1. Personal Information We Collect

1.1. Information you provide to us

• Contact data: Your name and email address, processed and stored via our authentication provider, Clerk.
• Profile data: Username, profile picture, and preferences set within your account.
• Transactional data: Information relating to your subscription history.
• Payment data: Needed to complete transactions. When subscription billing launches, payment data will be processed through a secure third-party payment processor; Hashqix does not store card numbers.
• User-shared Content: Text, images, videos, and other materials you upload to your canvas (stored via Supabase Storage and Cloudflare Images / Stream).
• Query and Prompt data: Commands, descriptions, and questions you input into our AI tools. Text, image, and video generation are processed via the AI inference providers described in Section 3 (and listed canonically in our internal Article 30 records, available on request).
• Feedback data: Information regarding your experiences with the Service.

You should not provide any confidential, sensitive, unlicensed proprietary, or biometric information through the Service. We do not knowingly process the categories of Sensitive Personal Information defined under CPRA § 1798.140(ae).

1.2. Automatic data collection

We and our service providers may automatically log:

• Device data: Operating system, browser type, IP address, approximate geographic region (country / state) derived from IP, and unique identifiers.
• Online activity data: Navigation paths, access times, duration of sessions, and feature interactions (instrumented via PostHog with autocapture disabled — we record specific events only, never raw clicks or form-input contents).
• Diagnostic data: Error reports, crash logs, and performance metrics (via Sentry, with sensitive form fields masked).

1.3. Cookies, tracking, and consent signals

We use essential cookies (provided by Clerk and Supabase) to maintain your session and ensure security; analytics cookies (PostHog) and error-monitoring tools (Sentry) only fire after you indicate consent (or, in regions that permit it, by implicit acceptance you can override at any time). Session replay is opt-in everywhere and off by default. We honor the Global Privacy Control (GPC) signal as an opt-out request for residents of US states with comprehensive consumer privacy laws that recognize it (see Section 8.7 for the operative list). See our Cookie Policy for the full per-vendor table.

2. How We Use Your Personal Information

• Service delivery: To provide the canvas features and process AI generations.
• Service improvement: To analyze aggregate usage patterns and improve Hashqix during its Beta phase. Inputs and Outputs are not used to train Hashqix-owned ML models — see Section 11.
• Security: To prevent fraud, identity theft, and deter unauthorized activity.
• Compliance: To comply with applicable laws and protect our legal rights.
• Communication: To send service-related and (where you have opted in) product-update emails. Marketing emails always honor opt-out per CAN-SPAM and the GDPR.

3. How We Share Your Personal Information

We share data with categories of service providers (sub-processors). The current list is maintained on our Sub-Processors page and updated within 7 days of any change. As of the Last Updated date above, sub-processors include:

• Authentication and identity providers: for sign-in, session management, and authentication-related transactional email (verification, password reset, magic links).
• Hosting and infrastructure providers: for application hosting, edge functions, database, file storage, and request logs.
• Content delivery and media storage providers: for image / video storage, adaptive-bitrate streaming, and global CDN delivery.
• AI model inference providers: gateways and underlying model owners for text, image, and video generation, including providers operating in or routing through non-EEA jurisdictions. The specific list of inference providers varies as the AI model landscape evolves; the canonical current list is maintained internally and disclosed on request via [email protected].
• Analytics and error monitoring providers: for product-event analytics (no autocapture) and error / performance monitoring.
• Payment processors: when subscription billing is active (none currently integrated).
• Professional advisors: Lawyers, auditors, or compliance vendors where necessary.

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under CCPA / CPRA. See Section 8.4.

4. Retention & Deletion

We retain personal information for as long as your account is active, and only for as long as needed for the purposes for which it was collected. Specific retention windows by category:

• Active project content: Retained while the project is active.
• Soft-deleted (Trash) content: Retained 30 days by default; you can choose 7 / 30 / 60 / 90 days in Settings → Storage & retention. After the chosen window passes, content is hard-deleted within 60 minutes by an automated purge worker.
• Hard-delete propagation: Once hard-deletion runs, content is removed from Cloudflare Stream, Cloudflare Images, Supabase Storage, and our database. Backups (Supabase Point-in-Time Recovery) overwrite within 7 days on our paid plan.
• Account closure: When you request erasure (Section 5.3 or 8), all projects are scheduled for immediate purge; full removal completes within 1 hour. Your audit log is retained for 7 years to comply with tax / billing regulations, then archived to cold storage.
• Inactive accounts: If you do not access your account for 24 months, we may notify you and delete inactive accounts after a 30-day grace period.

