Privacy Policy
Last updated: 13 May 2026
1. Who we are (data controller)
The data controller for the Human Sender service is Blustrix OÜ, a private limited company registered in Estonia (registry code 16864889), with registered address at Ahtri tn 12, Tallinn, 15551, Estonia.
For all privacy-related requests, contact us at legal@humansender.com.
2. What data we collect and why
Account data
When you register, we collect your email address and, if you complete SMS verification, your phone number. We use this to authenticate you and send you service notifications. Legal basis: performance of a contract (Article 6(1)(b) GDPR).
Profile data
You may optionally provide a display name, profile photo, and LinkedIn profile URL. This data is publicly visible on your Human Sender profile page and on verification pages shown to recipients of your signed messages. Legal basis: consent (Article 6(1)(a) GDPR). You can update or remove this data at any time.
Verification codes and message data
When you sign a message, we store the code, a timestamp, an optional recipient hint you provide, and optionally a hash of the message body and a preview (up to 200 characters). We do not store the full message body. Codes expire after 30 days. Legal basis: performance of a contract (Article 6(1)(b) GDPR).
Identity verification data (Levels 2–4)
Higher verification levels require submitting a government-issued identity document and a liveness check. This process is handled by our third-party provider Didit (didit.me). We receive a verification result and confidence score; we do not store the raw identity document images ourselves. Legal basis: consent (Article 6(1)(a) GDPR).
Technical and usage data
Our infrastructure (Vercel and Supabase) automatically logs IP addresses, browser type, timestamps, and pages visited as part of normal server operation. This data is used for security monitoring and debugging. Legal basis: legitimate interests (Article 6(1)(f) GDPR).
3. Data sharing and processors
We do not sell your personal data. We share it only with the following sub-processors:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Web hosting, edge network | EU regions |
| Didit | Identity verification (Levels 2–4 only) | EU |
All processors operate under data processing agreements that require them to handle data in compliance with GDPR.
4. International transfers
We store all personal data in EU regions (Frankfurt). We do not transfer personal data to countries outside the European Economic Area (EEA) except where covered by an adequacy decision or Standard Contractual Clauses.
5. How long we keep your data
We retain data for the following periods:
- Account data: for the lifetime of your account, then deleted within 30 days of account deletion.
- Verification codes: 30 days from creation (message codes), 2 minutes from creation (live codes). Expired codes are purged automatically.
- Profile data: retained until you update or delete it, or delete your account.
- Server logs: up to 90 days, as retained by our infrastructure providers.
- Identity verification records: retained per Didit's data retention policy; we retain only the resulting verification level.
6. Your rights under GDPR
As a data subject under GDPR, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate data (most profile data you can update directly in your dashboard).
- Erasure: request deletion of your personal data ("right to be forgotten").
- Portability: receive your data in a structured, machine-readable format.
- Restriction: request that we limit processing of your data in certain circumstances.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at legal@humansender.com. We will respond within 30 days.
7. Cookies and local storage
Human Sender uses only strictly necessary session cookies set by Supabase for authentication. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under Article 5(3) of the ePrivacy Directive.
If we introduce non-essential cookies in the future, we will update this policy and obtain your consent first.
8. Children
The Service is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before material changes take effect. The "last updated" date at the top of this page will always reflect the current version.
10. Complaints
If you have a concern about how we handle your personal data, please contact us first at legal@humansender.com.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), the supervisory authority for data protection in Estonia:
www.aki.ee · info@aki.ee · +372 627 4135
EU residents may also contact the supervisory authority in their country of residence.
11. Contact
For any privacy question or request:
legal@humansender.com
Blustrix OÜ · Registry code 16864889
Ahtri tn 12, Tallinn, 15551, Estonia