Privacy Policy

Summary.Sepky is a messaging product with payments. We collect the minimum needed to run accounts, deliver messages, process payments, prevent fraud, and comply with law. Payment details are handled by our payment providers; we don't store full card numbers.

Data minimisation. We only collect what is strictly necessary to run the Sepky Protocol: your email, your @handle (if you set one), and your transaction history. We do not track your location, we do not sell your data to third parties, and we do not use advertising tracking cookies.

1. Who we are

This Privacy Policy explains how Sepky("Sepky", "we", "us", "our") collects, uses, shares, and protects personal data when you use our website, apps, and related services (the "Service").

If you have questions, contact support@sepky.com.

2. What this policy covers

• The Service (including public links like sepky.com/your-handle), messaging, wallets/balances, and onboarding.
• Interactions with us (support emails, transactional emails, and product notifications).
• It does not cover third-party sites or services you access through Sepky. Those have their own privacy policies.

3. Personal data we collect

We collect information you provide, information generated in-product, and limited technical data.

• Account data. Email address, authentication/session identifiers, and account status.
• Profile data. Handle, display name, bio, avatar, pricing, and other fields you choose to publish.
• Messaging data. Message content, attachments you upload, timestamps, and related conversation/handshake identifiers.
• Payment and wallet data. Transaction amounts, wallet balances (deposits/earnings), refund/withdrawal records, and payment provider identifiers (for example Stripe customer IDs, checkout session IDs, payment intent IDs, and transfer IDs).
• Reviews and reputation. Ratings and review text, plus aggregates shown on gates (for example average rating, response count).
• Invites / external recipients.If you invite someone by email, we process the recipient's email to deliver the invitation and enable them to claim/access the message and funds.
• Support communications. Messages you send to support and any information you include.
• Device/usage data. Basic logs and security signals that may include IP address, user-agent, and timestamps (typically via our hosting and infrastructure providers).

Sensitive data.Please don't send sensitive personal data (for example health data, government ID numbers, or passwords) in messages. If you do, you do so at your own risk.

3.2 Message storage and access

• Storage. Messages are stored in our database (including metadata like timestamps and conversation identifiers). Message delivery uses encrypted connections (TLS) in transit. Where supported by our infrastructure providers, data is protected with encryption at rest.
• Participant access. Message content is primarily accessible only to the Sender and the Recipient through their authenticated accounts. We use access controls (including database Row Level Security) designed to restrict message access to the relevant participants.
• Platform access. Authorised Sepky personnel may access message content strictly when necessary for dispute resolution, fraud and safety investigations, product support, or legal compliance.
• Automated processing. Our systems may use automated tools to scan messages and attachments for prohibited or harmful content (for example spam, phishing, or malware) to help keep the protocol safe.

3.1 Non-users ("Ghost") data

We process limited data (email addresses) of non-users when a verified Sepky user initiates a Financial Bond for them. This data is used solely to facilitate the notification and claim of said funds. If the funds are not claimed within 48 hours, the record is flagged for archival.

4. How we use personal data

• Provide the Service. Create accounts, authenticate users, display profiles and gates, deliver messages, and operate the wallet/bond system.
• Payments, refunds, and withdrawals. Initiate and reconcile transactions, handle refunds, and pay out earnings (where available).
• Handshake visibility. By engaging in a Bonded Request, the Sender and Receiver agree to share their @handles and the status of the transaction with each other.
• Safety and fraud prevention. Detect abuse, prevent fraud, enforce product rules, and secure accounts.
• Customer support. Respond to your requests and troubleshoot issues.
• Legal compliance. Meet legal obligations and respond to lawful requests.
• Improve the product. Debug, monitor reliability, and improve features.

5. Legal bases (UK/EU-style)

Where applicable (for example under UK GDPR/EU GDPR), we process personal data on these bases:

• Contract. To provide the Service you request.
• Legitimate interests. To prevent abuse, keep the Service secure, and improve the product.
• Legal obligation. To comply with financial, tax, and other legal requirements.
• Consent. Where we ask (for example, optional communications), you can withdraw consent at any time.

