Privacy Policy
Introduction
Hashed Horizon Sp. z o.o. (operating as "Hashed Horizon") is committed to protecting your privacy and Personal Data. This Privacy Policy explains how we collect, use, share, and protect your Personal Data when you use ThisOne AI Platform and our Services.
Scope: This Privacy Policy applies to all users of ThisOne AI Platform, including:
- Website visitors (https://thisone.app)
- Mobile application users (iOS and Android)
- Account holders and Subscribers
Understanding Our Role: Controller vs. Processor
Important: Our role depends on your customer type:
- Consumer Users (individual accounts): Hashed Horizon is the Data Controller - we determine how your personal data is processed to provide Services
- Enterprise Customers (Business/Team plans with signed Data Processing Agreement): Hashed Horizon is the Data Processor - you (the Controller) determine processing purposes, we process end-user data only as instructed
Quick Reference: See Data Processing Roles and Legal Bases for a clear table explaining who is responsible for your data.
Controller/Processor Relationship
Understanding the Data Flow:
Consumer (B2C) Model:
When you use our Services as an individual consumer:
- You (Data Subject): The individual whose personal data is being processed
- Hashed Horizon (Data Controller): We decide how to process your data and are responsible for GDPR compliance
- AI Providers (Data Processors/Subprocessors): Companies like Google and OpenAI process data only as we instruct them and cannot use your data for other purposes
Enterprise (B2B) Model:
When you integrate our Services into your business application:
- Your End Users (Data Subjects): Individuals whose data is processed through your application
- You (Data Controller): As the enterprise customer, you decide how to process end-user data and are responsible for GDPR compliance
- Hashed Horizon (Data Processor): We process data only according to your instructions, with obligations defined in our Data Processing Agreement (GDPR Art. 28)
- AI Providers (Sub-processors): Process data according to our agreement, listed in the DPA with your approval
Key Responsibilities:
| Role | Who | Responsibilities | Your Rights |
|---|---|---|---|
| Data Controller | Consumer: Hashed Horizon; Enterprise: You | Determines processing purposes; ensures GDPR compliance; responds to data subject requests; liable for data protection violations | Full GDPR rights (Art. 15-22): access, rectify, erase data; restrict or object to processing; data portability |
| Data Processor | Enterprise customers: Hashed Horizon | Follows Controller's instructions; maintains security measures; assists with data subject requests; notifies Controller of breaches | No direct relationship with data subjects; follow Controller's instructions |
| Sub-processor | AI Providers (Google, OpenAI, Anthropic) | Processes data per Processor's agreement; maintains security standards; cannot use data for training; supports Controller obligations | Contractually bound; listed in DPA (Enterprise customers) |
What This Means for You:
- If you're a consumer: Hashed Horizon controls your data and is responsible for GDPR compliance
- If you're an Enterprise customer: You control your end-users' data; we process it only as you instruct via DPA
Data Controller Information (GDPR Art. 13(1)(a))
Data Controller: Hashed Horizon Sp. z o.o.
Registered Address: ul. Marszałkowska 1, 00-624 Warsaw, Poland
Contact Information:
- Email: support@hashedhorizon.com
- Website: https://thisone.app
- Data Protection Contact: dpo@hashedhorizon.com
Registration: Registered in Poland
Legal Framework
Our data processing practices comply with:
- General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- ePrivacy Directive - Directive 2002/58/EC (as amended)
Key Privacy Principles (GDPR Art. 5)
We process your Personal Data in accordance with the following principles:
- Lawfulness, Fairness, Transparency: We process Personal Data lawfully, fairly, and transparently
- Purpose Limitation: We collect Personal Data for specified, explicit, and legitimate purposes only
- Data Minimization: We collect only Personal Data that is adequate, relevant, and necessary
- Accuracy: We keep Personal Data accurate and up to date
- Storage Limitation: We retain Personal Data only as long as necessary
- Integrity and Confidentiality: We implement appropriate security measures
- Accountability: We demonstrate compliance with data protection principles
What This Privacy Policy Covers
This Privacy Policy explains:
- What Personal Data we collect (Types of Personal Data)
- Why we process your Personal Data (Purposes and Legal Basis)
- Who we share your Personal Data with (Recipients of Personal Data)
- How we transfer Personal Data internationally (Cross-Border Data Transfers)
- How long we retain your Personal Data (Retention Periods)
- Your rights under GDPR (California Privacy Rights and Rights Under GDPR)
- How we protect your Personal Data (Our Commitment to Security)
- Children's privacy (Age Restrictions)
- How we update this Policy (Right to Modify)
- How to contact us (General Privacy Inquiries)
Your Consent
By using our Services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as our legal basis for processing (GDPR Art. 6(1)(a)), we will obtain your explicit consent before processing your Personal Data.
Withdrawal of Consent: You can withdraw consent at any time by contacting dpo@hashedhorizon.com. Withdrawal does not affect the lawfulness of processing before withdrawal.
Children Under 18
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect Personal Data from children under 18 without verifiable parental consent (where required by law). See Audit Rights for details.
Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes at least 30 days in advance. See Termination and Data Return for details.
Questions and Concerns
If you have questions about this Privacy Policy or our data processing practices, please contact:
- General Inquiries: support@hashedhorizon.com
- Data Protection Contact: dpo@hashedhorizon.com
- Postal Address: ul. Marszałkowska 1, 00-624 Warsaw, Poland
Language
Authoritative Version: The English version of this Privacy Policy is authoritative for interpretation.
Translations: Translations may be provided for convenience. For EU consumers, if local law requires translation, both English and local language versions are equally authoritative.
What Personal Data We Collect
Types of Personal Data (GDPR Art. 13(1)(c))
We collect and process the following categories of Personal Data:
1. Identity and Contact Data
What We Collect:
- Full name
- Email address
- Username
- Phone number (if provided)
How We Collect:
- Directly from you when you create an Account
- When you update your Account profile
- When you contact our customer support
Legal Basis: Performance of contract (GDPR Art. 6(1)(b))
2. Authentication Data
What We Collect:
- Encrypted password (hashed using bcrypt with salt)
- Session tokens and cookies
- Multi-factor authentication credentials (if enabled)
- OAuth tokens from third-party authentication providers (Google, GitHub, etc.)
How We Collect:
- When you create or log in to your Account
- When you enable security features
Legal Basis: Performance of contract (GDPR Art. 6(1)(b))
Security: Passwords are never stored in plain text. We use industry-standard password hashing (bcrypt, argon2) with per-user salts.
3. AI Service Usage Data
What We Collect:
- Inputs: Text, images, or other content you provide to AI Services
- Outputs: AI-generated content produced in response to your Inputs
- Prompts: Instructions and parameters you provide to AI models
- Model Settings: Temperature, max tokens, model selection
- Usage Metrics: Number of requests, tokens consumed, response times
How We Collect:
- Automatically when you use AI Services
- Logged for service provision and debugging
Legal Basis: Performance of contract (GDPR Art. 6(1)(b))
Retention: up to 90 days for non-authenticated users; up to 12 months after account closure for Account holders
Subprocessor Sharing: Your Inputs are transmitted to our AI Subprocessors:
Training Data: We NEVER use your AI inputs or AI outputs to train our AI models, improve our Services, or train any third-party AI models (including OpenAI, Google, or Anthropic). Your data is processed solely to provide the Services you request. See our AI Subprocessors' privacy policies for their API data handling commitments (they do NOT use API data for training).
4. Technical and Usage Data
What We Collect:
- IP Address: For security, fraud prevention, and geolocation
- Device Information: Device type, operating system, browser type and version
- Network Data: ISP, connection type, approximate location (city-level)
- Activity Logs: Pages visited, features used, timestamps, session duration
- Error Logs: Application errors, crash reports, diagnostic data
- Performance Metrics: Page load times, API response times
How We Collect:
- Automatically via cookies, server logs, and analytics tools
- Through error monitoring systems (Sentry, etc.)
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)) - for security, fraud prevention, and service improvement
5. Communication Data
What We Collect:
- Support Tickets: Your inquiries, support requests, and our responses
- Email Communications: Transactional emails, notifications, marketing communications (if consented)
- Feedback: Product feedback, feature requests, survey responses
How We Collect:
- When you contact customer support
- When you respond to surveys or provide feedback
- When you subscribe to newsletters (with consent)
Legal Basis: Performance of contract (GDPR Art. 6(1)(b)) for support; Consent (GDPR Art. 6(1)(a)) for marketing
6. Payment and Billing Data
What We Collect:
- Billing Information: Billing address, country, postal code
- Payment Method: Last 4 digits of card, card type, expiration month/year
- Transaction History: Invoice numbers, payment amounts, dates, status
- VAT Information: VAT number (for EU business customers), tax identification
How We Collect:
- From you when you subscribe to paid services
- From our payment processors ()
Legal Basis: Performance of contract (GDPR Art. 6(1)(b)); Legal obligation (GDPR Art. 6(1)(c)) for tax compliance
Payment Processor Independence: Our payment processors () are independent Data Controllers for full payment card details. We never receive or store complete credit card numbers.
Sensitive Data: We do NOT collect or process full credit card numbers, CVV codes, or bank account credentials.
7. Analytics Data
What We Collect:
- Cookie Identifiers: Unique identifiers set by analytics cookies
- Behavior Data: Click patterns, navigation paths, feature engagement
- A/B Test Data: Experiment variants, user cohorts
How We Collect:
- Through first-party and third-party cookies (with your consent)
- Analytics services we use:
  - Google Analytics (ID: G-XXXXXXXXXX): Website traffic and behavior analysis - Privacy Policy
Legal Basis: Consent (GDPR Art. 6(1)(a)) - obtained via cookie consent banner
Opt-Out: You can opt out via cookie settings or browser "Do Not Track" settings.
Personal Data We Do NOT Collect
We do NOT collect or process:
- Special Categories of Personal Data (GDPR Art. 9):
  - Racial or ethnic origin
  - Political opinions
  - Religious or philosophical beliefs
  - Trade union membership
  - Biometric data for identification purposes (we process images for editing only, NOT for biometric identification)
  - Genetic data
  - Health data
  - Sex life or sexual orientation
- Criminal Convictions Data (GDPR Art. 10): We do not process data related to criminal convictions or offenses
Exception: If you voluntarily include special category data in your Inputs to AI Services or user-generated content, you are solely responsible for ensuring you have a lawful basis (GDPR Art. 9(2)) to do so.
How We Collect Personal Data
Direct Collection
- Account Registration: You provide Personal Data when creating an Account
- Profile Updates: You update Personal Data in Account settings
- Contact Forms: You provide data when contacting support
- Surveys: You provide data when participating in surveys or feedback
Automatic Collection
- Cookies: Set by our website and third-party services (see Cookie Policy)
- Server Logs: Automatically logged by our web servers
- API Calls: Logged when you use our Services or API
- Error Tracking: Automatically captured when errors occur
Third-Party Sources
- OAuth Providers: We receive identity data from Google, GitHub, etc. when you use social login
- Payment Processors: We receive transaction confirmations from
Data Accuracy Obligation
Under GDPR Art. 5(1)(d), we must keep Personal Data accurate and up to date. You can help us by:
- Updating your Account information when it changes
- Notifying us of inaccuracies via support@hashedhorizon.com
- Using the "Edit Profile" feature in Account settings
We will correct inaccurate data within 30 days of notification (GDPR Art. 16).
Mandatory vs. Optional Personal Data
Mandatory Fields (required to provide the Services):
- Email address
- Password
- Acceptance of Terms and Privacy Policy
Optional Fields (enhance your experience but not required):
- Full name
- Phone number
- Profile picture
- Preferences and settings
If you do not provide mandatory Personal Data, we cannot provide the Services to you.
Data Processing Roles and Legal Bases
Quick Reference: Who is Responsible for Your Data?
