---
document: Privacy Policy
language: en
status: draft
version: 0.1.0-draft
last_updated: 2026-05-20
master: false
translates: privacy-policy.ru.md
---

> Draft — owner + counsel review required before publishing.
> Applicable law: GDPR (EU customers); Russian Federal Law No. 152-FZ "On Personal Data" (RU citizens).
> Russian (privacy-policy.ru.md) is the master. The Russian text prevails in case of discrepancy until an English version is signed off.

Bendahara — Privacy Policy

Version: 0.1.0-draft  •  Effective from: [TBD: publication date]

This Privacy Policy (the "Policy") explains what data Bendahara collects about its users, how it is used, shared with third parties, and protected. It applies both to corporate Customers (tenants) and individual end users (the tenant's employees).

In GDPR terminology:

  • Controller of employees' personal data = the customer company (tenant) that invited the employee;
  • Processor = the Operator of Bendahara, acting on the Controller's instructions under the DPA (see dpa.ru.md; an English DPA is planned for Phase 5);
  • With respect to Tenant Owners and the company's own registration data, the Operator may itself act as Controller.

---

1. Operator (Controller / Processor) details

  • Full name: [TBD: legal entity name]
  • Address: [TBD: registered address]
  • Registration number: [TBD]
  • Email: [TBD: privacy@bendahara.app]
  • Data Protection Officer: [TBD: name and contact of DPO, mandatory under GDPR Art. 37 if processing special categories or large scale]

For Russian residents — notification to Roskomnadzor of intent to process personal data (152-FZ Art. 22): [TBD: filing status].

---

2. What we collect

2.1. From the Tenant Owner (at company signup)

| Data category | Purpose | Legal basis (GDPR) |
|--------------------------------|----------------------------------------------------|----------------------------------|
| Email | Identification, password recovery, notifications | Contract performance (Art. 6.1.b) |
| Name / display name | Identification in the UI | Contract performance |
| Password hash (if not OAuth) | Authentication (Firebase Auth) | Contract performance |
| Company name | Tenant identification | Contract performance |
| Payment details (via provider) | Billing | Contract performance |
| IP address, user agent | Abuse prevention, security | Legitimate interest (Art. 6.1.f) |

2.2. From employees (when joining a tenant)

| Data category | Purpose | Legal basis (GDPR) |
|-------------------------------------|--------------------------------------|------------------------|
| Email or phone (via Telegram contact) | Identification, notifications | Contract performance |
| Display name | UI display | Contract performance |
| Telegram chat_id, user_id | Message routing | Contract performance |
| Phone number (from Telegram) | Routing, identification | Contract performance |
| Role and department | RBAC, approval routing | Contract performance |
| IP address, user agent | Security | Legitimate interest |

2.3. During Service use

| Data category | Purpose |
|--------------------------------------------------------------|----------------------------------------|
| Claim content (amounts, descriptions, categories, departments, dates) | Core Service function |
| Attached files (receipts, documents) | Core Service function |
| Approver actions (approve / reject / comments) | Audit log, core function |
| Interaction metadata (timestamp, IP, action, target) | Audit log, security |
| Telegram messages (callback_data, command text) | Routing, error debugging |
| Backend logs (structured, tenant_id tagged) | Support, security, debugging |
| Usage analytics (anonymised aggregate) | Service improvement |

2.4. What we do NOT collect

  • Payment card numbers — handled solely by payment providers (Stripe / YooKassa / other); the Operator receives only a token.
  • Geolocation (GPS / IP geolocation for marketing).
  • Biometric data.
  • Special categories of personal data (GDPR Art. 9): health, political opinions, religious beliefs, etc. — the Customer is bound not to upload these (see ToS 5.1.7).
  • Telegram message content not addressed to the bot. The bot sees only commands sent to it and inline-button clicks.

---

3. Purposes of processing

3.1. Service delivery — primary function: tenant creation, claim processing, approvals, audit log.

3.2. Billing and subscription — payment accounting, invoicing, receipts.

3.3. User communication — technical notifications, support responses, legally binding notices (ToS changes, breach notification).

