Privacy Policy

1. Controller and scope

BeLocal is operated by DIGITALWIND LTD, a company registered in Cyprus under registration number HE 454186. For the purposes of the General Data Protection Regulation (EU) 2016/679, DIGITALWIND LTD acts as the controller for personal data processed through the BeLocal marketing site, application, account area, and related support and billing workflows.

This notice covers personal data relating to visitors, account users, prospective customers, customer contacts, and individuals whose data is included in support or billing interactions. It does not change your separate obligations when you use BeLocal to process your own end-user content.

2. Contact details

You can contact us about privacy matters at any time:

• Email: bobredobre@belocal.dev
• Postal address: Makariou III & Vyronos, P. LORDOS CENTER, BL B, Floor 2, Office 203, 3105 Limassol, Cyprus

If we need to confirm your identity before acting on a request, we may ask for limited additional information for that purpose.

3. Categories of personal data we collect

• Account and identity data: email address, account identifiers, authentication status, and profile details made available through sign-in methods you choose.
• Authentication and security data: session information, login attempts, OTP events, JWT-based access cookie data, IP address, user agent, and security logs.
• Service usage data: project names, project descriptions, translation requests, managed translation content, usage counters, error logs, and operational metadata.
• Billing and commercial data: selected plan, subscription status, invoices, payment method setup status, billing history, and related Stripe metadata. We do not store full payment card numbers.
• Communication data: messages sent to support, sales, or other contact channels and the contact details included in those messages.
• Preference data: appearance preference stored locally in your browser only after you explicitly change the color theme in the app.

4. Sources of personal data

• Directly from you when you create an account, sign in, contact us, or use the service.
• From third-party sign-in providers if you choose them, for example Google OAuth.
• Automatically from your device and browser when you access the website or app, such as IP address, user agent, and authentication/session events.
• From payment service providers and processors, including Stripe, in connection with billing and subscription administration.

5. Purposes of processing and legal bases

Where we rely on legitimate interests, those interests include securing the service, preventing abuse, supporting customers, and operating the business efficiently.

6. Whether you must provide data

Some data is necessary for us to provide the service. For example, without an email address or another supported sign-in method we cannot create or maintain your account, and without billing-related data we cannot provide paid subscriptions. If you choose not to provide required information, parts of the service may be unavailable.

7. Recipients and categories of recipients

• Hosting, infrastructure, storage, and CDN providers acting on our instructions.
• Authentication and email-delivery providers used for account access workflows.
• Payment and billing service providers, including Stripe.
• AI and language-processing providers used to complete translation requests, such as OpenAI, where applicable to the requested processing flow.
• Professional advisers, auditors, regulators, and authorities where required.

We require processors to act under contract and to process personal data only on documented instructions where they act on our behalf.

8. International transfers

Our primary service operations are designed around infrastructure in the European Union. Some providers we use, particularly for AI or payments, may process data outside the European Economic Area, including in the United States. When this occurs, we use an appropriate transfer mechanism under the GDPR, such as an adequacy decision where available or the European Commission's Standard Contractual Clauses together with supplementary measures where appropriate.

9. Retention

• Account data is kept while your account remains active and for a limited period afterward where reasonably necessary.
• Project and translation data is kept until you delete it or ask us to remove it, subject to backup and legal retention constraints.
• Authentication and security logs are retained for as long as reasonably necessary to secure the service and investigate incidents.
• Billing and invoice records are retained for the period required by applicable tax, accounting, and corporate law.
• Support correspondence is retained for as long as necessary to resolve the matter and maintain an auditable support history.

We may retain limited information longer where required to establish, exercise, or defend legal claims.

10. Cookies and similar technologies

We use a small number of cookies and browser storage mechanisms to keep users signed in and, if the user explicitly chooses, remember a visual theme preference. For more detail, including retention and purpose, see our Cookie Notice.

11. Your rights

Subject to the GDPR and applicable limitations, you may have the right to:

• request access to your personal data;
• request correction of inaccurate or incomplete data;
• request deletion of personal data;
• request restriction of processing;
• object to processing based on legitimate interests;
• receive a portable copy of data you provided to us where applicable;
• withdraw consent where processing depends on consent.

You can exercise these rights by emailing bobredobre@belocal.dev.

12. Complaints

If you believe your data protection rights have been infringed, we encourage you to contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with your local supervisory authority. Our lead supervisory authority is generally expected to be the Cyprus Office of the Commissioner for Personal Data Protection. Information is available at www.dataprotection.gov.cy .

13. Automated decision-making

We do not use your personal data to make decisions producing legal or similarly significant effects solely by automated means within the meaning of Article 22 GDPR.

14. Security

We use measures appropriate to the risk, including HTTPS, access controls, authentication safeguards, logging, and routine operational updates. No system is completely immune from risk, so we cannot guarantee absolute security.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make a material change, we will update the date above and, where appropriate, provide additional notice in the service or through another reasonable channel.