berneiz

Privacy Policy

Last updated: 10 May 2026 · Effective: 10 May 2026

Operational draft. This document accurately reflects how the berneiz product works today and is structured to satisfy GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Brazil’s LGPD, and Apple’s App Store privacy disclosures. Before public launch you should still have it reviewed by counsel in your primary jurisdiction.

This Privacy Policy (“Policy”) explains what personal information V & GARNET (“berneiz,” “we,” “us,” or “our”) collects when you use the berneiz mobile application, the website at berneiz.com, and related services (collectively, the “Service”), how we use it, with whom we share it, and what rights you have. By creating an account or using the Service, you acknowledge the practices described here.

1. Who we are (data controller)

V & GARNET, a free-zone company incorporated in Dubai, United Arab Emirates, is the controller of the personal information processed under this Policy and operates the Service under the “berneiz” brand. Privacy contact: privacy@berneiz.com. For postal correspondence, write to us at the address listed on our App Store Connect support page. EU/UK data subjects may contact our designated representative at the same email.

2. What we collect

2.1 Information you provide directly

  • Account information: email address (required), display name, country (ISO 2 code), date of birth (only used to confirm 18+), and password handled by our authentication provider (Supabase Auth) as a salted hash. We never see the plaintext password.
  • Public social handles: your TikTok and/or Instagram username, used solely to verify that the post you submit was actually published from your account.
  • Wallet and payout information: your coin balance, transaction history, chosen payout method (PayPal, Stripe Connect, gift cards, bank transfer), and the destination identifier you supply (e.g. PayPal email, Stripe Connect account id). The destination identifier is stored both in plaintext (so we can issue the payout) and as a one-way SHA-256 hash (used for fraud-detection joins so we never have to scan the plaintext column for matches).
  • Tax information: for U.S. residents whose cumulative cash-out exceeds $600 in a calendar year, we collect a W-9 (legal name, address, taxpayer ID) as required by the Internal Revenue Service for 1099-NEC reporting. Non-U.S. residents may be asked for an analogous declaration if their jurisdiction requires it.
  • Customer support communications: the contents of any email, chat, or in-app message you send us.

2.2 Information we collect automatically

  • Device and connection data: device model, operating system version, app version, language, time zone, IP address (stored as a salted SHA-256 hash for fraud detection; we do not retain the plaintext IP after the request is processed), and a per-install device fingerprint used to detect multi-account abuse.
  • Product analytics and crash data: page views, taps on key flows (offer accepted, post submitted, cash-out requested), and crash stack-traces. We use PostHog for product analytics and Sentry for error monitoring. These events are tied to your account id but contain no message content, contacts, or media.
  • Push tokens: if you opt in to push notifications, we store your APNs/FCM token to deliver new offer alerts and payout notifications.

2.3 Information we receive from third parties

  • Public engagement metrics: when you submit a post URL, we fetch publicly visible metrics (view count, like count, share count, comment count) from TikTok and Instagram to verify the post and compute any view bonus. We do not log into your social accounts and we do not access private data, DMs, or your follower list.
  • Payout-provider events: Stripe Connect and PayPal Payouts notify us when a payout settles, fails, or is reversed. We store the resulting transaction reference, status, and any error code.

2.4 What we do NOT collect

  • We do not access your contacts, your photo library beyond the single image you choose to upload, your microphone, your calendar, or your precise location.
  • We do not use the iOS App Tracking Transparency (ATT) framework to track you across other companies’ apps and websites, and we do not display the ATT prompt. The advertising identifier (IDFA) is not collected.
  • We do not collect data from anyone under 18; see Section 9.

3. Why we use it (purposes and legal bases)

For users in the EEA, UK, and Switzerland, the list below also identifies the legal basis under Article 6(1) GDPR.

  • Run the Service: match offers, generate the carousel pack assigned to you, verify posts, calculate and pay rewards, run cash-outs. Legal basis: performance of the contract between you and us (Art. 6(1)(b)).
  • Fraud detection and platform integrity: detect multi-account abuse, fake engagement, deletion of paid posts, and suspicious payout patterns. Legal basis: legitimate interest in operating a sustainable payout platform (Art. 6(1)(f)); also necessary for the contract.
  • Transactional communication: welcome email, email-verification code, payout confirmations, security alerts. Legal basis: performance of the contract.
  • Product analytics and improvement: understand which flows convert, which break, and where users get stuck. Legal basis: legitimate interest. You may opt out. See Section 7.
  • Legal and tax compliance: issue 1099-NEC forms, respond to lawful requests, defend legal claims. Legal basis: legal obligation (Art. 6(1)(c)) and our legitimate interest in defending claims.
  • Marketing emails: only if you explicitly opt in. You can unsubscribe at any time from any such email. Legal basis: consent (Art. 6(1)(a)).

