1. Introduction

Onitly is a product of Dem Business LLC, a Florida limited liability company ("Company," "we," "us," or "our"). We are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect your data when you use our platform, website, and services (collectively, the "Platform"), accessible at www.onitly.app.

This policy is designed to comply with applicable data protection regulations, including the General Data Protection Regulation (GDPR), the Lei Geral de Proteção de Dados (LGPD), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. By using the Platform, you consent to the practices described in this Privacy Policy.

2. What Data We Collect

2.1 Information You Provide

• Account Information: Name, email address, phone number, password (cryptographically hashed), profile picture, account type (client or service provider);
• Profile Information: Professional qualifications, certifications, service descriptions, business name, address, service areas, portfolio images;
• Communication Data: Messages sent through the Platform, reviews, ratings, feedback, and support requests;
• Financial Information: Billing address, subscription plan details. Payment card details are processed exclusively by our PCI-DSS compliant third-party payment processor (Stripe) and are never stored on our servers;
• Verification Data: Identity documents, professional licenses, insurance certificates (when voluntarily provided for profile verification);
• Document Data: Invoices, estimates, contracts, and related business documents created through the Platform;
• AI Interaction Data: Text messages and voice conversations with Carol, our AI assistant powered by Google Gemini. Conversations are processed in real-time and stored to provide continuity and improve service quality;
• Digital Signature Data: When signing digital contracts, we collect your IP address, device information, timestamp, and generate a SHA-256 document hash for tamper detection and legal auditability;
• Social Data: Posts, comments, friend connections, and group messages shared through the Platform's social community features.

2.2 Information Collected Automatically

• Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution;
• Usage Data: Pages visited, features used, search queries, time spent on the Platform, interaction patterns;
• Location Data: General geographic location derived from IP address (precise location only with your explicit consent);
• Log Data: Access times, error logs, referring URLs, HTTP request headers.

2.3 Information from Third Parties

• OAuth Providers: If you sign in using Google, Facebook, or Apple, we receive your name, email address, and profile picture as authorized by you through the OAuth consent flow. See Section 11 for Google-specific disclosures;
• Payment Processors: Transaction confirmation and subscription status from Stripe.

3. How We Use Your Data

We use your personal data for the following lawful purposes:

• Platform Operation: To create and manage your account, facilitate connections between clients and service providers, process transactions, and deliver Platform features;
• Communication: To send service-related notifications, respond to inquiries, and facilitate messaging between users;
• Improvement: To analyze usage patterns, improve Platform functionality, develop new features, and enhance user experience;
• Safety and Security: To detect and prevent fraud, abuse, security incidents, and violations of our Terms of Use;
• Legal Compliance: To comply with legal obligations, respond to lawful requests from authorities, and protect our legal rights;
• Marketing: To send promotional communications only with your explicit consent. You may opt out at any time via account settings or by clicking the unsubscribe link in any marketing email.

4. Data Sharing

We do not sell, rent, or trade your personal data. We share your information only in the following limited circumstances:

• Between Transaction Parties: When a client engages a service provider (or vice versa), relevant contact and transaction information is shared between the parties to facilitate the service;
• Service Providers (Operational): With third-party vendors who assist us in operating the Platform, bound by strict confidentiality and data processing agreements. These include: Railway (cloud hosting), Stripe (payment processing), Google Gemini (AI processing for Carol assistant), Gmail API (email delivery), and Cloudflare (CDN and security);
• Legal Requirements: When required by law, court order, or governmental authority;
• Protection of Rights: To protect the safety, rights, or property of Onitly, our users, or the public;
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with continued protection of your data under this policy or an equivalent policy.

Public profile information (name, profile picture, service descriptions, ratings, and reviews) is visible to other Platform users as necessary for the Platform's core functionality.

5. Data Security

We implement industry-leading security measures to protect your personal data:

• Encryption at Rest: All sensitive data is encrypted using AES-256 encryption;
• Encryption in Transit: All data transmitted between your device and our servers is protected using TLS 1.3;
• Access Controls: Strict role-based access controls (RBAC) limit employee access to personal data on a need-to-know basis;
• Password Security: User passwords are hashed using bcrypt with unique salts and are never stored in plain text;
• Infrastructure: Our systems are hosted on enterprise-grade cloud infrastructure (Railway) with regular security audits;
• CSRF Protection: All forms and API endpoints are protected against cross-site request forgery attacks;
• Rate Limiting: Automated abuse prevention on all endpoints to prevent brute-force attacks;
• Content Security Policy: Strict CSP headers prevent cross-site scripting (XSS) attacks;
• Two-Factor Authentication: Optional TOTP-based 2FA available for all accounts.