5. Your Choices

5.1. Account Information

You may review and update your account information by logging into your account at any time.

5.2. Content Deletion

You may delete content from your canvas through the Service interface. Deleted projects move to the Trash for the retention window described in Section 4. After the window expires, the automated purge worker deletes the content from all third-party storage layers within 60 minutes. Backups overwrite within 7 days.

5.3. Account Closure / Right to Erasure

You may request to close your account through Settings → Privacy & Data → Delete my account, or by contacting us at [email protected]. Upon confirmation, all projects are scheduled for immediate purge; full removal completes within 60 minutes.

5.4. Data Portability

You may download a complete copy of your data via Settings → Privacy & Data → Download my data, or by emailing [email protected]. Exports are provided in JSON format within a ZIP archive.

5.5. Marketing Communications

If we send you marketing emails, you may opt out by following the unsubscribe instructions in those emails. You will continue to receive service-related communications regardless of your marketing preferences.

5.6. Cookie & Tracker Preferences

Manage analytics, error monitoring, and session-replay preferences anytime in Settings → Privacy & cookie settings. We honor the Global Privacy Control (GPC) signal as an opt-out request — see Section 8.7.

6. Security

Hashqix LLC implements technical and organizational safeguards designed to protect your personal information, including encryption in transit (TLS 1.2+) and at rest, multi-factor authentication for administrative access, RLS-enforced database access, principle-of-least-privilege service-role keys, and continuous monitoring. However, no method of transmission over the Internet or electronic storage is completely secure, and Hashqix LLC cannot guarantee the absolute security of your data.

7. Third-Party Services and Links

The Service may contain links to or integrations with third-party websites and services that are not operated by Hashqix LLC. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through or in connection with the Service.

8. United States Privacy Rights

8.1. Notice at Collection (CCPA § 1798.100(b))

At or before the point of collection, we collect the following categories of personal information (mapped to CCPA enumerated categories):

• (A) Identifiers: name, email, IP address, device identifiers — collected from you directly and via your browser.
• (B) Customer records: subscription history, billing information — collected from you and from our payment processor (when subscription billing launches).
• (F) Internet / network activity: browsing within the Service, feature interactions — collected automatically.
• (G) Geolocation (approximate): country and US state derived from IP — for region-aware compliance only; not used for advertising.
• (K) Inferences: aggregate usage patterns drawn from the above to improve features.

We do not collect categories C (protected classifications), D (commercial purchases beyond billing), E (biometric info), H (audio / electronic / thermal / olfactory), I (employment / professional info), or J (education info).

Each category is retained per Section 4. We do not sell or share any category for cross-context behavioral advertising.

8.2. Your Rights — California (CCPA / CPRA)

If you reside in California, you have the right to:

• Right to Know: request a copy of personal information we have collected about you in the prior 12 months.
• Right to Delete: request deletion of personal information we have collected from you (subject to legal retention requirements).
• Right to Correct: request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: we do not sell or share personal information; this right is preserved should our practices ever change.
• Right to Limit Use of Sensitive Personal Information: we do not collect SPI categories; this right is preserved.
• Right to Non-Discrimination: we will not discriminate against you for exercising any privacy right.
• Right to Appeal: if we deny a request, you may appeal to [email protected] within 60 days.

Shine the Light (Civ Code § 1798.83): we do not share personal information with third parties for their own direct-marketing purposes.

8.3. Your Rights — Other US States

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Florida (FDBR), Oregon (OCPA), Montana (MCDPA), Tennessee (TIPA), Minnesota (MCDPA), Iowa (ICDPA), Indiana (INCDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Maryland (MODPA), Kentucky (KCDPA), or Rhode Island (RIDTPPA), you have substantially the same rights as California residents — access, deletion, correction, portability, opt-out of profiling-with-significant-effects, and appeal.

