Your data, your rights.

Power of Life Labs GmbH
Oberdorfweg 9, 8704 Herrliberg, Switzerland

Contact (including all privacy inquiries): hello@power-of-life-labs.com

Email hello@power-of-life-labs.com for any of the following. We respond within 30 days, free of charge.

• Get a copy of your data — we send a structured export (JSON) of everything we hold on you
• Take your data with you — same export, in a portable format you can give to another service
• Correct anything wrong — names, emails, handles, follower numbers, niches, anything in your application or profile
• Delete your account or withdraw your application — at any time, no reason required. Profile, contact details, messages, and marketing preferences are immediately deleted or anonymized. Records we must keep by law (transactions, contracts, tax data) are listed in Section 8.
• Restrict or object to processing — pause specific uses of your data, or opt out of legitimate-interest processing
• Withdraw consent — for anything you previously opted into (marketing, optional features). Doesn't affect prior processing.
• Lodge a complaint — with the Swiss FDPIC or your local EU supervisory authority (Section 13)

A self-serve "Export" and "Delete account" control will be available in the profile editor in Phase 2. Until then, the email above is the route — you have the same rights either way.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), and the German Telemedia Act (TMG) where applicable. Lawful bases under Art. 6(1) GDPR: (a) consent, (b) contract performance, (c) legal obligation, (f) legitimate interests.

Where we are today. Bundme is in pre-launch. Right now we collect only the data you submit via (a) the Founding 500 creator application and (b) the developer waitlist, plus standard server logs. The additional processing described below (campaign and transaction data, content verification, Bund-Pixel, in-platform messaging) begins once you are admitted and the platform goes live.

Application data (active today) — what you submit through the Founding 500 creator application or the developer waitlist: handle, email, country, platform handles + follower buckets, niches, audience regions/country, languages, content types you offer, compensation models you accept, rate range, license preferences, and standard usage duration. Plus your explicit consent to these terms with a server-side timestamp. Lawful basis: Art. 6(1)(b) GDPR (steps prior to entering a contract) and Art. 6(1)(a) GDPR (consent).

Communication data (active today) — emails you send to us and replies we send back, plus standard support correspondence. Lawful basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in providing support).

Server access logs (active today) — our hosting provider generates standard nginx access logs (IP address, user agent, requested path, timestamp) for security and abuse prevention. We do not actively profile or analyze visitor browsing on the public website. Lawful basis: Art. 6(1)(f) GDPR (legitimate interest in platform security).

Account credentials (Phase 2) — once we issue authenticated accounts, your password will be stored in salted, hashed form. Today's waitlist application does not require a password. Lawful basis: Art. 6(1)(b) GDPR.

Campaign and transaction data (Phase 2) — product descriptions, budgets and terms, tracking links (Bund-Links), platform messages, contracts and electronic signatures, campaign status, payment amounts, escrow status, transaction IDs, payout records, refund history. Lawful basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligation, for accounting records).

Content verification data (Phase 2) — from public social media profiles only: post content and captions, publication dates, engagement metrics, screenshots as proof, comment content for sentiment analysis. We do not access private accounts or messages, do not collect data from logged-in views, and never store login credentials for social accounts. Lawful basis: Art. 6(1)(f) GDPR (legitimate interest in verifying agreed deliverables on behalf of both parties).

Bund-Pixel tracking (Phase 2) — referral source (which creator link was clicked), click timestamps, conversion events if configured, anonymized session data. The pixel only fires for users who clicked a creator link containing a Bund-Link reference; no cross-site tracking of general visitors. Users can opt out via browser settings or Do Not Track headers. Lawful basis: Art. 6(1)(f) GDPR (legitimate interest in attribution measurement) and the developer's own consent obligations on their site.

Automated decision-making. The Phase 2 verification system reaches automated conclusions about whether a campaign was completed (presence of post, presence of tracking link, engagement metrics within expected ranges). You always have the right to request human review (see the Terms of Service, "Human-review request"), to express your point of view, and to contest the decision.

To create accounts and authenticate users, facilitate developer–creator agreements, process payments and escrow through Stripe, verify campaign completion via automated agents, generate contracts and certificates, provide analytics and reporting, send transactional and (opt-in) marketing emails, comply with tax and accounting obligations, prevent fraud, and improve the platform.

We do not sell your data to third parties, use it for purposes beyond those stated here, or share identifiable data except as required by law or as described below.

Within the platform. Developers and creators see each other's public profile, the campaigns and offers they share, the messages they exchange, the contracts they agreed to, and the verification data relevant to their deal.

