Privacy Policy
Last updated: 2026-04-10
1. Scope of this Policy
This Privacy Policy applies to all services offered by TAKISOFT 2.0 under the BeeNet brand, including:
- The BeeNet website at beenet.app
- The BeeNet mobile application for Android (distributed via Google Play) and iOS (distributed via the Apple App Store)
- The BeeNet admin portal at admin.beenet.app
- The BeeNet Identity Server at identity.beenet.app
By using any of these services, you agree to the practices described in this policy. If you do not agree, please do not use BeeNet.
2. Data Controller & Contact
TAKISOFT 2.0
200 rue de la Croix Nivert
75015 Paris, France
TAKISOFT 2.0 is the data controller for all personal data processed through BeeNet services.
Privacy Contact / Data Protection Officer (DPO):
Email: privacy@beenet.app
We respond to all privacy inquiries within 30 days (or 72 hours for data breach notifications).
3. Data We Collect
We collect only the data necessary to operate BeeNet. The exact categories depend on which service you use and your role (parent, student, instructor, organization administrator, driver).
3.1 Account & Identity Data
- Phone number (E.164 format) — used for one-time password (OTP) authentication on mobile
- Name, email address, profile photo — provided by you or your organization administrator
- Organization membership — which school, sports club, daycare, or community center you belong to, and your role within it
- Guardian relationships — links between parent and child accounts, where applicable
3.2 Authentication & Security Data
- Device identifier, device name, platform (iOS/Android) — used to bind refresh tokens to your device for security
- Device attestation signals — provided by Google Play Integrity API (Android) and Apple App Attest (iOS) to detect rooted/jailbroken devices
- Login history — timestamp, IP address, user agent, approximate geolocation (derived from IP, not GPS) — used for suspicious activity detection (impossible travel, brute force attempts)
- Device fingerprint (web only) — browser characteristics hash, used for anti-fraud on the admin portal
- Two-factor authentication settings — your preferences (email, TOTP, phone OTP)
3.3 Communication & Content Data
- Messages you send in channels and direct messages, including text, reactions, and metadata (timestamp, read receipts, typing indicators)
- Attachments you upload — photos, documents, voice recordings, files
- Channel and group membership — which conversations you participate in
- Presence information — online/offline status, last seen timestamp (if you enable it)
3.4 School & Educational Data
When your organization is a school or daycare, we process (on behalf of the school, under their instructions):
- Attendance records, behavior notes, notebooks, progress reports
- Class assignments, homework, grades
- Transportation bus routes, stops, boarding status (for the transportation module)
- Daily recap entries, photos, and activity feeds (for daycares)
3.5 Technical & Usage Data
- IP address — used for security logging (retained 90 days)
- Server logs — HTTP request paths, status codes, timing (no request bodies)
- Error reports — crash traces when something goes wrong (no personal content included)
- Push notification tokens — FCM (Android) or APNs (iOS) tokens, used exclusively to deliver notifications to your device
3.6 What We Do NOT Collect
BeeNet deliberately does not collect:
- Your contacts, call logs, or SMS messages
- Advertising identifiers (AAID, IDFA)
- Behavioral tracking data for marketing purposes
- Biometric data (your fingerprint or face ID never leaves your device — it is handled by your operating system for app unlock only)
- Your browsing history outside BeeNet
4. Mobile App Permissions
The BeeNet mobile app requests only the permissions strictly necessary for its features. Each permission is optional where possible — denying it will only disable the specific feature that requires it.
| Permission | Purpose | Required? |
|---|---|---|
| Internet / Network State | Connect to BeeNet servers | Required |
| Camera | Capture profile photos and message attachments | Optional — denied features: photo capture |
| Microphone | Record voice messages | Optional — denied features: voice messages |
| Photo library | Attach existing photos to messages | Optional — denied features: photo attachments |
| Push notifications | Notify you of new messages, attendance alerts, schedule changes | Optional — denied features: real-time notifications |
| Phone state (Android) | Prefill your phone number on the OTP screen (convenience only) | Optional — denied features: phone prefill |
| Biometric (fingerprint/face) | Unlock the app quickly via device biometrics | Optional — handled by your device, not transmitted |
| Precise location (driver role only) | GPS tracking during active transport routes, so parents can see bus location | Optional — only requested for users with the driver role. Location is active only during scheduled routes and can be disabled. |
You can revoke any permission at any time in your device settings.
