SlovoHub Privacy Policy
DRAFT - NOT YET LEGALLY REVIEWED. This document is a working draft. Do not publish on slovohub.com until reviewed by a qualified Bulgarian/EU lawyer. The remaining placeholders in <ANGLE BRACKETS> - <LEGAL ENTITY NAME>, <LEGAL FORM>, <UIC>, <ADDRESS> - are retained intentionally because the operating entity has not yet been registered. They MUST be filled in (and this document re-reviewed by counsel) before the document goes live on slovohub.com.
| Version | 0.2 (draft) |
| Last updated | 2026-05-11 |
| Effective date | not yet effective - pending entity registration and legal review |
1. Who we are
SlovoHub ("SlovoHub", "we", "us", or "our") is a Progressive Web App that helps readers digitize their physical book collections, manage book clubs, and lend books to other community members.
Data controller: <LEGAL ENTITY NAME>, a <LEGAL FORM, e.g. EOOD> registered in Bulgaria with company number <UIC>, having its registered office at <ADDRESS>. (These placeholders are intentionally retained: the operating entity has not yet been registered. This policy is not legally effective until those values are filled in and the document is reviewed by counsel.)
Contact for privacy matters: privacy@slovohub.com
Data Protection Officer: We have not appointed a DPO. Under Article 37 GDPR, appointing a DPO is mandatory only where (a) the core activity involves regular and systematic monitoring of data subjects on a large scale, or (b) the core activity involves large-scale processing of special-category data. SlovoHub's Phase 0 (waitlist) and Phase 1 (Library + Shelves) processing meets neither threshold: we do not behaviourally track users (our analytics provider is cookieless and aggregate-only - see §6), and we do not process special-category data. We will reassess this position before each subsequent milestone, and appoint a DPO if our processing changes. Privacy questions can be sent to privacy@slovohub.com and will be handled by the founder directly until any DPO is appointed.
2. What this policy covers
This Privacy Policy explains what personal data we collect when you use SlovoHub at slovohub.com (the "Service"), how we use it, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation ("GDPR") and the Bulgarian Personal Data Protection Act.
By creating an account, you confirm you have read this policy.
3. Information we collect
We collect personal data in three ways: information you give us directly, information generated by your use of the Service, and information from third-party integrations you choose to connect.
3.1 Information you give us
- Account details - email address, password (stored hashed; we never see your plaintext password), display name, handle, language preference, city.
- Profile content - avatar image, bio, any other content you add to your profile.
- Shelf content - photos of your bookshelves, book titles, editions, ratings, reviews, and the privacy setting you choose for each book.
- Reading activity - what you mark as currently reading, your progress entries, what you finish, and your ratings.
- Club content - the clubs you create or join, the messages you post, the meetings you schedule.
- Lending activity - books you mark as available to borrow, loan requests you send or receive, handshake records, optional handover photos, and the messages exchanged.
- Reports - the content you report to us, including what you said about it.
- Support correspondence - anything you send to support@slovohub.com or via in-app support.
3.2 Information generated by your use of the Service
- Device and browser information - browser type and version, operating system, device type, screen size, language.
- Connection information - IP address (used for rate limiting, fraud detection, and approximate country detection; we do not store precise geolocation).
- Usage data - pages viewed, features used, errors encountered. Collected via our privacy-respecting analytics (see §6).
- Karma events - increases or decreases to your reputation score and the loan they relate to.
- Audit records - administrative actions taken on your account by our team, retained for fraud prevention and dispute resolution.
3.3 Information from third parties
- Patreon - if you sign in with Patreon, we receive your Patreon user ID, the creators you support, and your tier level. We use this only to verify creator status and tier-gated club access.
- Payment processors - for Restorative Justice donations, our payment provider (Stripe or EasyPay) shares back a transaction reference, amount, and status. We do not see or store your card or bank details.
3.4 What we do not collect
- We do not collect precise location (GPS / lat-long).
- We do not collect biometric data.
- We do not collect special-category personal data (racial origin, political opinions, religion, health, etc.) unless you voluntarily include it in profile or content (which we recommend you avoid).
- We do not buy data about you from data brokers.
4. How we use your information and the lawful basis
We process your personal data only when we have a lawful basis under Article 6 GDPR. The table below sets out each purpose and the basis.
| Purpose | Data used | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Create and operate your account | Account details | (b) Performance of a contract |
| Display your Shelf to the audiences you choose | Shelf content, privacy settings | (b) Performance of a contract |
| Enable book club participation | Club content, reading activity | (b) Performance of a contract |
| Facilitate lending between users (handshakes, loan records) | Lending activity, handover photos | (b) Performance of a contract |
| Calculate Karma and detect lending fraud | Lending activity, audit records, IP | (f) Legitimate interest (maintaining a trustworthy lending community) |
| Send essential service notifications (verification, security, loan reminders) | Account details, lending activity | (b) Performance of a contract |
| Send marketing emails | Email address, preferences | (a) Consent (opt-in only) |
| Provide product analytics for improving the Service | Usage data | (f) Legitimate interest, balanced with privacy by using a cookieless analytics provider |
| Comply with legal obligations (accounting, lawful requests, content moderation under DSA) | Whatever is required by law | (c) Legal obligation |
| Defend our rights in disputes | Whatever is needed for the dispute | (f) Legitimate interest |
You can withdraw consent at any time where consent is the basis (see §9).
