πŸ”’ Legal

Privacy Policy

Last updated May 22, 2026

Overview

bio.re ("we", "us") is the controller of your personal data under GDPR, CCPA, and other applicable privacy laws. This Privacy Policy explains:

  • What data we collect and why
  • How we use, share, and protect it
  • Your rights and how to exercise them
  • How to contact us about privacy
In plain English: We collect only what's needed to run bio.re. We don't sell your data. We don't show ads. You control your data and can delete it any time.

Data We Collect

We collect data in three ways:

1. Data you provide

CategoryExamples
AccountEmail, password (hashed), username (handle), display name
ProfileBio, avatar, banner, social links
ContentLinks, DMs, uploaded images/videos
Payment (Creators)Bank account or Stripe Connect details, tax info (W-9/W-8BEN), KYC identity documents
Payment (Fans)Card last-4 via Stripe, billing address

2. Data we collect automatically

  • Usage data: Pages visited, clicks, session duration, device type, browser, approximate location (city-level via IP)
  • Cookies: Session cookies, preferences (see Cookie Policy)
  • Logs: IP address, timestamps, user agent (kept 90 days for security/fraud prevention)

3. Data from third parties

  • OAuth sign-in providers (Google, X, Apple) β€” name and email only
  • KYC providers (Sumsub) β€” identity verification status
  • Payment processor (Stripe) β€” transaction status and fraud signals

How We Use Your Data

We use your data to:

  • Provide the Services β€” create and maintain your account, process payments, deliver DMs
  • Improve features β€” analyze usage patterns (aggregated and anonymized)
  • Communicate β€” account notifications, security alerts, updates about new features
  • Prevent fraud & abuse β€” detect suspicious activity, enforce our Terms
  • Comply with law β€” respond to subpoenas, tax reporting, regulatory obligations

We do not use your data for advertising, profiling for marketing, or automated decision-making that significantly affects you.

PurposeLegal basis
Account & servicesContract (Art. 6(1)(b))
Payments & KYCLegal obligation (Art. 6(1)(c))
Fraud preventionLegitimate interest (Art. 6(1)(f))
Product improvementLegitimate interest (Art. 6(1)(f))
Marketing emailsConsent (Art. 6(1)(a)) β€” opt-in only

Data Sharing

We share data only when necessary:

  • Service providers: Stripe (payments), Sumsub (KYC), Postmark (email), Cloudflare (CDN/security), PostHog (analytics) β€” all bound by data processing agreements
  • Legal: When required by law, subpoena, or to protect rights and safety
  • Business transfers: If bio.re is acquired or merged, data transfers to the new entity (with equal privacy protections)
  • With your consent: Anytime you explicitly authorize (e.g., connecting a third-party app)

We never sell or rent your personal data. We don't share it with advertisers.

Data Retention

DataRetention
Account data (active)While account exists
Account data (after deletion)30-day grace period, then deleted
Financial records7 years (tax/regulatory)
Server logs90 days
Backups35 days rolling
Deleted messages30 days in backups, then purged

Security

We take security seriously:

  • Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Passwords hashed with bcrypt (12+ rounds)
  • Two-factor authentication (TOTP) available and encouraged
  • Regular security audits and penetration testing
  • SOC 2 Type II compliance (in progress)
  • Bank-level PCI DSS compliance for payments (via Stripe)

Report security issues to hi@bio.re. See our Security page.

Your Rights

Depending on your location, you have the right to:

  • Access β€” request a copy of your data (we provide JSON export)
  • Rectify β€” correct inaccurate data
  • Erase β€” delete your account and data ("right to be forgotten")
  • Restrict β€” limit how we process your data
  • Portability β€” receive your data in a portable format
  • Object β€” opt-out of processing based on legitimate interest
  • Withdraw consent β€” where consent is the legal basis

Exercise these rights from Settings > Privacy or email hi@bio.re. We respond within 30 days.

California residents: You have additional rights under CCPA. See our California Privacy Notice linked above.

Children

bio.re is not for anyone under 18. We do not knowingly collect data from minors. If we learn a user is under 18, we delete their account and data immediately. Parents who suspect their child is using bio.re should contact hi@bio.re.

International Transfers

bio.re is operated by MENSO DIGITAL LTD, based in the United Kingdom. Data is processed primarily in the UK and EU (Frankfurt). For transfers outside the UK/EEA, we rely on the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs) as applicable.

UK and EU users: Your data receives equivalent protections regardless of where it's processed.

Changes to This Policy

We'll notify you via email and in-app banner at least 14 days before material changes take effect. You can see the full change log by clicking the version number at the top of this page.

Contact the Data Protection Officer

  • Email: hi@bio.re
  • Company Name: MENSO DIGITAL LTD
  • Company Number: 17010102
  • Data Protection Registration Certificate: ZC089517
  • Address: Suite 10477 5 Brayford Square, London, United Kingdom, E1 0SG

If we can't resolve your concern, you have the right to lodge a complaint with your local data protection authority.

← Previous
πŸ“œ Terms of Service
Next β†’
πŸͺ Cookie Policy