Privacy Policy
1. Introduction
We are pleased that you are visiting our website and thank you for your interest in our company and services. The protection of your personal data is very important to us. Below we inform you in detail about how we handle your data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Responsible Party / Controller
Biohacker Alliance
Tautenhofer Str. 9
88299 Leutkirch
Germany
Email: hello@biohackeralliance.com
Website: biohackeralliance.com
3. Data Collection Overview
What data do we collect?
We collect the following types of data:
- Data you provide directly (e.g., through contact forms, expert applications, newsletter sign-up)
- Expert subscription and billing data (plan tier, Stripe customer/subscription ID)
- Automatically collected technical data (IP address, browser type, device information)
- Usage data through analytics tools (Google Analytics, Google Search Console)
- Cookie data (with your consent)
How do we use your data?
We use your data to:
- Operate and improve our website and platform
- Process expert applications and manage expert directory listings
- Process subscription payments and manage billing via Stripe
- Communicate with you about services, account status, and billing
- Send newsletters and marketing emails (with your explicit consent)
- Analyze website traffic and user behavior
- Ensure security and prevent fraud
- Comply with legal obligations (including tax and accounting requirements)
4. Hosting & Infrastructure
Vercel (Website Hosting)
Our website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. This includes:
- Browser type and version
- Operating system used
- Referrer URL (the previously visited page)
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources. The legal basis for data processing is Art. 6 para. 1 lit. f GDPR (legitimate interest in providing a functional and secure website).
More information: Vercel Privacy Policy
Supabase (Database & Authentication)
We use Supabase (Supabase Inc., USA) for database storage, authentication, and backend services. When you submit forms, applications, or create an account, your data is stored on Supabase servers. Supabase is GDPR-compliant and uses encryption for data protection.
More information: Supabase Privacy Policy
Stripe (Payment Processing)
For expert subscriptions, we use Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA) as our payment processor. When you complete a purchase, payment data (card number, billing address) is transmitted directly to Stripe — Biohacker Alliance does not store card details on its servers.
Data processed by Stripe includes: name, email address, billing address, payment method details, and transaction history. Stripe may transfer data to the USA under Standard Contractual Clauses.
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract — processing necessary to execute the subscription).
More information: Stripe Privacy Policy
5. Data Collection on Our Website
Expert Application & Subscription
When you apply to become a listed expert on our platform, we collect the following data across the onboarding process:
- Personal information (full name, email address, phone number)
- Professional information (specialization, credentials, years of experience, languages)
- Location data (country, city)
- Service delivery preferences (online, in-person)
- Professional bio, website URL, LinkedIn and Instagram profiles
- Profile photo (uploaded voluntarily)
- Subscription plan selection (Listing, Professional, or Authority)
- Stripe Customer ID and Subscription ID (for billing management — no card data stored by us)
Application data is initially stored with status pending_review. Upon approval, the profile is activated and displayed publicly in the expert directory. The email address associated with an approved application is used to send the plan-selection link via Brevo.
Legal basis: Art. 6 para. 1 lit. b GDPR (processing necessary for contract fulfillment — expert subscription) and Art. 6 para. 1 lit. a GDPR (consent via checkbox at application).
Data retention: Active expert profiles are retained for the duration of the subscription. Upon cancellation or account deletion, profile data is deactivated and may be deleted upon request. Billing records are retained for 10 years to comply with German tax law (§ 147 AO).
Partnership Application Forms
When you apply for a partnership opportunity, we collect:
- Name and contact information
- Availability for video calls
- Optional message/introduction
- Language preference
Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures) and Art. 6 para. 1 lit. a GDPR (consent).
Contact Forms
If you send us inquiries via contact forms, your data from the inquiry form, including the contact data you provided, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. f GDPR (legitimate interest in responding to inquiries).
Newsletter Subscription
You can subscribe to our free newsletter on our website. When subscribing, we collect your email address. We use the double opt-in procedure: after entering your email address, you will receive a confirmation email and the newsletter subscription will only be activated once you click the confirmation link in that email.
Data collected:
- Email address
- Date and time of subscription
- IP address at time of subscription (for verification purposes)
Our newsletters are sent via Brevo (formerly Sendinblue) — Sendinblue SAS, 55 rue d'Amsterdam, 75008 Paris, France. Brevo acts as a data processor on our behalf and may process your email address on servers within the EU. Brevo is GDPR-compliant.
Legal basis: Art. 6 para. 1 lit. a GDPR (explicit consent via double opt-in). You can withdraw your consent at any time by:
- Clicking the unsubscribe link at the bottom of every newsletter email
- Sending an email to hello@biohackeralliance.com
The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. After unsubscribing, your email address will be deleted from our newsletter list within 30 days.
More information: Brevo Privacy Policy
6. Analytics & Tracking Tools
Google Analytics 4
This website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses cookies to help analyze how users use the site.
Data collected by Google Analytics:
- Pages visited and time spent on pages
- Click behavior and user interactions
- Geographic location (country, city)
- Device information (browser, operating system, screen resolution)
- Traffic sources (how you found our website)
- Demographic data (age range, gender - if available)
IP Anonymization: We have activated IP anonymization on this website. Your IP address will be shortened by Google within member states of the European Union or other parties to the Agreement on the European Economic Area before transmission to the United States.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent via cookie banner) and Art. 6 para. 1 lit. f GDPR (legitimate interest in website optimization and understanding user behavior).
