1. Overview & Data Controller
At Beedy, we believe privacy is a fundamental right. This policy explains how we collect, use, share, and protect your personal data when you use beedy.app (the "Platform"), the marketplace operated by Beedy Market LTD. It is written in plain language so you can understand quickly, while satisfying the disclosure requirements of GDPR Articles 13–14 and Israeli Privacy Protection Law Amendment 13.
If anything is unclear, contact our privacy team at privacy@beedy.app. You have the right at any time to receive a clear explanation of any processing, to exercise the rights listed in Section 7, and to lodge a complaint with the supervisory authority of your country of residence.
Data Controller
The data controller is Beedy Market LTD (ביידי מרקט בע"מ), an Israeli private company (חברה פרטית) incorporated under the Companies Law 5759-1999, Israeli company number 517344826, registered office at Basel St. 2, Herzliya 4666002, Israel. Privacy contact: privacy@beedy.app. For data-protection-specific matters or to exercise your rights, write to privacy@beedy.app — for the avoidance of doubt, this address routes to the Beedy privacy team acting in a DPO-equivalent capacity.
2. Information We Collect & Sources
We only collect the information needed to operate the Platform, secure accounts, comply with legal obligations, and improve the service. The categories below capture what we process; the next section explains the legal bases.
Identity & contact: Your name, email address, phone number, and — for partners — business name, registration / VAT number, professional licence references, and identity verification documents. For Pros operating as natural persons, this is personal data within the meaning of GDPR Article 4(1) and PPL §7.
Service usage: Bookings you make or receive, messages exchanged with the other party in a Booking, reviews, ratings, search and browsing history within the Platform, and metadata about your platform activity (timestamps, device fingerprint for fraud prevention).
Payment data: Card details tokenised by our payment processors (Braintree / Stripe) — Beedy never stores raw card numbers; billing address, transaction history, and chargeback / dispute records. For tax-invoice and anti-fraud purposes we retain transaction metadata in line with statutory retention rules (see Section 6).
Technical data: Device, browser, IP address, language preference, approximate location derived from IP, analytics events, error logs. Where you grant explicit permission, precise geolocation. Technical data is used for security, fraud detection, accessibility, and product improvement (anonymised aggregate analytics).
Where the data comes from
We receive most personal data directly from you (when you register, place a Booking, message a counterparty, or submit a review). For Pros: we may also receive verification data from public business registries (e.g., INSEE / SIRENE in France, רשם החברות in Israel) and from third-party verification providers, as permitted by GDPR Art. 14 and PPL §11. Customers and Pros each receive the other party's contact and Booking details strictly to perform the service contract between them.
3. How We Use Your Information & Legal Bases
Each processing purpose below is paired with the corresponding legal basis under GDPR Article 6 (and, where applicable, GDPR Art. 9 for special-category data). We do not process your personal data for any purpose other than those disclosed here.
Run the Platform: Matching Customers with Pros, handling Bookings, processing payments, delivering customer support, sending transactional notifications related to your Bookings, and providing access to the features you signed up for.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)) — necessary to perform the Beedy Terms of Service and the underlying Booking. PPL §11(1) — necessary for the purpose for which the data was provided.
Security & fraud prevention: Verifying identities, detecting suspicious activity, account-takeover prevention, chargeback fraud detection, abuse prevention, and protecting the rights, property, and safety of Beedy, our users, and third parties.
Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — our interest in preventing fraud and securing the Platform is strong and proportionate; balancing test documented in our internal records and available on request. Legal obligation (GDPR Art. 6(1)(c)) where AML / consumer-protection rules apply.
Product improvement & analytics: Anonymised or pseudonymised analytics to understand usage patterns, fix bugs, prioritise development, and measure feature performance. Where strictly necessary, we may process identifiable data to debug an issue you reported.
Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) for anonymised / aggregated analytics. Consent (GDPR Art. 6(1)(a)) for non-essential analytics cookies — managed via the cookies policy.
Communications & marketing: Onboarding tips, transactional notifications (always sent — required for the service), and marketing emails about new features, promotions, or related services. Marketing emails are only sent with your explicit opt-in consent and you can opt out at any time via the unsubscribe link in every marketing email.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)) for transactional notifications. Consent (GDPR Art. 6(1)(a)) for marketing communications — freely given, specific, and revocable at any time.
