Data Privacy & Compliance
How Bervice minimizes data collection, encrypts everything by default, and aligns with global privacy regulations (e.g., GDPR/CCPA) through clear roles, transparent processing, and user-first controls.
Bervice follows a strict data minimization model. We do not store plaintext files, passwords, or titles . Your content is encrypted locally and stored off-chain in decentralized storage. On-chain we only record the minimum metadata needed for subscription state and referral accounting—never your plaintext personal content.
Controller vs. Processor. For your end-user account and app telemetry, Bervice acts as a data controller. For encrypted content you upload, we operate infrastructure as a data processorunder your instructions. Where required, we offer a Data Processing Addendum (DPA), Standard Contractual Clauses (SCCs) for international transfers, and maintain a record of processing activities.
Lawful Basis & Consent. We rely on contract necessity to provide the service (e.g., subscription management), legitimate interests for basic security/anti-abuse, and consent for optional analytics or cookies. All optional data collection can be toggled off. We never sell personal data.
User Rights. You can exercise access, rectification, deletion, portability, and objection rights from the in-app privacy panel. Because content is end-to-end encrypted, deletion is immediate and cryptographically enforced by removing keys and unpinning associated encrypted blobs. Off-chain caches and pins are purged according to our retention schedule.
Telemetry & Cookies. By default, only strictly necessary cookies are used (session/security). Optional analytics are opt-in, anonymized where possible, and never linked to your encrypted content or wallet addresses. We publish a full cookie list and purpose descriptions in our Cookie Policy.
Retention & Deletion. Account metadata is retained only while your subscription is active and for a short statutory period for fraud/financial compliance. Encrypted content is retained while pinned; upon deletion, keys are destroyed and blobs are scheduled for removal from our pinning cluster.
Security & DPIAs. We conduct Data Protection Impact Assessments for high-risk features, implement role-based access for internal tools, and require security training and confidentiality agreements for staff. Third-party sub-processors undergo due diligence and are listed with purposes and locations.
Incident Response. We operate a 24/7 on-call rotation, log integrity events, and notify affected users without undue delay if a breach materially impacts personal data. Thanks to end-to-end encryption, exposure risk is significantly reduced because servers never see plaintext content.
For specifics, see Data Minimization, Key Management, Post-Quantum Cryptography (PQC), and Sub-processors.