Important: Understanding our role helps you know your rights and who to contact.
| Customer Type | Your Role | Our Role (Hashed Horizon) | Legal Basis | What This Means for You |
|---|---|---|---|---|
| Consumer Users (individuals using ThisOne AI Platform for personal use) | Data Subject | Controller | Performance of contract (GDPR Art. 6(1)(b)) | We determine how we process your personal data for service delivery. You exercise GDPR rights directly against us. We are responsible for compliance, security, and breach notifications. |
| Business/Enterprise Customers (processing end-user data through Business/Team plans with signed DPA) | Controller | Processor | Data Processing Agreement (GDPR Art. 28) | You determine processing purposes and lawful basis. We process end-user data ONLY as instructed by you. You handle end-user GDPR rights requests. Our Data Processing Agreement governs this relationship. |
Enterprise Customers: Controller-Processor Relationship
When does this apply? This Controller-Processor relationship only applies when you:
- Purchase a Business/Team plan, AND
- Sign our Data Processing Agreement (DPA), AND
- Process end-user Personal Data (not your own company data) through our Services
What this means:
- You are the Controller: You determine WHY and HOW end-user data is processed
- We are the Processor: We process data ONLY as instructed in the DPA
- Your responsibilities: Ensure lawful basis, provide privacy notices to end users, handle data subject rights requests
- Our responsibilities: Maintain security, assist with rights requests, notify you of breaches within 24 hours
How to activate: Contact support@hashedhorizon.com with subject "Enterprise DPA Request" to execute our Data Processing Agreement.
Read more: See our complete Enterprise Addendum and Data Processing Agreement for full terms.
Legal Basis for Processing (GDPR Art. 6)
As a Data Controller (for consumer users), we process your Personal Data under the following legal bases:
1. Performance of Contract (Art. 6(1)(b))
Purpose: To provide ThisOne AI Platform Services
Activities:
- Creating and managing your account
- Processing your requests (AI image processing, feature access)
- Providing customer support
- Delivering service functionality
Why necessary: We cannot provide the Services without this processing.
2. Legitimate Interests (Art. 6(1)(f))
Purpose: Security, fraud prevention, and service improvement (non-EU) or security/fraud only (EU/UK)
Activities:
- Analytics and usage tracking (page views, feature usage)
- Detecting and preventing fraud, abuse, and security threats
- Improving user experience and fixing bugs
Balancing test: Our legitimate interest in improving services and maintaining security outweighs any potential impact on your privacy. You can object to this processing under GDPR Art. 21.
3. Consent (Art. 6(1)(a))
Purpose: Marketing communications and optional features
Activities:
- Sending marketing emails (if you opt-in)
- Newsletter subscriptions
- Personalized content recommendations
Your control: You can withdraw consent at any time via account settings or unsubscribe links. Withdrawal does not affect the lawfulness of processing before withdrawal.
4. Legal Obligation (Art. 6(1)(c))
Purpose: Compliance with legal requirements
Activities:
- Tax and accounting record retention
- Responding to lawful government requests
- Complying with court orders
Retention: Typically 7 years for financial records (required by tax law).
Impact on Your Rights
If You Are a Consumer User (We Are Controller)
Your GDPR Rights:
- Access (GDPR Art. 15): Request a copy of your Personal Data
- Rectification (GDPR Art. 16): Correct inaccurate data
- Erasure (GDPR Art. 17): Request deletion after retention period
- Portability (GDPR Art. 20): Receive your data in a machine-readable format
- Restriction (GDPR Art. 18): Limit how we process your data
- Object (GDPR Art. 21): Object to processing based on legitimate interests
How to exercise: Email support@hashedhorizon.com with your request. We respond within 30 days (GDPR Art. 12(3)).
If You Are an Enterprise Customer (We Are Processor)
Your end users exercise rights against YOU (the Controller). We assist you in responding to these requests as outlined in our DPA:
Our assistance includes:
- Providing end-user data upon your request (within 72 hours)
- Deleting end-user data when instructed
- Restricting processing as directed
- Exporting data in machine-readable format
DPA requirement: Data subject rights assistance terms are detailed in our Data Processing Agreement (Data Subject Rights Assistance section).
Questions About Roles?
For individual users: Contact support@hashedhorizon.com if you have questions about how we process your personal data.
For enterprise customers: Contact support@hashedhorizon.com with subject "DPA Question" or "Processor Relationship" for clarification on Controller-Processor roles.
Data Protection Contact: For GDPR-specific compliance questions, contact our Data Protection team at dpo@hashedhorizon.com
Read more: For a detailed explanation of Controller vs. Processor roles, see our comprehensive Data Controller and Processor Roles documentation below.
How We Use Your Personal Data
Purposes and Legal Basis (GDPR Art. 13(1)(c))
We process your Personal Data for the following purposes, each with a specific lawful basis under GDPR Art. 6:
1. Service Provision and Account Management
Purpose: To provide, maintain, and improve ThisOne AI Platform Services.
Personal Data Processed:
- Identity and Contact Data
- Authentication Data
- Technical and Usage Data
- AI Service Usage Data (Inputs, Outputs)
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b))
Activities:
- Creating and managing your Account
- Authenticating your identity and securing access
- Processing AI Inputs to generate Outputs
- Providing customer support and responding to inquiries
- Delivering features and functionality
- Personalizing your user experience
Necessity: This processing is necessary to perform our contract with you under the Terms of Service. Without this processing, we cannot provide the Services.
2. AI Service Provision
Purpose: To process your Inputs through AI models and deliver Outputs.
Personal Data Processed:
- AI Inputs (text, images, or other content you provide)
- AI Outputs (generated content)
- Model selection and parameters
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b))
Subprocessor Involvement: Your Inputs are transmitted to our AI Subprocessors:
Cross-Border Transfers: AI processing may involve transfers to the United States and other non-EEA countries. See Security Measures for transfer safeguards.
Model Training: We NEVER use your uploaded photos, Personal Data, AI inputs, or AI outputs to train our AI models or any third-party AI models (including Google Gemini, OpenAI, Anthropic). Your data is used ONLY to provide the Services you request—NEVER for training. Our AI Subprocessors are contractually prohibited from using API data for training purposes (see their respective privacy policies and our Data Processing Agreements).
3. Payment Processing and Billing
Purpose: To process payments, manage Subscriptions, and fulfill billing obligations.
Personal Data Processed:
- Payment and Billing Data
- Transaction History
- VAT/Tax Information
Legal Basis:
- Performance of a contract (GDPR Art. 6(1)(b)) for payment processing
- Legal obligation (GDPR Art. 6(1)(c)) for tax compliance, accounting, invoice retention
Activities:
- Processing Subscription payments
- Generating invoices and receipts
- Managing billing disputes and refunds
- Calculating and remitting VAT/taxes
- Preventing payment fraud
Payment Processor Role: Our payment processors () act as independent Data Controllers for payment card details. We receive only limited payment information (last 4 digits, transaction status).
4. Security, Fraud Prevention, and Abuse Detection
Purpose: To protect the security of our Services and prevent fraud, abuse, and unauthorized access.
Personal Data Processed:
- IP addresses and network data
- Authentication logs and access patterns
- Device fingerprints
- Usage anomalies and suspicious activity indicators
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
Legitimate Interest Assessment (LIA):
- Our Interest: Protecting the security of our Services and preventing fraud benefits all users
- Your Interest: You benefit from secure Services protected against fraud and abuse
- Necessity: This processing is necessary for effective security and fraud prevention
- Balancing Test: The security benefits outweigh any minimal privacy impact
- Safeguards: Data minimization, encryption, access controls
Activities:
- Monitoring for suspicious login attempts
- Detecting brute-force attacks and account takeovers
- Identifying automated bot traffic and scraping
- Preventing Terms of Service violations
- Blocking malicious actors and spam
Your Right to Object: You can object to this processing under GDPR Art. 21. However, objection may limit our ability to protect your Account security.
5. Service Improvement and Analytics
Purpose: To understand how users interact with our Services and improve user experience.
Personal Data Processed:
- Technical and Usage Data
- Analytics and Marketing Data (with consent)
- Feature engagement metrics
- Error logs and crash reports
Legal Basis:
- Consent (GDPR Art. 6(1)(a)) for analytics cookies and third-party analytics
- Legitimate interests (GDPR Art. 6(1)(f)) for first-party analytics and essential service improvement
Activities:
- Analyzing feature usage and engagement
- Identifying bugs and technical issues
- Testing new features (A/B testing)
- Optimizing performance and reliability
- Developing new features based on user needs
Anonymization: Where possible, we anonymize or pseudonymize data used for analytics to minimize privacy impact.
6. Marketing and Communications
Purpose: To send you relevant marketing communications, product updates, and promotional offers.
Personal Data Processed:
- Email address
- Communication preferences
- Marketing engagement data (email opens, clicks)
Legal Basis: Consent (GDPR Art. 6(1)(a))
Consent Mechanism:
- Opt-in checkbox during Account registration
- Email subscription forms
- Cookie consent banner (for remarketing)
Withdrawal of Consent (GDPR Art. 7(3)): You can withdraw consent at any time through the following methods:
- Account Settings: Manage cookie and marketing consent in Account Settings > Privacy (https://thisone.app/account/settings/privacy)
- Email Request: Send a withdrawal request to dpo@hashedhorizon.com
- Cookie Banner: Adjust cookie preferences using the cookie consent banner on our website
- Unsubscribe Links: Click "Unsubscribe" in marketing emails
Effective Immediately: Withdrawal takes effect immediately upon processing your request. We may retain your data for up to 30 days for operational needs, after which it will be deleted.
No Adverse Consequences: Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal, nor does it prevent us from processing data on other legal bases (e.g., contract performance for core Services).
Transactional vs. Marketing: This does NOT apply to transactional emails (password resets, payment confirmations, security alerts), which are sent based on performance of contract.
7. Legal Compliance and Regulatory Obligations
Purpose: To comply with legal obligations, court orders, and regulatory requirements.
Personal Data Processed: Any Personal Data necessary to fulfill legal obligations
Legal Basis: Legal obligation (GDPR Art. 6(1)(c))
Examples:
- Tax and Accounting: Retaining transaction records as required by tax law
- Law Enforcement: Responding to valid court orders and subpoenas
- Regulatory Compliance: Complying with data protection authority requests
- Legal Claims: Establishing, exercising, or defending legal claims
Retention: Data retained for legal compliance is kept for the minimum period required by law, then securely deleted.
8. Protecting Vital Interests
Purpose: To protect your vital interests or those of others in emergency situations.
Personal Data Processed: Minimal Personal Data necessary to address the emergency
Legal Basis: Protection of vital interests (GDPR Art. 6(1)(d))
Examples:
- Disclosing Account information to emergency services if we reasonably believe someone's life or safety is at risk
- Sharing information to prevent suicide or self-harm
Rare Use: This legal basis is used only in exceptional emergency circumstances.
Automated Decision-Making (GDPR Art. 22)
AI-Assisted Outputs: ThisOne AI Platform uses AI to generate Outputs based on your Inputs. This is NOT automated decision-making with legal or similarly significant effects under GDPR Art. 22 because:
- Human-in-the-Loop: You review and decide whether to use AI Outputs
- No Automated Consequences: AI Outputs do not automatically result in legal or significant effects on you
- Your Control: You control what Inputs you provide and how you use Outputs
Prohibited Automated Decisions: We do NOT use AI for:
- Automated credit scoring or loan decisions
- Automated employment or hiring decisions
- Automated healthcare diagnosis or treatment
- Any other decisions with legal or similarly significant effects without human oversight
If You Use AI for Automated Decisions: If you use our AI Services to make automated decisions affecting others, YOU are responsible for GDPR Art. 22 compliance, including:
- Providing notice to affected individuals
- Implementing human oversight
- Allowing individuals to contest decisions
- Obtaining explicit consent (where required)
Profiling (GDPR Art. 4(4))
Limited Profiling: We may use profiling for the following purposes:
- Service Personalization: Tailoring features and recommendations based on your usage patterns
- Fraud Detection: Analyzing behavior patterns to detect fraudulent activity
Legal Basis:
- Legitimate interests (GDPR Art. 6(1)(f)) for service personalization and fraud detection
Your Rights: You can object to profiling under GDPR Art. 21. Contact dpo@hashedhorizon.com to exercise this right.
