Privacy Policy

1. Data Controller

The administrator of personal data is Igor Oprządek.

Bągart 14A, Poland
E-mail: privacy[at]weborbiton.com

2. Data Protection Officer

No Data Protection Officer has been appointed.

3. Nature of the Service

MevaSearch is a private internet search engine available in a premium model.

• no search history assigned to the user
• no user profiling
• no cross-site tracking
• no tracking identifiers
• no sale of user data to third parties

4. Scope of Processed Data

Using MevaSearch requires creating an account and purchasing access through an external Payment Processor.

In connection with this, the following data may be processed:

Account Data

• e-mail address
• information about active subscription / access
• Kids Mode status (enabled/disabled), set by the account holder

Payment Data

• transactional data processed by the authorized Payment Processor. We do not store your full credit card details on our servers.

Technical Data

• IP address (exclusively for technical, security, and diagnostic purposes)
• date and time of request
• browser and device type

Search Data

• are not saved in a way that allows user identification
• are not assigned to the account
• do not create a search history
• are forwarded to external search index providers in anonymous form — see Section 8

5. Analytics – PriviMetrics

The service uses its own analytical system, PriviMetrics, which is privacy-first and self-hosted.

• no cookies / no user tracking
• privacy-first aggregated data (number of visits, country, browser type)

6. Purposes and Legal Basis (GDPR)

• service provision (account, premium access) – Art. 6(1)(b) GDPR
• ensuring the security and operation of the service – Art. 6(1)(f) GDPR
• privacy-focused traffic analysis – Art. 6(1)(f) GDPR
• forwarding anonymous search queries to external index providers to deliver results – Art. 6(1)(b) GDPR
• forwarding anonymous queries to an AI provider to generate content summaries – Art. 6(1)(b) GDPR
• Kids Mode settings management (parental control feature) – Art. 6(1)(b) GDPR

7. Server Logs

The server records technical logs containing the IP address exclusively for technical and security purposes.

8. Data Recipients and Sub-processors

MevaSearch uses the following external service providers. Where search queries or AI prompts are transmitted, they are forwarded in anonymous form — without any user identifier, account reference, or personal data attached. The providers listed below receive only the query text and standard technical request metadata (e.g. server-side IP of MevaSearch).

Infrastructure & Payments

• Hostinger – hosting provider (server infrastructure). Physical service files and user account data are stored on servers located in Lithuania (primary), with backup copies maintained in France. Both locations are within the European Economic Area (EEA). The service additionally uses a global Content Delivery Network (CDN) for static asset delivery (scripts, stylesheets, fonts) — CDN edge nodes may be located outside the EEA; no personal user data is stored or processed at CDN nodes.
• Polar.sh (Polar Signals Inc.) – payment processor and authorized reseller

Search Index Providers (anonymous queries only)

• Brave Search API (Brave Software, Inc.) – web search index. Queries are forwarded without any user identifier; only the query text and MevaSearch's server-side IP are transmitted. Data processing by the provider is governed by the standard API terms and Brave's privacy policy: brave.com/privacy. No personal data of MevaSearch users is shared with Brave.
• Mojeek API (Mojeek Ltd.) – independent web search index. Queries are forwarded anonymously, without any user identifier.
• WebAtlas Index API – web search index. Queries are forwarded anonymously, without any user identifier.

AI Content Generation (anonymous queries only)

• Google Gemini AI (Google LLC) – used to generate AI summaries displayed above search results. Queries are sent as anonymous requests from MevaSearch's servers; no user account data or personal identifiers are included. Google may process and retain query data in accordance with its API terms and applicable data processing agreements. MevaSearch does not share any personal data of its users with Google in connection with this integration. Google's terms of service apply to API usage: ai.google.dev/gemini-api/terms.

9. Kids Mode and Minors

When Kids Mode is active:

• SafeSearch is locked to Strict filtering
• Access to billing, payment settings, and subscription management is blocked
• The mode can only be disabled by entering the account password

MevaSearch does not collect any additional personal data from or about children. No separate child profile is created. The account remains registered to the adult account holder.

Parental responsibility: The account holder (parent/guardian) is solely responsible for enabling Kids Mode and supervising usage. MevaSearch does not guarantee complete filtering of all potentially inappropriate content and does not assume liability for content accessed through search results.

MevaSearch is a service intended for adults (18+). Minors may use the Service only under parental supervision, with the parent or legal guardian as the registered account holder.

MevaSearch does not knowingly collect personal data from children under the age of 16 without verified parental consent, in accordance with Art. 8 GDPR and applicable Polish law. Note: the age of 16 referred to in Art. 8 GDPR relates specifically to the lawfulness of processing personal data of minors, and is separate from the general requirement that the account holder must be an adult (18+).

10. Cookies and Local Storage

MevaSearch uses a single functional cookie (meva_prefs) and browser localStorage solely to store your UI preferences (e.g. color theme). No tracking, advertising, or analytics cookies are used.

• These are strictly necessary for the correct display of the interface.
• No personal data is stored in these mechanisms.
• They are not shared with any third party.

11. Retention Period

• technical logs: up to 30 days
• account data: for the duration of the service provision
• analytical data: up to 12 months
• search queries: not retained (anonymous, not stored)
• AI prompts: not retained on MevaSearch servers (processed in transit)

12. User Rights

• access to data, rectification, and deletion
• restriction of processing and data portability
• objection to processing and withdrawal of consent
• right to lodge a complaint with a supervisory authority (PUODO – Polish Personal Data Protection Office)

Contact: privacy[at]weborbiton.com

13. Voluntariness of Data

Providing account data is voluntary, but necessary to use the service.

14. Profiling and Automated Decisions

The service does not use profiling or automated decision-making affecting users (Art. 22 GDPR).

15. Data Transfer Outside the EEA

User account data and service files are physically hosted within the European Economic Area (EEA) — primary servers in Lithuania, backup in France.

The following involves processing that may occur outside the EEA:

• Hostinger CDN (global content delivery network) – static technical assets (scripts, stylesheets, fonts) may be cached and served from CDN edge nodes located outside the EEA, including the United States. No personal data, user account information, or search queries are stored or transmitted through CDN nodes.
• Polar.sh (Polar Signals Inc.) – United States. Data transfers are subject to appropriate legal safeguards (Standard Contractual Clauses or equivalent).
• Brave Software, Inc. – United States. Anonymous queries only.
• Google LLC (Gemini AI) – United States. Anonymous queries only, processed under Google's API terms and applicable data transfer mechanisms.

All transfers involving personal data are carried out in accordance with Chapter V of the GDPR using appropriate safeguards.

16. Changes to the Policy

We reserve the right to update this policy. Users will be informed of significant changes via e-mail.