, and support data — log data, IP address, browser/device information, actions taken on the Service, cookie identifiers, and the contents of messages you send us.
3. How we use data
We use personal data to: create and secure your account; operate the directory, dashboards, and community features; process and track paid purchases and refunds; provision Discord roles; schedule and manage consultations; send transactional messages and, where permitted, announcements; provide support; personalize recommendations; measure and improve the Service with privacy-conscious analytics; prevent fraud and abuse; and comply with legal obligations. We do not sell your personal data.
4. Legal bases for processing
Where data-protection law (such as the GDPR or UK GDPR) applies, we rely on: performance of a contract (to provide the Service you request); legitimate interests (to secure, operate, analyze, and improve the Service and prevent abuse, balanced against your rights); consent (for non-essential cookies and certain communications, which you may withdraw at any time); and legal obligation (to meet tax, accounting, and other legal requirements).
5. Sharing & service providers
We share personal data only as needed to run the Service, with processors bound by contract to protect it, including:
- Stripe — payment processing and billing.
- Resend — transactional and community email delivery.
- Cal.com — consultation scheduling and bookings.
- Discord — community server access and role assignment.
- Hosting, storage, and media/upload providers — to run the application and store uploaded files.
- Privacy-conscious analytics providers — to understand aggregate usage.
We may also disclose data to comply with law, enforce our Terms, protect rights and safety, or in connection with a merger, acquisition, or asset sale (with notice where required). We do not sell your personal data and do not share it for cross-context behavioral advertising.
6. Cookies
We use cookies and similar technologies for authentication, preferences, and analytics. See our Cookie Policy for the categories we use and how to control them.
7. Data retention
We keep personal data only as long as needed for the purposes described here — for the life of your account and afterward as required to meet legal, tax, accounting, dispute-resolution, and security obligations, or in limited backups. When data is no longer needed, we delete or anonymize it. Deleting your account triggers a two-phase deletion (an initial removal followed by a purge of residual data), subject to any retention the law requires.
8. Security
We use technical and organizational measures appropriate to the risk, including encryption in transit, hashed passwords, encrypted storage of sensitive tokens, access controls, CSRF protection, rate limiting on authentication endpoints, and server-side validation of uploads. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to notify affected users and regulators of breaches where the law requires.
9. International transfers
We and our processors may process personal data in countries other than your own, including the United States and the [Governing law jurisdiction] region. Where we transfer personal data across borders, we rely on appropriate safeguards, such as standard contractual clauses or an adequacy decision, as required by applicable law.
10. Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or object to the processing of your personal data, to data portability, and to withdraw consent. BackerCove provides self-service tools in your account settings to export your data and to delete your account. To exercise other rights, or if you are unable to use the self-service tools, contact us at [Legal/contact email]. You also have the right to complain to your local data-protection authority. We will not discriminate against you for exercising your rights.
11. Children's privacy
The Service is intended for adults and is not directed to children under the age required to consent to online services in your jurisdiction. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
12. Contact & data protection
For any privacy question or request, contact us at [Legal/contact email], or write to [Registered / notice address]. [Data Protection Officer / EU or UK representative details, if required — to be confirmed by the owner.]
Questions about this policy? Contact us.