Data Processing Policy
Last updated: March 2026
This Data Processing Policy provides detailed information about how BUYONE processes personal data in compliance with the General Data Protection Regulation (GDPR) and applicable Latvian data protection laws.
1. Data Controller
BUYONE acts as the data controller for personal data collected through the platform. For data processing inquiries, contact our Data Protection Officer at privacy@buyone.me.
2. Categories of Data Processed
We process the following categories of personal data: identity data (name, username, profile photo), contact data (email, phone number), financial data (payment card details processed by our payment provider), transaction data (booking history, payments), technical data (IP address, browser type, device information), and usage data (platform interaction patterns, preferences).
3. Data Processing for Hosts
For Hosts, we additionally process: business information (service descriptions, qualifications), financial data (bank details for payouts, tax information), verification data (identity documents for KYC compliance), and performance data (ratings, reviews, booking statistics).
4. International Data Transfers
Your data is primarily processed within the European Economic Area (EEA). If data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions by the European Commission.
5. Automated Decision-Making
We use automated systems for: fraud detection and prevention, service recommendations and search personalization, and trust and safety scoring. You have the right to request human review of any automated decision that significantly affects you.
6. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay, as required by GDPR Article 33.
7. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals, including new features involving personal data processing and changes to data processing practices.
8. Supervisory Authority
You have the right to lodge a complaint with the Data State Inspectorate of the Republic of Latvia (Datu valsts inspekcija) or any other relevant EU supervisory authority if you believe your data protection rights have been violated.