Privacy Policy

1. Information We Collect

When you use Satya, we collect different types of information depending on how you interact with our platform.

Account information: your name, email address, username, and password (stored as a secure bcrypt hash — we never store your password in plain text).
Profile data: optional biography, profile picture, social media links, display name, and your privacy preferences.
Service listings: if you are a practitioner, we store your service titles, descriptions, pricing, availability schedules, location, categories, and media uploads.
Usage data: pages visited, features used, and interaction patterns to help us improve the platform experience.

2. Cookies

We use the following cookies, all of which are essential for site operation and security:

satya_session — satya_session — Session cookie that maintains your login state. Flags: HttpOnly, Secure, SameSite=Lax. Lifetime: 24 hours.

satya_did — satya_did — Device identification cookie used for security and fraud prevention. Flags: Secure, SameSite=Strict. Lifetime: 2 years.

satya_remember — satya_remember — Optional persistent login cookie, only set if you choose "Remember me" at login. Flags: HttpOnly, Secure, SameSite=Lax. Lifetime: 30 days.

We store your acceptance of this cookie notice in your browser's local storage (satya_cookie_consent). This is not a cookie and is not sent to our servers.

3. Device Fingerprinting

We use browser fingerprinting technology to generate a device identifier based on your browser and device characteristics, including screen resolution, timezone, and browser configuration.

This fingerprint is used exclusively for security purposes: detecting unauthorized access to your account, preventing fraud, and recognizing your trusted devices so you receive fewer unnecessary login verifications.

4. Geolocation

If you choose to share your location, we store approximate latitude and longitude coordinates to enable location-based service discovery ("Near Me" search) and distance calculations.

Location sharing is entirely optional and requires your explicit browser consent. You can revoke location access at any time through your account privacy settings or your browser settings.

5. Payments

Payment processing is handled by Stripe through their Connect platform. We do not store your credit card numbers, bank account details, or other payment instrument data on our servers.

We store transaction records including amounts, currencies, payment status, booking references, and your Stripe Connect account identifier if you are a service provider. This data is necessary for order history, refunds, and financial compliance.

6. Messaging

Messages sent between users are stored in our database to provide conversation history. Messages are visible only to the participants of each conversation. We do not scan or analyze message content for advertising purposes.

7. Bookings

When you book a service, we store the service details, provider and client identifiers, date and time, price, payment status, booking status, and any notes you provide.

Both the service provider and the client can view their respective booking details. Providers see bookings from all their clients; clients see only their own bookings.

8. Security & Fraud Prevention

To protect our community, we operate a risk assessment system that monitors for suspicious activity. This system records:

IP addresses associated with login attempts, registrations, and other sensitive actions.
Device fingerprints, browser user-agent strings, and device cookies to identify trusted and untrusted devices.
Risk scores calculated from behavioral patterns to detect potential fraud, abuse, or unauthorized access.

This data is used solely for security purposes. Risk events are subject to the retention periods described below.

9. Third-Party Services

We integrate the following third-party services:

Stripe — Payment processing and provider payouts. Stripe's own privacy policy governs how they handle payment data.

Cloudflare Turnstile — Bot protection during registration and sensitive actions. Cloudflare processes a limited set of browser signals; no personal data is shared beyond what is necessary for bot detection.

FingerprintJS (open-source) — Browser fingerprinting for device identification. This runs entirely client-side; no data is sent to FingerprintJS servers.

10. Data Retention & Deletion

We retain your account data for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, subject to legal obligations.

Security logs (risk events, IP addresses, device records) are retained for up to 90 days for fraud prevention and investigation, then automatically purged.

Booking and transaction records may be retained longer as required by applicable financial and tax regulations.

11. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

Right of Access — You can request a copy of all personal data we hold about you.
Right to Rectification — You can update or correct your personal data through your account settings, or by contacting us.
Right to Erasure — You can request the deletion of your account and all associated personal data.
Right to Data Portability — You can request your data in a structured, machine-readable format.
Right to Object — You can object to the processing of your data for specific purposes.
Right to Restriction — You can request that we limit how we process your data while a concern is being investigated.

To exercise any of these rights, please contact us using the information below. We will respond to your request within 30 days.

12. Contact Us

If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us:

Email: privacy@satya.pl