Legal

Privacy Policy

Last updated: 6 June 2026 · Version 1.0

1. Who We Are

Hibiso ("we", "us", "our") operates an online marketplace that connects travel content creators with brands seeking user-generated content (UGC). This Privacy Policy explains how we collect, use, share, and protect personal data when you use our platform at hibiso.eu and its associated applications.

We are the data controller for the personal data described in this policy. If you have questions, please contact us at contact@hibiso.eu.


2. What Data We Collect

2.1 Account & Identity Data

  • Full name, email address, and password (stored in hashed form)

  • User role (creator or brand)

  • Account creation date and last login

2.2 Creator Profile Data

  • Biography, niche categories, and portfolio information

  • Social media profile links and handles (Instagram, TikTok, YouTube, etc.)

  • Profile photograph and introduction video

  • Service packages and pricing

  • Onboarding status and completion steps

2.3 Brand Profile Data

  • Company name, description, and industry

  • Product catalogue entries

  • Subscription and billing status

2.4 Campaign & Contract Data

  • Campaign details, briefs, deliverable requirements, and timelines

  • Applications submitted to campaigns

  • Contract content, negotiated terms, and e-signatures (typed or drawn)

  • Deliverables submitted (files, links, media)

  • Review and rating content written after completed collaborations

2.5 Payment & Financial Data

  • Stripe customer and payment identifiers

  • Stripe Connect account identifiers (creators)

  • Transaction amounts, fees, and payment status records

  • Payout request history and earnings records

  • We do not store raw card numbers or full bank account details — these are held directly by Stripe

2.6 Communications Data

  • Messages sent between creators and brands via our in-platform chat

  • In-app notifications

  • Emails sent to you as part of onboarding reminders and transactional communications

2.7 Technical & Usage Data

  • IP address, browser type, and device information

  • Pages visited and features used within the platform

  • Authentication tokens (short-lived access tokens, refresh tokens stored as HTTP-only cookies where applicable)

  • Log data and error reports

2.8 Files & Media

  • Profile images and intro videos uploaded to our platform

  • Campaign poster images and brief documents

  • Deliverable files submitted by creators

  • PDF documents you upload (e.g. contract attachments)


3. How We Use Your Data

PurposeLegal Basis (GDPR Art. 6)Creating and managing your accountContract performanceMatching creators with brands and displaying profilesContract performance / Legitimate interestsFacilitating campaigns, applications, and contractsContract performanceProcessing payments and managing escrowContract performancePaying out creator earnings via Stripe ConnectContract performanceSending transactional emails (onboarding, notifications)Contract performanceSending platform reminders and usage communicationsLegitimate interestsStoring and serving uploaded files and mediaContract performanceDetecting and preventing fraud or abuseLegitimate interestsComplying with legal and regulatory obligationsLegal obligationImproving and developing the platformLegitimate interests

We do not use your personal data for automated decision-making that produces significant legal effects without human review.


4. Who We Share Your Data With

We share data only where necessary and with appropriate contractual protections in place.

4.1 Other Platform Users

  • Creator profiles are visible to registered brands for discovery and campaign purposes. This includes your bio, niche, social links, service packages, and portfolio.

  • Brand profiles and campaigns are visible to creators browsing available opportunities.

  • Contract parties can see each other's agreed contract terms, signatures, and submitted deliverables.

4.2 Service Providers (Data Processors)

ProviderPurposeLocationStripePayment processing, subscriptions, creator payouts via Stripe ConnectUSA (EU-adequacy mechanisms apply)Amazon Web Services (AWS S3)Secure file storage (profile images, videos, briefs, deliverables, PDFs)EU region where possibleBrevo (Sendinblue)Transactional email delivery (onboarding reminders, notifications)EUMongoDB AtlasDatabase hostingEU region where possible

4.3 Legal & Regulatory Disclosure

We may disclose your data to law enforcement or regulatory bodies where required by law, court order, or to protect the rights and safety of our users or the platform.

4.4 Business Transfers

If Hibiso is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify affected users before any such transfer and provide options where required by law.

We do not sell personal data to third parties.


5. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). Where we transfer personal data internationally, we rely on:

  • EU Standard Contractual Clauses (SCCs)

  • Adequacy decisions issued by the European Commission

You can request details of the specific transfer mechanisms in place by contacting contact@hibiso.eu.


6. Data Retention

We retain your data for as long as your account is active or as needed to provide our services. Specific retention periods:

Data TypeRetention PeriodAccount dataDuration of account + 2 years after deletionContract and transaction records7 years (legal/tax obligation)Chat messages2 years from last activityUploaded deliverables1 year after contract completionProfile images and mediaDuration of accountPayment records7 years (financial compliance)Server and access logs90 days

When your account is deleted, we anonymise or erase personal data that is no longer required, subject to the retention obligations above.


7. Your Rights Under GDPR

As a data subject in the EEA, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you

  • Right to rectification — request correction of inaccurate or incomplete data

  • Right to erasure — request deletion of your data, subject to legal retention obligations

  • Right to restrict processing — request that we limit how we use your data in certain circumstances

  • Right to data portability — receive your data in a structured, machine-readable format

  • Right to object — object to processing based on legitimate interests

  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at contact@hibiso.eu. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.


8. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords hashed using bcrypt

  • JWT-based authentication with short-lived access tokens and secure refresh token handling

  • HTTPS encryption for all data in transit

  • AWS S3 server-side encryption for stored files

  • Role-based access controls limiting data access to authorised personnel

No system is completely secure. If you believe your account has been compromised, contact us immediately at contact@hibiso.eu.


9. Cookies

We use cookies and similar technologies to operate the platform. These include:

  • Essential cookies — required for authentication, session management, and core platform functionality

  • Preference cookies — to remember your settings and preferences

We do not use advertising or cross-site tracking cookies. You can control cookie behaviour through your browser settings, though disabling essential cookies will affect your ability to use the platform.


10. Children's Privacy

Our platform is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has registered, please contact us and we will promptly delete the account.


11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Continued use of the platform after changes are published constitutes acceptance of the updated policy.


12. Contact Us

For any privacy-related questions, requests, or concerns:

Email: contact@hibiso.eu
Platform: hibiso.eu

We aim to respond to all enquiries within 5 business days.