GDPR and data security on micro-task platforms
Sign-up, ID document, IBAN, granular demographic data: a micro-task platform collects more sensitive information than a regular e-commerce account. Here is the applicable GDPR framework, 8 questions to ask before signing up, red flags to spot, and what Microtaches concretely puts in place — without sugar-coating.
Why this topic really matters
A micro-task platform collects far more than a regular e-commerce site. At sign-up: email, name, phone, country. For the profile: age, gender, education level, family situation, income, interests — exactly what a data broker dreams of obtaining. For payment: IBAN, ID document, proof of residence (KYC). For tasks: IP address, browser fingerprint, sometimes geolocation.
If the platform is poorly secured or unscrupulous, this data may leak (see the frequent scams documented in our anti-scam guide) or be resold to third parties. For the worker, the risk is concrete: identity theft, fraudulent bank account opening, aggressive marketing, profile sold to advertisers.
The applicable GDPR framework
The 6 possible legal bases
GDPR requires that no data be processed without an explicit legal basis. For a micro-task platform, three bases are relevant: contract execution (you accept the terms to work, so name/email/IBAN are necessary), legal obligation (anti-money-laundering KYC, DAC7 reporting), and consent (demographic data for task targeting, newsletters, analytics cookies). A platform invoking "consent" to process your IBAN is wrong — it's a contractual obligation, not a choice.
Your 7 user rights
- Right of access: obtain a copy of all your data in a readable format (usually JSON or PDF) within 1 month.
- Right to rectification: correct erroneous data (misspelled name, wrong country, etc.).
- Right to erasure ("right to be forgotten"): permanently delete your account and all associated data, except those the platform must keep for legal obligation (invoices for 10 years, KYC for 5 years after closure).
- Right to portability: retrieve your data in a reusable format to transfer it elsewhere.
- Right to object: refuse marketing or profiling processing.
- Right to restriction: freeze contested processing during its review.
- Right to complain: file with the CNIL in France (or its EU equivalent) for free online if the platform does not respond within 1 month.
DPO, EU representative and transfers outside Europe
A platform that exceeds certain thresholds (large-scale tracking, sensitive data) must appoint a Data Protection Officer (DPO) reachable by email. If the platform is based outside the EU (United States, post-Brexit UK, etc.) but targets European residents, it must have an EU representative named in its legal notice. Data transfers to the United States have been governed since 2023 by the Data Privacy Framework — a US platform that mentions it nowhere is in breach.
Checklist: 8 questions to ask before signing up
- Where is the head office? Look for the legal notice — French SIRET, trade register, real postal address. An offshore PO box is a bad sign.
- Where is the data hosted? A serious platform names its host (OVH, Scaleway, AWS Europe, etc.) and the region. "Global cloud" without details = red flag.
- Is the IBAN encrypted at rest? An honest privacy policy explicitly mentions "AES-256 encryption", "vault", or equivalent. Otherwise, ask by email — the absence of a clear answer is a signal.
- How long is the data retained? GDPR requires a limited, justified duration. A platform that keeps your data "indefinitely" is in breach.
- Which subcontractors have access to your data? The list must be public (Resend for emails, Stripe for payments, etc.). A platform that refuses to disclose its subcontractors treats you poorly.
- Is the DPO reachable? Look for an address such as dpo@ or privacy@. Send a test: if no response within 1 month, it's telling.
- Is account deletion effective? Read the procedure in the terms. "Deactivation" ≠ deletion. Real deletion erases demographic data and anonymizes history.
- Is the platform DAC7 compliant? Since 2023, any EU platform must report the income of users exceeding €2,000 or 30 services per year. See our DAC7 guide.
5 red flags that should make you run
- No detailed legal notice or a simple Gmail address as contact. No serious company operates that way in Europe.
- Missing privacy policy, English only, or copy-pasted from another site (typos or references to other companies are revealing).
- Explicit refusal to delete an account or deletion conditional on payment. Illegal throughout the EU.
- Displayed or suspected resale of demographic data to unidentified partners ("our marketing partners" without a precise list = disguised resale).
