Privacy Policy

At beBee, we take the protection of your personal data very seriously. This Privacy Policy transparently explains what data we collect, why we collect it, how we use it, with whom we share it, and what rights you have over it.

This Policy applies to the use of bebee.com and all its applications, features, and associated services (the "Services").

beBee is incorporated in Spain (EU) and complies with the General Data Protection Regulation (GDPR) and applicable European Union and Spanish legislation as its primary legal framework. As a matter of good practice and respect for our global users, we also describe in this Policy the data protection rights recognized by the laws of other countries where our users reside, so that you can understand and exercise your rights regardless of your location.

The data controller for your personal data is:

beBee PLATFORM S.L.
Calle de la Virgen de los Peligros 11, 3rd floor
28013 Madrid, Spain
Tax ID: ESB84471838
Email: privacy@bebeecorp.com

Data Protection Officer (DPO): beBee has a Data Protection Officer, contactable at privacy@bebeecorp.com. The DPO also serves as the point of contact for data protection inquiries from users in all countries, including those required under Brazil's LGPD (encarregado).

3.1 Data You Provide

• Registration and account: name, email, password (encrypted), language.
• Professional profile: headline, bio, experience, education, skills, location, photo, phone (optional), social networks.
• Professional activity: applications, alerts, service requests, proposals, messages, reviews, articles.
• Payment data: processed directly by Stripe. beBee only stores Stripe customer ID and transaction history.

3.2 Third-Party Data

• Google/LinkedIn (OAuth): name, email, profile photo.
• External job sources: job offer data (not Users' personal data).

3.3 Automatically Generated Data

• Technical data: IP address, browser type, operating system, device type.
• Usage data: pages visited, actions taken, searches performed.
• Email data: opens, clicks, bounces (for service communications).
• Push data: encrypted endpoint, keys, notification preferences.
• Derived data: professional classification (AI), compatibility scores, PPP pricing level.

3.4 Sensitive Data
We do not deliberately collect sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation). If such data is inadvertently included in user-generated content (e.g., a CV), we process it solely to provide the Service and delete it upon request.

4.1 Service Provision (contract performance): account management, profile, employment features, marketplace, messaging, payments, customer support.

4.2 Personalization and Improvement (legitimate interest): recommendations, search optimization, algorithm improvement, statistical analysis.

4.3 Communications (legitimate interest/consent): service communications, job alerts, push notifications, marketing (only with consent).

4.4 Security (legitimate interest): fraud detection, identity verification, content moderation, abuse prevention.

4.5 Legal Compliance (legal obligation): tax obligations, regulatory requirements, judicial requests.

4.6 Market Analysis (legitimate interest): aggregate statistics, anonymized reports, AI improvement.

4.7 Analytics (consent): when you accept analytics cookies, we use Google Analytics (GA4) via Google Tag Manager to understand how users interact with the Platform. This data is used to improve user experience. No analytics data is collected without your consent.

5.1 Under the GDPR (EU/EEA/UK)
We process your data under Article 6 of the GDPR on the following bases: contract performance (account, services, payments), legitimate interest (personalization, security, analysis, moderation), consent (marketing, analytics cookies, push notifications), and legal obligation (regulatory compliance).

When processing is based on your consent, you may withdraw it at any time. When based on legitimate interest, we have conducted proportionality assessments.

5.2 Under the LGPD (Brazil)
For Brazilian users, we process personal data under Art. 7 of the LGPD on the following bases: consent (Art. 7-I), contract performance (Art. 7-V), legitimate interest (Art. 7-IX), and legal obligation (Art. 7-II). You have the right to request confirmation of processing, access, correction, anonymization, portability, deletion, and information about shared data (Art. 18 LGPD).

5.3 For users outside the EU
Although beBee is governed primarily by EU law, we recognize the data protection rights established by other jurisdictions as a matter of good practice:

• California (CCPA/CPRA): beBee does not sell your personal information and does not share it for cross-context behavioral advertising.
• Brazil (LGPD): We recognize the rights established in Art. 18 LGPD (see Section 11).
• Canada, South Africa, Thailand, Singapore, and other jurisdictions: We apply the same data protection standards we follow under the GDPR, which generally meet or exceed local requirements.