6. Cookies and similar technologies

We use "Essential Cookies" to keep you logged in and secure. We do not use "Tracking Cookies" for advertising. Sepky uses cookies primarily for authentication (to keep you signed in and to secure your session). We may also rely on cookies or similar technologies used by our third-party providers (for example to detect fraud or maintain checkout sessions).

You can usually control cookies through your browser settings. Disabling cookies may break login and other core Service functionality.

7. How we share personal data

We share personal data only as needed to run Sepky.

• Payment providers. To process card payments, holds, refunds, top-ups, and payouts (for example Stripe). These providers process payment information under their own terms and privacy policies.
• Financial data (Stripe). Sepky does not store your credit card numbers. All payment processing is handled by Stripe. We store limited payment records and provider identifiers (for example Stripe customer IDs, checkout session IDs, payment intent IDs) to reconcile transactions, support refunds/withdrawals, and help with support. We do not store full card numbers, CVCs, or card expiry dates in our database.
• Infrastructure providers. Hosting, storage, databases, and content delivery that keep the Service running (for example Supabase).
• Email delivery. Transactional email delivery (for example Postmark).
• Other users. Your public profile/gate data is visible to anyone who visits your public link. Messages and reviews are shared with the relevant participants as part of the Service.
• Legal and safety. If required by law, court order, or to protect Sepky, our users, or the public.
• Business transfers. If Sepky is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that deal (subject to appropriate safeguards).

We do not sell personal data.

8. International data transfers

Your data is stored in Supabase (AWS London region). Some processing (like Stripe payments) may occur in the US under Standard Contractual Clauses.

9. Data retention

We keep personal data for as long as needed to provide the Service, comply with law, resolve disputes, and enforce agreements.

• Account and profile. Retained while your account is active and for a reasonable period after deletion where required for legal/operational reasons.
• Messages and transactions. Financial and messaging records may be retained for longer to support audits, fraud prevention, disputes, and legal compliance.
• Right to be Forgotten.You have the "Right to be Forgotten." If you delete your account, we wipe your profile data. However, we are legally required to keep Financial Transaction Records for 7 years to comply with UK tax laws.
• Backups. Copies may persist for a limited time in backups.

10. Security

We use reasonable technical and organisational safeguards designed to protect personal data. No system is perfectly secure; you are responsible for keeping access to your email account secure, since Sepky login relies on email OTP.

11. Your choices and rights

Privacy rights depend on where you live (and sometimes which US state you are in). The list below describes common requests we honour where applicable. If you are unsure what applies to you, contact us — we will respond in line with applicable law.

• Access / portability. Request a copy of your data.
• Correction. Update inaccurate information in your profile or by contacting us.
• Deletion. You can delete your account in-product where available. Some records may be retained as described above.
• Marketing opt-out. If we ever send non-essential marketing emails, you can opt out.

United Kingdom and European Economic Area. If UK GDPR or EU GDPR applies to you, you may have additional rights (for example to object to certain processing, to restrict processing, or to lodge a complaint with a supervisory authority). Our legal bases are described in section 5.

United States. Several US states have privacy laws that may give residents rights such as access, deletion, and correction of personal information, and (where applicable) opt-out of certain uses. We do not sell personal information as defined under those laws. To exercise rights available in your state, contact us using the email below. We will not discriminate against you for exercising privacy rights where such protection applies.

Other countries. If local law gives you rights we have not listed here, contact us and we will handle your request in line with that law where we are required to.

To exercise rights, email support@sepky.com from the email on your Sepky account.

12. Children

Sepky is not intended for children. You must be at least 18 to use the Service.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the latest version on this page and update the "Last updated" date. Continued use of the Service after an update means you accept the updated policy where permitted by law.

14. Contact

For privacy questions or requests, contact support@sepky.com.