Privacy Policy

    Last updated: March 16, 2026

    Effective date: March 16, 2026

    Bibue ("we," "us," "our") operates the Bibue platform at bibue.com and associated mobile applications. This Privacy Policy explains exactly what personal data we collect, why we collect it, how we protect it, how long we keep it, and what rights you have over it.

    By using Bibue you agree to this policy. If you do not agree, please do not use the platform.

    1. Data We Collect

    1.1 Account Data

    • Email address (required for registration)
    • Username and display name
    • Profile avatar and banner image URLs
    • Bio, location, and website (optional)
    • OAuth tokens when linking third-party accounts (AniList, MyAnimeList)
    • Hashed password (bcrypt, cost factor 12)

    1.2 Payment Data

    • Subscription status, plan tier, billing period start/end dates
    • Transaction amounts (stored as integer cents)
    • Payout method preferences for creators
    • We do not store credit card numbers, CVVs, or full bank account numbers — Stripe handles all payment card data directly

    1.3 Reading & Usage Data (CUR Data)

    • Watchlist entries: media ID, title, status (watching/completed/plan_to_watch), episodes watched, chapters read, personal score, notes
    • Viewing history: media ID, title, last episode/chapter, timestamps
    • Reading progress: series ID, chapter ID, page number, completion percentage, reading direction preference
    • Votes and reactions on episodes, chapters, and media
    • Community activity: discussions, replies, comments, poll votes
    • Bridge credits usage and voting history

    1.4 Device & Technical Data

    • IP address (logged by infrastructure providers, not stored in our application database)
    • Browser user-agent string
    • Device type and screen resolution (for responsive layout)
    • Referrer URL
    • Timezone and locale preferences

    1.5 Communications Data

    • Direct messages between users (optionally end-to-end encrypted with ECDH P-256)
    • Support ticket messages and attachments
    • Bug report descriptions and severity levels
    • DMCA claim details (claimant name, email, company, content URLs, sworn statements)

    1.6 Cookies & Local Storage

    • Essential cookies: Authentication session tokens (Supabase auth), CSRF protection
    • Functional storage: Theme preference, language selection, spoiler-free mode, incognito mode toggle
    • Analytics cookies: Aggregate page-view counts (no cross-site tracking, no advertising cookies)

    We do not use third-party advertising cookies or participate in ad exchanges.

    2. Legal Basis for Processing (GDPR Article 6)

    Purpose | Legal Basis
    Account creation & authentication | Contract performance (Art. 6(1)(b))
    Providing reading/watching services | Contract performance (Art. 6(1)(b))
    Processing subscriptions & payouts | Contract performance (Art. 6(1)(b))
    Personalized recommendations | Legitimate interest (Art. 6(1)(f)) — improving user experience
    Community features (discussions, polls) | Consent (Art. 6(1)(a)) — voluntary participation
    Content moderation & safety | Legitimate interest (Art. 6(1)(f)) — platform safety
    DMCA & legal compliance | Legal obligation (Art. 6(1)(c))
    Analytics (aggregate) | Legitimate interest (Art. 6(1)(f)) — service improvement
    Tax record retention | Legal obligation (Art. 6(1)(c))
    Security monitoring & fraud prevention | Legitimate interest (Art. 6(1)(f))

    3. How We Use Your Data

    • Provide, maintain, and improve Bibue services
    • Personalize content recommendations based on your watchlist and reading history
    • Process creator payouts and subscription billing
    • Moderate content and enforce community guidelines
    • Send transactional notifications (new chapters, episode alerts) based on your notification preferences
    • Respond to support tickets and bug reports
    • Generate aggregate, anonymized analytics for creators (view counts, country-level distribution)
    • Comply with legal obligations (DMCA takedowns, tax reporting)

    We do not sell, rent, or trade your personal data to any third party. Ever.

    4. Data Storage & Security

    4.1 Encryption

    • In transit: All connections use TLS 1.2+ (TLS 1.3 preferred). HSTS is enforced.
    • At rest: Database encrypted with AES-256. Backups encrypted with AES-256-GCM.
    • Passwords: Hashed with bcrypt (cost factor 12). We never store plaintext passwords.
    • Direct messages: Optional end-to-end encryption using ECDH P-256 key exchange with AES-256-GCM message encryption. When E2EE is enabled, we cannot read message contents.
    • OAuth tokens: Encrypted with AES-256-GCM before storage, using server-side encryption keys.

    4.2 Infrastructure Security

    • Row-Level Security (RLS) enforced on all database tables — users can only access their own data
    • Edge Functions validate request origin and enforce CORS policies
    • Input validation via Zod schemas on all user-facing endpoints
    • Content Security Policy (CSP) headers with strict-origin-when-cross-origin referrer policy
    • X-Content-Type-Options: nosniff on all responses

    4.3 Incident Response

    • We maintain an internal incident response plan
    • In the event of a data breach affecting your personal data, we will notify affected users within 72 hours as required by GDPR Article 33
    • We will simultaneously notify the relevant supervisory authority
    • SOC 2 Type II certification is on our security roadmap

    5. Data Retention Schedule

    Data Category | Retention Period | Reason
    Account profile data | Until account deletion + 90-day recovery window | Service provision & recovery
    Watchlist & reading progress | Until account deletion | Core service feature
    Viewing history / CUR logs | 36 months from creation, then anonymized | Recommendations & creator analytics
    Direct messages | Until deleted by sender, or account deletion | User-controlled
    Support tickets | 24 months after resolution | Quality assurance & dispute resolution
    Payment & tax records | 7 years from transaction date | Legal/tax obligation
    DMCA records | 7 years from resolution | Legal obligation
    Content moderation logs | 24 months | Platform safety & appeals
    Ban records | Duration of ban + 12 months | Enforcement integrity
    Server/access logs | 90 days | Security monitoring
    Analytics (aggregate) | Indefinite (anonymized) | Business intelligence