Service providers (data processors). Each processor is bound by a data processing agreement (DPA). We will name additional processors here before each one goes live; for the up-to-date list at any moment email hello@power-of-life-labs.com.

Currently active:

• Supabase (Supabase Inc., USA; database instance hosted on AWS in the EU) — stores your application data and the developer waitlist. Cross-border safeguards: EU Standard Contractual Clauses with Supabase Inc. Privacy

Legal disclosures. We may disclose data where required by law, to protect our rights, to prevent fraud, or with your explicit consent.

Business transfers. In a merger, acquisition, or asset sale, user data may be transferred to the acquirer. You will be notified.

Power of Life Labs GmbH is based in Switzerland. Some service providers operate in the USA or other countries. For transfers to countries without adequate protection, we rely on EU Standard Contractual Clauses (SCCs) and assess the destination country's legal situation.

We take appropriate technical and organizational measures to protect your data, including encryption in transit (TLS) and access controls limited to the people who need it. Specific measures will evolve as the platform itself does; we will keep this section current. No internet transmission is 100% secure and we cannot guarantee absolute security.

We keep your data only as long as necessary for the purpose it was collected for. Where Swiss law requires longer retention (notably accounting and tax records under Art. 958f of the Swiss Code of Obligations), we retain those records for the legally mandated period and no longer.

• Pending applications: 90 days after last activity, then deleted
• Approved-account data: duration of your account + 30 days after deletion
• Transaction records: 10 years (mandatory under Art. 958f Swiss CO)
• Campaign data and contracts: campaign duration + 3 years (civil-claim limitation)
• Verification screenshots: 2 years after the campaign (proof of work for disputes)
• Platform messages: duration of your account + 30 days after deletion
• Marketing consent and email preferences: until you withdraw consent
• Server access logs and IP addresses: 30 days
• Error and security logs: 90 days

Withdrawing or deleting at any time. You can withdraw a pending application or delete an approved account at any time by emailing hello@power-of-life-labs.com. A self-serve "Delete account" control will be available in the profile editor in Phase 2. On deletion we immediately remove or anonymize your profile, contact details, messages, and marketing preferences. Anything we must keep by law (notably the 10-year transaction records above) is retained only for the legally required period.

Under GDPR and Swiss law you have the right to:

• Access (Art. 15) — request a copy of all data we hold about you
• Rectification (Art. 16) — correct inaccurate or incomplete data
• Erasure (Art. 17) — be forgotten, except where we have legal obligations to retain
• Restriction (Art. 18) — limit how we use your data
• Portability (Art. 20) — receive your data in machine-readable format
• Object (Art. 21) — to processing based on legitimate interests or for direct marketing
• Withdraw consent — at any time by emailing the contact in Section 1, without affecting prior processing
• Lodge a complaint — with a supervisory authority

To exercise any of these, email hello@power-of-life-labs.com. We respond within 30 days.

Today (pre-launch landing page). The public bundme.com site sets no cookies and loads no third-party scripts, trackers, analytics, or social-media pixels. Fonts are self-hosted at build time, so no external font CDN is contacted. No consent banner is shown because none is required.

Once the full platform is live (Phase 2). We will set strictly necessary first-party cookies for authentication, CSRF protection, and session management. These are essential to the service and cannot be disabled. We do not intend to use advertising cookies, social-media tracking pixels, or third-party analytics such as Google Analytics. If we add analytics, we will use privacy-friendly tools (e.g., Plausible) that require no consent banner. The first-party Bund-Pixel only fires for users who clicked a creator attribution link and respects Do Not Track headers.

Bundme is not intended for users under 18 (see Terms of Service, Section 1). Because the service is age-gated above the GDPR threshold for children's processing (Art. 8 GDPR), we do not engage parental-consent flows. We do not knowingly collect data from minors. If you believe we have, email hello@power-of-life-labs.com and we will delete it.

Power of Life Labs GmbH does not currently meet the thresholds requiring the appointment of a Data Protection Officer under Art. 37(1) GDPR (no large-scale systematic monitoring, no large-scale processing of special-category data). All data-protection inquiries are handled directly by the contact in Section 1; we will appoint a DPO and update this page if and when our processing volume crosses the relevant thresholds.

We may update this policy. Material changes are notified by email and a platform banner. The "last updated" date at the top reflects the most recent revision. Continued use after changes constitutes acceptance.

Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern — edoeb.admin.ch

European Union: Lodge a complaint with the authority in your country of residence — edpb.europa.eu