Privacy Policy

Privacy Policy

Effective 2026-04-20. Contact: privacy@hausey.ai.

1. Information We Collect

We collect information in three categories: information you provide, information generated through your use of the Services, and information from third-party sources.

1.1 Information you provide

• Account data: name, email address, password hash (when using email sign-in), authentication provider identifiers (when using Google, Apple, Microsoft, or Facebook sign-in), account preferences, and locale.
• Payment information: billing address, subscription tier, and a Stripe customer identifier. We do not store full payment card numbers, CVV, or bank account details — those are handled by Stripe, Inc. under their own privacy policy.
• User Content: photographs, images, reference assets, prompts, refinement instructions, style selections, disclosure notes, team/household membership details, and any other content you upload or enter.
• Communications: feedback messages, support tickets, replies to our outreach or transactional emails, and the metadata associated with those communications.
• Broker-approval data (Agent Pro):when you initiate a broker sign-off workflow, we collect the broker's email address, optional name, and any notes or decisions the broker records. The broker is not required to create a Hausey account.

1.2 Information generated through use

• Generated outputs: the AI-generated variations, refinements, PDFs, export packs, and structural-check evidence produced by the Services in response to your inputs.
• Technical data: IP address, device and browser identifiers, operating system, user-agent string, timezone, referring URL, and pages viewed.
• Usage data:pages visited, features used, timestamps, session identifiers, error reports, performance metrics, aggregate event counts (e.g. “variation saved”), and inferred preferences (e.g. which style families you tend to favor).
• Cookies and similar technologies: see Section 7.
• Audit and security data: login timestamps, source IPs, rate-limit events, abuse signals, and administrative actions taken by our staff on your account.

1.3 Information from third parties

• Authentication providers (Google, Apple, Microsoft, Facebook): basic profile data such as name and email, per the permissions you grant.
• Payment processor (Stripe): subscription status, invoice history, refund events, and payment failures — but not full card numbers.
• Analytics and attribution partners (e.g. Google Analytics, Google Ads): aggregated behavioral data tied to first-party identifiers.
• Deliverability partners (e.g. Mailgun): bounce, complaint, open, and click signals associated with emails we send.
• Public data sources: where required to validate or enrich an account (e.g. DNS WHOIS when verifying a custom domain).

2. How We Use Information

We process personal data for the purposes set forth below. For each purpose we identify, where applicable under GDPR, the legal basis we rely on:

• Providing the Services — generating AI outputs, hosting your projects, running structural-check validation, delivering exports. Legal basis: performance of a contract.
• Account administration — authentication, access control, session management, plan enforcement. Legal basis: performance of a contract.
• Billing and subscriptions — processing payments, issuing refunds, preventing fraudulent transactions. Legal basis: performance of a contract; legal obligation.
• Safety, security, and abuse prevention — rate-limiting, CSAM screening, prompt safety filtering, abuse investigations, DDoS mitigation, audit logging. Legal basis: legitimate interest; legal obligation.
• Service improvement — analyzing usage to improve quality, latency, cost, and provider selection. Legal basis: legitimate interest.
• Communications — transactional email (receipts, password reset, account alerts), product announcements, retention emails, and marketing. Legal basis: performance of a contract (transactional); legitimate interest or consent (marketing).
• Legal compliance and enforcement — responding to subpoenas, court orders, and lawful government requests; enforcing the Terms of Service. Legal basis: legal obligation; legitimate interest.

We do not use your User Content to train general-purpose AI foundation models. We do send your User Content to third-party model providers (see Section 3) for the limited purpose of generating the output you requested. Those providers process the content under their own data-processing terms.

3. How We Share Information

We share personal data only as described below. We do not sell personal information for monetary consideration. Where “sale” or “sharing” has a specific statutory meaning (for example under the California Consumer Privacy Act or CPRA), see the Region-Specific Rights section for a more precise description.

• Service providers and sub-processors acting on our behalf, including: Amazon Web Services (hosting, storage, compute), Cloudflare (networking), Stripe, Inc. (payments), Google LLC (authentication, AI model access via Gemini, analytics, ad conversion, Google Maps APIs), OpenAI, L.L.C. (AI model access), Mailgun (email delivery), Firebase (authentication). We bind these providers to confidentiality and data-processing obligations consistent with applicable law.
• AI model providers specifically receive the minimum content required to fulfill a given generation: the source image and the prompt plus style instructions. We transmit this content over TLS, request that providers not use it for training where the provider offers that option (e.g. OpenAI API default), and do not share account or billing data with them.
• Recipients designated by you — when you share a project via a share link, send a listing for broker approval, or invite a household member, the intended recipient receives the content and related metadata.
• Professional advisors (legal, accounting, audit) under confidentiality obligations.
• Business transactions — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets. Data transferred in such transactions remains subject to this Policy unless you are given explicit notice otherwise.
• Legal process — to comply with subpoenas, court orders, or other lawful requests; to enforce our Terms of Service; to protect the rights, property, or safety of Hausey, our users, or others; or to investigate fraud, security, or technical issues.
• With your consent — for any purpose disclosed to you at the time we obtain the consent.

4. International Data Transfers

Hausey operates from Vietnam and uses cloud infrastructure primarily in the United States (AWS us-east-2). If you access the Services from outside those jurisdictions, your personal data may be transferred to, stored, and processed in countries whose laws may differ from those of your home country, including the United States. Where such transfers involve personal data subject to the GDPR or UK GDPR, we rely on Standard Contractual Clauses (2021/914/EU) or other appropriate safeguards, and we conduct transfer-impact assessments where required. You may request a summary of these safeguards at privacy@hausey.ai.

