Privacy Policy

Last updated: February 25, 2026

1. Controller & Contact

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

HandyHive (independent startup)

E-Mail: info@handyhive.eu

If you have questions about this Privacy Policy or your personal data, please contact us by email at info@handyhive.eu.

2. What Data We Collect

We collect the following categories of personal data:

Account Data

  • Name and email address
  • Password (hashed, never stored in plaintext)
  • Phone number (optional)
  • Profile photo (optional)

Booking Data

  • Service address (shared only after confirmation)
  • Preferred time slots
  • Job description and uploaded photos
  • Booking status and history

Payment Data

  • Billing name and address
  • Stripe customer and subscription IDs
  • We never store full card numbers — Stripe handles that

Technical Data

  • IP address and browser user agent
  • Device type and screen resolution
  • Pages visited and timestamps
  • Referral source

3. Legal Basis for Processing

We process your data based on the following legal grounds under the GDPR:

  • Contract performance (Art. 6(1)(b) GDPR): To create your account, process bookings, and handle payments.
  • Legitimate interest (Art. 6(1)(f) GDPR): To improve our platform, prevent fraud, and ensure security.
  • Consent (Art. 6(1)(a) GDPR): For optional marketing emails and non-essential cookies. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): To comply with tax, accounting, and regulatory requirements.

4. How We Use Your Data

  • Provide and maintain the HandyHive platform
  • Match customers with verified skilled professionals
  • Process bookings, payments, and refunds
  • Send transactional emails (booking confirmations, reminders, receipts)
  • Verify handworker identity, qualifications, and insurance
  • Display reviews tied to completed bookings
  • Improve the platform through aggregated, anonymised analytics
  • Detect and prevent fraud or abuse
  • Respond to support requests

5. Third-Party Services & Data Sharing

We share personal data only when necessary to operate the platform, never for advertising or selling to third parties. The following processors may receive data:

Service | Purpose | Location
Amazon Web Services (AWS) | Hosting, database, file storage, AI features | EU (eu-west-1)
Stripe | Payment processing and subscriptions | EU / US (with EU SCCs)
Auth.js / NextAuth | Authentication and session management | Self-hosted (EU)
Resend / AWS SES | Transactional email delivery | EU / US (with EU SCCs)
Upstash Redis | Rate limiting (optional) | EU

Where data is transferred outside the EU/EEA we rely on Standard Contractual Clauses (SCCs) or an adequacy decision from the European Commission.

6. Cookies

We use the following types of cookies:

  • Essential cookies: Required for authentication, session management, and CSRF protection. Cannot be disabled.
  • Preference cookies: Remember your theme choice (light/dark mode) and language settings.
  • Analytics cookies (optional): Help us understand how visitors use the platform. Only set with your consent.

We do not use advertising or tracking cookies. You can manage cookie preferences in your browser settings at any time.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion, unless legally required to keep it longer.
  • Booking records: Kept for 10 years after completion to comply with German commercial and tax law (HGB § 257, AO § 147).
  • Payment records: Kept for 10 years per tax regulations.
  • Server logs: Automatically deleted after 90 days.
  • Support conversations: Retained for 3 years after the last interaction.

8. Your Rights Under the GDPR

As a data subject in the EU, you have the right to:

Access

Request a copy of the personal data we hold about you.

Rectification

Ask us to correct inaccurate or incomplete data.

Erasure

Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.

Restriction

Ask us to limit how we process your data in certain circumstances.

Data portability

Receive your data in a structured, machine-readable format.

Objection

Object to processing based on legitimate interest, including profiling.

Withdraw consent

Where processing is based on consent, withdraw it at any time without affecting prior processing.

Lodge a complaint

File a complaint with a supervisory authority (e.g. Berliner Beauftragte für Datenschutz und Informationsfreiheit).

To exercise any of these rights, email info@handyhive.eu. We will respond within 30 days.

9. Address Privacy

Your exact service address is never shown publicly on the platform. It is shared with the assigned handworker only after a booking is confirmed by both parties, and solely for the purpose of performing the booked service.

10. Security Measures

We protect your data with industry-standard measures including:

  • TLS encryption for all data in transit
  • AES-256 encryption at rest for databases and file storage
  • Hashed passwords (never stored in plaintext)
  • Role-based access controls for internal systems
  • Regular security audits and dependency updates
  • Two-factor authentication available for all accounts

11. Children's Privacy

HandyHive is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us at info@handyhive.eu and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent revision.