No High-Risk Profiling: We do NOT use profiling for high-risk purposes (credit scoring, employment decisions, healthcare) without explicit consent and human oversight.
Changes to Purposes
If we wish to process your Personal Data for a purpose other than those listed above, we will:
- Assess Compatibility: Determine if the new purpose is compatible with the original purpose (GDPR Art. 6(4))
- Notify You: Provide notice of the new purpose and legal basis
- Obtain Consent: If the new purpose is incompatible and not covered by another legal basis, we will obtain your explicit consent
Transparency: We will update this Privacy Policy to reflect any new purposes, with at least 30 days' advance notice.
Data Controller and Processor Roles
Understanding Our Roles
Under GDPR Art. 4(7) and 4(8), there are two distinct roles in data processing:
- Data Controller: Determines the purposes and means of processing Personal Data
- Data Processor: Processes Personal Data on behalf of and under the instructions of the Controller
CRITICAL DISTINCTION: These roles have different legal obligations and liabilities. This section clarifies when Hashed Horizon acts as a Controller versus a Processor.
Role Clarification Table
| Activity | Our Role | Legal Basis | Your Role | Implications |
|---|---|---|---|---|
| Providing ThisOne AI Platform Services to End Users | Controller | We determine how we process your personal data for service delivery (GDPR Art. 6(1)(b) - Contract Performance) | Data Subject | We are responsible for GDPR compliance, your rights, and data security |
| Processing AI Inputs/Outputs for Individual Users | Controller | We decide retention periods, security measures, and subprocessor selection (GDPR Art. 6(1)(b)) | Data Subject | You exercise GDPR rights against us; we are liable for processing |
| Processing User Content on Behalf of Enterprise Customers | Processor | Enterprise customer determines processing purposes; we follow their instructions (GDPR Art. 28) | Controller (Enterprise Customer) | Customer is responsible for lawful basis, data subject rights, and DPA compliance |
| Website Analytics (Google Analytics, Hotjar) | Controller | We decide to collect analytics for service improvement (GDPR Art. 6(1)(f) - Legitimate Interest) | Data Subject | We are responsible for cookie consent, opt-out, and analytics privacy |
| Email Marketing (if you consent) | Controller | We determine marketing content and targeting (GDPR Art. 6(1)(a) - Consent) | Data Subject | You can withdraw consent anytime; we handle unsubscribes |
| Hosting and Infrastructure (Vercel, AWS) | Controller | Infrastructure providers are OUR processors; we select them and ensure DPAs (GDPR Art. 28) | Data Subject | We remain liable for subprocessor actions; you exercise rights against us |
| AI Model Providers (OpenAI, Anthropic, Google) | Controller | We select AI providers and ensure no training use; they are our subprocessors (GDPR Art. 28) | Data Subject | We are responsible for AI provider compliance; see DPAs in Data Sharing section |
| Payment Processing (Stripe, Apple, Google) | Independent Controllers | We and payment providers are independent controllers with separate responsibilities (GDPR Art. 4(7)) | Data Subject | Exercise rights with us for transaction metadata; with payment processors for payment instrument data |
| Legal Compliance (Law Enforcement Requests) | Controller | We determine necessity and proportionality of disclosure (GDPR Art. 6(1)(c)) | Data Subject | We assess legality of requests; you are notified unless prohibited by law |
When We Are a Data Controller
Hashed Horizon is a Data Controller when we process your Personal Data for our own purposes, including:
1. Providing ThisOne AI Platform Services (GDPR Art. 6(1)(b) - Contract)
Activities:
- Creating and managing your account
- Processing your AI requests (image enhancement, generation, editing)
- Storing your uploaded images and AI outputs
- Providing customer support
- Enforcing Terms of Service and Acceptable Use Policy
Our Decisions:
- Retention Periods: We decide to retain uploaded images for ~30 days
- Security Measures: We select encryption, access controls, and audit logging
- Subprocessors: We choose AI providers (OpenAI, Anthropic, Google) and ensure DPAs
- Data Transfers: We decide to transfer data to USA-based AI providers with SCCs
Your Rights:
- Access your Personal Data (GDPR Art. 15)
- Rectify inaccurate data (GDPR Art. 16)
- Erase data after retention period (GDPR Art. 17)
- Port data to another service (GDPR Art. 20)
- Object to processing based on legitimate interests (GDPR Art. 21)
2. Usage Analytics (GDPR Art. 6(1)(f) - Legitimate Interest)
Activities:
- Analyzing service usage patterns (page views, feature usage)
- Improving user experience and fixing bugs
- Conducting A/B testing and performance optimization
- Marketing analytics and conversion tracking
Our Decisions:
- Analytics Tools: We select Google Analytics, Hotjar, or similar tools
- Data Anonymization: We determine when to anonymize or aggregate data
- Retention: We decide analytics data retention (up to 90 days for logs)
Balancing Test: Our legitimate interest in improving services outweighs any minimal privacy impact. You can object to this processing under GDPR Art. 21.
Your Rights:
- Object to analytics processing
- Opt out via cookie settings or Do Not Track signals
- Request deletion of analytics data associated with you
3. Security and Fraud Prevention (GDPR Art. 6(1)(f) - Legitimate Interest)
Activities:
- Detecting and preventing fraud, abuse, and security threats
- Monitoring for suspicious activity and attack patterns
- Error logging and crash diagnostics
- Rate limiting and abuse prevention
Balancing Test: Our legitimate interest in maintaining platform security and preventing fraud outweighs any minimal privacy impact. This processing is essential for service integrity and protecting all users.
Your Rights:
- Object to this processing under GDPR Art. 21 (we will assess each objection on a case-by-case basis)
- Request deletion after security retention period (up to 90 days)
4. Marketing and Communications (GDPR Art. 6(1)(a) - Consent)
Activities (if you consent):
- Sending product updates, feature announcements, and promotional emails
- Personalized content recommendations
- Newsletter subscriptions
Our Decisions:
- Marketing Content: We determine email content, frequency, and targeting
- Segmentation: We decide how to segment users for personalized marketing
- Unsubscribe: We handle opt-out requests and manage preferences
Your Rights:
- Withdraw consent at any time (unsubscribe link in emails)
- Request no further marketing (GDPR Art. 21(2) - absolute right)
- Update communication preferences in account settings
When We Are a Data Processor
Not Applicable: Hashed Horizon currently operates only as a Data Controller for individual end users. We do not act as a Data Processor.
If you are an enterprise customer interested in API access with a Data Processor relationship, contact support@hashedhorizon.com for a Data Processing Agreement (DPA).
Payment Processing
Independent Controllers (GDPR Art. 4(7))
When you make a payment, Hashed Horizon and our payment processors act as independent controllers:
Our Role:
- We collect transaction metadata (amount, product, timestamp)
- We determine THAT payment processing is necessary for premium features
- We select and integrate payment providers
Payment Processor's Independent Role:
- Payment providers (Stripe, Apple, Google) independently determine HOW to process payments
- They set their own fraud detection, security measures, and data retention policies
- They are responsible for their own GDPR compliance and data protection obligations
Data Sharing:
- We share limited transaction details (amount, product type) with payment processors
- Payment processors receive payment instrument data directly from you (card details, billing address)
- We receive transaction confirmation and last 4 digits of payment instruments
Your Rights:
- Exercise rights with Hashed Horizon for transaction metadata we retain
- Exercise rights directly with payment providers for payment instrument data and fraud detection
- See payment processor privacy policies for their specific data practices
Payment Processor Privacy Policies:
- Stripe: https://stripe.com/privacy
- PayPal: https://www.paypal.com/privacy
Subprocessor Relationships
When we are a Controller, our subprocessors (hosting, AI providers, analytics) are Processors acting on our behalf:
Our Subprocessors (GDPR Art. 28):
Google Cloud AI (Gemini)
Purpose: AI photo conversion and enhancement
Location: EU/USA
Privacy Policy: Google Cloud AI (Gemini) Privacy Policy
DPA: Google Cloud AI (Gemini) Data Processing Agreement
Role: Processor (processes data on our behalf under contractual obligations)
Safeguards:
- Data Processing Agreement (DPA) ensuring GDPR Art. 28 compliance
- Contractual prohibition on using your data for their own purposes (e.g., training their models)
- Security and confidentiality obligations
- Data breach notification requirements
Vercel
Purpose: Application hosting and CDN
Location: EU
Privacy Policy: Vercel Privacy Policy
DPA: Vercel Data Processing Agreement
Role: Processor (processes data on our behalf under contractual obligations)
Safeguards:
- Data Processing Agreement (DPA) ensuring GDPR Art. 28 compliance
- Contractual prohibition on using your data for their own purposes (e.g., training their models)
- Security and confidentiality obligations
- Data breach notification requirements
Neon
Purpose: PostgreSQL database hosting
Location: EU
Privacy Policy: Neon Privacy Policy
DPA: Neon Data Processing Agreement
Role: Processor (processes data on our behalf under contractual obligations)
Safeguards:
- Data Processing Agreement (DPA) ensuring GDPR Art. 28 compliance
- Contractual prohibition on using your data for their own purposes (e.g., training their models)
- Security and confidentiality obligations
- Data breach notification requirements
Sentry
Purpose: Error tracking and crash diagnostics
Location: EU/USA
Privacy Policy: Sentry Privacy Policy
DPA: Sentry Data Processing Agreement
Role: Processor (processes data on our behalf under contractual obligations)
Safeguards:
- Data Processing Agreement (DPA) ensuring GDPR Art. 28 compliance
- Contractual prohibition on using your data for their own purposes (e.g., training their models)
- Security and confidentiality obligations
- Data breach notification requirements
Stripe
Purpose: Payment processing and subscription management
Location: EU/USA
Privacy Policy: Stripe Privacy Policy
DPA: Stripe Data Processing Agreement
Role: Processor (processes data on our behalf under contractual obligations)
Safeguards:
- Data Processing Agreement (DPA) ensuring GDPR Art. 28 compliance
- Contractual prohibition on using your data for their own purposes (e.g., training their models)
- Security and confidentiality obligations
- Data breach notification requirements
Apple (App Store / Apple Pay)
Purpose: iOS in-app purchases and Apple Pay transactions
Location: USA
Privacy Policy: Apple (App Store / Apple Pay) Privacy Policy
DPA: Apple (App Store / Apple Pay) Data Processing Agreement
Role: Processor (processes data on our behalf under contractual obligations)
Safeguards:
- Data Processing Agreement (DPA) ensuring GDPR Art. 28 compliance
- Standard Contractual Clauses (SCCs) for EEA data transfers
- Contractual prohibition on using your data for their own purposes (e.g., training their models)
- Security and confidentiality obligations
- Data breach notification requirements
Google (Play Store / Google Pay)
Purpose: Android in-app purchases and Google Pay transactions
Location: USA
Privacy Policy: Google (Play Store / Google Pay) Privacy Policy
DPA: Google (Play Store / Google Pay) Data Processing Agreement
Role: Processor (processes data on our behalf under contractual obligations)
Safeguards:
- Data Processing Agreement (DPA) ensuring GDPR Art. 28 compliance
- Standard Contractual Clauses (SCCs) for EEA data transfers
- Contractual prohibition on using your data for their own purposes (e.g., training their models)
- Security and confidentiality obligations
- Data breach notification requirements
Subprocessor Changes:
- Notice: We provide 30 days' advance notice of new subprocessors or changes
- Objection: You may object to new subprocessors on reasonable grounds
- Alternative: If you object, we will attempt to provide alternative solutions or allow contract termination
Your Control:
- We remain fully liable for our subprocessors' actions under GDPR Art. 28(4)
- You exercise GDPR rights against us (Hashed Horizon), not directly against subprocessors
- We handle subprocessor data breaches and notify you as required
Implications of Controller vs Processor Roles
For Individual Users (Where We Are Controller)
What This Means for You:
- You exercise GDPR rights directly against Hashed Horizon
- We are responsible for data security, breach notifications, and compliance
- We handle data subject access requests (DSARs) within 30 days
- We are liable for any GDPR violations or data breaches
- You cannot dictate HOW we process data (we determine security measures, retention, subprocessors)
- You cannot demand specific subprocessors or data localization (we choose based on service needs)
Your Rights:
- Access, rectify, erase, port, restrict, and object to processing
- Complain to supervisory authority if you believe we violate GDPR
- Seek judicial remedies for GDPR violations
For Enterprise Customers (Where We Are Processor)
What This Means for You:
- You determine processing purposes and lawful basis
- You instruct us on data retention, deletion, and transfers via DPA
- You can request data localization or specific security measures (subject to feasibility)
- You handle end user GDPR rights requests; we assist upon request
- You conduct DPIAs for high-risk processing
- You are liable for unlawful processing or lack of lawful basis
- You must notify end users about our processing (we are your subprocessor)
Your Obligations:
- Execute Data Processing Agreement (DPA) with us
- Ensure lawful basis for processing end user data
- Respond to end user rights requests (we assist but don't handle directly)
- Notify us if you become aware of data subject requests or breaches
- Conduct audits if required by your compliance obligations
Contact for Controller/Processor Questions
For questions about our role as Controller or Processor:
- Individual Users: support@hashedhorizon.com (we are your Controller)
- Enterprise Customers: support@hashedhorizon.com with subject "DPA Request" or "Processor Agreement"
- Data Protection Contact: dpo@hashedhorizon.com (GDPR Art. 37-39)
- Supervisory Authority Inquiries: dpo@hashedhorizon.com
Response Time: 30 days for GDPR rights requests (GDPR Art. 12(3)), 72 hours for enterprise processor assistance requests
How We Share Your Personal Data
Recipients of Personal Data (GDPR Art. 13(1)(e))
We share your Personal Data with the following categories of recipients:
1. Subprocessors (Third-Party Service Providers)
We engage Subprocessors to provide infrastructure and services on our behalf. Under GDPR Art. 28, these Subprocessors process Personal Data on our instructions and are bound by Data Processing Agreements (DPAs).
