Privacy basis
Privacy information
This page explains the current MVP data handling in plain language. It is a pre-phase privacy basis and must be legally reviewed before broad public operation.
Data stored for accounts and access
- Email address, optional name, role, language preference, and session records.
- Passwordless login tokens are temporary and expire after a short time.
- Demo account switching can exist in preview environments and must stay disabled in production.
Data stored for business profiles
- Public profile fields such as business name, country, category, profession label, descriptions, contact options, languages, specializations, and materials.
- Media metadata for cover and gallery images.
- Reference projects, optional profile sections, pinboard posts, review status, reviewer notes, and audit events.
Data stored for requests
Guest and customer requests store name, email, optional phone, topic, message, optional timeline and budget context, request status, and the private message thread between customer and business. Requests are not public content.
Data stored for payments
Transaction records may store gross amount, currency, platform fee, net amount to the business, request relation, payment provider, provider reference, status, and timestamps. LEMATO separates the platform fee from the business value in the data model.
Protection and retention basis
- Critical forms use server-side validation, rate limiting, and honeypot protection where relevant.
- Logs should avoid sensitive message bodies and raw rate-limit identifiers.
- Data is kept only as long as needed for MVP operation, review, security, communication, and transaction traceability.
- Final retention periods, processor lists, and legal rights handling must be completed before a broad public launch.
External providers
The MVP is prepared for external services such as hosting, database, object storage, email delivery, and payment processing. Exact provider details must match the production environment before launch.