5. Data Retention

We retain personal data for as long as reasonably necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and protect legitimate interests. Typical retention ranges:

• Account data: for the life of the account plus a commercially reasonable archive period (typically up to 7 years) for tax, audit, and legal defense.
• User Content: for the life of the account, or until you delete it.
• Billing records: at least 7 years per Vietnamese tax law and applicable US/EU tax rules.
• Audit logs: 13 months.
• Deliverability data (bounces, complaints, suppressions): indefinitely, to honor your opt-out permanently.
• Backups: routinely rotated; any personal data in a backup is deleted in the next rotation cycle after account deletion, typically within 35 days.

6. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including: TLS 1.2+ in transit; server-side encryption for stored data (AWS KMS / S3 default encryption); authentication via Firebase-issued signed session cookies with rotation; role-based access controls; secrets-manager backed credential storage; structural least-privilege IAM; audit logging of administrative actions; rate limiting, bot detection, and abuse filtering. No system is perfectly secure; if we become aware of a personal-data breach affecting you, we will notify you and any applicable regulators within the timelines required by law (72 hours under the GDPR).

7. Cookies and Similar Technologies

We use cookies, local storage, and similar technologies for the following purposes:

• Strictly necessary — authentication (Firebase __session), CSRF protection, load balancing, rate-limit tracking. These cannot be disabled without making the Services unusable.
• Preferences — locale (hausey-locale), UI state, dismissed tooltips and nudges.
• Analytics — first-party Google Analytics (_ga) to measure aggregate usage.
• Advertising — Google Ads conversion tracking tied to campaign attribution. This is limited to sign-up and upgrade events you explicitly initiate.

You can manage cookies through your browser settings. Blocking strictly-necessary cookies will prevent you from signing in. Users in the EEA, UK, and other consent-required jurisdictions will see a cookie banner on first visit and can manage non-essential cookies there.

8. Children

The Services are not directed to children under 13 (or under 16 in the EEA / UK, or under the minimum age required for data-processing consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected data from a child without verifiable parental consent, contact privacy@hausey.ai and we will promptly delete it.

9. Region-Specific Rights

9.1 European Economic Area, United Kingdom, and Switzerland

Under the GDPR and equivalent laws, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase (“right to be forgotten”) your data, subject to our lawful retention obligations.
• Restrict or object to specific processing activities.
• Port your data in a structured, commonly-used, machine-readable format.
• Withdraw consent where processing is based on consent.
• Complain to your local supervisory authority.

To exercise these rights, email privacy@hausey.ai. We respond within one month of a verified request and will not charge a fee unless the request is manifestly unfounded or excessive.

9.2 California (CCPA / CPRA)

If you are a California resident, you have the right to: (a) know the categories and specific pieces of personal information we have collected about you; (b) know the categories of sources, the business purposes for which we collect, and the categories of third parties with whom we share; (c) delete your personal information subject to statutory exceptions; (d) correct inaccurate personal information; (e) opt out of the “sale” or “sharing” of your personal information as defined by the CCPA; (f) limit the use of sensitive personal information; and (g) be free from retaliation for exercising these rights.

Hausey does not “sell” personal information for monetary consideration. Our use of Google Analytics and Google Ads may constitute “sharing” for cross-context behavioral advertising under the CPRA. To opt out, email privacy@hausey.ai or set your browser to send a Global Privacy Control (GPC) signal; we honor GPC.

9.3 Virginia, Colorado, Connecticut, Utah, and other US states

Residents of states with comprehensive privacy laws (including but not limited to the Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA) have rights substantially similar to the California rights described above. Contact privacy@hausey.ai to exercise them.

9.4 Automated decision-making

We do not make decisions that produce legal or similarly significant effects solely on the basis of automated processing without human involvement. AI-generated outputs produced by the Services are decorative design suggestions, not binding decisions. Structural-check results are advisory and do not replace human verification.

10. Your Choices

• Account settings — edit your profile, plan, password, and notification preferences at any time.
• Marketing email opt-out — every marketing or outreach email includes a one-click unsubscribe link. Transactional emails (receipts, password resets, security alerts) cannot be disabled while your account is active.
• Account deletion — request deletion from your account settings or by emailing privacy@hausey.ai. We will delete or anonymize your data within 30 days, subject to the retention exceptions in Section 5.
• Do Not Track / Global Privacy Control — we honor GPC signals as an opt-out of “sharing” under the CPRA.

11. Third-Party Services and Links

The Services may link to or interoperate with third-party websites, services, or APIs (including but not limited to payment processors, social-auth providers, AI model providers, analytics platforms, and email-delivery platforms). We do not control and are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

12. Changes to This Policy

We may update this Policy periodically. When we do, we will revise the “Effective” date at the top. Material changes will be announced by email, an in-product notice, or both, at least 30 days before taking effect. Your continued use of the Services after a revised Policy takes effect constitutes acceptance.

13. Contact

Questions, requests, or complaints? Email privacy@hausey.ai. For regulatory complaints in the EEA, you may also contact your local data protection authority.

This document constitutes a legal agreement. Defined terms in this Policy carry their defined meaning when used elsewhere in our Terms of Service and related agreements. To the extent of any conflict between this Policy and our Terms of Service regarding personal data, this Policy controls with respect to personal data.