Current Subprocessors:
Google Cloud AI (Gemini)
- Purpose: AI photo conversion and enhancement
- Location: EU/USA
- Type: Service Provider
- Privacy Policy: Google Cloud AI (Gemini) Privacy
- DPA: Google Cloud AI (Gemini) DPA
Vercel
- Purpose: Application hosting and CDN
- Location: EU
- Type: Service Provider
- Privacy Policy: Vercel Privacy
- DPA: Vercel DPA
Neon
- Purpose: PostgreSQL database hosting
- Location: EU
- Type: Service Provider
- Privacy Policy: Neon Privacy
- DPA: Neon DPA
Sentry
- Purpose: Error tracking and crash diagnostics
- Location: EU/USA
- Type: Service Provider
- Privacy Policy: Sentry Privacy
- DPA: Sentry DPA
Stripe
- Purpose: Payment processing and subscription management
- Location: EU/USA
- Type: Service Provider
- Privacy Policy: Stripe Privacy
- DPA: Stripe DPA
Apple (App Store / Apple Pay)
- Purpose: iOS in-app purchases and Apple Pay transactions
- Location: USA
- Type: Service Provider
- Privacy Policy: Apple (App Store / Apple Pay) Privacy
- DPA: Apple (App Store / Apple Pay) DPA
Google (Play Store / Google Pay)
- Purpose: Android in-app purchases and Google Pay transactions
- Location: USA
- Type: Service Provider
- Privacy Policy: Google (Play Store / Google Pay) Privacy
- DPA: Google (Play Store / Google Pay) DPA
Subprocessor Changes: We will notify you at least 30 days before adding or replacing Subprocessors, allowing you to object under GDPR Art. 28(2). To object, contact dpo@hashedhorizon.com.
Subprocessor Obligations: Our DPAs with Subprocessors require them to:
- Process Personal Data only on our documented instructions
- Implement appropriate technical and organizational security measures (GDPR Art. 32)
- Assist with data subject rights requests (GDPR Art. 28(3)(e))
- Notify us of Personal Data breaches without undue delay (GDPR Art. 33)
- Delete or return Personal Data upon termination
2. Payment Processors (Independent Data Controllers)
Our payment processors act as independent Data Controllers for payment card information:
****: Full payment card details, billing information
Limited Data Sharing: We receive only:
- Last 4 digits of payment card
- Card type (Visa, Mastercard, etc.)
- Expiration month/year
- Transaction status (successful, failed, pending)
Payment Processor Independence: Payment processors determine their own purposes and means of processing payment card data. Their processing is governed by their privacy policies, not this Privacy Policy.
3. Analytics and Marketing Services
With your consent (obtained via cookie consent banner), we share data with analytics and advertising services:
Google Analytics: Website behavior, page views, session data for traffic analysis - Google Analytics Privacy
Withdrawal of Consent: You can withdraw consent by changing cookie settings or contacting support@hashedhorizon.com. Upon withdrawal, we will stop sharing data with these services.
4. Legal and Regulatory Authorities
We may share Personal Data with government authorities, law enforcement, or regulatory bodies when:
- Legal Obligation: Required by law, regulation, or court order (GDPR Art. 6(1)(c))
- Legal Process: Responding to subpoenas, warrants, or legal requests
- Public Interest: Necessary for public interest or exercise of official authority (GDPR Art. 6(1)(e))
- Vital Interests: Protecting vital interests in emergency situations (GDPR Art. 6(1)(d))
Transparency: Where legally permitted, we will notify you before disclosing your Personal Data to authorities.
Data Protection Authority: We cooperate with supervisory authorities and may share information in response to regulatory investigations or complaints.
Supervisory Authorities:
5. Business Transfers (Mergers and Acquisitions)
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy:
Successor's Obligations: The acquiring entity must:
- Continue to process Personal Data in accordance with this Privacy Policy
- Comply with GDPR and applicable data protection laws
- Provide notice if they intend to use Personal Data for new purposes
Advance Notice: We will provide at least 30 days' advance notice of:
- The identity of the acquiring entity
- Any changes to data processing practices
- Your rights to object or request data deletion
Your Rights: You can object to the transfer or request data deletion before the transfer completes.
6. Professional Advisors
We may share Personal Data with professional advisors (lawyers, accountants, auditors, consultants) under confidentiality obligations when necessary for:
- Legal advice and representation
- Financial audits and tax compliance
- Business consulting and strategic planning
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)) - seeking professional advice
7. No Sale of Personal Data
We do NOT sell your Personal Data to third parties for monetary consideration or other valuable consideration.
No Data Brokers: We do not provide Personal Data to data brokers, lead generation services, or marketing list providers.
Data Sharing Principles
When sharing Personal Data with third parties, we ensure:
- Necessity: Sharing is necessary for the specified purpose
- Minimization: Only necessary Personal Data is shared (GDPR Art. 5(1)(c))
- Security: Appropriate technical and organizational measures are in place (GDPR Art. 32)
- Contractual Protection: Third parties are bound by contracts or DPAs
- Transparency: You are informed about sharing practices in this Privacy Policy
Your Right to Object
Under GDPR Art. 21, you can object to data sharing based on legitimate interests. Contact dpo@hashedhorizon.com to exercise this right. We will stop sharing unless we demonstrate compelling legitimate grounds.
Onward Transfers
If our Subprocessors engage sub-subprocessors (onward transfers), they must:
- Obtain our prior written authorization
- Ensure equivalent data protection obligations
- Remain liable for the sub-subprocessor's compliance
International Data Transfers
Cross-Border Data Transfers (GDPR Art. 44-50)
Your Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including countries that do not provide the same level of data protection as your home country.
Countries Where We Transfer Personal Data
United States: The following Subprocessors process data in the United States:
Other Non-EEA Countries: Data may be processed in other countries where our Subprocessors maintain infrastructure.
Transfer Safeguards (GDPR Art. 46)
We implement appropriate safeguards for international transfers:
1. Standard Contractual Clauses (SCCs)
EU Commission-Approved: We use Standard Contractual Clauses (2021/914/EU) approved by the European Commission for transfers to third countries.
Binding Commitments: SCCs require data importers to:
- Implement appropriate technical and organizational security measures
- Process Personal Data only on documented instructions
- Assist with data subject rights requests
- Notify us of government data access requests
- Delete or return data upon termination
SCC Documentation: You can request a copy of our SCCs by contacting dpo@hashedhorizon.com.
2. Adequacy Decisions
EU Commission Recognition: Where available, we rely on EU Commission adequacy decisions recognizing that certain countries provide adequate data protection:
- United Kingdom: Adequacy decision in effect (2021/1772/EU)
- Switzerland: Adequacy decision in effect (2000/518/EC)
- Other Countries: As recognized by the European Commission
No Privacy Shield: We do NOT rely on the invalidated EU-U.S. Privacy Shield framework (Schrems II decision).
3. Supplementary Measures
In addition to SCCs, we implement supplementary measures to protect data transferred to third countries:
Technical Measures:
- Encryption in Transit: TLS 1.3 for all data transmissions
- Encryption at Rest: AES-256 encryption for stored data
- Pseudonymization: Where feasible, Personal Data is pseudonymized before transfer
- Access Controls: Role-based access controls and multi-factor authentication
Organizational Measures:
- Data Minimization: Transfer only necessary Personal Data
- Contractual Restrictions: Enhanced contractual protections beyond SCCs
- Government Access Transparency: Subprocessors must report government data requests
4. Transfer Impact Assessments (TIAs) - Schrems II Compliance
Legal Requirement: Following the CJEU Schrems II decision (Case C-311/18), we conduct Transfer Impact Assessments (TIAs) for each Subprocessor located in third countries without adequacy decisions, particularly the United States.
Assessment Methodology: For each international transfer, we evaluate:
Step 1: Destination Country Legal Framework
We assess the laws and practices of the destination country regarding:
- Government Access to Data: Laws permitting government surveillance or data access (e.g., FISA 702, Executive Order 12333)
- Legal Safeguards: Whether oversight mechanisms, transparency, and redress exist
- Proportionality: Whether government access is limited to what is necessary and proportionate
- Rule of Law: Independence of judiciary and availability of effective remedies
United States Assessment:
- FISA Section 702 and Executive Order 12333 allow U.S. intelligence agencies to access data of non-U.S. persons without individualized warrants
- Limited Redress: Non-U.S. persons have limited judicial remedies in U.S. courts
- Commercial Services Exception: Our Subprocessors provide commercial services, reducing likelihood of government access
- Data Protection Framework (2023): New adequacy mechanism provides enhanced safeguards (not yet in force for transfers)
Step 2: Subprocessor-Specific Assessment
We evaluate each Subprocessor's specific circumstances:
- Type of Data Processed: Whether sensitive or high-risk data is transferred
- Processing Location: Physical servers and data center locations
- Access Patterns: Who within the Subprocessor organization can access data
- Historical Requests: Subprocessor's track record of government data requests (transparency reports)
Step 3: Supplementary Measures Effectiveness
We assess whether our supplementary measures provide essentially equivalent protection to GDPR:
Technical Measures Implemented:
- End-to-End Encryption (TLS 1.3): Data encrypted in transit, making interception ineffective
- Encryption at Rest (AES-256): Stored data encrypted, limiting access to encrypted data
- Pseudonymization: Where possible, personal identifiers replaced with pseudonyms
- Data Minimization: Only necessary data transferred; metadata limited
Organizational Measures Implemented:
- Enhanced SCCs: Contractual obligations beyond standard SCCs, including transparency requirements
- Government Request Notification: Subprocessors contractually obligated to notify us of government data requests (unless legally prohibited)
- Challenge Obligation: Subprocessors must challenge disproportionate or unlawful government requests
- Regular Audits: Annual compliance audits and security assessments
Contractual Measures:
- Data Deletion Rights: Subprocessors must delete data upon termination
- Suspension Rights: We can suspend transfers if safeguards become inadequate
- Audit Rights: We retain rights to audit Subprocessor data protection practices
Step 4: Residual Risk Assessment
Conclusion: Based on our TIA for each Subprocessor, we have determined:
- Government Access Risk: LOW - Our Subprocessors provide commercial cloud services processing encrypted data for photo editing purposes. This is unlikely to be a target for government surveillance programs focused on national security.
