Privacy Policy
Placeholder text. Final Privacy Policy will be drafted before general availability.
This document is a placeholder. BIM will replace it with a formal Privacy Policy, drafted by counsel, before opening to the public. Until then, here is what we actually do with your data:
1. What we collect
Account data (email, password hash, OAuth identity if you sign in with a third party), application payloads and intake answers, profile data you approve for publication, messages between you and other users, auction bids, and payment metadata (PayPal order IDs — never card numbers).
2. What we encrypt
Application payloads, intake answers, and message bodies are encrypted at rest with a server-side key. The encryption key is separate from the database, so a database-only compromise does not reveal the plaintext of these fields.
3. Who can see what
Your profile visibility is your choice: fully public, matched-only, or hidden. Messages are only visible to you, the counterparty, and moderation staff when flagged. Auction bids are sealed — only the business and admin see them, only after the window closes.
4. Payments
All payments are processed through PayPal. BIM never sees or stores card numbers, bank accounts, or wire details. We receive only the status and the PayPal order identifier.
5. Third parties
We use Ably for real-time messaging transport (messages passing through their network are encrypted as described above), Google for OAuth sign-in (only if you choose), and PayPal for payment processing. We do not sell your data to any third party.
6. Data retention
Account data is retained as long as your account is active. On deletion request, personal data is removed within 30 days, with legally required records (payment ledger, audit log) retained for the minimum period required by law.
7. Your rights
You can request export, correction, or deletion of your personal data from the settings page. For residents of jurisdictions with specific privacy rights (GDPR, CCPA, etc.), those rights are honored to the extent those laws apply.
8. Contact
Privacy questions: contact the operator account inside the app once approved. A public contact address will be published alongside the final Privacy Policy.