- Excessive document requests: photo of your bank card (never necessary), email mailbox code, access to your contacts. These are clear-cut scams.
GDPR-compliant vs non-compliant platform
What Microtaches concretely does
Microtaches is a French entity based in Paris, hosted in the European Union. Our GDPR approach can be summed up in five factual points.
1. IBAN and financial data encrypted AES-256 via a dedicated vault. The IBAN is never stored in clear in the database, even for admins. Reading goes through a secure function that logs every access.
2. Immutable encrypted KYC. Identity documents submitted for KYC verification are stored in a private bucket with strictly restricted access. Messages exchanged with the KYC team are stored in an immutable table (impossible to modify or delete even for an admin), which protects the worker in case of dispute.
3. Effective account deletion via a dedicated server function. The procedure erases your demographic data, anonymizes your transactions and missions, and revokes your tokens. Data kept for legal obligation (DAC7, anti-money-laundering) is kept 5 years in a separate space then destroyed.
4. No resale of demographic data. Your answers to the demographic wizard are used solely to target relevant missions (for example, a "young parents" mission is only offered if you indicated it). We do not resell any data to brokers, advertisers or marketing partners.
5. Public subcontractor list in the privacy policy: Lovable Cloud (Supabase) for the database and authentication, Resend for transactional emails, AI providers for help features. No marketing subcontractor.
How to exercise your GDPR rights in practice
- Identify the right contact: the DPO (dpo@ or privacy@) or, failing that, the general contact. On Microtaches: privacy@microtaches.com.
- Formulate the request in writing, specifying the right invoked (access, deletion, portability, etc.) and attaching an ID to prevent identity theft.
- Wait a maximum of 1 month. The platform can extend by 2 months if the request is complex, but must inform you.
- In case of silence or refusal, file with the CNIL online (cnil.fr/plaintes) — it's free and the investigation is serious.
- Can I really delete my Microtaches account?
- Yes. The procedure is documented in the privacy policy and executed via a dedicated server function. Your demographic data is erased, your missions and transactions anonymized, your tokens revoked. Data we must keep for legal obligation (DAC7, anti-money-laundering traceability of withdrawals) is kept 5 years in a separate space then destroyed. If you have never triggered KYC, deletion is total immediately.
- Is my demographic data resold to advertisers?
- No. Demographic wizard answers are used solely to target missions suited to your profile (for example, some missions are restricted to a "parents" or "students" group). No data is resold to brokers, marketing partners or advertisers. The exhaustive list of our subcontractors is public in the privacy policy.
- What happens if Microtaches goes bankrupt?
- GDPR requires that in case of liquidation, the appointed judicial administrator is responsible for the data and guarantees its destruction or transfer in a compliant framework. In practice: Ops balances converted to euros would be entered as liabilities (which is why it's important not to accumulate excessive balances — see our guide on the withdrawal threshold), and data would be destroyed or transferred to a buyer under CNIL supervision.
- Is a platform hosted outside the EU automatically illegal?
- No, but it must meet three conditions: appoint an EU representative in its legal notice (article 27 of GDPR), use a valid transfer mechanism (Data Privacy Framework for the United States since 2023, or standard contractual clauses), and offer the same level of rights as a European platform. Most major US platforms are now compliant, but many smaller platforms are not — always check the legal notice.
- How do I know if my IBAN is really encrypted?
- The only serious way is to read the privacy policy: an honest platform explicitly mentions "AES-256 encryption", "vault", or equivalent. Failing that, write to support or the DPO. A vague answer ("we take security seriously" without technical details) is a warning signal. On Microtaches, the IBAN is encrypted AES-256 via Supabase Vault and is never readable in clear in the database, even on the admin side.
- What if a platform refuses to respond to my GDPR request?
- First wait 1 month (legal response time). If silence or refusal, file with the CNIL via cnil.fr/plaintes — it's free, online, and the investigation is serious. You can also file with the data protection authority of the country where the platform is headquartered (CNIL for France, ICO for the United Kingdom, etc.). GDPR fines can reach 4 % of global turnover, which generally motivates a quick response.