6.1 With Other Users: public profile according to your settings; contact information only with prior relationship and Premium subscription.

6.2 With Service Providers: AWS (infrastructure, EU region), Stripe (payments, PCI-compliant), Google (OAuth, Analytics — only with consent), LinkedIn (OAuth), Anthropic (AI, anonymized data only), Sentry (error monitoring). All providers operate under Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) where required.

6.3 External Offers: we do not share your data when redirecting you to external job sites. You leave the Platform and are subject to that site's terms.

6.4 With Authorities: when required by law, court order, or to protect the safety of Users.

6.5 Corporate Operations: in case of merger, acquisition, or asset sale, you will be notified in advance and your data will remain subject to this Privacy Policy.

6.6 What We Do NOT Do:

• We never sell your personal data.
• We never share your data for third-party marketing without your explicit consent.
• We never share contact information unless the visibility conditions are met (prior relationship + Premium).
• We never use your data to train AI models.

Your data is primarily stored in the EU (AWS eu-west-1, Ireland). When transfers outside the EEA occur, we ensure adequate safeguards exist:

• Adequacy decisions by the European Commission.
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Supplementary measures (encryption in transit and at rest, pseudonymization, access controls).

For Brazilian users: international transfers comply with LGPD Art. 33, using SCCs and ensuring the receiving country provides an adequate level of data protection.

For all users: you may request information about the specific safeguards applied to transfers involving your data by contacting privacy@bebeecorp.com.

8.1 Strictly Necessary Cookies (no consent required):

• next-auth.session-token: authentication (30 days).
• next-auth.csrf-token: CSRF protection (session).
• next-auth.callback-url: redirects (session).
• bebee_cookie_consent: stores your cookie preferences (persistent).

8.2 Analytics Cookies (consent required):

• _ga, _ga_*: Google Analytics 4 (2 years). Only activated with your consent.

8.3 Marketing Cookies (consent required):

• Third-party advertising and measurement pixels. Only activated with your explicit consent.

8.4 Google Tag Manager and Consent Mode v2
beBee uses Google Tag Manager (GTM) to manage analytics and marketing tags. We implement Google Consent Mode v2, which means:

• If you accept analytics cookies: GA4 operates normally with cookies for full measurement.
• If you reject analytics cookies: no cookies are set. GTM may send anonymized, cookieless pings for aggregate statistical modeling only (no personal data is collected).
• Marketing tags are only fired if you explicitly consent to marketing cookies.

8.5 Cookie Management
You can manage your cookie preferences at any time through:

• The cookie banner (shown on first visit).
• The "Cookie settings" link in the footer of every page.
• Your browser settings.

Rejecting non-essential cookies does not affect any functionality of the Platform.

8.6 Email Tracking
We use tracking pixels in service communications to measure opens and clicks. You can disable image loading in your email client to prevent this tracking.

If you enable push notifications, we store your subscription endpoint (encrypted), browser keys, and preferences. They are sent exclusively with your prior consent, which you can revoke at any time from your notification settings. All notifications are encrypted with AES-128-GCM (RFC 8188).

• Account and profile data: while the account is active.
• Payment and billing data: 5 years (tax obligation under Spanish law).
• Usage and analytics data: 26 months (GA4 default); anonymized internal data: indefinitely.
• Email events: 180 days.
• Security logs: 12 months.
• Deleted account data: deleted or anonymized within 30 days maximum.
• Cookie consent preferences: until you change them or clear your browser data.

After the applicable retention period, data is permanently deleted or irreversibly anonymized.

11.1 Rights for all Users
Regardless of your location, you can:

• Access your data (export from your account settings).
• Rectify your data (edit your profile).
• Delete your account and data ("right to be forgotten" — your profile is anonymized immediately).
• Export your data in machine-readable format (JSON).
• Withdraw consent at any time for optional processing (marketing, analytics, push).
• Object to processing based on legitimate interest.
• Request human review of any automated decision.