5. How We Use Your Data
We use your personal data only for the purposes below:
- Service delivery — create your account, authenticate you, show your messages, deliver notifications, route bus tracking
- Security — detect suspicious logins, prevent brute-force attacks, verify device integrity, protect against abuse
- Support — respond to your inquiries and troubleshoot issues
- Legal compliance — retain records required by law (billing, audit logs)
- Service improvement — aggregate, anonymized performance metrics (no individual tracking)
We do not use your data for advertising, profiling, or sale to third parties. We do not use your messages or content to train AI models.
6. Legal Basis (GDPR Article 6)
Under the European General Data Protection Regulation (GDPR), each processing activity has a legal basis:
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the BeeNet service you or your organization subscribed to
- Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, system administration, and aggregated service improvement
- Consent (Art. 6(1)(a)) — optional features such as location sharing for drivers, marketing communications, and non-essential cookies on the website
- Legal obligation (Art. 6(1)(c)) — billing record retention, tax reporting, responses to lawful requests from authorities
- Vital interests (Art. 6(1)(d)) — child safety notifications (e.g., attendance alerts, incident reports) for schools and daycares
7. Third-Party Processors
We rely on a limited set of carefully selected sub-processors to operate BeeNet. Each one is bound by a Data Processing Agreement (DPA) compliant with GDPR Article 28.
| Provider | Purpose | Data Location |
|---|---|---|
| Microsoft Azure (Microsoft Ireland Operations Ltd.) | Application hosting, SQL database, blob storage, Redis cache, Service Bus, Notification Hubs, Communication Services (transactional email), Application Insights (backend performance monitoring), Key Vault, Log Analytics | European Union (Europe Central region); disaster-recovery replica in North Europe (Ireland) |
| Cloudflare, Inc. (USA) | Content Delivery Network (CDN), Web Application Firewall (WAF), DDoS protection, DNS | Global edge network with EU data-residency configuration |
| Twilio Inc. (USA) | SMS one-time-password (OTP) delivery via Twilio Verify API | Twilio's global network; phone number and OTP only |
| Google LLC (USA) | Firebase Cloud Messaging (Android push notifications), Google Play Integrity API (Android device attestation), Google Maps Platform (bus-tracking map display) | Google global infrastructure |
| Apple Inc. (USA) | Apple Push Notification service (iOS push notifications), App Attest (iOS device attestation) | Apple global infrastructure |
| Intuition Machines, Inc. (hCaptcha, USA) | Bot protection on the public demo request form (website only) | Global |
We do not use third-party analytics or advertising SDKs in the mobile app. See section 16 for details.
8. International Data Transfers
Your data is primarily stored in the European Union (Azure Europe Central region), with disaster-recovery replication to Azure North Europe (Ireland). Both are within the EU/EEA and subject to GDPR.
Certain sub-processors listed in section 7 are based in the United States (Cloudflare, Twilio, Google, Apple, hCaptcha). When your data is transferred to these processors, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- Supplementary technical measures — TLS 1.2+ encryption in transit, encryption at rest
- Data minimization — we send the minimum data necessary (e.g., Twilio receives only the phone number and OTP, not your account contents)
For users in the United Kingdom, we use the UK International Data Transfer Addendum. For users in Switzerland, we apply the revised Swiss FADP.
