Privacy Policy

Our Commitment to Privacy

At Platcha, we take your privacy seriously. We believe that privacy is a fundamental right, and we've built our platform with privacy-first principles. This policy explains what data we collect, why we collect it, and how we protect it.

Information We Collect

Account Information

When you create an account, we collect:

• Email address (required for account creation and communication)
• Username and display name
• Password (encrypted and hashed - we never store plain text passwords)
• Profile information you choose to provide (bio, skills, portfolio links)
• Payment information (processed securely through our payment processor)

Project and Transaction Data

To facilitate the marketplace, we collect:

• Project descriptions, requirements, and deliverables
• Messages between clients and freelancers (see Messaging section below)
• Work-in-progress files and final deliverables
• Transaction history and commission records (10% of all project values)
• Reviews and ratings

Escrow and Payment Data

Security & Fraud Prevention Data

To protect our platform and users from fraud, abuse, and malicious activity, we collect certain technical identifiers:

• IP Address Hash: We store a keyed cryptographic hash (HMAC-SHA256) of your IP address using a secret key stored securely on our servers. The original IP address is not stored and cannot be recovered from the hash without access to our secret key.
• Device Fingerprint Hash: We generate a privacy-preserving fingerprint based on non-identifying technical characteristics of your browser and device (such as screen resolution, timezone, language settings, and browser capabilities). This data is hashed on your device before transmission, and we store only the keyed hash (HMAC-SHA256) using a secret key—the raw data is never stored on our servers.

Diagnostics and Product Analytics

To keep Platcha reliable and fast, we collect limited diagnostics and performance data such as:

• Error reports and stack traces
• Performance timing and page navigation data
• Browser, device, and operating system details
• Interaction breadcrumbs (clicks and navigation) related to troubleshooting

We use this data solely to debug issues, improve stability, and prevent abuse. We do not use it for advertising.

Legal basis: Legitimate interest in maintaining service reliability (GDPR Article 6(1)(f)).

Session Replay (Sentry)

We use Sentry Session Replay to understand errors and UX issues. This captures a visual representation of the app around errors and a small sample of sessions.

• Text content is masked
• Images, video, and audio are blocked
• For authenticated users, replays may be linked to your user ID and email address to help us identify and resolve issues specific to your account
• Replays are used only for debugging and quality improvements

Opt-out: If you would like to opt out of Session Replay, contact us at contact@platcha.com and we will disable replay collection for your account. Essential error logging for security and reliability is not affected.

Support and Feedback

When you submit feedback or a diagnostic report, we collect the information you provide (such as name, email, and message) and optional screenshots. This data is used only to resolve issues and improve product quality.

How We Use Your Data

We use your data exclusively to:

• Provide and improve our marketplace services
• Facilitate transactions between clients and freelancers
• Process payments and manage the escrow system
• Communicate about your projects and account
• Prevent fraud and ensure platform security
• Comply with legal obligations

Messaging and Communications

Platcha provides messaging features for project collaboration:

• Messages are stored encrypted and accessible only to participants
• We may review messages if abuse, fraud, or illegal activity is reported
• Message data is retained for 6 months for dispute resolution purposes
• Messages older than 6 months are automatically deleted

Data Security

We implement industry-standard security measures:

• End-to-end encryption for sensitive data
• Regular security audits and penetration testing
• Secure data centers with redundant backups
• Two-factor authentication (2FA) available
• Employee access controls and background checks

Your Rights

You have full control over your data:

• Access: Request a copy of all your data
• Correction: Update or correct inaccurate information
• Deletion: Request account and data deletion (subject to legal retention requirements)
• Export: Download your data in a portable format
• Objection: Object to certain data processing activities

Cookies, Fingerprinting, and Tracking

We use minimal, essential cookies and security measures:

Cookies

• Essential cookies: Required for authentication and security (no consent required under GDPR)
• Functional cookies: Remember your preferences (theme, language)

Device Fingerprinting

We use privacy-preserving device fingerprinting for security purposes only. This technology:

• Collects technical browser characteristics (screen size, timezone, language, installed fonts, graphics capabilities)
• Immediately converts this data into an irreversible hash on your device
• Only transmits and stores the hash—never the underlying data
• Is used solely for fraud detection and preventing ban evasion
• Does not track you across websites or enable advertising
• Does not automatically block access—it provides signals for manual admin review only

Legal basis: We process this data under our legitimate interest in preventing fraud and maintaining platform security (GDPR Article 6(1)(f)). We have conducted a balancing test and determined that this minimal, privacy-preserving approach does not override your rights, as (1) only hashes are stored, (2) no personal identification is possible from the hash alone, and (3) the data is used exclusively for security.

What We Don't Do

• We do not use advertising or tracking cookies
• We do not sell data to third parties
• We do not use fingerprinting for targeted advertising
• We do not share fingerprint data with any third party

Third-Party Services

We work with trusted service providers:

• Payment processors (Stripe) for secure transactions
• Cloud hosting providers (AWS/Vercel) for infrastructure
• Email services (Resend) for transactional emails
• Error monitoring and session replay (Sentry)

These providers are contractually bound to protect your data and use it only for providing services to Platcha.

International Data Transfers

Platcha operates globally. Your data may be transferred to and processed in countries outside your residence. We ensure all transfers comply with GDPR and use Standard Contractual Clauses where required.

Children's Privacy

Data Retention

We retain your data for different periods:

• Active accounts: As long as your account is active
• Closed accounts: 90 days after closure (unless legal requirements apply)
• Transaction records: 7 years (tax and legal compliance)
• Messages: 6 months
• Security data (IP hashes, fingerprint hashes): 2 years, or until account deletion request is processed

Your Right to Object

Under GDPR Article 21, you have the right to object to processing based on legitimate interest. If you object to security fingerprinting:

• Contact us at contact@platcha.com with your objection
• We will review your request and respond within 30 days
• Note that we may need to retain certain security data if there are compelling legitimate grounds (e.g., ongoing fraud investigation)

Changes to This Policy

We may update this policy occasionally. Significant changes will be communicated via email and a notice on the platform. Continued use after changes constitutes acceptance of the updated policy.

Contact Us

Questions about privacy? We're here to help:

• Email: contact@platcha.com

We aim to respond to all privacy inquiries within 48 hours on business days.