Privacy Policy

Last updated: May 17, 2026
Controller: Hahoowa Medias Services LLC (United States) and Hahoowa Medias Services SARL AU (Morocco), jointly. Contact: privacy@hahoowa.app.

This Policy describes what personal data Hahoowa collects, why, how long we keep it, and your rights.

1. Data we collect

We do not collect: full card numbers, full IBAN, biometric data, sensitive religious/health data unless you voluntarily publish it.

2. Why we collect it (legal basis)

• Provide the service (contract): account, listings, conversations
• Process payments (contract): Stripe customer creation
• Legal obligation: tax records (LLC accounting), DSA compliance, responding to court orders
• Legitimate interest: anti-fraud, security, analytics, product improvement
• Consent: marketing emails, push notifications

3. How long we keep it

• Account data: as long as your account exists + 12 months after closure
• Listings: 24 months after the listing is archived
• Conversations: 36 months after the last message
• Payment records: 10 years (legal accounting requirement)
• Moderation logs: 5 years
• Device & usage logs: 13 months

After these periods we delete or fully anonymize the data.

4. Who we share it with

• Stripe — for payment processing (subscription, credits). Stripe is the joint controller for payment data; see https://stripe.com/privacy
• HeyGen — your brief + chosen avatar/voice when you generate an AI reel. HeyGen processes it under their terms; see https://www.heygen.com/privacy-policy
• AWS — hosting of generated videos and uploaded images (S3 + CloudFront)
• Postgres / Redis providers — database infrastructure
• Expo — push notification delivery
• Authorities — when required by law (court order, tax audit, DSA)

We do not sell your personal data.

5. International transfers

Hahoowa LLC is in the United States. EU/UK personal data is transferred to the US under Standard Contractual Clauses (SCCs) as approved by the European Commission. Moroccan personal data is processed in Morocco (SARL AU) and replicated to the US LLC for service operation.

6. Your rights (GDPR / CCPA / Moroccan law 09-08)

You have the right to:

• Access the personal data we hold about you
• Rectify inaccurate data
• Delete your account and personal data (subject to legal retention obligations — e.g. we keep payment records 10 years)
• Object to processing (e.g. opt out of marketing)
• Restrict processing
• Portability — export your data in a machine-readable format
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority (CNIL in France, CNDP in Morocco, your state AG in the US, etc.)

To exercise these rights, contact privacy@hahoowa.app from the email on your account, or use Account → Settings → Privacy → Request data / Delete account in the app.

We respond within 30 days.

7. Cookies (web)

Our website uses:

• Strictly necessary cookies: session, CSRF, language preference. No consent needed.
• Analytics cookies: aggregated traffic metrics. Consent required in EU/UK.
• Marketing cookies: third-party advertising. Consent required.

You can manage your preferences via the cookie banner on first visit and via Account → Settings → Cookies thereafter.

8. Children

Hahoowa is not directed to children under 16. If we learn we have collected data from a child under 16 without verifiable parental consent, we delete it.

9. Security

We protect your data with:

• TLS encryption in transit
• AES-256 encryption at rest for sensitive fields (IBAN, password hashes)
• Role-based access control internally
• Regular security audits

No system is perfectly secure; we recommend a strong, unique password.

10. Changes to this Policy

Material changes are notified in-app at least 14 days before they take effect.

11. Contact

• Data protection: privacy@hahoowa.app
• DPO (Data Protection Officer): dpo@hahoowa.app (when appointed — currently the same contact)
• Postal: see Terms of Service section 14