9. Data Retention
We retain personal data only as long as necessary:
- Active accounts — for the duration of the service agreement between BeeNet and your organization
- Deleted accounts — 30 days after deletion request (grace period for recovery), then permanently erased
- Messages and content — retained per your organization's policy (typically mirrors account lifetime)
- Billing and invoicing records — 7 years (French commercial law requirement)
- Security and audit logs — 90 days in active storage, archived up to 7 years for production (legal and compliance purposes)
- Server logs — 90 days
- OTP codes — hashed and deleted after 5 minutes or first use
- Push notification tokens — deleted when you log out or uninstall the app
10. Your Rights
Under GDPR (EU, UK, Switzerland, Norway, Iceland, Liechtenstein)
- Access — obtain a copy of your personal data
- Rectification — correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format (JSON)
- Objection — object to processing based on legitimate interest
- Withdraw consent — for processing based on consent, at any time without affecting past processing
- Lodge a complaint — with a supervisory authority, including the French CNIL (cnil.fr)
Under Saudi Arabia PDPL, UAE PDPL, and other GCC laws
Residents of Saudi Arabia, the United Arab Emirates, Qatar, Bahrain, Kuwait, and Oman have equivalent rights under their respective Personal Data Protection Laws, including the right to know, to access, to correct, and to request destruction of their personal data.
How to exercise your rights
Contact privacy@beenet.app. We will respond within 30 days. You can also exercise most rights directly within the BeeNet app under Settings → Privacy, or request account deletion at beenet.app/account-deletion.
11. Children's Data
BeeNet is explicitly designed for educational and youth-serving organizations, including schools, daycares, and sports clubs where children under 13 are primary users.
COPPA School Official Exception (United States)
When BeeNet is provided to a school or daycare, the educational institution acts as the parent's authorized representative under the Children's Online Privacy Protection Act (COPPA) "School Official Exception." The school obtains and maintains parental consent through its enrollment agreement. BeeNet collects children's personal data solely on the school's instructions and only for legitimate educational purposes. We do not use children's data for commercial purposes, behavioral advertising, or profile building.
GDPR-K (Article 8 - European Union)
For children in the EU/EEA under the age of digital consent (13 to 16 depending on the member state), parental consent is required. We rely on the school or organization to obtain and document this consent as part of its enrollment process.
Parental rights
Parents of a child enrolled in a BeeNet-connected organization may, at any time:
- Request to review the personal data collected about their child
- Request correction or deletion of the child's data
- Refuse further collection
- Request a copy of the data in a portable format
To exercise these rights, contact your school administrator first (who maintains the primary relationship under COPPA), or email privacy@beenet.app directly.
No direct collection from children
BeeNet does not allow children to create accounts on their own. All accounts for users under the age of majority are created by an authorized organization administrator, parent, or guardian.
12. Security Measures
We protect your data with layered technical and organizational safeguards:
Encryption
- In transit — TLS 1.2 or higher for all connections, HSTS preload enforced, Certificate Transparency monitored
- At rest — Azure SQL Transparent Data Encryption (TDE), Azure Blob Storage encryption, Azure Key Vault HSM-backed key management
- OTP codes — salted SHA-256 hashing with constant-time comparison
Important notice about message encryption: BeeNet messages are encrypted at rest in the database and in transit over the network. However, BeeNet does not currently offer end-to-end encryption. Authorized administrators within your organization (and, in limited support scenarios, BeeNet system administrators under an audited access procedure — see section 13) may technically access message content to perform moderation or to meet compliance or legal obligations.
Access controls
- Role-based access control (RBAC) on all data
- Managed identities for service-to-service authentication (no shared passwords)
- Private network endpoints for all data stores (no public internet access to databases)
- Multi-factor authentication enforced for administrators
- Progressive lockout on failed login attempts
Mobile security
- Device-bound refresh tokens (cannot be used from a different device)
- Device integrity attestation (Play Integrity / App Attest)
- Secure storage via Android Keystore and iOS Keychain
- Automatic session expiration
Operational security
- Regular security audits and dependency vulnerability scanning
- Immutable audit logs for all administrative actions
- Incident response procedures aligned with GDPR notification requirements
13. Administrator Access & Impersonation
In strictly limited circumstances — such as technical support, debugging a reported issue, or complying with a lawful request — authorized BeeNet system administrators may temporarily access your organization's data or impersonate a user account using a secure Token Exchange procedure (RFC 8693). All such access is:
- Logged in an immutable audit trail
- Available to your organization administrator on request
- Restricted to the minimum scope necessary
- Forbidden for user accounts with SuperAdmin privileges
Additionally, administrators within your own organization (such as your school principal or club manager) may access member messages, attendance records, and other data as required by their role. This access is governed by your organization's internal policies, not by BeeNet.
