privacy
last updated · 2026-05-24
pre-launch notice. b3rri isn't shipped yet. counsel is still reviewing this policy. the version that ships with the app may differ from what's on this page today — when it changes, we'll publish a diff so you can see exactly what moved.
at a glance
- today, the only personal data we collect is the email you give the waitlist. that's it.
- emails are encrypted at rest (AES-256-GCM) with the key held separately from the database.
- we don't sell your data. ever. no ad pixels, no third-party analytics, no fingerprinting.
- self-service deletion: visit the waitlist page and use the "remove me" link, or email [email protected]. either way we confirm by email and finish the deletion in seconds — not days.
- in the EU/UK you have full GDPR rights. in korea, full 개인정보보호법 and 정통망법 rights. in the US, full CCPA/CPRA rights. none of these are optional for us.
- if there's a breach, we'll tell the regulator (72h GDPR, 24h korea) and tell you without delay if you're at real risk. we'll say what happened, not soft-pedal it.
who we are
b3rri is built by b3rri labs. this policy covers the waitlist site (alpha.b3rri.com today) and the b3rri mobile app (iOS, summer 2026; android about three months after). today, only the waitlist collects any data. anything labeled at launch describes the app, not the site.
contact: [email protected].
what personal data we collect
the waitlist, today
- your email, encrypted at rest.
- an HMAC-SHA-256 hash of your email, used only to detect duplicates without reading the plaintext.
- the masked IP address of the signup request — for v4 we zero the last octet (203.0.113.42 → 203.0.113.0), for v6 we keep only the first 64 bits. the full address never goes to the database. used for abuse and rate-limit defense.
- the user-agent and referer of the signup request, capped at 512 characters.
- a sha256 hash of your verification token (never the raw token), with a 7-day expiry. consumed on first click.
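the IP masking rule above as an added example (not b3rri's code; the function names are hypothetical). it goes beyond the two cases in the text by handling "::" compression, zone ids, and IPv4-mapped IPv6 addresses:

```javascript
// added example: names are hypothetical, not b3rri's code.

// IPv4: zero the last octet, i.e. keep the /24.
function maskIPv4(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error(`invalid IPv4 address: ${ip}`);
  return [...parts.slice(0, 3), '0'].join('.');
}

// expand IPv6 text into eight 16-bit groups, undoing "::" compression.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  let groups = halves[0] ? halves[0].split(':') : [];
  if (halves.length === 2) {
    const tail = halves[1] ? halves[1].split(':') : [];
    const missing = 8 - groups.length - tail.length;
    if (missing < 1) throw new Error(`invalid IPv6 address: ${ip}`);
    groups = [...groups, ...Array(missing).fill('0'), ...tail];
  }
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  return groups.map((g) => parseInt(g, 16));
}

// IPv6: keep the first 64 bits (four groups), drop the interface identifier.
// output is valid IPv6 text, though not always the shortest form.
function maskIPv6(ip) {
  const prefix = expandIPv6(ip).slice(0, 4).map((g) => g.toString(16));
  return `${prefix.join(':')}::`;
}

// entry point: call this before the address reaches any log line or row.
function maskIp(raw) {
  const ip = raw.trim().split('%')[0]; // drop an IPv6 zone id such as %eth0
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) carries a v4 client; mask it as v4.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) return maskIPv4(mapped[1]);
  return ip.includes(':') ? maskIPv6(ip) : maskIPv4(ip);
}
```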
the app, at launch
- account and profile: display name, photo, bio, your native and learning language (the matching primitive for voice rooms).
- OAuth identifiers from apple or google.
- voice and video streams. not recorded by default.
- media you upload (loopi, photofeed, boards).
- messages and posts.
- your social graph (follows, blocks, mutes).
- in-app purchase receipts only. we do not see card numbers.
- device and push tokens, OS version, locale, crash diagnostics.
- moderation signals tied to reports or trust and safety review.
the lawful basis (GDPR art. 6)
| basis | what we rely on it for |
|---|---|
| consent | waitlist email and verification token; optional marketing at launch |
| legitimate interest | abuse defense, rate limiting, moderation |
| contract | profile, content, voice rooms, payments — at launch |
| legal obligation | tax, fraud, and reporting duties tied to payments — at launch |
in korea we collect granular consent per 개인정보보호법 and 정통망법, separated by purpose.
how we collect, use, and share it
we collect data directly from you, from server logs of your requests, from your sign-in provider, and from your mobile device.
we use it to run the service, match people by language pair, defend against abuse, process payments, send notifications you've opted into, and comply with the law.
sub-processors today: cloudflare, resend, and the cluster operator. at launch we add apple and google for in-app purchases and push, a media CDN, a real-time communications provider, and an observability vendor. each handles a defined slice under contract.
we do not sell your personal data, under any definition. we respond to law enforcement only on a valid legal order. we push back when an order is overbroad. we notify the affected person where the law allows.
how we protect it (today)
- emails are encrypted at rest with AES-256-GCM, using a 96-bit IV and a 128-bit authentication tag.
- the key lives in a sealed-secrets controller, separate from the database.
- duplicate detection uses HMAC-SHA-256 with a pepper rotated independently of the encryption key.
- the production app refuses to boot if those secrets aren't present.
- traffic is TLS 1.2+.
- reading a row requires both the database credential and the cluster encryption key. they're held by different operators.
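an added sketch of the record handling these bullets describe, using node's built-in crypto module. it is not b3rri's code: the env variable names, the row shape, and the trim-and-lowercase normalization are assumptions.

```javascript
const crypto = require('node:crypto');

// boot check: refuse to start unless both secrets are present and well-formed.
// EMAIL_ENC_KEY and EMAIL_HMAC_PEPPER are hypothetical names (hex-encoded).
function loadSecrets(env) {
  const key = Buffer.from(env.EMAIL_ENC_KEY || '', 'hex');
  const pepper = Buffer.from(env.EMAIL_HMAC_PEPPER || '', 'hex');
  if (key.length !== 32) throw new Error('EMAIL_ENC_KEY must be 32 bytes');
  if (pepper.length < 32) throw new Error('EMAIL_HMAC_PEPPER missing or short');
  return { key, pepper };
}

// assumption: addresses are trimmed and lowercased so duplicates compare equal.
function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// build the stored row: ciphertext + IV + tag, plus the keyed dedupe hash.
function sealEmail(email, { key, pepper }) {
  const plain = normalizeEmail(email);
  const iv = crypto.randomBytes(12); // 96-bit IV, fresh for every row
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  const ct = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]);
  return {
    iv,
    ct,
    tag: cipher.getAuthTag(), // 128-bit authentication tag
    // the pepper is a different secret from the key, so it rotates on its own
    dedupe: crypto.createHmac('sha256', pepper).update(plain).digest('hex'),
  };
}

// decrypt a row; final() throws if the ciphertext, IV or tag was altered.
function openEmail(row, { key }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, row.iv, { authTagLength: 16 });
  d.setAuthTag(row.tag);
  return Buffer.concat([d.update(row.ct), d.final()]).toString('utf8');
}
```

duplicate checks compare only the `dedupe` column, so they never need the encryption key.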
at launch we add: scheduled key rotation, audit logs for sensitive operations, signed media URLs with short expiry, certificate pinning where feasible, secure token storage on device, and jailbreak/root signals used only for moderation context.
no system is perfectly secure. we won't pretend otherwise.
how long we keep it
- waitlist email and signup metadata: 12 months after the verify click. a nightly job (03:00 UTC) deletes rows past their `retention_purge_after` deadline — this is enforced in code, not a promise.
- server logs: 30 days.
- unverified signups (no opt-in click): 30 days, also enforced by the nightly purge.
- self-service deletion: immediate row delete after you confirm the OTP email. the request itself is kept for 7 days as an audit record (no PII, just a hash and a timestamp).
- account data after deletion: hard purge within 30 days, except where retention is required for tax or abuse history.
- voice rooms and calls: not recorded.
- uploaded media: until you delete it; CDN caches expire within 24 hours.
- moderation records: up to 2 years.
international transfers
our cluster sits in korea and serves the world.
for the EU, EEA, and UK we rely on the standard contractual clauses (Commission Decision 2021/914) and the UK IDTA. the supplementary technical measures are the AES-256-GCM at-rest encryption and HMAC pepper described above. for other jurisdictions we use equivalent contractual safeguards.
your rights
everyone: email [email protected]. we acknowledge within 7 days and complete within 30.
- GDPR (EU/EEA). access, rectification, erasure, portability, restriction, objection, and withdrawal of consent. you can complain to your national data protection authority. we don't yet have an EU representative; that will be appointed before EU launch.
- korea (개인정보보호법 / 정통망법). access (열람), correction (정정), deletion (삭제), suspension of processing (처리정지), and withdrawal of consent (동의철회). you can contact KISA at 118 or the personal information protection commission.
- CCPA / CPRA (california). the right to know, delete, correct, limit use of sensitive personal information, and non-discrimination for exercising those rights. we don't "sell" or "share" your data in the CCPA sense.
- LGPD (brazil), PIPEDA (canada), privacy act (australia). the equivalent local rights apply.
children
b3rri is not for anyone under 13. at launch the app will gate signup at 13, or higher where the law requires (16 in parts of the EU, 14 in parts of korea). if you believe a child has signed up, email [email protected]. there is no child-oriented version of b3rri.
cookies and tracking
only strictly-necessary cookies. no third-party analytics, no ad pixels, no fingerprinting. this is deliberate, not provisional.
at launch we will add first-party product analytics with a visible opt-out. nothing third-party.
if something goes wrong
- under GDPR we notify the lead supervisory authority within 72 hours of becoming aware, and notify you without undue delay if the risk to you is high.
- under korea's 정통망법 and 개인정보보호법 we notify the regulator within 24 hours and notify you without undue delay.
- in the US we follow each state's breach-notification law.
we will tell you what happened, what data was involved, what we've done, and what we recommend you do. plain language.
changes
we update the last updated date when this page changes. for material changes we publish in-app notice and email the waitlist before the change takes effect. at public launch we will publish a full diff of what moved.
Questions? [email protected]