- Supplementary Measures: EFFECTIVE - Encryption (TLS 1.3, AES-256), contractual protections, and data minimization provide essentially equivalent protection to GDPR standards.
- Essentially Equivalent Protection: YES - The combination of SCCs, technical encryption, and organizational measures ensures data transferred to our Subprocessors receives protection essentially equivalent to GDPR.
- Ongoing Monitoring: ACTIVE - We continuously monitor legal developments, Subprocessor transparency reports, and effectiveness of safeguards.
TIA Documentation: Detailed Transfer Impact Assessments for each Subprocessor are available upon request from dpo@hashedhorizon.com.
Last TIA Review: Our TIAs are reviewed annually or whenever significant legal or factual changes occur (e.g., new surveillance laws, changes to Subprocessor infrastructure).
Consent-Based Transfers (GDPR Art. 49(1)(a))
For certain non-essential services (analytics, marketing), we may rely on your explicit consent for international transfers. Consent is obtained via:
- Cookie consent banner for analytics cookies
- Opt-in checkboxes for marketing communications
- Account settings for optional features
Withdrawal: You can withdraw consent at any time by adjusting cookie settings or contacting support@hashedhorizon.com.
Derogations for Specific Situations (GDPR Art. 49)
In exceptional circumstances, we may transfer Personal Data without adequacy decisions or SCCs under GDPR Art. 49 derogations:
- Vital Interests (GDPR Art. 49(1)(d)): Emergency situations protecting life or safety
- Legal Claims (GDPR Art. 49(1)(e)): Establishing, exercising, or defending legal claims
- Public Interest (GDPR Art. 49(1)(d)): Transfers required by law or public register
Rare Use: These derogations are used only in exceptional, one-off situations.
Your Rights Regarding International Transfers
You have the right to:
- Information: Obtain information about transfer safeguards (this section)
- Object: Object to transfers based on legitimate interests (GDPR Art. 21)
- Copies: Request copies of SCCs and adequacy decisions
- Complaint: Lodge a complaint with your supervisory authority about cross-border transfers
Contact: For questions about international transfers, contact dpo@hashedhorizon.com.
Monitoring Transfer Safeguards
We continuously monitor:
- Legal Developments: Changes to adequacy decisions, SCCs, and data protection laws
- Subprocessor Compliance: Annual audits of Subprocessor data protection practices
- Government Requests: Transparency reports from Subprocessors about government access requests
- Schrems II Implications: Ongoing assessments following CJEU case law
Proactive Updates: If transfer safeguards become inadequate, we will:
- Suspend transfers until appropriate safeguards are implemented
- Notify affected users
- Update this Privacy Policy
Data Retention
Retention Periods (GDPR Art. 13(2)(a))
We retain Personal Data only as long as necessary for the purposes described in this Privacy Policy or as required by law, in accordance with GDPR Art. 5(1)(e) (storage limitation).
General Retention
Active Accounts: Data retained while your account is active and you continue using the Services
Inactive Accounts: Accounts inactive for 2+ years may be deleted automatically
Uploaded Content: May be retained for up to 90 days for service delivery, fraud prevention, and legal compliance
Deleted Accounts: Most data deleted within up to 90 days to up to 12 months after account closure, except where legal retention applies
Specific Retention Periods
Temporary Processing Data: Up to 90 days
This includes:
- AI Inputs and Outputs from non-authenticated users
- Session logs and activity data
- Temporary cache and working files
- Non-essential analytics data
- Error logs and diagnostic data
Retained User Data: Up to 12 months after account closure
This includes:
- Account registration information
- User profile and preferences
- AI Inputs and Outputs from authenticated users
- Billing and transaction records
- Support ticket history
- Legal compliance data
Legal Hold Data: Retained until resolution of legal matters
Data subject to:
- Ongoing litigation or investigations (no deletion until resolved)
- Regulatory inquiries or audits
- Law enforcement requests with legal basis
- Tax records: 7 years as required by law
- Abuse/fraud logs: up to 3 years for security purposes
Retention Criteria
We determine retention periods based on:
- Contractual Necessity: How long needed to provide Services
- Legal Obligations: Minimum periods required by law (tax, accounting, etc.)
- Legitimate Interests: Fraud prevention, security, legal defense
- Data Subject Expectations: Reasonable expectations of users
- Data Minimization: Shortest period consistent with purposes
Specific Retention Periods
Account Data: up to 12 months after account closure or 2 years of inactivity
Authentication Logs: up to 90 days for security auditing
Billing Records: for tax compliance (required by tax law in most jurisdictions)
Support Communications: up to 90 days after resolution
Marketing Consent: Until withdrawal of consent or 2 years of inactivity
Analytics Data: As specified by analytics providers (Google Analytics: 26 months default, Hotjar: 365 days)
Deletion Process
At the end of retention periods, Personal Data is:
- Permanently Deleted: Securely overwritten using industry-standard data destruction methods
- Anonymized: Personal identifiers irreversibly removed, making re-identification impossible
- Archived: Moved to secure, access-restricted archives (for legal hold data only)
Deletion Verification: Deletion is logged and auditable for compliance purposes.
Backup Retention
Backups: Deleted data may persist in backups for up to 90 days before permanent deletion
Active Backups: Up to 90 days
Archived Backups: Up to 12 months after account closure
At the end of backup retention periods, backups containing Personal Data are securely deleted or anonymized.
Flexible Retention
Legal Retention: We may retain data longer when required by law, court order, or to establish/defend legal claims
Operational Needs: We reserve the right to adjust retention periods to comply with evolving legal requirements or operational needs. Material changes will be reflected in this Privacy Policy with 30 days' notice.
Retention Ranges: Where we specify retention periods as ranges (e.g., "up to 90 days to up to 12 months after account closure"), actual deletion may occur at any point within that range depending on system processes and operational requirements
Your Right to Erasure
You can request earlier deletion of your Personal Data under GDPR Art. 17 (see California Privacy Rights section below). However, we may retain data where legally required or where legal exceptions to erasure apply.
California Privacy Rights (CCPA/CPRA)
Effective Date: January 1, 2020 (CCPA) / January 1, 2023 (CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.
Categories of Personal Information We Collect
We collect the following categories of personal information from California residents:
| Category | Examples | Collected | Sold/Shared |
|---|---|---|---|
| A. Identifiers | Name, email address, IP address, account name, online identifier | YES | NO |
| B. Personal Information (Cal. Civ. Code § 1798.80(e)) | Name, address, telephone number, payment information | YES | NO |
| C. Protected Classifications | Age, gender (if voluntarily provided) | YES | NO |
| D. Commercial Information | Purchase history, payment records, subscription data | YES | NO |
| E. Biometric Information | Fingerprints, voiceprints, facial recognition data | NO | NO |
| F. Internet/Network Activity | Browsing history, search history, interaction with our Services | YES | NO |
| G. Geolocation Data | Approximate location from IP address | YES | NO |
| H. Sensory Information | Audio, visual, or similar information | YES | NO |
| I. Professional/Employment Information | Job title, company name (if provided) | NO | NO |
| J. Education Information | Not collected | NO | NO |
| K. Inferences | Preferences, characteristics, behavior patterns derived from AI analysis | YES | NO |
Your California Privacy Rights
As a California resident, you have the following rights under CCPA/CPRA:
1. Right to Know
You have the right to request that we disclose:
- Categories of personal information collected about you
- Categories of sources from which personal information is collected
- Business or commercial purpose for collecting or selling personal information
- Categories of third parties with whom we share personal information
- Specific pieces of personal information we have collected about you
How to Exercise: Email support@hashedhorizon.com with subject line "CCPA Right to Know Request"
Response Timeline: We will respond within 45 days (may extend by 45 days with notice)
Verification: We will verify your identity using email confirmation and account authentication
2. Right to Delete
You have the right to request deletion of your personal information that we have collected, subject to certain exceptions.
Exceptions - We May Retain Data To:
- Complete transactions or provide requested services
- Detect security incidents, protect against malicious activity
- Debug to identify and repair errors
- Comply with legal obligations (e.g., tax records, DMCA counter-notices)
- Enable solely internal uses reasonably aligned with your expectations
How to Exercise: Email support@hashedhorizon.com with subject line "CCPA Right to Delete Request"
Response Timeline: We will respond within 45 days (may extend by 45 days with notice)
Deletion Scope: We will delete or de-identify your personal information from our active databases and instruct our service providers to do the same.
3. Right to Correct
You have the right to request correction of inaccurate personal information we maintain about you.
How to Exercise: Email support@hashedhorizon.com with subject line "CCPA Right to Correct Request"
4. Right to Opt-Out of Sale/Sharing
Do Not Sell or Share My Personal Information
Hashed Horizon DOES NOT SELL your personal information to third parties for monetary consideration.
What "Sharing" Means Under CPRA: Under California law, "sharing" includes disclosing personal information to third parties for cross-context behavioral advertising, even without monetary consideration.
Our Sharing Practices:
- We DO NOT share personal information for targeted advertising based on your activity across different websites or services
- Analytics Services May Be Considered "Sharing": We use analytics services (Google Analytics) that may process your data in ways CPRA defines as "sharing"
How to Opt Out of Sharing:
- Cookie Consent Banner: When you first visit our website, decline analytics and marketing cookies
  - This prevents analytics cookies from being set
  - Your choice is saved for 12 months
- Direct Opt-Out Link: Visit our Do Not Sell page
  - Link: Do Not Sell or Share My Personal Information
  - Click "Opt Out" button
  - Confirmation message displays immediately
- Cookie Settings Page: Manage preferences anytime
  - Visit: https://thisone.app/cookie-settings
  - Disable "Analytics" and "Marketing" categories
  - Changes apply immediately
- Email Request: Contact us directly
  - Email: support@hashedhorizon.com
  - Subject: "Do Not Sell or Share My Personal Information"
  - We'll process your request within 15 business days
What Happens When You Opt Out:
- No Analytics Tracking: Google Analytics, Hotjar, and similar services will not track your activity
- No Targeted Ads: We will not share data for behavioral advertising
- Service Unaffected: Opting out does NOT affect your ability to use our Services
- Persistent Choice: Your opt-out preference is saved and respected across sessions
- No Discrimination: We will not treat you differently for opting out
Opt-Out Applies To:
- Analytics cookies (Google Analytics)
- Marketing cookies (advertising services)
- Cross-context behavioral advertising
Opt-Out Does NOT Apply To (necessary for service provision):
- Essential cookies (authentication, security)
- Service functionality (preferences, account settings)
- Legal compliance (fraud prevention, security logging)
Browser "Do Not Track" Signals: We honor Global Privacy Control (GPC) as an opt-out signal for sharing/selling personal information. Standard "Do Not Track" signals are not universally recognized, but GPC is specifically designed for CPRA compliance.
