_Last updated: [DATE]_
Hashtags Studios ("we", "us") is the data controller for the personal data described here. We operate from Dubai, United Arab Emirates, and process personal data in line with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). Where users are located in the EU/EEA or UK, we also align our practices with the GDPR. This policy explains what we collect, how we use it, who can see it, how long we keep it, and the rights you can exercise.
## 1. What we collect
**At signup** — name, email, phone number, password (stored as a bcrypt hash, never plaintext), account type (TALENT / COMPANY / MEMBER), and for talents and companies: discipline, sub-category, location, services offered, and basic profile fields.
**KYC documents** — passport / Emirates ID / company trade license / selfies, uploaded for identity verification. KYC documents are encrypted at rest, accessed only by the SUPPORT / FULL admin tier for face-match review, and never shipped to public profile responses.
**Operational data** — bookings, offers, jobs you post or apply to, transactions (Stripe IDs only — we do not store full card numbers), messages between platform users, notifications, reviews, reports, wishlist + saved searches.
**Audit + security data** — sign-in IP / user agent, failed login counts, token version, account lockout timestamps, rate-limit counters.
## 2. How we use it
To run the platform: authenticate you, route bookings + payments, send notifications + email receipts (via Resend), translate public content (via Google Translate), and prevent fraud. KYC data is used only for identity verification + admin moderation; we do not use document OCR for marketing.
Our legal bases for processing are: **performance of a contract** (operating your account, bookings, payouts), **legal obligation** (KYC / anti-money-laundering, tax and accounting record-keeping), **legitimate interests** (fraud prevention, platform security, anonymised analytics), and **consent** (non-essential cookies and optional marketing communications, which you can withdraw at any time).
## 3. What stays sealed
Talent contact info (email, phone, full name) is sealed from companies until a Work Contract is signed. Company identity is sealed from talents on the public job feed (postings render as "Hashtags posted a job" or anonymised by company sub-type). Admin notes, internal flags, parent contact info (for under-18 talents), payout IBAN / bank details, and basic credit balances never appear on public surfaces.
## 4. Third-party processors
- **Stripe** — payments (Checkout, Connect transfers), identity verification, refunds. Stripe's privacy policy applies to data they process on our behalf.
- **Resend** — transactional email delivery.
- **Google Translate (google-translate-api-x)** — public content auto-translation across 30+ locales.
- **Hostinger** — hosting + MySQL database (UAE region).
- **Cloudflare / image CDN** — public image delivery.
We do not sell user data to third parties for advertising or any other purpose.
## 5. Cookies
See the dedicated Cookies policy. We use session cookies for authentication, locale cookies for language preference, and feature-flag cookies for UI rollouts. No third-party tracking cookies are loaded by the platform itself.
## 6. Retention
Active accounts: data retained while the account is active. After account closure: PII is anonymised within 90 days, except where retained for legal, tax, or fraud-prevention reasons (financial records retained 7 years per UAE accounting standards).
## 7. Your rights
- **Access** — request a copy of your data via /contacts.
- **Correction** — edit your profile in your dashboard, or request a correction for fields you can't self-edit.
- **Deletion** — request account deletion via /contacts. We honour requests within 30 days, subject to legal retention obligations.
- **Portability** — talent profile + booking history exports are available on request.
- **Withdrawal of consent** — disable optional notifications + analytics from your settings, or decline non-essential cookies in the cookie banner.
- **Objection + restriction** — object to, or ask us to restrict, processing based on legitimate interests.
- **Complaint** — you may lodge a complaint with the UAE Data Office (or, if you are in the EU/EEA/UK, your local supervisory authority) if you believe your data has been mishandled.
We do not make solely-automated decisions that produce legal or similarly significant effects about you without human review.
## 8. Children
Talents under 18 require parental approval. Members must be at least 13. We do not knowingly collect data from anyone under 13.
## 9. International transfers
Data may be processed by our third-party processors (Stripe, Resend, Google Translate) in the EU, US, and other regions where they operate. We rely on the processors' contractual safeguards (DPAs, standard contractual clauses) for these transfers.
## 10. Changes + contact
Material changes are announced in-app + by email at least 14 days before they take effect. Questions: privacy@hashtags.studios (or via /contacts).