Legal
Privacy Policy
Last updated: 6 June 2026 · Version 1.0
1. Who We Are
Hibiso ("we", "us", "our") operates an online marketplace that connects travel content creators with brands seeking user-generated content (UGC). This Privacy Policy explains how we collect, use, share, and protect personal data when you use our platform at hibiso.eu and its associated applications.
We are the data controller for the personal data described in this policy. If you have questions, please contact us at contact@hibiso.eu.
2. What Data We Collect
2.1 Account & Identity Data
Full name, email address, and password (stored in hashed form)
User role (creator or brand)
Account creation date and last login
2.2 Creator Profile Data
Biography, niche categories, and portfolio information
Social media profile links and handles (Instagram, TikTok, YouTube, etc.)
Profile photograph and introduction video
Service packages and pricing
Onboarding status and completion steps
2.3 Brand Profile Data
Company name, description, and industry
Product catalogue entries
Subscription and billing status
2.4 Campaign & Contract Data
Campaign details, briefs, deliverable requirements, and timelines
Applications submitted to campaigns
Contract content, negotiated terms, and e-signatures (typed or drawn)
Deliverables submitted (files, links, media)
Review and rating content written after completed collaborations
2.5 Payment & Financial Data
Stripe customer and payment identifiers
Stripe Connect account identifiers (creators)
Transaction amounts, fees, and payment status records
Payout request history and earnings records
We do not store raw card numbers or full bank account details — these are held directly by Stripe
2.6 Communications Data
Messages sent between creators and brands via our in-platform chat
In-app notifications
Emails sent to you as part of onboarding reminders and transactional communications
2.7 Technical & Usage Data
IP address, browser type, and device information
Pages visited and features used within the platform
Authentication tokens (short-lived access tokens, refresh tokens stored as HTTP-only cookies where applicable)
Log data and error reports
2.8 Files & Media
Profile images and intro videos uploaded to our platform
Campaign poster images and brief documents
Deliverable files submitted by creators
PDF documents you upload (e.g. contract attachments)
3. How We Use Your Data
PurposeLegal Basis (GDPR Art. 6)Creating and managing your accountContract performanceMatching creators with brands and displaying profilesContract performance / Legitimate interestsFacilitating campaigns, applications, and contractsContract performanceProcessing payments and managing escrowContract performancePaying out creator earnings via Stripe ConnectContract performanceSending transactional emails (onboarding, notifications)Contract performanceSending platform reminders and usage communicationsLegitimate interestsStoring and serving uploaded files and mediaContract performanceDetecting and preventing fraud or abuseLegitimate interestsComplying with legal and regulatory obligationsLegal obligationImproving and developing the platformLegitimate interests
We do not use your personal data for automated decision-making that produces significant legal effects without human review.
4. Who We Share Your Data With
We share data only where necessary and with appropriate contractual protections in place.
4.1 Other Platform Users
Creator profiles are visible to registered brands for discovery and campaign purposes. This includes your bio, niche, social links, service packages, and portfolio.
Brand profiles and campaigns are visible to creators browsing available opportunities.
Contract parties can see each other's agreed contract terms, signatures, and submitted deliverables.
4.2 Service Providers (Data Processors)
ProviderPurposeLocationStripePayment processing, subscriptions, creator payouts via Stripe ConnectUSA (EU-adequacy mechanisms apply)Amazon Web Services (AWS S3)Secure file storage (profile images, videos, briefs, deliverables, PDFs)EU region where possibleBrevo (Sendinblue)Transactional email delivery (onboarding reminders, notifications)EUMongoDB AtlasDatabase hostingEU region where possible
4.3 Legal & Regulatory Disclosure
We may disclose your data to law enforcement or regulatory bodies where required by law, court order, or to protect the rights and safety of our users or the platform.
4.4 Business Transfers
If Hibiso is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify affected users before any such transfer and provide options where required by law.
We do not sell personal data to third parties.
5. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). Where we transfer personal data internationally, we rely on:
EU Standard Contractual Clauses (SCCs)
Adequacy decisions issued by the European Commission
You can request details of the specific transfer mechanisms in place by contacting contact@hibiso.eu.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide our services. Specific retention periods:
Data TypeRetention PeriodAccount dataDuration of account + 2 years after deletionContract and transaction records7 years (legal/tax obligation)Chat messages2 years from last activityUploaded deliverables1 year after contract completionProfile images and mediaDuration of accountPayment records7 years (financial compliance)Server and access logs90 days
When your account is deleted, we anonymise or erase personal data that is no longer required, subject to the retention obligations above.
7. Your Rights Under GDPR
As a data subject in the EEA, you have the following rights:
Right of access — request a copy of the personal data we hold about you
Right to rectification — request correction of inaccurate or incomplete data
Right to erasure — request deletion of your data, subject to legal retention obligations
Right to restrict processing — request that we limit how we use your data in certain circumstances
Right to data portability — receive your data in a structured, machine-readable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
To exercise any of these rights, contact us at contact@hibiso.eu. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
Passwords hashed using bcrypt
JWT-based authentication with short-lived access tokens and secure refresh token handling
HTTPS encryption for all data in transit
AWS S3 server-side encryption for stored files
Role-based access controls limiting data access to authorised personnel
No system is completely secure. If you believe your account has been compromised, contact us immediately at contact@hibiso.eu.
9. Cookies
We use cookies and similar technologies to operate the platform. These include:
Essential cookies — required for authentication, session management, and core platform functionality
Preference cookies — to remember your settings and preferences
We do not use advertising or cross-site tracking cookies. You can control cookie behaviour through your browser settings, though disabling essential cookies will affect your ability to use the platform.
10. Children's Privacy
Our platform is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has registered, please contact us and we will promptly delete the account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Continued use of the platform after changes are published constitutes acceptance of the updated policy.
12. Contact Us
For any privacy-related questions, requests, or concerns:
Email: contact@hibiso.eu
Platform: hibiso.eu
We aim to respond to all enquiries within 5 business days.