3.4. Security — detection and prevention of abuse, fraud, attacks; rate limiting; incident investigation.

3.5. Analytics and Service improvement — anonymised aggregates (DAU, MAU, signups/day, churn). Individual data is not used for advertising.

3.6. Legal compliance — responses to lawful government requests, compliance with 152-FZ / GDPR / other applicable rules.

3.7. Marketing — only with prior opt-in consent (newsletter, product updates). Opt-out — in every message and in /admin/profile.

---

4. Retention

| Category | Retention |
|-----------------------------------------------------|----------------------------------------------------------------------------|
| Active tenant data (claims, members, audit) | While the tenant is active |
| Soft-deleted tenant | 30-day grace + 365-day archive ≈ 13 months |
| Backend logs | [TBD: 30 / 90 days — set during Cloud Logging configuration] |
| Payment data (for accounting) | Per accounting law — typically 5 years |
| Backups | Up to 90 days rolling, then overwritten |
| Audit log | For the tenant's lifetime; exported at deletion |
| Support tickets | Up to 2 years after closure |
| Marketing consents | Until withdrawal |

After retention expiry — physical deletion with deletion-integrity verification (GDPR Art. 17).

---

5. Sub-processors

The Service relies on the sub-processors listed below. The full current list and the scope of processing for each are maintained in dpa.ru.md (Appendix "List of sub-processors").

| Sub-processor | Processes | Jurisdiction / transfer |
|----------------------------------------|------------------------------------------------------|-------------------------------|
| Google Firebase / Cloud (Google LLC) | Auth, Firestore, Storage, Functions, Logging | US / region europe-west1 for tenant data; SCC for EU |
| [TBD: Stripe / YooKassa / Cloudpayments] | Payment processing | US / RU respectively; PCI-DSS |
| Telegram Messenger LLP / Telegram FZ-LLC | Bot message delivery | Dubai (UAE) / international |
| Resend (Plus Five Five, Inc.) | Transactional email (invites, password reset) | US; SCC for EU |
| [TBD: Sentry / Better Stack] | Error reporting, observability | US / EU |

5.1. Before adding a new sub-processor, the Operator notifies tenants at least 30 days in advance via email and updates dpa.ru.md. The Customer may object; if no reasonable compromise can be reached — the Customer may terminate the subscription with a refund for the unused portion of the period.

5.2. International transfers (GDPR Chapter V). Transfers outside the EEA rely on Standard Contractual Clauses (SCC, 2021/914) or equivalent. For Google Firebase — Google Workspace standard SCC; for Stripe — Stripe SCC + PCI-DSS.

5.3. Law enforcement. Disclosure on lawful request — only to the extent required by law. Where permitted, the Customer is notified.

5.4. M&A. In a merger, reorganisation, or sale of the business, data may be transferred to the successor with at least 30 days' notice to the Customer.

---

6. Data subject rights (GDPR Art. 12–22, 152-FZ ch. 4)

Every Service user (Tenant Owner, employee) has the following rights:

6.1. Right of access (Art. 15)

Obtain confirmation of processing and a copy of personal data. Channel: /admin/profile/export or written request to the email in § 1.

6.2. Right to rectification (Art. 16)

Correct inaccurate or outdated data through /admin/profile or by contacting support.

6.3. Right to erasure (Art. 17, "right to be forgotten")

  • Tenant employee — via /admin/profile/delete. users/{uid} and tenants/{tid}/members/{uid} are removed; audit-log references are replaced with a pseudonym [deleted-user-<hash>] to preserve audit integrity (legitimate interest).
  • Tenant Owner — tenant deletion (see ToS 7.1).
  • Response time — up to 30 days.

6.4. Right to restriction of processing (Art. 18)

Available via support with justification. Applied during disputes about data accuracy.

6.5. Right to data portability (Art. 20)

Export in machine-readable format (JSON + binary files):

  • employee — /admin/profile/export (own data + tenant data they can see);
  • Owner — /admin/export (full tenant export).

