1. Controller
The data controller for personal data processed through hbar systems is the operator (New York, USA), acting in a sole-proprietor capacity until a legal entity is formed. Contact: privacy@hbar.systems.
2. Scope
This notice applies to personal data processed by hbar.systems and all subsystems operating under the hbar namespace, including site analytics, account data, and engagement-specific materials processed under Category A commercial engagements (see hbar.legal §2.2).
3. Lawful Bases (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — to deliver services agreed under Category A or Category B engagements.
- Legitimate interests (Art. 6(1)(f)) — for operational analytics, security, and improving published systems, balanced against user rights.
- Consent (Art. 6(1)(a)) — for optional features, communications, and any processing not covered by the bases above. Consent may be withdrawn at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and regulatory requirements.
4. Categories of Data
- Identifiers: email address, name where voluntarily provided.
- Site analytics: page views, referrers, approximate region, aggregated where possible.
- Engagement data: materials shared under a Category A contract, processed only as needed to deliver the agreed service.
No special-category data (GDPR Art. 9) is intentionally processed. Users should not submit such data through hbar surfaces.
5. Retention
Account data is retained for as long as the account is active and for a reasonable period thereafter for accounting and dispute-resolution purposes. Engagement materials are retained per the applicable written contract or, absent one, for 24 months from last activity. Analytics are retained in aggregated form indefinitely; raw identifiers are deleted or anonymized within 12 months.
6. International Transfers
hbar systems are operated from the United States. Where personal data of EEA or UK users is transferred to the US or other third countries, the operator relies on appropriate safeguards under GDPR Art. 46 (including Standard Contractual Clauses where applicable) and on the EU-US Data Privacy Framework where the processor is certified.
7. User Rights (GDPR Art. 15-22)
Users located in the EEA or UK have the right to:
- Access (Art. 15) — confirmation of processing and a copy of personal data.
- Rectification (Art. 16) — correction of inaccurate data.
- Erasure (Art. 17) — deletion where the lawful basis no longer applies.
- Restriction (Art. 18) — limiting processing during disputes.
- Portability (Art. 20) — receipt of data in a structured, machine-readable format.
- Objection (Art. 21) — to processing based on legitimate interests.
- Not to be subject to automated decision-making (Art. 22) with legal or similarly significant effects.
Requests: privacy@hbar.systems. The operator will respond within one month (GDPR Art. 12(3)).
8. Complaints
Users in the EEA may lodge a complaint with their local supervisory authority. Users in the UK may lodge a complaint with the Information Commissioner's Office (ICO).
9. Changes
This notice is versioned together with the hbar.legal framework. Material changes will be reflected in the document version identifier.
10. Contact
privacy@hbar.systems