Privacy policy

Effective date: 20 May 2026 · Contact: privacy@buyka.io

1. Who we are

«Buyka» (the «Service», «we», «us») operates the B2B marketplace at buyka.io for goods, services and investment opportunities in nanotechnology, robotics, green energy and other innovative segments.

This policy explains what personal data we process about visitors and registered users (buyers, suppliers, investors, innovators, administrators), why we process it, who we share it with, and what rights you have.

2. Data we collect

  • Account data: email, password hash (Argon2), locale, role.
  • Company data: legal name, VAT/TIN, country, KYC documents, beneficial-owner information (suppliers only).
  • Business activity: RFQs, quotes, deal records, messages, attachments, reviews, ratings.
  • Payment data: handled exclusively by Stripe — we store only metadata (subscription id, invoice id, last 4 of card).
  • Technical data: IP, user-agent, session cookies, audit log entries (login attempts, role changes, dispute actions).
  • AI usage: tokens consumed, scenario, model, latency, cost (kept 90 days).

3. Legal basis (GDPR Art. 6)

  • Contract performance — providing the marketplace, RFQs, deals, messenger, support.
  • Legal obligation — KYC (AML/CTF), tax invoices, sanctions screening.
  • Legitimate interest — fraud prevention, security audit, product improvement.
  • Consent — marketing emails, optional AI scenarios (revocable any time at /dashboard/settings).

4. How long we keep data

  • Financial / billing records: 7 years (regulatory).
  • Security audit log: 1 year.
  • General audit log: 90 days.
  • AI usage events: 90 days.
  • KYC documents: 5 years after the company's last activity.
  • Account data: until you request erasure (Art. 17) — see §8 below.

5. Who we share data with

We never sell personal data. We share only with sub-processors that help us run the platform under a Data Processing Agreement (DPA):

  • Payment: Stripe (USA, EU branch for EU customers).
  • KYC: Sumsub (EU) / Veriff (EU).
  • Email: Resend / Postmark.
  • SMS: Twilio.
  • AI: OpenAI Enterprise / Anthropic / DeepL Pro, each under a contractual zero-retention term (data_retention=0).
  • Cloud infra: AWS (EU residency for EU users).
  • Observability: Sentry (errors), Cloudflare (CDN/WAF).

6. International transfers

EU residents' data stays in eu-central-1 (Frankfurt) by default. Cross-border transfers (e.g. to OpenAI USA) rely on Standard Contractual Clauses (SCC, 2021/914) and our supplementary measures.

7. Cookies

We use the minimum cookies needed for authentication (buyka_refresh, buyka_session) plus optional analytics cookies that you control via the cookie banner. No advertising cookies, no third-party trackers.

8. Your rights (GDPR Art. 15–22, CCPA)

  • Access: GET /api/v1/compliance/export — JSON snapshot of everything we hold on you.
  • Rectification: edit your profile in the cabinet.
  • Erasure: DELETE /api/v1/compliance/account — soft delete + PII scrub (audit log retained per §4).
  • Restriction / objection: contact privacy@buyka.io.
  • Data portability: same export endpoint, machine-readable JSON.
  • CCPA «Do not sell or share»: POST /api/v1/compliance/do-not-sell or toggle in /dashboard/settings.
  • Right to lodge a complaint: with your local supervisory authority (e.g. EDPB in the EU).

9. Security

We use TLS 1.3 for data in transit, AES-256 encryption at rest for KYC documents, Argon2id for password hashes, OWASP Top 10 controls, and SAST (Semgrep) and DAST (OWASP ZAP) scans in CI. Our vulnerability disclosure policy is published at /security-policy.

10. Children

Buyka is a B2B service intended for legal entities and their representatives. We do not knowingly collect data from anyone under 16.

11. Changes

We announce material changes via email + an in-app banner at least 30 days before they take effect. Older versions are archived on request.