5. Right to Limit Use of Sensitive Personal Information
Sensitive Personal Information We Collect:
- Precise geolocation (if you enable location services)
- Contents of communications (chat messages, AI prompts)
- Racial or ethnic origin, religious beliefs (only if you voluntarily provide in AI prompts)
Limitation: You have the right to limit our use of sensitive personal information to:
- Performing services or providing goods reasonably expected by you
- Ensuring security and integrity
- Short-term, transient use
- Performing services on behalf of the business
- Activities to verify or maintain quality/safety
How to Exercise: Email support@hashedhorizon.com with subject line "CCPA Limit Sensitive PI Request"
6. Right to Non-Discrimination
We will NOT discriminate against you for exercising your CCPA rights. We will not:
- Deny goods or services to you
- Charge different prices or rates for goods or services
- Provide a different level or quality of goods or services
- Suggest that you will receive a different price or quality of goods or services
Financial Incentive Programs: We may offer financial incentives (discounts, loyalty programs) that require your personal information. These programs are:
- Opt-In: You must affirmatively consent to participate
- Revocable: You may withdraw consent at any time
- Non-Discriminatory: Declining participation will not result in different pricing for standard services
Value Calculation: The value of your personal information is reasonably related to the value of the incentive offered, calculated based on:
- Revenue generated from your subscription/purchases
- Cost of goods/services provided
- Customer acquisition and retention costs
How to Submit CCPA Requests
Authorized Agent: You may designate an authorized agent to submit requests on your behalf. The agent must:
- Provide written authorization signed by you
- Verify their identity
- Provide proof of agency relationship
Methods to Submit Requests:
- Email: support@hashedhorizon.com (preferred)
- Phone: +48-22-000-0000
- Mail: Hashed Horizon Sp. z o.o., ul. Marszałkowska 1, 00-624 Warsaw, Poland
Verification Process:
- For account holders: Email confirmation + account authentication
- For non-account holders: Email confirmation + additional identifying information
- For deletion requests: Two-step verification process
Response Timeline:
- Initial Response: Within 10 business days acknowledging receipt
- Full Response: Within 45 days (may extend by 45 days with notice)
- Free Requests: First 2 requests per 12-month period are free
- Excessive Requests: We may charge a reasonable fee or decline excessive, repetitive, or manifestly unfounded requests
CCPA Business Purpose Disclosures
We disclose personal information to the following categories of third parties for business purposes:
| Category | Third Party Type | Business Purpose |
|---|---|---|
| Identifiers | Service providers, cloud hosting | Infrastructure, security, support |
| Commercial Information | Payment processors | Process payments, prevent fraud |
| Internet Activity | AI service providers (OpenAI, Google) | Provide AI-powered features |
| Inferences | Analytics providers | Improve service quality |
| All Categories | Legal/regulatory authorities | Comply with legal obligations |
Service Provider Contracts: All service providers are contractually prohibited from:
- Retaining, using, or disclosing your personal information for any purpose other than performing services for us
- Selling your personal information
California "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information regarding disclosure of personal information to third parties for direct marketing purposes.
Our Policy: We do NOT disclose your personal information to third parties for their direct marketing purposes without your explicit consent.
California Online Privacy Protection Act (CalOPPA)
We comply with CalOPPA by:
- Providing this Privacy Policy with clear disclosures
- Honoring "Do Not Track" browser signals via Global Privacy Control (GPC)
- Allowing you to review and update your personal information
Do Not Track Signals: We honor GPC signals as opt-outs for the sale/sharing of personal information.
Contact for California Privacy Rights
California Privacy Contact:
- Email: support@hashedhorizon.com
- Subject Line: "CCPA Privacy Request"
- Phone: +48-22-000-0000
California Attorney General: If you are not satisfied with our response, you may contact:
- California Attorney General's Office
- Privacy Enforcement Section
- https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
UK GDPR and Data Protection Act 2018
Effective Date: January 1, 2021 (post-Brexit UK GDPR)
If you are a UK resident, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 provide you with specific rights regarding your personal data.
UK Data Controller Information
Data Controller: Hashed Horizon Sp. z o.o.
UK Representative (if applicable):
Information Commissioner's Office (ICO): You have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
Your UK GDPR Rights
As a UK resident, you have the following rights:
1. Right of Access (GDPR Art. 15): Request confirmation of whether we process your personal data and obtain a copy
2. Right to Rectification (GDPR Art. 16): Correct inaccurate or incomplete personal data
3. Right to Erasure (GDPR Art. 17): Request deletion of personal data ("right to be forgotten")
4. Right to Restriction (GDPR Art. 18): Restrict processing in certain circumstances
5. Right to Data Portability (GDPR Art. 20): Receive personal data in machine-readable format
6. Right to Object (GDPR Art. 21): Object to processing based on legitimate interests or direct marketing
7. Rights Related to Automated Decision-Making (GDPR Art. 22): Not be subject to solely automated decisions with significant effects
Exercising Your UK Rights
How to Exercise: Email support@hashedhorizon.com with subject line "UK GDPR Rights Request"
Response Timeline: We will respond within one month (may extend by two months for complex requests with notice)
Verification: We will verify your identity using email confirmation and account authentication
No Fee: Exercising your rights is free unless requests are manifestly unfounded or excessive
UK-Specific Data Processing
Lawful Basis: We process your personal data under the following lawful bases:
- Performance of Contract (GDPR Art. 6(1)(b)): To provide ThisOne AI Platform Services
- Legitimate Interests (GDPR Art. 6(1)(f)): For analytics, security, and service improvement
- Consent (GDPR Art. 6(1)(a)): For marketing communications and optional features
- Legal Obligation (GDPR Art. 6(1)(c)): To comply with UK legal requirements
International Transfers: Transfers of personal data outside the UK are protected by:
- EU Standard Contractual Clauses (recognized under UK GDPR)
- UK Addendum to SCCs (for UK-specific transfers)
- Adequacy Decisions: Transfers to countries with adequacy recognition
Contact for UK Privacy Rights
UK Privacy Contact: support@hashedhorizon.com
Subject Line: "UK GDPR Rights Request" or "UK Privacy Inquiry"
Your Privacy Rights
Rights Under GDPR (GDPR Art. 15-22)
If you are in the European Union or European Economic Area, you have the following rights under the GDPR:
1. Right of Access (GDPR Art. 15)
What: Obtain confirmation of whether we process your Personal Data and access a copy of that data.
What You Receive:
- Categories of Personal Data processed
- Purposes of processing
- Recipients of your Personal Data
- Retention periods
- Information about international transfers
- Your GDPR rights
How to Exercise: Email dpo@hashedhorizon.com with subject "GDPR Art. 15 - Access Request"
Response Time: 30 days (extendable by 2 months for complex requests)
Format: JSON or PDF format
Fee: Free for first request; reasonable fee for excessive or repetitive requests
2. Right to Rectification (GDPR Art. 16)
What: Correct inaccurate or incomplete Personal Data.
Examples:
- Update email address or phone number
- Correct misspelled name
- Complete incomplete profile information
How to Exercise:
- Update directly in Account settings
- Email dpo@hashedhorizon.com with subject "GDPR Art. 16 - Rectification Request"
Response Time: 30 days
Verification: We may request proof of corrected information to ensure accuracy.
3. Right to Erasure / "Right to Be Forgotten" (GDPR Art. 17)
What: Request deletion of your Personal Data.
When It Applies:
- Personal Data no longer necessary for original purposes
- You withdraw consent (where consent was the legal basis)
- You object to processing (GDPR Art. 21) and no overriding legitimate grounds exist
- Personal Data was unlawfully processed
- Erasure required for legal compliance
- Personal Data collected from a child under 18 without proper consent
Exceptions (we may refuse erasure if retention is necessary for):
- Legal Obligation: Compliance with EU or Member State law
- Legal Claims: Establishing, exercising, or defending legal claims
- Public Interest: Archiving, research, or statistical purposes
- Freedom of Expression: Exercise of freedom of expression and information
How to Exercise: Email dpo@hashedhorizon.com with subject "GDPR Art. 17 - Erasure Request"
Process:
- We verify your identity
- We assess whether exceptions apply
- If erasure granted, we delete data within 30 days
- We notify Subprocessors to delete data
- We confirm deletion to you
Backup Deletion: Data in backups is deleted at end of retention periods (up to 90 days for active backups, up to 12 months after account closure for archived backups).
4. Right to Restriction of Processing (GDPR Art. 18)
What: Request temporary restriction of processing (data stored but not actively processed).
When It Applies:
- You contest accuracy of Personal Data (restricted during verification)
- Processing is unlawful but you prefer restriction over erasure
- We no longer need data but you need it for legal claims
- You objected to processing (GDPR Art. 21) pending verification of legitimate grounds
How to Exercise: Email dpo@hashedhorizon.com with subject "GDPR Art. 18 - Restriction Request"
Effect: We will not process restricted data except:
- With your consent
- For legal claims
- To protect another person's rights
- For important public interest
Notification: We will notify you before lifting restriction.
5. Right to Data Portability (GDPR Art. 20)
What: Receive your Personal Data in a structured, machine-readable format and transmit it to another service provider.
Scope: Applies only to:
- Personal Data you provided to us
- Processing based on consent (GDPR Art. 6(1)(a)) or contract (GDPR Art. 6(1)(b))
- Processing carried out by automated means
Format Options:
- JSON: Structured JSON format
- CSV: Comma-separated values for spreadsheet import
What You Receive:
- Account information and profile data
- AI Inputs and Outputs
- Usage history and preferences
- Transaction history (if applicable)
How to Exercise:
- Use "Export My Data" feature in Account settings
- Email dpo@hashedhorizon.com with subject "GDPR Art. 20 - Data Portability Request"
Delivery: Data export link provided within 48 hours, valid for 7 days
Direct Transfer: Where technically feasible, we can transmit data directly to another service provider at your request.
6. Right to Object (GDPR Art. 21)
What: Object to processing of your Personal Data.
Processing Based on Legitimate Interests (GDPR Art. 6(1)(f)):
- You can object at any time
- We must stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms
- Example: Security and fraud prevention
Direct Marketing (GDPR Art. 21(2)):
- Absolute right to object (no balancing test)
- We must stop processing immediately
- Includes profiling for direct marketing
How to Exercise:
- Click "Unsubscribe" in marketing emails
- Update preferences in Account settings
- Email dpo@hashedhorizon.com with subject "GDPR Art. 21 - Objection"
Response: We will stop processing within 30 days unless we can demonstrate compelling legitimate grounds.
7. Rights Related to Automated Decision-Making and Profiling (GDPR Art. 22)
What: Not be subject to solely automated decisions with legal or similarly significant effects without human involvement.
Our AI Services: Our AI Outputs do NOT constitute automated decision-making under GDPR Art. 22 because you review and decide whether to use them.
Your Responsibility: If you use our AI to make automated decisions affecting others, YOU must:
- Provide notice to affected individuals
- Implement meaningful human oversight
- Allow individuals to contest decisions
- Obtain explicit consent (where required by GDPR Art. 22(2)(c))
How to Exercise Your Rights
Contact Methods:
- Email: dpo@hashedhorizon.com
- Subject Line: Use format "GDPR Art. [XX] - [Right Name] Request"
- Postal Mail: Hashed Horizon Sp. z o.o., Poland
Identity Verification: We will verify your identity using:
- Email confirmation to registered account
- Additional information (last 4 digits of payment card, recent transaction, etc.)
- Government-issued ID (for sensitive requests like erasure)
Response Time: We respond to GDPR requests within 30 days. For complex or numerous requests, we may extend by up to 2 months, as permitted by GDPR Art. 12(3).
What "Complex" Means: Requests may be considered complex if they:
- Involve large volumes of Personal Data
- Require coordination with multiple subprocessors or third parties
- Involve legal or technical analysis
- Require retrieval from backup systems or archives
- Are frivolous, excessive, or manifestly unfounded
No Fee: Exercising GDPR rights is free, unless requests are manifestly unfounded or excessive.
Fee for Excessive Requests: We may charge a reasonable fee for manifestly unfounded or excessive requests (GDPR Art. 12(5)).
Refusal: If we refuse your request, we will explain why and inform you of your right to complain to a supervisory authority.
