Privacy Policy

This section constitutes the full Privacy Policy of Bemellou and is a continuation of the Terms of Service.

9.1 — Data Controller
Bemellou ("we," "us," or "our") is the data controller responsible for your personal data. For any data-related inquiries,
Contact us at support@bemellou.com.

9.2 — Information We Collect
We collect the following categories of personal data:

Account Data: Name or nickname, email address, password (cryptographically hashed; we never store or access plain-text passwords), avatar image, bio, and referral codes.
Profile & Activity Data: Sparks earned, streak data, subscription tier, community rank, journal entries, weekly intentions, quiz results, messages posted, likes given, and participation history.
Device & Usage Data: Browser type, operating system, device type, screen resolution, IP address (anonymised after collection), pages visited, timestamps, session duration, and interaction patterns.
Plushie Registration Data: Plushie verification codes entered and associated plushie types.
Payment Data: We do not directly store credit card numbers or full payment credentials. Payment processing is handled by Stripe, Inc. (PCI DSS Level 1). We store only customer identifiers, subscription status, plan type, and transaction timestamps.
Moderation Data: Flagged content, matched moderation terms, moderation review history, and administrative actions for community safety enforcement.
Voice Data: If you use voice-to-text journaling, audio recordings are temporarily processed for transcription and are not permanently stored. Transcribed text is stored as part of your journal entry.

9.3 — Legal Basis for Processing (GDPR)

Consent: You consent to data processing when you accept these Terms and create your account. You may withdraw consent at any time by deleting your account.
Contractual Necessity: Processing necessary to provide you with Platform features you have subscribed to.
Legitimate Interest: Platform security, fraud prevention, content moderation, rate limiting, abuse detection, and service improvement.
Legal Obligation: Compliance with applicable laws, regulations, court orders, or valid legal processes.

9.4 — How We Use Your Data
We use your personal data to: (a) provide, maintain, and improve the Platform; (b) personalise your experience; (c) moderate content and enforce Community Guidelines; (d) process payments and manage subscriptions; (e) communicate with you about your account, service updates, or security alerts; (f) analyse usage patterns in aggregate to improve the Platform; (g) prevent fraud, abuse, and security threats; (h) comply with legal obligations; (i) enforce these Terms.

9.5 — Data Storage & Security

Your data is stored securely on cloud infrastructure with encryption at rest (AES-256) and in transit (TLS 1.2+). We implement comprehensive security measures including Row-Level Security (RLS) database policies, server-side rate limiting, strict input validation and sanitisation, comprehensive audit logging, role-based access control, and automated content moderation. Passwords are cryptographically hashed and never stored in plain text. Despite these measures, no system is 100% secure, and you acknowledge this inherent risk.

9.6 — Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33); (b) notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34); (c) document all breaches, their effects, and remedial actions taken.

9.7 — Data Retention
We retain your personal data for as long as your account is active. Upon account deletion:

  • Profile data, journal entries, and personal settings are permanently deleted within 30 days.
  • Community messages may be anonymised rather than deleted to preserve conversation context.
  • Moderation logs, flagged content records, and audit trails may be retained for up to 3 years for legal compliance and safety.
  • Anonymised and aggregated analytics data may be retained indefinitely, as it cannot be used to identify you.
  • Payment records may be retained as required by tax and financial regulations (typically 7 years).

9.8 — Data Sharing & Third-Party Processors

 We do NOT sell, rent, trade, or otherwise commercially exploit your personal data.

We may share data with:

  • Stripe, Inc., for payment processing, subject to Stripe's privacy policy and PCI DSS compliance. 
  • Cloud infrastructure providers for hosting and data storage, subject to data processing agreements with appropriate safeguards.
  • Law enforcement only when required by a valid legal process (court order, subpoena, or warrant) and only the minimum data necessary.
  • In connection with a merger, acquisition, or sale of assets, there will be at least 30 days' prior notice to users and the option to delete accounts before transfer.

Anonymous posting hides your identity from other community members, but remains visible to Platform administrators for moderation and safety purposes.