For purposes based on legitimate interest, we have considered the impact on your rights and concluded that our interest does not override them. You can object to processing on this basis (see §9).
5. AI features and your content
SlovoHub uses AI features (e.g. shelf scanning, daily discussion prompts).
- We use Google Cloud Vision to perform OCR on photos you upload of your bookshelves. The photo is transmitted to Google for processing. Per Google's terms, your photos are not used to train Google's models when used through the Cloud Vision API.
- We do not use your photos, scans, ratings, messages, lending activity, or any other content you generate to train any AI model - ours or anyone else's.
- AI-generated discussion prompts ("Daily Nuggets") are produced from publicly available book metadata only. We do not feed your messages or your reading progress into prompt generation.
6. Cookies and analytics
We use a small number of strictly necessary cookies to operate the Service (for example, to keep you signed in). We also use Plausible Analytics (operated by Plausible Insights OÜ, hosted in the European Union) to understand how the Service is used in aggregate. Plausible is cookieless and does not assign a persistent identifier to you; for that reason, the French CNIL's deliberation of 27 March 2020 (and EDPB guidance to similar effect) treats it as exempt from the ePrivacy consent requirement, so we run it without a banner. We do not use Google Analytics, Facebook Pixel, or similar US-based tracking tools.
See the Cookie Policy for the full list and how to manage your preferences.
7. Who we share your information with
We share personal data only with the following categories of recipients, and only as needed for the purposes in §4.
7.1 Subprocessors
The Service is in Phase 0 (waitlist-only) at the time this policy is published. The subprocessors actually receiving personal data today are those marked Active. Others are listed because they are part of the published technical architecture and will become active in named future phases - they are included now so you can review the full set in advance.
| Subprocessor | Status | Purpose | Country of processing | Transfer safeguards |
|---|---|---|---|---|
| Vercel Inc. (regional deployment: Frankfurt, fra1) | Active (Phase 0) | Application hosting, serverless function execution | EU (Germany) | EU data residency configured; SCCs cover any USA-based control-plane processing (account, billing) |
| Supabase Inc. (regional deployment: Frankfurt) | Active (Phase 0) | Managed PostgreSQL database, authentication, object storage | EU (Germany) | EU data residency configured; SCCs cover any USA-based control-plane processing |
| Brevo (Sendinblue SAS) | Active (Phase 0) | Transactional emails (waitlist confirmation; account notifications from Phase 1) | EU (France) | N/A (intra-EU) |
| Sentry (sentry.io EU instance, de.sentry.io) | Active (Phase 0) | Error and performance monitoring; we tunnel events through our own domain so no third-party tracker is loaded in the browser | EU (Germany) | N/A (intra-EU) |
| Plausible Insights OÜ (EU-hosted) | Active (Phase 0) | Privacy-respecting, cookieless product analytics | EU | N/A (intra-EU) |
| Google Cloud (Vision API) | Planned - Phase 1 (Shelf Scanner) | OCR on shelf photos | EU region requested; Google may process in other regions | Standard Contractual Clauses |
| Patreon, Inc. | Planned - Phase 1 (Patreon sign-in) | Creator sign-in and tier verification (only if you choose to connect Patreon) | USA | Standard Contractual Clauses |
| Stripe Payments Europe Ltd. | Planned - Phase 3 (Restorative Justice donations) | Payment processing for Restorative Justice donations | EU + USA | Standard Contractual Clauses |
| EasyPay (ЕазиПей АД) | Planned - Phase 3 | Bulgarian-local payment processing for donations | Bulgaria | N/A (intra-EU) |
We keep an up-to-date list of subprocessors and notify users if a new one is added, or if a "Planned" subprocessor becomes active, in a way that materially affects how data is processed.
7.2 Other community members
Information you choose to make public or to share with a club, club members, or a specific lending counterparty is visible to those people. The visibility setting on each Shelf entry, club, and post controls who can see it.
7.3 Legal and safety disclosures
We disclose personal data when we are legally compelled to (e.g. a valid court order from a Bulgarian or EU authority) or when we reasonably believe disclosure is necessary to prevent serious harm. We aim to notify you of such requests unless we are legally prohibited from doing so.
7.4 Business transfers
If SlovoHub is acquired or merged with another company, your personal data may transfer to the successor. We will notify you in advance and your rights under this policy will continue to apply.