Data retention: Google Analytics data is automatically deleted after 14 months.
Opt-out: You can prevent Google Analytics from collecting your data by:
- Adjusting your cookie preferences in our cookie banner
- Installing the Google Analytics Opt-out Browser Add-on
- Configuring your browser to block cookies
More information: Google Privacy Policy
Google Search Console
We use Google Search Console to monitor and maintain our website's presence in Google Search results. Google Search Console collects data about:
- Search queries that led users to our site
- Click-through rates from search results
- Website indexing status and errors
- Performance metrics in search results
This data is aggregated and anonymized. Google Search Console does not collect personal data from individual users.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in improving our website's search visibility and user experience).
Vercel Analytics
We use Vercel Analytics for basic website performance monitoring. Vercel Analytics does not use cookies and collects only anonymized, aggregated data about page views and performance metrics.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in monitoring website performance).
7. Cookies
Our website uses cookies. Cookies are small text files that are stored on your device and saved by your browser. They do not cause any damage to your device.
Types of Cookies We Use:
Essential Cookies (Required)
These cookies are necessary for the website to function properly. They cannot be disabled.
- Session management
- Security and authentication
- Cookie consent preferences
Analytics Cookies (Optional)
These cookies help us understand how visitors interact with our website.
- Google Analytics (_ga, _gid, _gat)
- Vercel Analytics (anonymous)
Functional Cookies (Optional)
These cookies enable enhanced functionality and personalization.
- Language preferences
- User interface settings
Managing Cookies: You can configure your browser to inform you about the setting of cookies and decide individually whether to accept them, or to exclude the acceptance of cookies for certain cases or in general. Please note that restricting cookies may limit the functionality of our website.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent for optional cookies) and Art. 6 para. 1 lit. f GDPR (legitimate interest for essential cookies).
8. Third-Party Services
Email Service (Brevo)
We use Brevo (formerly Sendinblue) — Sendinblue SAS, 55 rue d'Amsterdam, 75008 Paris, France — for sending transactional emails (application confirmations, account notifications, expert approval emails) as well as our newsletter. When you submit a form or subscribe to our newsletter, Brevo processes your email address to deliver these communications. Brevo is GDPR-compliant and processes data within the EU.
Data shared with Brevo: Email address, name (where provided), IP address at time of subscription, email engagement metrics (open rates, click rates — anonymized).
Legal basis: Art. 6 para. 1 lit. b GDPR (transactional emails necessary for service delivery) and Art. 6 para. 1 lit. a GDPR (newsletter emails, consent-based).
More information: Brevo Privacy Policy
Content Delivery Network (CDN)
We use CDN services to deliver website content efficiently. CDNs may temporarily cache your IP address and request data for performance optimization.
9. Data Security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security measures include:
- SSL/TLS encryption for all data transmission (HTTPS)
- Encrypted database storage
- Regular security updates and patches
- Access controls and authentication
- Regular backups
- Secure hosting infrastructure
Our security measures are continuously improved in line with technological developments.
10. Your Rights Under GDPR
As a data subject, you have the following rights:
Right to Information (Art. 15 GDPR)
You have the right to request information about your personal data that we process.
Right to Rectification (Art. 16 GDPR)
You have the right to request the correction of inaccurate personal data.
Right to Erasure (Art. 17 GDPR)
You have the right to request the deletion of your personal data under certain conditions.
Right to Restriction (Art. 18 GDPR)
You have the right to request the restriction of processing of your personal data.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used format.
Right to Object (Art. 21 GDPR)
You have the right to object to the processing of your personal data based on legitimate interests.
Right to Withdraw Consent (Art. 7 GDPR)
You can withdraw your consent at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.
To exercise these rights, please contact us at: hello@biohackeralliance.com
11. Data Retention
We store your personal data only as long as necessary for the purposes for which it was collected:
- Expert profiles: For the duration of your listing on our platform, plus 3 months after removal
- Partnership applications: Until processing is complete, then archived for 1 year
- Contact form inquiries: Until the inquiry is resolved, then deleted after 6 months
- Newsletter subscriptions: For the duration of your subscription; deleted within 30 days of unsubscribing
- Analytics data: Automatically deleted by Google Analytics after 14 months
- Server logs: Deleted after 30 days
- Cookies: Vary by type (see cookie policy), typically 1-24 months
Legal retention periods (e.g., tax law, commercial law) remain unaffected. After these periods expire, the corresponding data is routinely deleted.
12. International Data Transfers
Some of our service providers (Google, Vercel, Supabase) are based in the United States or other countries outside the European Economic Area (EEA). Data transfers to these countries are secured through:
- Standard Contractual Clauses (SCCs) approved by the EU Commission
- Adequacy decisions by the EU Commission
- Privacy Shield certification (where applicable)
- Additional technical and organizational measures
We ensure that all international data transfers comply with GDPR requirements and provide adequate protection for your personal data.
13. Children's Privacy
Our website and services are not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected information from a child, please contact us immediately, and we will delete such information.
14. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in our practices or for legal, operational, or regulatory reasons. The current version is always available on this page. Material changes will be communicated through a prominent notice on our website.
We encourage you to review this privacy policy periodically to stay informed about how we protect your data.
15. Contact & Questions
If you have questions about this privacy policy, how we handle your data, or wish to exercise your rights, please contact us:
Last updated: March 3, 2026
Version: 2.1