Where we rely on legitimate interest, we have conducted a balancing test weighing our interest against your fundamental rights. You may object to processing based on legitimate interest at any time by writing to privacy@beedy.app, and we will stop unless we demonstrate compelling legitimate grounds that override your rights.
5. AI Features & Automated Decisions
Beedy uses AI tools, including third-party large-language-model providers such as OpenAI (under a subprocessor agreement), for limited assistive features. These features are advisory — they help the operator or you make a decision, but they do not autonomously bind anyone or make decisions with legal effect on you.
Personal data sent to AI subprocessors is transmitted over TLS 1.2+ encrypted connections via API. Under our contractual arrangement, AI providers do not train their models on Beedy User Content, and content is not retained beyond what is necessary to process the request. We monitor regulatory developments under the EU AI Act and Israeli AI guidelines and update this policy as we deploy new AI features.
AI features in use
Photo analysis — assistive review of uploaded photos for content moderation (e.g., flagging clearly unsafe or non-compliant content). Final moderation decisions are reviewed by a human before suspension or removal.
Content moderation — assistive screening of reviews, messages, and listings for community-guideline violations. Outputs are advisory; enforcement decisions involve human review.
Category & price suggestion — for Pros, AI may suggest a service category or a price range based on similar Bookings. Suggestions are non-binding; the Pro sets the final terms.
Customer-support assistance — AI may suggest draft responses to support agents. Agents review and edit every response before it is sent to you.
Automated decisions with legal effect (GDPR Art. 22)
Beedy does NOT make decisions producing legal effects or similarly significantly affecting you on a purely automated basis. Acceptance, refusal, or pricing of a Booking is decided by you or by a human Pro, with AI providing optional assistance only. You have the right under GDPR Article 22(3) to obtain human intervention, express your point of view, and contest any decision; write to privacy@beedy.app. For fraud-prevention scoring (which may temporarily flag a transaction for human review), no automated final decision is taken — a human reviewer evaluates flagged transactions before suspension.
6. How Long We Keep Your Data
We keep personal data only for as long as needed for the purpose for which we collected it. Specific periods (mandatory under GDPR Art. 13(2)(a) and PPL §11) are set out below. Where law requires longer retention (e.g., tax, anti-fraud), the longer period prevails.
- Active account data: Identity, contact, and service-usage data are retained for as long as your account is active and for thirty (30) days thereafter, after which personal data is deleted or anonymised — except for the items below.
- Invoices & tax records: Tax invoices, payment receipts, and accounting records: retained for ten (10) years in France (French Commercial Code) and seven (7) years in Israel (Israeli Tax Ordinance), whichever applies based on the user's jurisdiction.
- Anti-fraud & dispute records: Records relating to identified or suspected fraud, chargebacks, and disputes are retained for five (5) years after the last related event, in line with our legitimate interest in preventing repeat fraud and supporting future investigations.
- Consent & cookie preferences: Records of consent (for marketing, cookies, terms acceptance) are retained for five (5) years as proof under GDPR Art. 7. You may withdraw consent at any time; we keep the record of withdrawal for the same period.
- Server logs & technical data: Security logs (IP, access timestamps): retained for twelve (12) months for security and incident investigation. Analytics events: pseudonymised after ninety (90) days; aggregated thereafter.
7. Your Rights & How to Exercise Them
You stay in control of your personal data. Under GDPR Articles 15–22 and the Israeli Privacy Protection Law (as amended by Amendment 13), you may exercise the following rights, free of charge unless requests are manifestly unfounded or excessive:
Access (GDPR Art. 15 / PPL §13): Receive confirmation whether we process your data and, if so, a copy of that data plus the information required by Art. 15 (purposes, recipients, retention, etc.). One free copy per twelve-month period.
Rectification (GDPR Art. 16 / PPL §14): Correct inaccurate or incomplete personal data without undue delay.
Erasure / "Right to be Forgotten" (GDPR Art. 17): Request deletion of your personal data where one of the Art. 17(1) grounds applies. Exceptions: data we are legally required to keep (tax invoices, anti-fraud records, dispute history), data subject to ongoing legal proceedings, and data needed to establish or defend legal claims.