9.9 — Your Rights Under GDPR & Applicable Law

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data via your Profile settings or by contacting us.
  • Right to Erasure (Art. 17): Request deletion of your personal data. We will comply unless retention is required for legal obligations or defence of legal claims.
  • Right to Restrict Processing (Art. 18): Request that we limit how we use your data while a complaint or request is being resolved.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time by deleting your account or contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Right re: Automated Decision-Making (Art. 22): We do not make any decisions based solely on automated processing that produce legal effects concerning you.

To exercise any of these rights, contact us at support@bemellou.com. We will verify your identity and respond within 30 days (up to 60 days with notification if additional time is needed).

9.10 — California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights:

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, business purposes, and third parties with whom we share it.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions permitted by law.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information for cross-context behavioural advertising. No opt-out is necessary.
  • Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information for purposes authorised under CCPA/CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact support@bemellou.com. We will verify your identity using reasonable means before fulfilling any request.

9.11 — Children's Privacy
The Bemellou app and platform are strictly for users aged 18 and older. We do not knowingly collect, use, or disclose personal data from users under the age of 18. If we become aware that a user under 18 has accessed the app or platform, we will promptly terminate their account and permanently delete all associated personal data. Physical plush toy purchases on the Bemellou website are open to all ages; parental guidance is encouraged for purchasers under 18. If you believe a minor has created an account, contact us immediately at support@bemellou.com.

9.12 — Cookies & Tracking Technologies
We use only essential first-party cookies strictly necessary for authentication, session management, and security (e.g., CSRF protection). We do NOT use third-party advertising cookies, tracking pixels, or cross-site tracking technologies. We do NOT participate in ad networks or share browsing data with advertisers. Analytics data is collected server-side in anonymised and aggregated form for service improvement only.

9.13 — International Data Transfers
Your data may be transferred to and processed in countries outside your own, including the United States. Such transfers are protected by appropriate safeguards, including: (a) Standard Contractual Clauses (SCCs) as approved by the European Commission; (b) adequacy decisions where applicable; (c) supplementary measures as required by the Schrems II ruling. By using the Platform, you consent to these transfers subject to the safeguards described.

9.14 — Do Not Track Signals
The Platform responds to "Do Not Track" (DNT) browser signals. When a DNT signal is detected, we limit data collection to what is strictly necessary for the operation of the service.

9.15 — Changes to Privacy Policy
We may update this Privacy Policy from time to time. For material changes that affect how we process your personal data, we will: (a) provide at least 30 days advance notice via email and Platform notification; (b) clearly identify what has changed; (c) provide an opportunity to review the changes before they take effect. Your continued use after the effective date constitutes acceptance. If you do not agree to the changes, you must stop using the Platform and delete your account.

9.16 — Data Protection Officer
For privacy-related inquiries, data access requests, complaints, or to report a potential data breach, contact our Data Protection Officer at support@bemellou.com. If you are dissatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For EU residents, a list of authorities is available at edpb.europa.eu.

 

CONTACT & PLAIN LANGUAGE SUMMARY

Contact Information 
All inquiries — general support, legal matters, privacy & data requests, DMCA notices: support@bemellou.com

In Plain Language
Bemellou is a community, not therapy, not a medical service, not a crisis line. We built this because we care deeply about emotional well-being and believe nobody should have to feel alone. We can't promise outcomes, but we can promise a space designed with heart.

The Bemellou app is for adults 18 and older — strictly. Our website and plushies are for everyone; all ages are welcome to shop, with parental guidance encouraged for younger customers.

Our 30-day return policy means you can return any unused plushie within 30 days of delivery, for any reason, with free return shipping on us. If something arrives damaged, let us know within 7 days, and we will make it right.

We protect your data seriously — we never sell it, and you can request deletion at any time. Be kind to each other, remember that fellow members aren't trained professionals, and please reach out to qualified help for serious concerns. We're really glad you're here.

© 2026 Bemellou Inc. · Miami, Florida, United States · bemellou.com · support@bemellou.com