Skip to content
NegotiaNegotia

Privacy Policy

DRAFT — not legal advice

This page is a working draft used during Negotia’s user-acceptance testing phase. It has not been reviewed by qualified legal counsel in any jurisdiction and must not be relied upon for binding commitments. Awaiting counsel review as of 2026-05-09.

Last updated: 2026-05-09.

1. Who we are

Negotia (“we”, “us”) is the data controller for personal data processed via the Service. Contact: privacy@negotia.test.

2. Data we collect

  • Account data: name, email, phone, password (hashed), locale, timezone.
  • Verification data: ID documents, selfies, proof of address (only as required for KYC).
  • Transactional data: negotiations, offers, messages, contracts, payment proofs.
  • Technical data: IP address, user agent, device identifiers, log data.
  • Optional: profile photo, bio, preferences.

3. Lawful bases (GDPR Art. 6)

  • Contract performance — for account, negotiations, payments, contracts.
  • Legal obligation — KYC/AML, tax, audit retention.
  • Legitimate interest — fraud prevention, security, product analytics (aggregated).
  • Consent — marketing emails, optional features (revocable any time).

4. How we share data

We share personal data only with:

  • Counterparties in your negotiations (limited to information necessary for the transaction).
  • Service providers (cloud hosting, email, KYC verification, payment processors) under data processing agreements.
  • Authorities when legally compelled.

We do not sell personal data.

5. International transfers

Where data leaves your region (e.g. EEA), we rely on Standard Contractual Clauses or equivalent safeguards.

6. Retention

  • Account data: while your account is active + 12 months after closure.
  • Executed contracts and payment records: 7 years (regulatory).
  • KYC documents: as required by AML law (typically 5 years).
  • Audit logs: 6 months minimum.

7. Your rights

You have the right to:

  • Access your data — GET /api/v1/auth/me/data-export (also via Settings → Privacy).
  • Rectify inaccurate data — Settings → Profile.
  • Erase your account — DELETE /api/v1/auth/me (also via Settings → Delete account).
  • Restrict or object to processing — contact us.
  • Data portability — JSON export (above).
  • Lodge a complaint with your supervisory authority.

8. Security

We use TLS in transit, encryption at rest, access controls, audit logging, and regular security testing. Passwords are bcrypt-hashed. Refresh tokens are stored hashed and rotated on use. We do not store payment card numbers; payments are handled by PCI-DSS-compliant processors.

9. Cookies

Essential cookies only by default. See Cookie Policy for details.

10. Children

The Service is not directed to children under 18.

11. Changes

Material changes will be notified by email at least 30 days in advance.