Portability (GDPR Art. 20): Receive your data in a structured, commonly used, machine-readable format (e.g., JSON) and transmit it to another controller where technically feasible. Applies to data processed on consent or contract basis.
Object (GDPR Art. 21): Object to processing based on legitimate interest at any time (including profiling). Object to direct marketing absolutely — we will stop immediately and unconditionally.
Restrict processing (GDPR Art. 18): Ask us to restrict ("freeze") processing of your data in defined circumstances, e.g., while we verify the accuracy of contested data or while we consider an objection.
Withdraw consent (GDPR Art. 7(3)): Where we rely on your consent (marketing, non-essential cookies), withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
How to exercise your rights
Most rights can be exercised directly in Settings → Security & privacy, or by writing to privacy@beedy.app. We respond within one (1) month of receipt (extendable by two months for complex requests, with prior notice). We may ask for proof of identity before acting on a request involving non-public data, to protect you from impersonation.
Right to lodge a complaint with a supervisory authority (GDPR Art. 77)
If you believe our processing infringes data-protection law, you have the right to complain to the supervisory authority of your country of residence — without prejudice to any other administrative or judicial remedy. In France: the Commission Nationale de l'Informatique et des Libertés (CNIL, www.cnil.fr). In Israel: the Privacy Protection Authority (Reshut HaGanat HaPrivatiyut, www.gov.il/he/departments/the_privacy_protection_authority). For other EU/EEA jurisdictions, see edpb.europa.eu/about-edpb/board/members_en.
8. Children's Privacy
Beedy is not intended for persons under the age of sixteen (16). We do not knowingly collect personal data from children under thirteen (13). If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will delete it without undue delay.
In France, the consent threshold for information-society services under GDPR Art. 8 and the French Data Protection Act (Loi Informatique et Libertés) is set at fifteen (15) years; users aged 13–15 must obtain the joint consent of a holder of parental responsibility. In Israel, minors under eighteen (18) lack capacity to enter into binding contracts without a legal representative under the Capacity and Guardianship Law 5722-1962.
If you believe a minor has shared information with us without proper authorisation, please contact privacy@beedy.app so we can investigate and delete the data without delay.
9. Data Security & Breach Notification
We use industry-standard technical and organisational measures to protect your data, proportionate to the risk: encryption in transit (TLS 1.2+) and at rest (AES-256 for sensitive fields), role-based access controls with least-privilege defaults, multi-factor authentication for staff, audit logging, regular vulnerability assessments, and incident-response procedures.
Our infrastructure is hosted on cloud providers with SOC 2 Type II / ISO 27001 certification (or equivalent). We segregate production data from development environments. Access by Beedy staff is logged and limited to a documented business need.
No system is 100% impenetrable. We run a coordinated-disclosure program for security researchers — vulnerabilities should be reported to security@beedy.app with a 48-hour acknowledgement commitment, and we will not pursue good-faith research conducted within the program's scope.
Breach notification commitment
If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33 and Israeli PPL Amendment 13. We will notify the relevant supervisory authority (CNIL / Israeli PPA) under the same timing rule.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect new features, processing activities, regulatory developments, or operational changes. The "last updated" date at the top of this page always reflects the current version.
Where a change is material — adding a new processing purpose, expanding the scope of personal data collected, or introducing a new category of recipient — we will notify you in advance via in-app notification and email, and (where required by law) seek renewed consent before applying the change to data already collected. Non-material changes (clarifications, typo fixes) may be made without notice; previous versions remain available on request.
We recommend reviewing this page periodically. You may also subscribe to a notification list (write to privacy@beedy.app) to be alerted of every update.
12. Contact Us & Supervisory Authority
Questions, requests, or concerns about your privacy or this policy? Our privacy team is here for you. We respond within five (5) business days for general inquiries, and within one month for formal rights requests (extendable by two months for complex matters, with prior notice).
Privacy team (DPO-equivalent)
privacy@beedy.app
If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority of your country of residence — see Section 7 for the CNIL (France) and Israeli Privacy Protection Authority contact details. You may also seek judicial remedies in your local courts where law so provides.
Frequently Asked Questions (FAQ)
Have more questions? Reach out via the chat or contact our privacy team.