Privacy Policy
Operated by Ebenworks Systems (Pvt) Ltd · accounts.ebstar.co · Last updated 24 June 2026
This policy explains how Ebenworks Systems (Pvt) Ltd, a private company incorporated in Zimbabwe (“Ebenworks”, “we”, “us”), handles your personal information. We operate Ebenworks Accounts (accounts.ebstar.co), the central account system for the Ebenworks family of products (such as BidWright, Imali, Phila, Chingu AI and Dates A–Z). It gives you one sign-in and one place to manage your account and subscriptions across those products. We are the data controller for the account, identity and billing data described here. For privacy questions or to exercise your rights, contact privacy@ebstar.co.
Each individual product may process additional data within that product under its own notice; this policy covers only the central account system.
What we collect
- Account identity — your email address and/or mobile phone number (at least one is required; some products are phone-first), your name, an optional profile picture, and a securely hashed password (we never store your password in plain text).
- Google sign-in (optional) — if you choose “Continue with Google”, Google shares your basic profile with us: your email address, name and profile picture. We use it only to create or sign you into your Ebenworks account.
- Organisation & subscriptions — which Ebenworks products you use and your plan, subscription status and limits for each.
- Payments — when you subscribe to a paid plan, payment is handled by our payment providers (see Payments & Merchant of Record below). We keep payment status and records (amount, currency, plan, date, a gateway reference); we do not store your full card or bank details.
- Technical & security — a single sign-in session cookie, and limited logs (e.g. IP address, approximate timestamps and security/audit events) used for security, rate-limiting and abuse prevention.
How we use it & our legal bases
Where the GDPR, the UK GDPR or comparable laws apply, we rely on these legal bases:
- Performance of a contract — to authenticate you, keep you signed in across Ebenworks products, and create and manage your organisation, subscriptions and billing.
- Legitimate interests — to protect the service against fraud, abuse and security threats, and to operate and improve it. We balance these against your rights.
- Consent — where you choose optional features such as Google sign-in. You can withdraw consent at any time.
- Legal obligation — to keep accounting, tax and transaction records as required by law.
We also use your contact details to send essential transactional messages (sign-in links, verification and one-time codes, receipts and important account notices). These are not marketing and you cannot opt out of them while you hold an account.
Sharing with Ebenworks products
When you open an Ebenworks product, the account system shares the minimum it needs with that product only: your account identifier, name, email/phone, avatar, and your subscription status for that product. Marketing pages receive only whether you are signed in and your display name. We do not sell your personal information, and we do not use it for third-party advertising.
Payments & Merchant of Record
Depending on your location and the product, payment is handled by Stripe, Paystack or Paddle at the prices shown at checkout. Where a plan is sold through Paddle, Paddle acts as the Merchant of Record — i.e. Paddle is the reseller of that subscription and is responsible for charging you, handling applicable sales tax/VAT, and processing refunds for that transaction under Paddle’s buyer terms. Where Stripe or Paystack is used, Ebenworks is the merchant and they act as our payment processors. These providers receive the payment details you enter and the transaction data needed to complete the purchase; we receive back the payment status and a reference, not your full card details.
Service providers (sub-processors)
We share data with the processors that run this service, each under a data-processing agreement and only as needed to operate it:
- Vercel — application hosting and content delivery.
- Neon — managed PostgreSQL database (where account, subscription and payment-status records are stored).
- Resend — sending transactional email (sign-in links, codes, receipts).
- Stripe, Paystack, Paddle — payment processing / Merchant of Record, as described above.
- Google — only if you choose to sign in with Google.
International transfers
We operate from South Korea, are incorporated in Zimbabwe, and serve users worldwide; some of our providers store and process data in the United States, the European Union and other regions. Where we transfer personal data across borders, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses or an equivalent mechanism — so that your data remains protected.
Google API Services — Limited Use
Ebenworks Accounts’ use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We request only your basic profile and email to authenticate you; we do not transfer or use Google user data for advertising, and we do not allow humans to read it except as you direct, for security, or to comply with law.
Cookies
We use a single, strictly necessary session cookie (__Secure-ebstar-session) set on the .ebstar.co domain so your sign-in works across Ebenworks products. Because it is strictly necessary to provide the service you have asked for, no consent banner is required for it. We do not use advertising, analytics or cross-site tracking cookies.
Security & retention
Data is encrypted in transit; passwords are hashed with bcrypt, and secrets and tokens are stored only as hashes. We keep account data for as long as your account is active. After you delete your account we remove or anonymise your identity, but we may retain certain records (for example payment and tax records) for the period required by applicable accounting and tax law, after which they are deleted.
Your rights & choices
You can view and update your profile, and delete your account, from your account page. Deleting your account removes your identity from the account system and signals connected products to remove your linked data.
Depending on where you live, you may also have the right to access, correct, delete, restrict or object to processing of your personal data, to data portability, and to withdraw consent. To exercise any of these, email privacy@ebstar.co; we respond within the time required by applicable law. These rights apply under, among others, the EU/UK GDPR, South Africa’s POPIA, South Korea’s PIPA (Personal Information Protection Act), and Zimbabwe’s Cyber and Data Protection Act. If you believe we have mishandled your data you may also lodge a complaint with your local data-protection authority.
Children
The service is not directed to children under 16, and we do not knowingly create accounts for them. If you believe a child has provided us personal data, contact privacy@ebstar.co and we will delete it.
Changes
We may update this policy; material changes will be reflected by the “Last updated” date above and, where appropriate, notified to you.
Privacy requests: privacy@ebstar.co · Legal: legal@ebstar.co