Right to Lodge a Complaint (GDPR Art. 77)
If you are unsatisfied with how we handle your Personal Data or respond to your rights requests, you have the right to lodge a complaint with a supervisory authority:
European Data Protection Board: List of all EU supervisory authorities: https://edpb.europa.eu/about-edpb/board/members_en
Your Habitual Residence: You can lodge a complaint in your country of habitual residence, place of work, or place of alleged infringement.
Non-Discrimination
We will not discriminate against you for exercising your GDPR rights. Exercising your rights will not affect:
- Service availability or quality
- Pricing or fees (except manifestly excessive requests)
- Access to features or functionality (except where Personal Data is necessary for those features)
Security Measures
Our Commitment to Security (GDPR Art. 32)
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, protecting Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Technical Security Measures
1. Encryption:
- In Transit: TLS 1.3 (Transport Layer Security) for all data transmissions
- At Rest: AES-256 encryption for stored data in databases and file storage
- Passwords: bcrypt or argon2 hashing with per-user salts (never plain text)
- Backups: Encrypted backups with separate encryption keys
2. Access Controls:
- Role-based access control (RBAC) with least privilege principle
- Multi-factor authentication (MFA) for administrative access
- Regular access reviews and permission audits
- Automatic session expiration after inactivity
3. Network Security:
- Firewalls and intrusion detection/prevention systems (IDS/IPS)
- DDoS protection and rate limiting
- Network segmentation and isolation
- Virtual Private Networks (VPNs) for administrative access
4. Application Security:
- Input validation and output encoding to prevent injection attacks
- CSRF (Cross-Site Request Forgery) protection tokens
- Content Security Policy (CSP) headers
- Regular security patching and dependency updates
5. Monitoring and Logging:
- 24/7 security monitoring and alerting
- Centralized logging with tamper-proof audit trails
- Anomaly detection and behavioral analysis
- Real-time threat intelligence integration
Organizational Security Measures
1. Employee Training:
- Mandatory data protection and security training for all employees
- Regular phishing awareness and social engineering training
- Secure coding practices for developers
- Annual refresher training and updates
2. Access Management:
- Background checks for employees with data access
- Confidentiality and non-disclosure agreements (NDAs)
- Immediate access revocation upon employment termination
- Separation of duties for critical operations
3. Security Policies and Procedures:
- Information Security Policy (ISO 27001 aligned)
- Incident Response Plan with defined escalation procedures
- Business Continuity and Disaster Recovery Plans
- Regular policy reviews and updates
4. Vendor Management:
- Security assessments of Subprocessors before engagement
- Contractual security and data protection obligations (DPAs)
- Regular security audits of critical Subprocessors
- Right to audit Subprocessor security practices
5. Physical Security:
- Our infrastructure providers implement:
  - 24/7 physical security and access controls
  - Environmental controls (temperature, humidity, fire suppression)
  - Video surveillance and intrusion detection
  - Secure disposal of hardware containing data
Security Testing and Audits
Penetration Testing: Annual penetration tests by independent security firms
Vulnerability Scanning: Automated weekly vulnerability scans
Code Reviews: Security code reviews for all changes
Compliance Audits: Regular compliance audits against GDPR, ISO 27001, SOC 2
Bug Bounty: Responsible disclosure program for security researchers
Data Breach Response (GDPR Art. 33-34)
In the event of a Personal Data breach, we follow a comprehensive incident response process:
1. Detection and Awareness:
- Security monitoring systems detect and alert on potential breaches 24/7
- Incident response team activated immediately upon detection
- "Becoming aware" clock starts when we have reasonable certainty a breach occurred
2. Containment and Impact Assessment:
- Immediate incident response to contain and mitigate breach
- Evaluation of breach scope, affected individuals, and risk level
- Documentation of breach timeline, affected data types, and potential consequences
3. Supervisory Authority Notification (GDPR Art. 33):
72-Hour Breach Notification Clock: We notify the competent supervisory authority within 72 hours of becoming aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of individuals.
Notification Contents:
- Nature of the breach (categories and approximate numbers of data subjects affected)
- Contact details of our Data Protection Contact (dpo@hashedhorizon.com)
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
Phased Notification: If information cannot be provided within 72 hours, we provide initial notification followed by updates as information becomes available.
4. Individual Notification (GDPR Art. 34):
When We Notify You: We notify affected individuals without undue delay when a breach is likely to result in a high risk to your rights and freedoms. High-risk breaches include:
- Exposure of sensitive personal data (health, financial, biometric)
- Identity theft or fraud risk
- Significant economic or social disadvantage
- Loss of confidentiality of data protected by professional secrecy
Notification Method: Email to your registered email address, supplemented by public announcement if individual notification is disproportionate or impossible.
Notification Contents:
- Description of the breach in clear, plain language
- Contact point for more information (dpo@hashedhorizon.com)
- Likely consequences of the breach
- Measures we have taken to address the breach
- Recommendations for actions you can take to protect yourself
Exceptions: Notification to individuals is not required if:
- We implemented appropriate technical and organizational protection measures (e.g., encryption) rendering data unintelligible
- We have taken subsequent measures ensuring high risk to rights and freedoms is no longer likely
- Individual notification would involve disproportionate effort (in which case we make a public communication)
5. Documentation and Remediation:
- Comprehensive breach documentation maintained for supervisory authority inspection
- Root cause analysis and implementation of preventive measures
- Security improvements to prevent similar future breaches
- Regular review and update of incident response procedures
Your Security Responsibilities
Account Security:
- Use strong, unique passwords (minimum 12 characters, mix of types)
- Enable multi-factor authentication (MFA) where available
- Never share passwords or API keys
- Log out from shared or public devices
Report Suspicious Activity:
- Unauthorized account access
- Suspected phishing attempts
- Security vulnerabilities
- Data breaches
Contact: Report security issues immediately to support@hashedhorizon.com with subject "URGENT: Security Issue"
Limitations
No Absolute Security: Despite our measures, no system is 100% secure. Internet transmission and electronic storage carry inherent risks.
Your Risk: You acknowledge and accept the risk that unauthorized third parties may access Personal Data despite our security measures.
Breach Notification: We will notify you of any Personal Data breaches in accordance with GDPR Art. 34 requirements.
Children's Privacy
Age Restrictions (GDPR Art. 8)
Our Services are not intended for children under 18 years of age.
We do not knowingly collect or process Personal Data from individuals under 18 years of age.
No Knowing Collection of Children's Data
We do NOT knowingly:
- Collect Personal Data from children under 18
- Allow children under 18 to create Accounts
- Market our Services to children under 18
- Process Personal Data of children under 18 without valid parental consent
Age Verification
We employ the following age verification measures:
Account Registration: Users must confirm they are at least 18 years old when creating an Account
Self-Certification: Users provide their date of birth during registration
Behavioral Indicators: We monitor for behavioral patterns suggesting underage use
Parental Reports: We investigate parental reports of underage accounts
Discovery of Underage Users
If we discover that we have collected Personal Data from a child under 18 without proper parental consent:
1. Immediate Suspension: We will immediately suspend the Account
2. Parental Notification: If possible, we will notify the parent or guardian
3. Data Deletion: We will delete all Personal Data associated with the Account within 30 days
4. No Retention: We will NOT retain any Personal Data except as required by law for child protection
5. Compliance Documentation: We will document the deletion for GDPR compliance (GDPR Art. 5(2) accountability)
Parental Rights
Parents or guardians have the right to:
1. Request Information: Obtain information about Personal Data we hold about their child
2. Request Correction: Correct inaccurate Personal Data about their child
3. Request Deletion: Request deletion of their child's Personal Data (GDPR Art. 17)
4. Object to Processing: Object to processing of their child's Personal Data
5. Lodge Complaints: Complain to supervisory authorities about our handling of children's Personal Data
Contact: Parents or guardians should contact dpo@hashedhorizon.com with subject "Child Privacy Concern" to exercise these rights.
Verification of Parental Identity
To protect children's privacy, we will verify parental identity before:
- Providing access to a child's Personal Data
- Processing parental requests regarding a child's data
- Deleting a child's Account
Verification Methods:
- Government-issued ID matching the child's registered parent/guardian
- Credit card verification (small authorization hold)
- Knowledge-based authentication (recent account activity, registration details)
COPPA Compliance (USA - Children Under 13)
Children's Online Privacy Protection Act (COPPA) requires parental consent before collecting personal information from children under 13 years of age in the United States.
COPPA Notice to Parents
Hashed Horizon provides the following information to parents regarding our children's privacy practices:
Information We Collect from Children Under 13
If a child under 13 creates an account with parental consent, we may collect:
Personal Information:
- Name or username
- Email address (for account recovery and parental notifications)
- Parent's email address (for consent and communication)
Usage Information:
- Content created by the child (AI prompts, generated content)
- Usage patterns and interaction with AI features
Automatically Collected:
- IP address and device information
- Cookies and similar technologies (essential cookies only for children under 13)
NOT Collected: We do NOT collect:
- Social Security numbers
- Precise geolocation
- Photographs or videos (unless explicitly authorized by parent)
- Personal information more than reasonably necessary for participation
How We Use Children's Information
We use children's information ONLY for:
- Service Delivery: Providing the Services the child registered for
- Safety: Protecting the security and integrity of our Services
- Compliance: Complying with legal obligations
- Parental Communication: Notifying parents of account activity
NO Marketing: We do NOT use children's information for:
- Behavioral advertising
- Marketing communications
- Building user profiles for advertising
- Sharing with third parties for their marketing purposes
Disclosure of Children's Information
We disclose children's information ONLY to:
Service Providers: Companies that help us operate our Services:
- Google Cloud AI (Gemini): EU/USA
- Vercel: EU
- Neon: EU
- Sentry: EU/USA
- Stripe: EU/USA
- Apple (App Store / Apple Pay): USA
- Google (Play Store / Google Pay): USA
Required by Law: When required to comply with legal obligations, court orders, or protect safety
With Parental Consent: When parents explicitly authorize disclosure
We do NOT allow third parties to collect personal information from children under 13 through our Services for their own purposes.
Verifiable Parental Consent Mechanism
COPPA Requirement: We obtain verifiable parental consent BEFORE collecting, using, or disclosing personal information from children under 13.
Consent Methods (COPPA-Compliant)
We use the following FTC-approved methods to obtain verifiable parental consent:
Method 1: Credit Card Verification (Preferred)
- Parent provides credit card information
- We charge a small verification fee (€0,50, immediately refunded)
- This confirms parent has financial relationship and control
Method 2: Government ID + Video Verification
- Parent uploads government-issued photo ID
- Parent records short video confirmation statement
- We verify ID authenticity and match to video
Method 3: Knowledge-Based Authentication
- Parent answers knowledge-based questions (credit bureau-verified)
- Questions only the parent would know (financial history, addresses)
- This method verifies parent's identity through third-party data
Method 4: Signed Consent Form
- Parent downloads, signs, and returns consent form via:
  - Postal mail to Hashed Horizon Sp. z o.o., ul. Marszałkowska 1, 00-624 Warsaw, Poland
  - Scanned email to support@hashedhorizon.com with subject "COPPA Parental Consent"
Email Consent (Limited Use):
- For low-risk contexts ONLY (e.g., one-time newsletter)
- Parent receives email requesting consent
- Parent must respond with confirmation from same email address
- NOT used for ongoing collection of personal information
Consent Process Timeline
- Child Attempts Registration → System detects age under 13
- Parent Notification Email → Sent immediately to parent's email
- Parent Reviews Notice → This COPPA notice provided
- Parent Chooses Consent Method → Selects from options above
- Identity Verification → We verify parent's identity (24-48 hours)
- Consent Recorded → Account activated ONLY after verification
- Ongoing Notice → Parent receives activity notifications
Timeline: Account activation within 48-72 hours of consent verification
Parental Rights Under COPPA
Parents of children under 13 have the right to:
1. Review Personal Information
- Request to see all personal information collected from your child
- Method: Email support@hashedhorizon.com with subject "COPPA Review Request"
- Verification: We will verify your identity using consent method records
- Timeline: 10 business days
2. Direct Us to Delete Information
- Request deletion of your child's personal information
- Method: Email support@hashedhorizon.com with subject "COPPA Deletion Request"
- Effect: Child's account will be terminated and all data deleted
- Exceptions: We may retain records of deletion for compliance purposes
3. Refuse Further Collection
- Refuse to permit further collection or use of your child's information
- Method: Withdraw consent via account settings or email support@hashedhorizon.com
- Effect: Child's access to Services may be limited or terminated
- No Penalty: We will not penalize the child for your refusal
4. Revoke Consent
- Revoke previously given consent at any time
- Method: Account settings or email support@hashedhorizon.com with subject "Revoke COPPA Consent"
- Immediate Effect: Collection stops immediately, account suspended
COPPA Conditional Access
Permitted Under COPPA: We may condition a child's participation in certain activities on disclosure of personal information that is reasonably necessary for that activity.