While we employ robust security measures, no system is completely immune to breaches. In the event of a data breach affecting your personal information, we will notify you and relevant authorities within 72 hours in accordance with applicable law.

6. Your Rights

In accordance with LGPD, GDPR, CCPA, and other applicable data protection laws, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you;
• Right of Correction: Request correction of inaccurate or incomplete data;
• Right of Deletion: Request deletion of your personal data (subject to legal retention requirements);
• Right to Portability: Request your data in a structured, commonly used, machine-readable format (JSON or CSV);
• Right to Restrict Processing: Request that we limit how we use your data;
• Right to Object: Object to processing of your data for certain purposes, including direct marketing;
• Right to Withdraw Consent: Withdraw previously given consent at any time, without affecting the lawfulness of prior processing;
• Right to Information: Be informed about what data is collected, how it is used, and with whom it is shared;
• Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment.

To exercise any of these rights, contact us using the information in Section 14. We will respond within 15 business days (or as required by applicable law).

7. Cookies

We use cookies and similar technologies for the following purposes:

• Essential Cookies: Maintain your session, remember your login status, and ensure Platform security. These are required for Platform operation and cannot be disabled;
• Preference Cookies: Remember your language, theme, and display preferences to personalize your experience;
• Analytics Cookies: Understand how users interact with the Platform to improve functionality. This data is anonymized and aggregated.

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Platform functionality.

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

• Active Accounts: Data is retained for the duration of your account's existence;
• Closed Accounts: Core account data is retained for up to 2 years after account closure for legal, tax, and compliance purposes;
• Transaction Records: Financial and transaction records are retained for 5 years as required by applicable law;
• Communication Data: Messages and reviews are retained for 2 years after account closure;
• Usage Logs: Anonymized usage data may be retained indefinitely for analytical purposes.

After the applicable retention period, your data is securely deleted or irreversibly anonymized.

9. International Data Transfers

Your data may be processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or other mechanisms approved by applicable data protection authorities.

10. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete such information and terminate the associated account.

11. Google API Services User Data Policy

11.1 What Google Data We Access

When you choose to sign in with Google, we request access to the following Google account data through the OAuth 2.0 consent flow:

• Basic Profile Information: Your name, email address, and profile picture;
• Email Address: Used to create and identify your Onitly account.

We do not request access to your Google Drive, Google Calendar, Gmail messages, contacts, or any other Google services data beyond what is listed above.

11.2 How We Use Google Data

Google user data obtained through Sign-In is used exclusively for:

• Account Authentication: To verify your identity and create or log into your Onitly account;
• Profile Population: To pre-fill your name and profile picture in your Onitly account, saving you from manual entry;
• Account Communication: To send essential service-related notifications to your email address.

11.3 Limited Use Disclosure

• No Selling: We do not sell Google user data to third parties;
• No Advertising: We do not use Google user data for serving advertisements;
• No Unauthorized Transfer: We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, with user consent, or for legal/security purposes;
• No Human Reading: We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes, to comply with applicable law, or the data is aggregated and anonymized for internal operations;
• Minimum Scope: We request only the minimum necessary OAuth scopes required for authentication and account creation.

11.4 Storage and Protection of Google Data

• Google user data is stored in our encrypted database with the same AES-256 encryption and security measures applied to all user data (see Section 5);
• Access to Google user data is restricted to automated systems that require it for authentication;
• Google OAuth tokens are stored securely and are never exposed to client-side code;
• You may revoke Onitly's access to your Google data at any time through your Google Account permissions page.

11.5 Deletion of Google Data

When you delete your Onitly account, all Google-sourced data (name, email, profile picture, and OAuth tokens) is permanently deleted as part of our standard account deletion process described in our Cancellation Policy.

12. Third-Party Authentication Providers

In addition to Google (detailed in Section 11), Onitly supports sign-in through the following providers:

• Apple Sign-In: We receive your name and email address (or a private relay email) as authorized by you through Apple's OAuth flow. Apple's privacy practices are governed by Apple's Privacy Policy;
• Facebook Login: We receive your name, email address, and profile picture as authorized by you through Facebook's OAuth flow. Facebook's privacy practices are governed by Meta's Privacy Policy.

For all third-party authentication providers, the same principles apply: we use received data solely for account authentication and profile population, and we do not access any additional data beyond what is disclosed during the consent flow.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated policy on the Platform with a revised "Last updated" date;
• Sending an email notification for material changes;
• Displaying a prominent notice within the Platform.

Your continued use of the Platform after changes are posted constitutes your acceptance of the revised policy.

14. Contact for Data Requests

For any questions about this Privacy Policy, to exercise your data rights, or to submit a data-related request:

We are committed to working with you to resolve any concerns about your privacy and personal data.

---