6.6. Right to object (Art. 21)

Object to processing based on legitimate interest (§ 2.1, IP/user-agent for security) — contact support. Reviewed individually with interest balancing.

6.7. Right not to be subject to fully automated decisions (Art. 22)

The Service does not make fully automated decisions with legal effect (approve/reject decisions are made by humans, not AI).

6.8. Right to withdraw consent (Art. 7.3)

For consent-based processing (marketing, opt-in) — withdraw via /admin/profile or the unsubscribe link in email.

6.9. Right to lodge a complaint with a supervisory authority (Art. 77)

  • EU: DPA of the user's country of residence.
  • RU: Roskomnadzor (rkn.gov.ru).
  • UK: ICO (ico.org.uk).

6.10. Timing and format

  • Response within 30 days (default) or 60 days (complex cases; with prior notice).
  • Free of charge (except repeated identical requests from the same subject — reasonable handling fee may apply).
  • Default channel — the email in § 1.

---

7. Cookies and similar technologies

7.1. The Service uses only strictly necessary cookies:

  • __session or equivalent — Firebase Auth session cookie;
  • csrf_token — CSRF protection;
  • tenant_id (in local storage) — current tenant context (multi-tenant navigation, Phase 2+).

7.2. We do not use:

  • Marketing / advertising cookies (Google Ads, Meta Pixel, etc.);
  • Cross-site tracking;
  • Analytics with long-term user identification (e.g., GA with user-id).

7.3. Analytics is server-side, cookie-less. Events — event_type, tenant_id (hash), timestamp. No device fingerprinting.

7.4. Cookie banner — not required by default since only essential cookies are used (GDPR Art. 5.3 / ePrivacy Directive 5(3) — essential cookies do not require consent). [TBD: if any non-essential cookies are added — add a cookie banner UI in Phase 3.4 follow-up.]

---

8. Data security

8.1. Encryption:

  • At rest — AES-256 (Google Cloud Storage / Firestore default).
  • In transit — TLS 1.2+ on all connections.

8.2. Access control:

  • Firebase Auth + Firestore rules (see docs/multi-tenancy.md);
  • Least-privilege for Operator staff;
  • Audit log of all material actions, including administrative.

8.3. Tenant isolation:

  • Subcollection-based isolation;
  • Cross-tenant negative tests in CI (see Phase 1 Done criteria).

8.4. Backups:

  • Daily Firestore export → Google Cloud Storage europe-west1;
  • 90-day rolling retention;
  • Encrypted (Google-managed keys; [TBD: customer-managed keys for Enterprise]).

8.5. Incident management / breach notification:

  • Detection → triage (< 4 hours);
  • Customer notification (for personal-data breach) — within 72 hours of detection (GDPR Art. 33);
  • Data subject notification (where high risk) — without undue delay (Art. 34);
  • Roskomnadzor notification (where applicable to 152-FZ) — within statutory deadlines.

8.6. Operator staff:

  • Sign NDAs;
  • Access to production data — only where technically necessary, with logging;
  • Regular security and privacy training.

---

9. Children and the Service

9.1. The Service is not intended for individuals under 18. We do not knowingly collect data from minors. If discovered — data is deleted on the legal guardian's request.

---

10. Changes to the Policy

10.1. Material changes are announced 30 days in advance via the Tenant Owner's email + in-app banner.

10.2. Non-material changes (wording clarifications, contact updates) may be made without prior notice; the current version is identified by the "Effective from" date in the header.

10.3. Past-versions archive — app/(public)/legal/privacy/history ([TBD]).

---

11. Privacy contact

  • Privacy / DPO: [TBD: privacy@bendahara.app or dpo@bendahara.app]
  • Postal address: [TBD]

Subject-rights requests under section 6 — to the above email with subject line [Privacy Request]. Response time — up to 30 calendar days.

> Versioning: 0.1.0-draft → 1.0.0 upon first publication.