Privacy Policy

1. Introduction

Welcome to Haroo Chat ("we", "our", or "us"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI character chat platform.

This policy complies with the EU General Data Protection Regulation (GDPR) and Czech Republic data protection laws, including Act No. 110/2019 Coll., on Personal Data Processing.

2. Data Controller

3. Personal Data We Collect

3.1 Account Information

• Email address (required for account creation)
• Username and display name
• Password (encrypted)
• Profile information (avatar, bio)
• Account preferences and settings

3.2 Usage Data

• Chat messages and conversations with AI characters
• AI characters you create (name, description, traits, avatar)
• Crystal balance and transaction history
• Daily rewards and achievement progress
• Referral information and codes

3.3 Payment Information

• Payment details (processed securely by Stripe - we do not store full card details)
• Billing address
• Transaction history and receipts

3.4 Technical Information

• IP address
• Browser type and version
• Device information (type, operating system)
• Device fingerprint (for fraud prevention via FingerprintJS)
• Cookies and similar tracking technologies
• Log data (access times, pages viewed, errors)
• Error reports and stack traces (via Sentry)
• Product analytics and feature usage (via PostHog)

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our services (chat functionality, crystal economy, creator payments)
• Consent: For optional features like marketing communications and certain cookies
• Legitimate Interest: For fraud prevention, security, analytics, and service improvement
• Legal Obligation: To comply with tax, accounting, and anti-money laundering laws

5. How We Use Your Data

• Provide and maintain the AI chat service
• Process payments and manage your crystal balance
• Enable AI character creation and management
• Calculate and distribute creator commissions
• Send important service updates and notifications
• Improve AI model performance and user experience
• Detect and prevent fraud, abuse, and security threats
• Comply with legal obligations
• Respond to support requests
• Send marketing communications (with your consent)

6. Data Sharing and Third Parties

We share your data with the following third-party service providers:

6.1 Service Providers

• Supabase: Database and authentication (EU-based servers available)
• Stripe: Payment processing (GDPR compliant)
• DeepInfra: AI model hosting (Sao10K L3.3-70B-Euryale, DeepSeek V3.2)
• Anthropic: Claude AI models (Claude Haiku 3.5, Claude Sonnet 4.5)
• PostHog: Product analytics and feature flags (EU region: eu.i.posthog.com)
• Sentry: Error tracking and performance monitoring (EU region: de.sentry.io)
• Google Analytics: Website analytics (when consent provided)
• FingerprintJS: Device fingerprinting for fraud prevention

6.2 Legal Requirements

We may disclose your information if required by law, court order, or to protect our rights, property, or safety.

6.3 Business Transfers

In case of merger, acquisition, or sale of assets, your data may be transferred to the new entity.

7. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Binding Corporate Rules where applicable

8. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

• Account data: Until account deletion + 30 days backup retention
• Chat messages: Retained for the lifetime of your account
• Payment records: 7 years (tax and accounting requirements)
• Marketing data: Until consent is withdrawn
• Security logs: 12 months
• Analytics cookies: Up to 2 years (Google Analytics, PostHog)
• Error logs: 90 days (Sentry error tracking)
• Device fingerprints: 90 days (FingerprintJS)

9. Your Rights Under GDPR

As a data subject in the EU/Czech Republic, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Limit how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time
• Right to Lodge a Complaint: File a complaint with the Czech DPA (ÚOOU)

To exercise any of these rights, contact us at privacy@haroo.chat. We will respond within 30 days.

10. Children's Privacy

In accordance with Czech law, users must be at least 15 years old to provide consent for data processing. Users under 18 require parental consent. We do not knowingly collect data from children under 15 without parental authorization.

11. Cookies and Tracking

We use cookies and similar technologies to enhance your experience. For detailed information, see our Cookie Policy.

12. Security Measures

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (TLS/SSL) and at rest
• Row-Level Security (RLS) policies in our database
• Regular security audits and penetration testing
• Access controls and authentication
• Device fingerprinting for fraud detection (FingerprintJS)
• Regular backups and disaster recovery procedures
• Error monitoring and alerting (Sentry)
• Privacy-respecting analytics (PostHog with session recording disabled)

13. AI-Specific Privacy Considerations

When you interact with AI characters:

• Chat messages are processed by AI models (Spicy One, Claude) to generate responses
• We do not use your chat data to train AI models without explicit consent
• AI-generated content is not reviewed by humans unless you report an issue
• Conversations are private between you and the AI character
• Personality creators cannot access chat messages with their personalities

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or prominent notice on our platform. Continued use after changes constitutes acceptance.

15. Contact and Complaints

Contact Us

For privacy-related questions or to exercise your rights:
Email: info@click-click.cz
Data Protection Officer: info@click-click.cz

Czech Data Protection Authority