Effective Date: February 21, 2026

Last Updated: March 1, 2026

1. Introduction

Haiphen ("we", "us", "our") operates the Haiphen platform at haiphen.io and related subdomains. This Privacy Policy explains what information we collect when you use our services, how we use it, and your rights regarding that information.

2. Information We Collect

2.1 Account Information

When you sign in via GitHub or Google OAuth, we receive and store:

• Your display name and email address
• Your OAuth provider username (e.g., GitHub login)
• Your profile avatar URL

We do not receive or store your OAuth provider password.

2.2 Usage Data

We automatically collect:

• API request metadata (endpoint, timestamp, response status, request IP)
• Daily request counts for quota enforcement
• Subscription and entitlement status

2.3 Payment Information

Payment processing is handled by Stripe. We store your Stripe customer ID and subscription status, but we never store credit card numbers, CVVs, or full card details on our systems.

2.4 Mobile App Data

When you use the Haiphen mobile application, we may additionally collect:

• Biometric authentication status — We use Face ID (iOS) or fingerprint (Android) to secure access to your account. Biometric data is processed on-device only and is never transmitted to our servers.
• Push notification tokens — Device tokens issued by Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM) to deliver push notifications you subscribe to.
• Device identifiers — Anonymous device identifiers used for crash reporting and push notification delivery.
• Secure storage — Authentication tokens are stored in the platform secure keychain (iOS Keychain / Android Keystore) and are not accessible to other applications.

2.5 Cookies and Local Storage

• JWT cookie — scoped to *.haiphen.io, HttpOnly, Secure, SameSite=Lax. Used for authentication across our services.
• Cookie consent — localStorage key recording your consent preferences.
• Lens preference — localStorage key haiphen.lens storing your chosen UI lens (Tech/Finance).

3. How We Use Your Information

• Authentication: Verify your identity and maintain your session
• Service delivery: Provide API access, CLI functionality, desktop and mobile apps
• Quota enforcement: Track usage against your plan tier (Free, Pro, Enterprise)
• Billing: Process payments and manage subscriptions via Stripe
• Communication: Send transactional emails (welcome, purchase confirmation, subscription changes)
• Security: Detect abuse, enforce rate limits, and manage token revocation

4. Third-Party Services

We share data with the following third parties only as necessary to operate our service:

• Cloudflare — Infrastructure hosting (Workers, D1, KV, R2), DDoS protection, CDN
• Stripe — Payment processing and subscription management
• GitHub — OAuth authentication provider
• Google — OAuth authentication provider
• SendGrid — Transactional email delivery (via haiphen-contact)
• Expo / EAS — Mobile app build and over-the-air update delivery
• Apple (APNs) — iOS push notification delivery
• Firebase (FCM) — Android push notification delivery

We do not sell your personal data to any third party.

5. Data Retention

• Account data: Retained while your account is active; deleted upon request
• API usage logs: Retained for 90 days for security and debugging
• Billing records: Retained as required by tax and financial regulations
• Revoked tokens: KV entries expire automatically (token TTL)

6. Data Security

We employ the following security measures:

• All data in transit is encrypted via HTTPS/TLS
• JWT tokens are signed with HMAC-SHA256 and validated on every request
• Token revocation is fail-closed (missing data causes rejection, not acceptance)
• Webhook secrets are encrypted at rest using AES-256-GCM
• API keys are stored as SHA-256 hashes
• Admin endpoints are gated by email allowlist

7. Your Rights

7.1 GDPR (European Economic Area)

If you are located in the EEA, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate personal data
• Erase your personal data ("right to be forgotten")
• Restrict processing of your personal data
• Data portability — receive your data in a structured, machine-readable format
• Object to processing based on legitimate interests

7.2 CCPA (California)

If you are a California resident, you have the right to:

• Know what personal information is collected, used, and disclosed
• Request deletion of personal information
• Opt out of the sale of personal information (we do not sell personal data)
• Non-discrimination for exercising your rights

7.3 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Data Export and Deletion

You may request a full export of your account data or permanent deletion of your account by emailing [email protected]. Upon deletion:

• Your user record and OAuth associations are removed
• Your API keys are revoked
• Your entitlement and subscription data is cleared
• Stripe customer data is handled per Stripe's data retention policy

9. Children's Privacy

Our services are not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. Continued use of our services after changes constitutes acceptance.

11. Contact

For questions about this Privacy Policy, contact us at:

• Email: [email protected]
• Web: https://haiphen.io