Submit any state-law request via the same channels described in Section 8.8.

8.4. Your Privacy Choices — Do Not Sell or Share

Hashqix does not sell personal information for monetary consideration, and does not share personal information for cross-context behavioral advertising as those terms are defined in CCPA / CPRA § 1798.140. Should our practices ever change, this section will be updated at least 30 days in advance and the “Your Privacy Choices” link in our footer will provide an immediate opt-out mechanism.

8.5. Sensitive Personal Information (SPI)

Hashqix does not knowingly collect categories of Sensitive Personal Information as defined in CPRA § 1798.140(ae) (precise geolocation, racial / ethnic origin, religion, mail / email content, genetic data, biometric identifiers, health, sex life / orientation, citizenship / immigration status, account login + password). When subscription billing launches, account login credentials processed by Clerk become SPI; we use them solely for authentication and never disclose them to third parties. You may instruct us to limit use to that purpose by contacting [email protected].

8.6. Children’s Privacy

See Section 10. Minors under 16 have a right to opt in to sale or sharing of their personal information under CCPA — we do not sell or share, so no opt-in mechanism is provided.

8.7. Global Privacy Control (GPC) Signal

We treat the Global Privacy Control signal as a valid opt-out request for residents of California, Colorado, Connecticut, and other US states with comprehensive consumer privacy laws that recognize a universal opt-out mechanism (currently including Oregon, Texas, New Hampshire, Maryland, Delaware, New Jersey, and Montana). When detected via the Sec-GPC: 1 HTTP header or navigator.globalPrivacyControl === true, we suppress non-essential trackers (PostHog product analytics and Sentry session replay) and treat your session as opted-out from analytics. Our implementation honors GPC across the broader set of US states with comprehensive privacy laws, so residents of those states are also covered even where the underlying statute does not yet mandate GPC. You may override this for a specific device in Settings → Privacy & cookie settings.

8.8. How to Submit a Privacy Request

Two methods, both no-cost:

• In-app: Settings → Privacy & Data → Delete my account for erasure; Download my data for access / portability.
• Email: [email protected].

Verification: we verify your identity by requiring you to confirm your primary email on file (typed-email confirmation). For authorized agents, please provide a notarized authorization. Response timeline: 45 days from receipt, with up to 45 additional days when reasonably necessary (CCPA standard). Appeal: if a request is denied, you may appeal at the same email within 60 days; we will respond within 60 days of the appeal.

9. Notice to European Users (GDPR / UK GDPR)

9.1. Data Controller and Sub-Processors

The Data Controller is Hashqix LLC, located at 30 N Gould St Ste N, Sheridan, WY 82801, United States. The current sub-processor list is on our Sub-Processors page; major sub-processors are also listed in Section 3 above. All sub-processors are bound by Standard Contractual Clauses (SCCs) for EEA→US transfers and the UK International Data Transfer Addendum for UK→US transfers.

9.2. EU / UK Article 27 Representative

Pursuant to GDPR Article 27, our designated EU Representative is [Pending — contact details to be published once the Article 27 representative service is provisioned. EEA users may, in the interim, contact [email protected].] Pursuant to UK GDPR Article 27, our UK Representative is [Pending — see above.]

9.3. International Data Transfers

The Operator is located in the United States. Your personal data is primarily stored and processed on secured servers located in the United States provided by our sub-processors. For transfers from the EEA / UK to non-adequate jurisdictions (including the USA), we rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum to ensure an equivalent level of data protection. Where applicable, we also rely on the EU-US Data Privacy Framework adequacy decision.

Some AI inference, particularly for video generation, may transit through providers operating in non-EEA jurisdictions, including the People’s Republic of China. We have completed an internal Transfer Impact Assessment under Schrems II principles. The data scope for such routing is limited to user prompts, reference images, and generated outputs; residency in non-EEA infrastructure is short. EEA / UK users who wish to opt out of specific routing destinations may email [email protected] (practical consequence: certain generation features will be disabled for that account).