8. International data transfers
Your personal data is stored and processed primarily within the European Union. Where a subprocessor processes data outside the EU (currently: Patreon, Stripe, parts of Google Cloud Vision), we rely on the European Commission's Standard Contractual Clauses (SCCs) to ensure your data is protected to EU standards.
You can request a copy of the SCCs we use by emailing privacy@slovohub.com.
9. Your rights
Under the GDPR, you have the following rights. You can exercise most of them directly in your account settings; for the rest, email privacy@slovohub.com.
| Right | What it means | How to use it |
|---|---|---|
| Access (Art. 15) | Get a copy of the personal data we hold about you. | Settings → Download my data. JSON export within 24 hours. |
| Rectification (Art. 16) | Correct inaccurate data. | Edit your profile, or email us. |
| Erasure (Art. 17) | Delete your account and personal data. | Settings → Delete account. 14-day grace period; then hard-delete. Active loans must be resolved first. |
| Restriction (Art. 18) | Limit how we process your data while a dispute is open. | Email privacy@slovohub.com. |
| Portability (Art. 20) | Receive your data in a machine-readable format. | Settings → Download my data. |
| Object (Art. 21) | Object to processing based on legitimate interest, or to direct marketing. | Email us, or for marketing use the unsubscribe link in any marketing email. |
| Withdraw consent | Withdraw consent for processing based on consent. | Settings → Notifications. Withdrawal does not affect prior lawful processing. |
| Not be subject to solely automated decisions (Art. 22) | We do not make legal or similarly significant decisions about you using only automated processing. | N/A - applies by default. |
We respond to all requests within 30 days (the GDPR maximum). We aim to respond within 7 days.
You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни) at:
Address: гр. София 1592, бул. „Проф. Цветан Лазаров" № 2 (2 Prof. Tsvetan Lazarov Blvd., Sofia 1592). Email: kzld@cpdp.bg. Web: https://www.cpdp.bg
10. How long we keep your data
| Data | Retention |
|---|---|
| Account data | Until you delete your account, plus a 14-day grace period. |
| User-generated content (posts, reviews) after account deletion | Anonymized to "[deleted user]" and retained as part of club history. |
| Application and web server logs | 30 days. |
| Audit logs (admin actions, lending dispute records) | 2 years (legitimate interest - fraud prevention). |
| Karma history | 2 years. |
| Loan handover photos | 90 days after the loan closes, unless attached to an open dispute. |
| Donation receipts | 7 years (Bulgarian accounting law). |
| Marketing consent records | Until withdrawn, plus 1 year (proof of consent). |
| Backups | Daily snapshots, retained 30 days. |
11. How we protect your data
- All traffic to and from SlovoHub uses TLS 1.2 or higher.
- Passwords are hashed using bcrypt at an industry-standard work factor; we never see or store your plaintext password.
- Photos and other uploads have their EXIF metadata stripped before storage.
- Sensitive data (such as loan handover photos) is encrypted at rest.
- Production credentials are stored in a secret manager, separate from the codebase.
- We perform OWASP Top-10 reviews before each major release.
- We have an incident-response runbook and will notify the Bulgarian CPDP within 72 hours of becoming aware of a personal-data breach affecting you, as required by Art. 33 GDPR.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@slovohub.com.
12. Children
SlovoHub is not intended for users under 16. The Bulgarian threshold for valid GDPR consent for information-society services is 16 years (Art. 8 GDPR; Bulgarian implementation). We require all users to confirm they are at least 16 at signup. If we learn that an account belongs to a person under 16, we will suspend it pending verification and delete it if verification fails.
If you believe a minor has created an account, please email privacy@slovohub.com.
13. Lending - additional information
When you lend or borrow a physical book through SlovoHub:
- The other party sees your display name, handle, Karma score, and city.
- The QR Handshake records both parties, the time, and (optionally) a photo of the book at handover. The photo is visible only to you, the other party, and - if a dispute is opened - the SlovoHub moderation team.
- If a book is reported lost and you are the borrower, you may pay a Restorative Justice donation to a partner library to clear the strike. Payment is processed by Stripe or EasyPay; we receive only the transaction status.
14. Changes to this policy
We may change this policy. When we do:
- We will increment the version number at the top of this page.
- For changes that materially affect how we use your personal data, we will notify you in advance, in-app and by email, before the change takes effect.
- The previous version will remain available on request.
15. Contact
For any privacy-related question, request, or complaint:
privacy@slovohub.com
Or by post: <LEGAL ENTITY NAME>, <ADDRESS>.
Changes to this policy
- 0.2 (2026-05-11) - Subprocessor table updated to name the actually-deployed Phase 0 vendors (Vercel, Supabase, Brevo, Sentry, Plausible) and to label still-future vendors (Google Cloud Vision, Patreon, Stripe, EasyPay) as "Planned". §1 records the DPO-not-appointed assessment. §6 names Plausible as the analytics provider and explains why it runs without a cookie banner.
- 0.1 (2026-05-09) - Initial draft.