Privacy Policy

Experts by OStory Platform with its registered office in Kraków, Poland, address: Bociana 6B/46, e-mail: experts@ostoryplatform.com, as the personal data controller, provides the following Privacy Policy in accordance with Regulation (EU) 2016/679 (GDPR) and the Polish Personal Data Protection Act.

1. What data do we collect and why?

a) Registration / login (Supabase Auth)

• Required data: e-mail, first name, last name, role (User/Client or Expert), location (optional).
• Purpose: account identification, enabling login and UI personalization.
• Legal basis: performance of a contract/user request (Art. 6(1)(b) GDPR).

b) Expert profile

• Portfolio URL, certifications, industries, offered services, additional information (max. 600 characters).
• Purpose: presenting the offer and facilitating matching for clients.
• Legal basis: performance of a contract / consent (depending on functionality).

c) Messages (chat/inbox)

• You exchange messages through the system (React + supabase).
• We do not share these data with third parties and they are encrypted in the database.
• Purpose: communication between user and expert.
• Legal basis: legitimate communication (Art. 6(1)(f) GDPR – legitimate interests of the Administrator and users).

d) Reviews and ratings

• Data: text comment (up to 500 characters), star rating (1–5).
• Collected after service completion – only by the client.
• Purpose: building trust and credibility of experts.
• Legal basis: client consent / performance of contract / legitimate interest (quality verification).

e) Search / embeddings (AI)

• We process text queries to generate embeddings (OpenAI).
• Embeddings do not contain sensitive data and analytics are anonymized.
• Purpose: better expert matching in the search engine (semantic search).
• Legal basis: legitimate interest (improving quality and UX).

f) Notifications (in-app + e-mail)

• System notifications (e.g. new message, completion of an order) – and optional e-mail notifications.
• Purpose: informing the user about actions requiring attention.
• Legal basis: performance of a contract / consent (if mailing).

g) Logs and security

• Log data (who, when, what actions were performed), event audit (RLS, trigger, edge functions).
• Purpose: security, protection against abuse, legal compliance (e.g. confidentiality of communication).
• Legal basis: legitimate interest (ensuring security and integrity of the service).

2. How long do we store data?

• Registration and profile data: until the user deletes the account.
• Messages: at least as required by law (e.g. 6 months / 1 year – in accordance with telecommunications law).
• Reviews: remain public unless the user requests deletion (right to be forgotten).
• Logs: minimum per GDPR requirements (e.g. 6 months) or longer for security audits.
• Notifications / e-mails: temporarily, e.g. 30 days.

3. Who do we share data with?

• No participants – data are not sold or shared with third parties.
• Technical service providers (Supabase, Vercel, OpenAI) – only as processors under data processing agreements.
• When required by law (e.g. law enforcement authorities) – only upon a valid court decision or as required by law.

4. Your rights (under GDPR)

• right of access to data
• right to rectification
• right to erasure ("right to be forgotten")
• right to restrict processing
• right to data portability
• right to object
• right to withdraw consent

You can exercise these rights via the user panel or by e-mail: experts@ostoryplatform.com. You also have the right to lodge a complaint with the President of the Personal Data Protection Office.

5. Cookies / tracking files

• We use essential cookies required for operation (session, authentication).
• Other files (analytics, optimization) operate after your consent (consent banner).
• You can manage consents in your browser settings.

6. Changes and contact

• The privacy policy may be updated – latest version: 27.08.2025
• If you have questions or wish to exercise your rights – write to experts@ostoryplatform.com