4. Who we share it with (subprocessors)

We share the minimum personal information necessary with the following categories of subprocessors. Each operates under a written data-processing agreement and is bound to use the information only to provide the service we have engaged them for:

  • Hosting and database: Supabase (PostgreSQL, authentication, file storage), Vercel (Next.js application hosting, CDN). Primary region: U.S.
  • Email: Resend (transactional email delivery).
  • Push notifications: Apple APNs and Google FCM, only the platform-issued token and notification payload.
  • Payouts: Stripe (Stripe Connect Express payouts), PayPal Payouts, Tremendous / Tango Card (gift-card fulfilment, when activated).
  • Analytics and observability: PostHog (product analytics), Sentry (error monitoring).
  • Advertising measurement: Meta Pixel and Meta Conversions API to measure the performance of our advertising on Facebook and Instagram. Personal identifiers (email, IP address, browser fingerprint) are hashed with SHA-256 before transmission; Meta never receives the underlying plaintext. We only forward conversion-relevant events (signup completed, trial started, subscription activated) and never your campaign content or message bodies. Legal basis: legitimate interest in measuring the performance of our advertising (GDPR Art. 6(1)(f)). EEA/UK visitors may opt out via the “Do Not Track” signal or by emailing privacy@berneiz.com.
  • AI providers: OpenAI and Google AI for campaign-creative generation. We send only the campaign brief and angle text we author ourselves; we never send your personal information, your posts, or your social handles.

We do not sell or share your personal information with third parties for their independent advertising or marketing purposes, and we do not engage in “cross-context behavioural advertising” as defined by the CPRA.

5. International transfers

We are headquartered in the United States and most of our subprocessors operate U.S.-based infrastructure. Where personal information of EEA, UK, or Swiss residents is transferred to us or to subprocessors outside their respective jurisdictions, we rely on the European Commission’s Standard Contractual Clauses (2021/914) and, for UK transfers, the UK International Data Transfer Addendum, supplemented by the additional safeguards required by the European Data Protection Board.

6. Data retention

  • Active accounts: we keep your data while your account is active.
  • Deleted accounts: within 24 hours of a deletion request, we anonymise account information (email, name, social handles, payout destination, push tokens, device fingerprints) and revoke access. See Section 8.
  • Financial records: transaction ledgers, payouts, and any tax forms are retained for at least 7 years to comply with U.S. tax law and analogous EU/UK obligations. These records are pseudonymised (linked only to a non-personal internal id) once the account is deleted.
  • Tracking-link clicks: IP-derived analytics older than 90 days are aggregated and the per-event rows are deleted.
  • Backups: encrypted database backups are retained for 30 days for disaster recovery and then rotated out automatically.

7. Your rights

Subject to applicable law, you have the right to: (a) access the personal information we hold about you; (b) correct inaccurate data; (c) delete your account (see Section 8); (d) restrict or object to certain processing; (e) receive a machine-readable export of your data (data portability); (f) withdraw consent where processing is based on consent; (g) lodge a complaint with your local supervisory authority (in the EEA / UK) or the California Privacy Protection Agency (in California).

To exercise any of these rights, email privacy@berneiz.com from the email address associated with your account. We will respond within 30 days. We will not discriminate against you for exercising your rights.

California residents (CCPA/CPRA): you also have the right to know what personal information we collect and disclose, the right to opt out of the sale or sharing of your information (we do not sell or share it), the right to limit the use of sensitive personal information (we do not use sensitive personal information for any purpose not strictly necessary to provide the Service), and the right to non-discrimination.

8. Account deletion

You can delete your account from inside the app: Profile → Delete account. Confirming the action will, within 24 hours: (i) anonymise your email, name, country, date of birth, social handles, and payout destination; (ii) delete your stored push tokens and device fingerprints; (iii) cancel any pending offers and unfilled store orders; (iv) revoke all sign-in sessions; and (v) flag your account so no further offers, payouts, or referral credits are processed. Financial records linked to your account before deletion are retained as described in Section 6.

You can also request deletion by emailing privacy@berneiz.com.

9. Children

The Service is not directed to anyone under 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, contact privacy@berneiz.com and we will delete the account and any associated data immediately.

10. Cookies and similar technologies

On the website we use a small number of strictly necessary cookies (sign-in session, CSRF token, referral attribution) and an optional analytics cookie set by PostHog. The analytics cookie respects the “Do Not Track” signal sent by your browser. Inside the mobile app no advertising SDKs are loaded; we use the platform-native push token only.

11. Security

Personal information is encrypted in transit (TLS 1.2+) and at rest (AES-256 on managed Supabase storage). Access to production data is restricted to a small number of engineers under an audited least-privilege policy and protected by mandatory single-sign-on with hardware-key two-factor authentication. We will notify affected users and the relevant supervisory authorities of any personal data breach without undue delay, and in any event within the timeframes required by law.

12. Changes to this Policy

We may update this Policy as the Service evolves. Material changes will be communicated by email and via an in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

13. Contact

Privacy questions: privacy@berneiz.com.
General support: support@berneiz.com.
Terms of Service: berneiz.com/legal/terms.
