Privacy Policy

Effective Date: March 12, 2025

DataPurposeStorage MethodNameDisplay inside the apps and personalize support communications.Encrypted at rest in Supabase.Email addressCreate/login to your account; deliver essential service and policy-change emails.Encrypted at rest in Supabase.Password (hashed & salted)Authenticate your login. We never store the plain-text password.Hashed with bcrypt and encrypted at rest. 

We do not collect analytics, location, device identifiers, payment data, or user-generated content.

• Operate, secure, and maintain our applications and websites.
   
• Send strictly necessary service emails (e.g., password-reset, security notices, policy updates).
  We never use your information for advertising, profiling, or any secondary purpose.
   

We rely on Contract Necessity (providing the service you request) and Legitimate Interests (maintaining security and communicating critical changes). We do not perform automated decision-making or “profiling” as defined by the GDPR.

• No sales or rentals. We do not sell, rent, trade, or “share” personal information for cross-context behavioral advertising (as defined by the California CPRA).
   
• Service infrastructure. Data is processed solely on our own systems hosted in U.S. data centers managed by Supabase. Supabase staff may access data only to the extent necessary to operate the platform and are bound by contractual confidentiality and security obligations.
   
• Legal or safety requirements. We will disclose information only if required by law or to protect the rights, property, or safety of our users or others.
   

We retain name, email, and hashed password for up to five (5) years after your last activity, or until you request deletion—whichever comes first. Deleted data is removed from live systems within 30 days and from encrypted backups within 90 days.

We employ industry-standard safeguards—including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, and Supabase row-level security—to protect your data from unauthorized access or alteration. We routinely audit access logs and vulnerability-scan our environment.

All users worldwide may exercise the rights below by emailing ourbestselfs@gmail.com. We will verify your request and respond within 30 days (45 days for some U.S. states, extendable once where legally permitted).

RightApplies toWhat it means for youAccess / KnowGDPR, CCPA/CPRA, VA VCDPA, CO CPA, CT DPA, UT UCPAReceive a copy of the personal data we hold.Delete / EraseSame as aboveHave your data permanently removed.CorrectGDPR, CPRA, VCDPA, CPA, CT DPAFix inaccurate information (e.g., new email).Data PortabilityGDPR, CPRAReceive your data in a machine-readable format (name and email are provided as plain text).Opt-out of Sale / SharingCPRA et al.Not applicable—we do not sell or share data.Non-discriminationCPRAWe will not deny service or change prices if you exercise your rights.Lodge a complaintGDPRContact your local Data Protection Authority. 

bestselfs.com and its apps are not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, email ourbestselfs@gmail.com and we will delete it.

If you reside outside the United States, you consent to your information being transferred to and processed in the U.S., where privacy laws may differ from those in your jurisdiction. We use Standard Contractual Clauses for any onward transfers required by law.

If we discover unauthorized access to personal data, we will notify affected users by email within 48 hours of confirmation and provide remediation details.

Material changes will be emailed to registered users and posted here at least 30 days before they take effect.

For privacy questions or requests, email ourbestselfs@gmail.com