    6. International Data Transfers

    Bibue operates globally. Your data may be transferred to, and processed in, countries other than your country of residence. We ensure adequate protection through the following mechanisms:

    • EU/EEA: Standard Contractual Clauses (SCCs) as adopted by the European Commission (June 2021 version)
    • UK: International Data Transfer Agreements (IDTAs) and UK Addendum to EU SCCs
    • Japan: Compliance with the Act on Protection of Personal Information (APPI) Article 28 — transfers only to countries with equivalent protections or with appropriate safeguards
    • South Korea: Compliance with the Personal Information Protection Act (PIPA) — data processed within PIPA-compliant infrastructure with user notification of cross-border transfers
    • China: Where applicable, compliance with PIPL Article 38 — standard contracts filed with the Cyberspace Administration of China

    7. Your Privacy Rights

    7.1 GDPR Rights (EU/EEA/UK Residents)

    • Right of access (Art. 15) — request a copy of all personal data we hold about you
    • Right to rectification (Art. 16) — correct inaccurate data via account settings or by contacting us
    • Right to erasure (Art. 17) — request deletion of your account and associated data
    • Right to restriction (Art. 18) — request we limit processing while a dispute is resolved
    • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON)
    • Right to object (Art. 21) — object to processing based on legitimate interest
    • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time for consent-based processing
    • Right to lodge a complaint with your local Data Protection Authority

    Response timeframe: within 30 calendar days of verified request (extendable by 60 days for complex requests, with notification).

    7.2 CCPA/CPRA Rights (California Residents)

    • Right to know — what personal information we collect, use, disclose, and sell
    • Right to delete — request deletion of personal information
    • Right to correct — correct inaccurate personal information
    • Right to opt-out of sale/sharing — we do not sell or share personal information for cross-context behavioral advertising
    • Right to non-discrimination — we will not discriminate against you for exercising your rights
    • Right to limit use of sensitive personal information

    Response timeframe: within 45 calendar days (extendable by 45 days with notification).

    7.3 APPI Rights (Japan Residents)

    • Right to request disclosure of retained personal data
    • Right to request correction, addition, or deletion
    • Right to request cessation of use or provision to third parties

    Response timeframe: within 30 days.

    7.4 PIPA Rights (South Korea Residents)

    • Right to access, correct, delete, and suspend processing of personal information
    • Right to be notified of the collection and use purposes
    • Right to be informed of cross-border data transfers

    Response timeframe: within 10 days.

    8. Children's Privacy

    • Bibue is not directed at children under the age of 13 (COPPA) or under 16 in jurisdictions where GDPR applies
    • We do not knowingly collect personal data from children below these age thresholds
    • If we become aware that we have collected personal data from a child without verified parental consent, we will delete that data within 72 hours
    • Parents or guardians may contact us at privacy@bibue.net to request deletion of a child's data
    • Age verification is performed during account registration

    9. What Publishers & Creators Receive

    Creators and publishers with content on Bibue receive the following data about their titles:

    Data they DO receive:

    • Aggregate view counts per chapter/series
    • Aggregate like/reaction counts
    • Country-level geographic distribution (no city-level or IP-level)
    • Monthly earnings breakdowns
    • Series follower counts (numeric total only)
    • Chapter completion rates (anonymized percentages)

    Data they do NOT receive:

    • Individual reader identities, usernames, or email addresses
    • Individual reading sessions or timestamps
    • Reader IP addresses or device information
    • Reader watchlists, ratings, or cross-platform activity
    • Any personally identifiable information (PII) about readers

    10. Third-Party Processors & Sub-processors

    We use the following third-party services to operate Bibue. Each has been vetted for adequate data protection:

    Provider | Purpose | Data Processed | Location
    Supabase | Database, authentication, storage, edge functions | All application data | AWS US/EU
    Amazon Web Services (AWS) | Infrastructure hosting | All application data (via Supabase) | US/EU regions
    Cloudflare | CDN, DDoS protection, DNS | IP addresses, request metadata | Global edge network
    Stripe | Payment processing | Payment card data, billing address, transaction amounts | US/EU
    Wise (TransferWise) | Creator payout disbursement | Creator bank details, payout amounts | EU/UK
    OpenAI / Google AI | AI-powered recommendations, content moderation assistance | Anonymized content metadata, user preference patterns (no PII) | US
    AniList API | Anime/manga metadata, list sync | OAuth tokens, list data | US
    MyAnimeList API | Anime/manga metadata, list sync | OAuth tokens, list data | Japan
    MangaDex API | Manga chapter metadata | No user data sent | EU

    We maintain Data Processing Agreements (DPAs) with all processors that handle personal data.

    11. Changes to This Policy

    • We will notify users of material changes via email and/or in-app notification at least 30 days before they take effect
    • The "Last updated" date at the top of this page will always reflect the most recent revision
    • Continued use of Bibue after changes take effect constitutes acceptance of the revised policy
    • Previous versions of this policy are available upon request

    12. Contact & Data Protection Officer

    For any privacy-related questions, data requests, or complaints:

    • Email: privacy@bibue.net
    • Support: Submit a ticket via the Support page at bibue.com/support
    • Response SLA: We acknowledge all privacy requests within 72 hours and provide a substantive response within the timeframes specified in Section 7

    If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.