9.4. Legal Basis for Processing

We process your data under the following legal bases:

• Contractual Necessity (Art. 6(1)(b)): to provide Hashqix services as per our Terms of Use.
• Legitimate Interests (Art. 6(1)(f)): to prevent fraud, ensure network security, and improve our Service. These interests are balanced against your rights and freedoms.
• Consent (Art. 6(1)(a)): for non-essential analytics, error monitoring, session replay, and marketing — collected via our consent banner, withdrawable anytime.
• Legal Obligation (Art. 6(1)(c)): for retention of audit logs, billing records, and similar.

9.5. Your Rights under GDPR / UK GDPR

You have the right to:

• Access (Art. 15): request a copy of your personal data.
• Rectification (Art. 16): correct inaccurate data.
• Erasure (Art. 17 / “Right to be Forgotten”): request deletion of your account and content. Processing window: 60 minutes for active data; backups overwrite within 7 days.
• Portability (Art. 20): receive your data in machine-readable JSON format.
• Restriction (Art. 18) / Object (Art. 21): object to processing or restrict it.
• Withdraw consent (Art. 7(3)): change tracker preferences anytime via Settings.

To exercise these rights, contact [email protected]. You also have the right to lodge a complaint with your local Data Protection Authority.

9.6. Data Access by the Operator

Access to your personal data by the Operator and its authorized contractors and employees worldwide is strictly limited to administrative and support purposes. We implement technical and organizational measures (TOMs), including encrypted access and multi-factor authentication, to ensure that no unauthorized data access occurs.

10. Children’s Privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from children. Specifically, we comply with:

• COPPA (USA): children under 13 cannot have personal information processed without verifiable parental consent.
• GDPR Article 8 (EEA): the digital age of consent is 16 in some EEA states (Croatia, Cyprus, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Luxembourg, Malta, Netherlands, Romania, Slovakia, Slovenia) and lower in others (down to 13 in Belgium, Czech Republic, Denmark, Estonia, Finland, Iceland, Latvia, Norway, Poland, Portugal, Sweden, the UK).
• UK Data Protection Act 2018: 13.
• PIPL (China): 14.

If a person under 18 nonetheless creates an account in violation of our Terms, we treat any data collected from them as if collected from a child for the purposes of COPPA / GDPR Art. 8 and delete it within 30 days of becoming aware. Parents or guardians who believe their child has provided personal information may contact [email protected] for immediate deletion.

11. AI Training Disclosure

Hashqix does not train, fine-tune, or otherwise use any user-submitted prompts, content, or AI Outputs to develop or improve machine-learning models that we own or operate. All AI inference is performed by upstream providers (listed on our Sub-Processors page). Each upstream provider operates under its own privacy and retention terms; where the provider offers an enterprise / API tier with a default no-training commitment, we route through that tier. Where applicable, we contractually require providers to exclude our routed traffic from consumer-model training. We cannot independently verify upstream training practices and rely on each provider’s published policies; consult each provider directly for current terms.

Hashqix may use aggregated, de-identified usage statistics (for example: feature-popularity counts, error rates, average session duration) to improve product features and prioritize development. Such statistics never include user prompts, generated content, or any data that can be linked back to an individual user.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If a revision is material — for example, expanding the categories of personal data we collect, the purposes for which we use it, or the recipients with whom we share it — we will provide notice at least 30 days before the new terms take effect, by posting a notice on the Service and, where we hold a verified email address, by email to that address. Non-material updates (typo fixes, contact-information changes, references to non-substantive new features) take effect on publication. Changes required by law, regulation, or our third-party processors may, where compliance does not permit a notice period, take effect immediately; we will document the legal basis on request. The “Last Updated” date above always reflects the most recent revision.

13. Contact Us

• Operator: Hashqix LLC
• Address: 30 N Gould St Ste N, Sheridan, WY 82801, United States
• Legal & data requests: [email protected] — privacy / GDPR / CCPA, DMCA, acceptable-use & DSA notices, security disclosures, Article 27 (EU/UK).
• Product support: [email protected] — billing, account access, “how do I…” questions.

For statutory requests sent to [email protected], please prefix the subject line with [Privacy], [DMCA], [Abuse], or [Security] so that we can respond within the applicable statutory window.