Privacy Policy

This Privacy Policy explains how Thinkspark SRL(“Haas.my”, “we”, “our”) collects, uses, shares, and protects personal data when you use the Haas.my platform (website, API, and MCP server). It applies to all users: clients, human contractors, and API operators.

We comply with the EU General Data Protection Regulation (GDPR / AVG) and Belgian law. Our supervisory authority is the Autorité de protection des données (APD) (APD/GBA).

Account data

• →Email address (required to create an account)
• →Full name and profile photo (provided during onboarding)
• →Location / city (for task matching)

Human contractor profile

• →Skills, hourly rate, bio, and response time
• →Identity verification data (document scan + selfie) collected and processed by Stripe Identity on our behalf. We receive only the verification result (pass / fail), not the raw document images.
• →Payout information (bank account / IBAN) stored by Stripe Connect. We do not store banking details ourselves.

Transaction data

• →Booking details: task description, amount, status, timestamps
• →Payment records (amounts and dates — card numbers are never stored by us)

Technical data

• →IP address, browser / device type (via server logs and Vercel analytics)
• →API key usage logs (timestamp, endpoint, response code)
• →Authentication tokens (session cookies, magic link tokens)

• →Contract performance (Art. 6(1)(b) GDPR) — processing your account data, bookings, and payments is necessary to provide the service.
• →Legal obligation (Art. 6(1)(c) GDPR) — KYC/AML compliance, tax records, fraud prevention.
• →Legitimate interest (Art. 6(1)(f) GDPR) — platform security, abuse prevention, service analytics, and improving the product.
• →Consent (Art. 6(1)(a) GDPR) — marketing communications. You may withdraw consent at any time.

Data transfers to the US are covered by the EU–US Data Privacy Framework and/or standard contractual clauses (SCCs).

• →To create and manage your account
• →To match clients with human contractors and facilitate bookings
• →To process payments and manage payouts
• →To verify the identity of human contractors (KYC)
• →To detect and prevent fraud, abuse, and security incidents
• →To send transactional emails (booking confirmations, status updates)
• →To comply with applicable laws and regulations
• →To improve the platform (aggregate, anonymised analytics)

We do not sell your personal data to third parties.

• →Account data: retained for the duration of your account, plus 3 years after deletion (legal obligation).
• →Booking / payment records: 7 years (Belgian accounting law, Code des sociétés et des associations).
• →KYC records: as required by Stripe Identity; we retain only the outcome. Detailed identity data is retained by Stripe per their compliance obligations.
• →Server logs: 30 days rolling.

As a data subject, you have the following rights under the GDPR:

• →Access (Art. 15) — request a copy of the data we hold about you.
• →Rectification (Art. 16) — correct inaccurate or incomplete data.
• →Erasure (Art. 17) — “right to be forgotten”, subject to legal retention obligations.
• →Restriction (Art. 18) — restrict processing in certain circumstances.
• →Portability (Art. 20) — receive your data in a structured, machine-readable format.
• →Objection (Art. 21) — object to processing based on legitimate interest.
• →Withdraw consent — at any time, without affecting the lawfulness of prior processing.

To exercise any right, email legal@haas.my. We will respond within 30 days. You also have the right to lodge a complaint with the APD/GBA (+32 (0)2 274 48 00).

We use the following cookies:

• →Authentication cookies (session) — required for login. These are httpOnly, secure, and expire at session end or after 7 days.
• →Preference cookies — theme (light/dark). No expiry.

We do not use advertising trackers, Facebook Pixel, Google Analytics, or any third-party marketing cookies. Vercel Observability may collect anonymised page-view metrics.

We implement appropriate technical and organisational measures to protect your data:

• →All data in transit is encrypted via TLS 1.2+
• →Passwords are never stored — we use magic-link authentication via Supabase Auth
• →Admin access is protected by a secret token stored in a httpOnly cookie
• →API keys are hashed and never returned in full after creation
• →Database access is restricted to server-side code via row-level security (RLS)

Haas.my is intended for users who are at least 18 years old. We do not knowingly collect personal data from minors under 18. If you believe a minor has registered, please contact us at legal@haas.my and we will delete the account promptly.

As an operator of a digital marketplace, Thinkspark SRL is subject to EU Directive 2021/514 (DAC7), transposed into Belgian law. This directive requires platform operators to report income earned by sellers (human contractors) on the platform to the relevant tax authority.

When reporting applies

• →A human contractor earns more than €2 000 in a calendar year via the platform, OR
• →A human contractor completes more than 25 transactions in a calendar year via the platform.

What is reported

• →Full name, primary address, country of tax residence
• →Tax Identification Number (TIN / NISS / BCE), if provided
• →Date of birth (for individuals)
• →Total fees earned on the platform during the calendar year

Reports are submitted annually to the SPF Finances / FOD Financiën(Belgian tax authority) no later than 31 January of the following year. Belgian authorities then automatically exchange this data with the tax authorities of the contractor's country of residence within the EU.

The legal basis for this processing is legal obligation (Art. 6(1)(c) GDPR). You cannot opt out of DAC7 reporting if the thresholds above are met. We encourage all human contractors to provide their Tax ID during registration to ensure accurate reporting.

If you have questions about what data has been or will be reported for your account, contact us at legal@haas.my.

We may update this policy from time to time. Material changes will be announced by email to registered users at least 14 days before taking effect. The “Last updated” date at the top of this page always reflects the current version.