Bearicorn Privacy Policy

Bearicorn services – Bearicorn provides a self‑hosted chat, file storage and password manager. Customers can run the hub on our cloud infrastructure or deploy it on their own servers. Only session cookies are used to detect whether you are logged in; we do not use analytics or advertising cookies. Unless otherwise stated, references to “you” or “your” include visitors to our website, paying customers and users of our mobile applications.

Self‑hosted hub – When you deploy the hub yourself on‑premise, you act as the data controller for content stored in the hub. Like other self‑hosted services, we cannot access user‑generated data in a self‑hosted hub and there are no backdoors. Only you and those you authorize hold the encryption keys. For cloud‑hosted hubs, Bearicorn acts as a data processor on your behalf.

End‑to‑end encryption – Our hub encrypts messages, files and passwords on the client device before they are transmitted, and they are only decrypted on the recipient’s device. End‑to‑end encryption hides data from intermediaries and even from us; attackers monitoring traffic or compromising a server cannot access the content. When you upload files, the content remains encrypted and inaccessible to us.

Cookies – Cookies are small data packets stored on your device. Session cookies are deleted when you close the browser; some cookies may persist longer. Cookies are technically necessary to perform functions like keeping you signed in. We do not use analytics or advertising cookies.

Account information: When you create an account you provide your name and email address. We use this information to create and manage your account, authenticate you, communicate with you and provide access to the hub. Payment details: We use Stripe Checkout to process payments. Stripe collects payment data, including name, contact details, payment method details such as card numbers and purchase amounts. Bearicorn does not store or process your full credit‑ or debit‑card number. We receive transaction metadata such as the amount paid, currency and Stripe transaction ID so we can manage your subscription. Log files: Our servers automatically record minimal technical information such as IP address, browser type and page request timestamps when you access our website or cloud service. We use these logs for security purposes, to prevent abuse and to diagnose technical problems. We do not track activity inside your self‑hosted hub.

Support and communications: If you contact us via email, support ticket or otherwise we collect the information you provide to respond to your inquiry. We may also send service‑related messages, for example payment receipts, important security notices or changes to the Service.

Cookies usage: We use only technically necessary cookies. Session cookies keep you logged in and prevent you from having to sign in repeatedly. Cookies are stored on the basis of our legitimate interest in providing a secure and user‑friendly service. You can configure your browser to refuse cookies, but some features may not work correctly.

Mobile application data: Our mobile apps on Android and iOS use the same end‑to‑end encryption principles as the web service. We collect only the minimum information necessary to operate the app, such as device tokens for push notifications. Crash logs or anonymous diagnostics may be collected to improve app stability.

Data stored in your hub: All chat messages, files and passwords stored in the hub are encrypted on your device before being sent. Only you and those you share content with hold the keys to decrypt it; we cannot read or access your data. If you choose to run the hub on our cloud infrastructure, we store the encrypted data on servers located in secure data centres. You can also download a Docker image to run the hub on your own infrastructure; in that case the data never touches our servers.

We use your personal data to provide and maintain the Service, operate the website, create accounts, authenticate users, provide chat, file storage and password manager functionalities and deliver the hub either cloud‑hosted or self‑hosted. We process payments and manage subscriptions by sharing your registration and order details with Stripe to process payments. Stripe acts as a processor on our behalf and is contractually required to protect your data. We communicate with you to respond to your messages, send updates about your subscription, security alerts or changes to our Services. If you sign up for marketing communications, we will rely on your consent and you can opt out at any time. We use IP addresses and log data to ensure security and prevent misuse by detecting, preventing and mitigating fraud, security breaches, abuse or violations of our Terms. We retain transaction records to comply with legal obligations such as tax and accounting duties. We do not sell or rent your personal data. We do not use your data for behavioural advertising or build profiles for targeted advertising.

Under the GDPR we rely on the performance of a contract to process your registration and payment information to deliver the Service. We rely on legitimate interests, such as using necessary cookies and log data to provide and secure the Service, while balancing our interests against your rights and processing only what is necessary. We process data to comply with legal obligations, such as retaining transaction records to fulfil tax and accounting duties. For optional marketing communications or diagnostic and crash reporting in our apps we rely on consent, which you can withdraw at any time.

We share your personal data with payment processors, service providers and legal or regulatory authorities. We use Stripe Payments Europe Ltd. to handle card payments. During checkout we send Stripe your name, email and order details to process the payment. Stripe collects payment details including card numbers, expiration date, CVC and transaction amounts. Stripe acts as our processor and uses Standard Contractual Clauses for international transfers. You can find more information in Stripe’s privacy policy at stripe.com/privacy. We engage trusted service providers to host our website, send emails and provide support. These providers may process personal data on our behalf under confidentiality agreements. We may disclose personal data when required to comply with law, enforce our terms or protect our rights or the rights of others. We will notify you where legally permitted. We do not disclose or sell your encrypted hub content to any third party. Because of end‑to‑end encryption we cannot access the contents ourselves.

Bearicorn is based in Slovakia. We may transfer your personal data to countries outside the European Economic Area when we use service providers such as Stripe. To safeguard these transfers we rely on Standard Contractual Clauses or other approved mechanisms.

We retain your name, email address and transaction records as long as your account is active and for a limited period afterwards to meet legal obligations. When you delete your account, we will remove or anonymise your personal data, except where we must retain it for legal reasons. You control the lifecycle of your encrypted content. When you delete a message, file or password in the hub, it is removed from our servers for cloud‑hosted hubs after a short grace period. If you delete your account, all associated encrypted data will be scheduled for deletion. Session cookies expire when you log out or close your browser. You can delete cookies manually at any time.

You have rights under the GDPR and other data‑protection laws. You have the right to access your personal data and obtain confirmation that we process it. You have the right to request deletion of your personal data. You have the right to correct or update your personal data. You can withdraw consent where processing is based on consent. You may request that we restrict processing of your data under certain conditions. You may object to processing based on legitimate interest. You can request your personal data in a portable format. You also have the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us at privacy@hello.bearicorn.hello.com. We may require proof of identity to protect your privacy.

Our Services are not directed to children under the age of 13 or under the minimum age required by local law. We do not knowingly collect personal data from children. If we learn that a child has provided us with personal data, we will take steps to delete it. Parents or guardians who believe that a child has provided us with personal data may contact us at privacy@hello.bearicorn.hello.com.

Our website may contain links to third‑party websites or services that are not controlled by Bearicorn. We are not responsible for the privacy practices of these sites. We encourage you to read the privacy policies of every site you visit.

We may update this Privacy Policy to reflect changes in our Services or legal requirements. When we do, we will revise the effective date at the top and, if the changes are significant, notify you by email or through a notice on our website. Please review this policy periodically.

If you have questions or concerns about this Privacy Policy or our data practices, contact Bearicorn Privacy Team at privacy@hello.bearicorn.hello.com. We will respond to your request as soon as reasonably practicable.