Privacy Policy

Last updated: 24 March 2026

1. Introduction

This Privacy Policy explains how Yubizzle, operated by Mohamad Salam ("we", "us", "our"), collects, uses, stores, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and Belgian data protection law. By using the App, you acknowledge that you have read and understood this Policy.

2. Data Controller

The data controller responsible for your personal data is a private individual operating the Yubizzle platform. Yubizzle is not a registered company or legal entity. The data controller is:

3. Data We Collect

We collect and process the following personal data:

Account data:

• Full name
• University email address
• Password (stored as a secure hash — never in plain text)
• University affiliation (derived from your email domain)

Content data:

• Listings you create (title, description, price, category, condition)
• Photos you upload to listings
• Messages and chat content exchanged with other users
• Reviews and ratings you submit or receive

Technical data:

• IP address (for security and abuse prevention)
• App usage events (login, listing views, messages sent — for analytics)
• Device type and operating system (via standard app telemetry)

4. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

• To provide and operate the App — performance of contract (Art. 6(1)(b) GDPR)
• To verify your student eligibility — performance of contract (Art. 6(1)(b))
• To send email verification and transactional notifications — performance of contract (Art. 6(1)(b))
• To moderate content and prevent abuse — legitimate interests (Art. 6(1)(f))
• To analyse usage and improve the platform — legitimate interests (Art. 6(1)(f))
• To comply with legal obligations — legal obligation (Art. 6(1)(c))

5. Third-Party Services (Data Processors)

We use the following third-party services to operate the App. Each acts as a data processor under GDPR:

• Neon (neon.tech) — PostgreSQL database hosting. Servers located in the EU (AWS eu-west-1). Stores account data, listings, and messages.
• Cloudinary (cloudinary.com) — Image hosting and delivery. Stores listing photos you upload. Servers may be located outside the EU; Cloudinary is compliant with GDPR standard contractual clauses.
• Resend (resend.com) — Transactional email delivery. Used to send verification and notification emails. Processes your email address only.
• Render (render.com) — Backend application hosting. Processes requests and serves the API. Servers located in the EU region.

We do not sell your personal data to any third party. We do not use your data for advertising purposes.

6. Data Retention

• Account data: retained for the duration of your account and deleted within 30 days of account closure.
• Listing and message data: retained while your account is active and for up to 90 days after deletion.
• Analytics events: retained for up to 12 months, then anonymised or deleted.
• Legal obligations may require us to retain certain data for longer periods.

7. Data Security

We implement appropriate technical and organisational security measures including:

• Passwords stored as bcrypt hashes (never plain text)
• All data transmitted over HTTPS/TLS encryption
• JWT tokens for authenticated API access
• IP-based rate limiting and abuse prevention
• Access controls limiting data access to authorised personnel only

No method of transmission or storage is 100% secure. In the event of a data breach, we will notify affected users and the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) within 72 hours as required by GDPR.

8. International Data Transfers

Your data is primarily stored within the EU. Where data is processed outside the EU (e.g. Cloudinary CDN), we ensure appropriate safeguards are in place including Standard Contractual Clauses (SCCs) as required under GDPR Chapter V.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of access — request a copy of your personal data
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure — request deletion of your data ("right to be forgotten")
• Right to restriction — limit how we process your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent

To exercise any of these rights, contact us at yubizzle@outlook.com. We will respond within 30 days. You also have the right to lodge a complaint with the Belgian Data Protection Authority: www.gegevensbeschermingsautoriteit.be

10. Children's Privacy

The App is intended for university students aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has registered, please contact us immediately.

11. Cookies and Tracking

The mobile App does not use cookies. We collect limited usage analytics (events such as logins and listing views) to improve the platform. This data is not linked to advertising profiles and is not shared with third-party advertisers.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified via the App or by email to your registered address. Continued use of the App after changes constitutes acceptance of the updated Policy.

13. Contact and Complaints