14. Automated Decision-Making
BeeNet does not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (GDPR Article 22). The platform contains automated features (spam filtering, suspicious login detection, lockout escalation), but these do not make final decisions without human review where legal rights are involved.
BeeNet does not use your messages, attachments, or personal data to train artificial intelligence or machine learning models.
15. Account Deletion
BeeNet accounts are created and managed by the organization that invited you (your school, sports club, daycare, or community center). Account deletion therefore normally goes through your organization administrator.
Step 1 — Contact your organization administrator (recommended): your school principal, club manager, daycare director, or the staff member who invited you. They can remove your account directly from the BeeNet admin portal within minutes.
Step 2 — Contact BeeNet directly (appeal path): if your organization is unresponsive, refuses a legitimate request without a valid legal basis, or no longer exists, you can submit a deletion request directly to BeeNet:
- Web form — visit beenet.app/account-deletion (no login required)
- Email — send your request to privacy@beenet.app with the subject "Account deletion request — direct appeal"
- Post — write to TAKISOFT 2.0 at the address in section 2
As data controller, BeeNet is required to respond to direct appeals under GDPR Article 12(3), regardless of the organization's involvement.
Once a deletion request is approved, your account enters a 30-day grace period. After 30 days, your personal data is permanently erased from active systems, and backup copies are overwritten within 90 days.
Data retained after deletion (for legal compliance):
- Billing and invoice records (7 years, French commercial law)
- Security audit logs (as required by data protection authorities)
- Anonymized aggregate statistics (cannot be linked back to you)
Important: records held by your organization (attendance registers, grade reports, enrollment history, etc.) are kept by your organization under its own legal obligations and are not deleted by BeeNet. To request deletion of those records, contact your organization directly.
For the full procedure, timelines, and special cases (minors, closed organizations, full organization deletion), see the account deletion page.
16. Analytics & Tracking
Transparency about what we do not track matters as much as what we do.
Mobile app
The BeeNet mobile application contains no third-party analytics, advertising, or user-tracking SDKs. Specifically, we do not embed:
- Firebase Analytics
- Google Analytics for Firebase
- Crashlytics
- Sentry
- Mixpanel, Amplitude, AppsFlyer, Adjust, or similar
- Advertising networks (AdMob, Meta Audience Network, etc.)
The only Google services integrated into the mobile app are Firebase Cloud Messaging (for push notifications) and Google Play Integrity (for device attestation) — both are necessary for core functionality and neither tracks your behavior.
Backend performance monitoring
Our servers use Azure Application Insights to monitor backend performance (response times, error rates, system health). This collects aggregate technical metrics and does not track individual user behavior or link data to your identity.
Website
The BeeNet marketing website (beenet.app) uses only essential cookies required for its functionality. No behavioral or advertising tracking cookies are used. See our Cookies Policy for details.
17. Data Breach Notification
In the unlikely event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (CNIL in France, and others as applicable) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights, as required by GDPR Article 34
- Document the breach, its effects, and the remedial action taken
- Cooperate fully with regulators and affected organizations
You can report suspected security vulnerabilities to security@beenet.app. See also our security.txt.
18. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or best practices. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify active users via email or an in-app notice
- Provide a reasonable period to review the changes before they take effect
Continued use of BeeNet after the effective date of revisions constitutes acceptance of the updated policy. If you do not agree, you may exercise your right to delete your account (see section 15).
19. Contact
For any question about this policy or about how we handle your data:
TAKISOFT 2.0
Attn: Privacy / Data Protection Officer
200 rue de la Croix Nivert
75015 Paris, France
Email: privacy@beenet.app
You may also file a complaint with your local data protection authority. For France, this is the CNIL: www.cnil.fr.