11.2 Additional rights under the GDPR (EU/EEA/UK)
You have the right to: restriction of processing, data portability, and to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es. If you reside in another EEA member state, you may contact your local data protection authority.

11.3 Additional rights under the LGPD (Brazil)
Brazilian users have the right to: confirmation of processing, access, correction, anonymization of unnecessary data, portability, deletion, information about shared data, information about denying consent and its consequences, and revocation of consent. You may also file complaints with the Autoridade Nacional de Proteção de Dados (ANPD): www.gov.br/anpd.

11.4 Additional rights under the CCPA/CPRA (California, USA)
California residents have the right to:

• Know what personal information we collect, use, disclose, and sell.
• Delete your personal information.
• Opt-out of the sale or sharing of personal information. beBee does not sell or share your personal information.
• Non-discrimination: we will not discriminate against you for exercising your CCPA rights.
• Correct inaccurate personal information.
• Limit use of sensitive personal information.

Categories of personal information collected (per CCPA § 1798.100): identifiers, professional information, internet activity, geolocation (approximate), and commercial information (payment history). We do not collect biometric data.

11.5 Additional rights under POPIA (South Africa)
South African users have the right to: access, correction, deletion, objection to processing, and to lodge a complaint with the Information Regulator: inforegulator.org.za.

11.6 Additional rights under PIPEDA (Canada)
Canadian users have the right to: access, correction, withdrawal of consent, and to file complaints with the Office of the Privacy Commissioner of Canada: www.priv.gc.ca.

11.7 How to exercise your rights
You can exercise your rights from your account settings or by contacting privacy@bebeecorp.com. We respond within:

• GDPR: 1 month maximum.
• LGPD: 15 days maximum.
• CCPA: 45 days maximum.
• Other jurisdictions: within the applicable statutory period.

We implement technical and organizational security measures: encryption in transit (HTTPS/TLS), encryption at rest (AWS S3), bcrypt-hashed passwords, encrypted push notifications (AES-128-GCM), signed JWT tokens. Access limited by least privilege principle, staff training, incident response procedures.

In case of a security breach, we will notify the competent authority within 72 hours (GDPR) and, if there is high risk, inform you directly. For Brazilian users, we will also notify the ANPD as required by the LGPD.

beBee is not directed at persons under 18 years of age and we do not deliberately collect data from minors. If we discover a minor's data, we will immediately delete their account. Contact privacy@bebeecorp.com if you are aware that a minor has used our Services.

For users in the United States: beBee complies with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13.

beBee uses AI models (Claude by Anthropic) for content moderation, professional classification, job recommendations, market rate suggestions, and informational content generation.

• Data sent to AI models is anonymized or pseudonymized beforehand.
• Only minimal fragments necessary for the task are sent.
• We do not use your data to train AI models.
• You can request human review of any automated decision.
• AI-generated content is clearly labeled where applicable.

In compliance with the EU AI Act (Regulation 2024/1689), beBee's AI systems are classified as limited-risk and we provide transparency about their use.

beBee respects the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we treat it as a valid opt-out request for the sale or sharing of personal information (relevant for CCPA/CPRA compliance).

beBee also respects the "Do Not Track" (DNT) browser signal. When detected, no analytics or marketing cookies are activated, regardless of prior consent.

We may update this Policy periodically. Substantial modifications will be notified at least 30 days in advance via email and through a notice on the Platform. The last updated date is always shown at the top of the document.

If you disagree with the updated Policy, you may delete your account before the changes take effect.

For any queries about this Privacy Policy or to exercise your data protection rights:

• Privacy inquiries: privacy@bebeecorp.com
• General support: support@bebeecorp.com
• Address: beBee PLATFORM S.L., Calle de la Virgen de los Peligros 11, 3rd floor, 28013 Madrid, Spain.
• Tax ID: ESB84471838

Supervisory authorities:

• Spain (AEPD): www.aepd.es
• Brazil (ANPD): www.gov.br/anpd
• South Africa (Information Regulator): inforegulator.org.za
• Canada (OPC): www.priv.gc.ca