Prohibited: We will NOT require a child to disclose more information than is reasonably necessary to participate in an activity.
Example:
- Requiring email for account recovery → Reasonably necessary
- Requiring phone number for a drawing app → NOT reasonably necessary
Support for Child-Directed Content (if applicable)
Not Child-Directed: Our Services are NOT directed to children under 13 and are designed for general audiences aged 18 and older.
COPPA Contact Information
COPPA Inquiries: Parents with questions about our COPPA compliance should contact:
- Email: support@hashedhorizon.com (Subject: "COPPA Inquiry")
- Phone: +48-22-000-0000
- Mail: Hashed Horizon Sp. z o.o., Attn: Privacy Compliance / COPPA, ul. Marszałkowska 1, 00-624 Warsaw, Poland
FTC Complaints: Parents may file complaints with the Federal Trade Commission:
- FTC Consumer Response Center
- 600 Pennsylvania Avenue NW
- Washington, DC 20580
- Phone: 1-877-FTC-HELP (1-877-382-4357)
- Online: https://reportfraud.ftc.gov
COPPA Updates
Notice of Changes: If we make material changes to our COPPA practices:
- We will update this Privacy Policy with prominent notice
- We will notify parents via email at least 30 days before changes take effect
- We will re-obtain parental consent if required by changes
Parental Review: We recommend parents review this section periodically.
Educational Use
Reporting Underage Use
If you suspect a child under 18 is using our Services without parental consent:
Report to: support@hashedhorizon.com with subject "Underage User Report"
Information to Provide:
- Account email or username (if known)
- Reason you believe the user is underage
- Any evidence supporting the claim
Investigation: We will promptly investigate and take appropriate action.
Confidentiality: We treat reports confidentially and do not disclose the reporter's identity.
Third-Party Services
Some of our Subprocessors may also collect data from users:
- Google Cloud AI (Gemini): Separate privacy policy applies - Google Cloud AI (Gemini) Privacy
- Vercel: Separate privacy policy applies - Vercel Privacy
- Neon: Separate privacy policy applies - Neon Privacy
- Sentry: Separate privacy policy applies - Sentry Privacy
- Stripe: Separate privacy policy applies - Stripe Privacy
- Apple (App Store / Apple Pay): Separate privacy policy applies - Apple (App Store / Apple Pay) Privacy
- Google (Play Store / Google Pay): Separate privacy policy applies - Google (Play Store / Google Pay) Privacy
Parent Responsibility: Parents should review Subprocessor privacy policies to understand how they handle children's data.
Changes to Children's Privacy Practices
If we make material changes to our children's privacy practices, we will:
- Update this Privacy Policy with at least 30 days' notice
- Notify parents via email (if we have parental contact information)
- Re-obtain parental consent if required by law
Changes to This Privacy Policy
Right to Modify
We reserve the right to update this Privacy Policy to reflect:
- Changes in our data processing practices
- New features or Services
- Changes in applicable laws or regulations
- Technological developments
- Feedback from users or regulators
Notice of Material Changes
Advance Notice: We will provide at least 30 days' advance notice of material changes by:
- Email Notification: Sent to your registered email address
- Website Notice: Prominent banner on https://thisone.app
- In-Service Notification: Alert when you log in to your Account
- Privacy Policy Update: "Last Updated" date at the top of this Policy
Material Changes Include:
- Changes to purposes of processing or legal basis
- Addition of new categories of Personal Data collected
- Changes to data retention periods
- Addition of new Subprocessors or recipients
- Changes to international transfer mechanisms
- Reduction of your rights or increase of our data use
Non-Material Changes
Immediate Effect: Non-material changes take effect immediately upon posting:
- Clarifications of existing practices
- Corrections of typos or formatting
- Updates to contact information
- Addition of examples or explanatory text
- Organizational or structural improvements
Last Updated Date: The "Last Updated" date at the top indicates when changes were made.
How We Notify You
Primary Method: Email to your registered Account email address
Delivery: Emails are sent at least 30 days before material changes take effect
Subject Line: "Important: Privacy Policy Update - Action May Be Required"
Email Content:
- Summary of changes
- Effective date
- Link to updated Privacy Policy
- Link to comparison showing changes
- Your options if you object to changes
Delivery Failure: If email bounces or fails, we will:
- Display in-service notification when you log in
- Restrict service access until you acknowledge the changes (for material changes)
Review of Changes
Change Log: We maintain a change log showing:
- Date of change
- Summary of modifications
- Reason for change
- Effective date
Comparison View: We provide side-by-side comparison of old and new versions for material changes
Your Options
If you object to material changes:
1. Continue Using Services
Acceptance: Continued use of Services after the effective date constitutes acceptance of the updated Privacy Policy
Implications: You agree to the new data processing practices
2. Object to Changes
Before Effective Date: Contact dpo@hashedhorizon.com within the 30-day notice period to object
Your Rights:
- Request data deletion (GDPR Art. 17)
- Request data portability (GDPR Art. 20)
- Close your Account before changes take effect
Our Response: We will consider your objection and may:
- Maintain previous practices for your Account (if feasible)
- Offer alternative solutions
- Explain why changes are necessary
3. Terminate Your Account
Right to Terminate: You can close your Account at any time before changes take effect
Data Deletion: Upon Account closure, your Personal Data will be deleted according to our retention schedule (see Retention Periods)
No Penalty: There is no penalty or fee for closing your Account due to Privacy Policy changes
Pro-Rata Refund: If you have an active Subscription and close your Account due to material Privacy Policy changes we initiate, you may be entitled to a pro-rata refund of prepaid fees.
Consent for New Purposes
If we wish to process your Personal Data for a new purpose not covered by this Privacy Policy:
Compatibility Assessment: We will first assess whether the new purpose is compatible with the original purpose (GDPR Art. 6(4))
If Compatible: We may proceed with processing under the original legal basis, after notifying you
If Incompatible: We will:
- Notify you of the new purpose and legal basis
- Obtain your explicit consent (if no other legal basis applies)
- Provide option to opt out
No Surprise Processing: We will NOT process your Personal Data for new purposes without proper legal basis and transparency.
Regulatory Changes
Legal Requirement: If changes are required by new laws, regulations, or regulatory guidance:
Shorter Notice: We may implement changes with shorter notice if legally required
Explanation: We will explain the legal requirement necessitating the change
Your Rights Preserved: Changes required by law do not diminish your GDPR rights
Merger or Acquisition
If Hashed Horizon is acquired or merges with another entity:
Successor's Privacy Policy: The acquiring entity's Privacy Policy may apply
Advance Notice: We will provide at least 30 days' notice before transferring Personal Data to a successor with different privacy practices
Your Options: You can:
- Request data deletion before the transfer
- Exercise data portability to move to another service
- Object to the transfer
Continuity: Ideally, the successor will honor this Privacy Policy or provide equivalent or better protections
Questions About Changes
For questions about Privacy Policy changes:
- Email: dpo@hashedhorizon.com
- Subject: "Privacy Policy Changes - Question"
Clarification: We will clarify how changes affect your Personal Data and rights.
Contact Us
General Privacy Inquiries
For questions, concerns, or requests regarding this Privacy Policy or our data processing practices:
Email: support@hashedhorizon.com
Subject Line Format: "Privacy Inquiry - [Brief Description]"
Response Time: We aim to respond within 5 business days for general inquiries.
Data Protection Contact
Our Data Protection Contact is responsible for overseeing our data protection strategy and GDPR compliance:
Email: dpo@hashedhorizon.com
Subject Line: "Data Protection - [Topic]"
Responsibilities:
- Advising on GDPR compliance
- Monitoring data protection practices
- Serving as contact point for supervisory authorities
- Responding to data subject rights requests
- Conducting Data Protection Impact Assessments (DPIAs)
When to Contact Our Data Protection Team:
- Exercising GDPR rights (access, erasure, portability, etc.)
- Reporting data protection concerns
- Requesting Data Protection Impact Assessments
- Lodging internal complaints about data handling
Note on Data Protection Officer: Under GDPR Art. 37, a formal Data Protection Officer (DPO) is required only when:
- Processing is carried out by a public authority
- Core activities involve large-scale systematic monitoring of individuals
- Core activities involve large-scale processing of special category data
Hashed Horizon is not currently required to appoint a formal DPO because our photo editing services do not involve biometric identification, large-scale special category data processing, or systematic monitoring. Our Data Protection Contact provides the same level of expertise and accessibility for all data protection matters.
We will appoint a formal DPO if our processing activities meet the GDPR Art. 37 thresholds in the future.
UK Representative (UK GDPR Art. 27)
UK Representative Status: We have not appointed a formal UK representative under UK GDPR Art. 27.
Why Not Required: UK GDPR Art. 27 requires EEA companies to appoint a UK representative only when processing substantial amounts of UK personal data. Our current UK operations do not meet this threshold. We will appoint a UK representative if our UK data processing activities increase to meet the Article 27 criteria.
UK User Contact: UK residents may contact our Data Protection team directly:
Email: dpo@hashedhorizon.com
Address: ul. Marszałkowska 1, 00-624 Warsaw, Poland
You may also contact the UK Information Commissioner's Office (ICO) directly regarding our UK processing activities:
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
Exercising Your GDPR Rights
To exercise your rights under GDPR Art. 15-22 (see California Privacy Rights section below for details):
Email: dpo@hashedhorizon.com
Subject Line Format: "GDPR Art. [XX] - [Right Name] Request"
Examples:
- "GDPR Art. 15 - Access Request"
- "GDPR Art. 16 - Rectification Request"
- "GDPR Art. 17 - Erasure Request"
- "GDPR Art. 20 - Data Portability Request"
- "GDPR Art. 21 - Objection to Processing"
Required Information:
- Your full name and Account email address
- Description of your request
- Preferred response format (email, postal mail)
- Any supporting documentation
Identity Verification: We will verify your identity before processing requests to prevent unauthorized access to Personal Data.
Response Time: 30 days (extendable by 2 months for complex requests under GDPR Art. 12(3))
Security Issues
For urgent security matters or suspected data breaches:
Email: support@hashedhorizon.com
Subject Line: "URGENT: Security Issue - [Brief Description]"
Priority Handling: Security reports receive immediate attention with acknowledgment within 2 hours during business hours.
What to Report:
- Suspected unauthorized access to your Account
- Discovery of security vulnerabilities
- Suspected Personal Data breaches
- Phishing attempts impersonating Hashed Horizon
Responsible Disclosure: If you discover a security vulnerability, please report it privately and allow us reasonable time to address it before public disclosure.
Postal Mail
For formal legal notices or if you prefer postal communication:
Mailing Address: Hashed Horizon Sp. z o.o., Attn: Data Protection / Privacy Team, ul. Marszałkowska 1, 00-624 Warsaw, Poland
Processing Time: Postal mail is processed within 10 business days of receipt.
Verification: We may request additional identity verification for postal requests.
Complaints to Supervisory Authorities
If you are unsatisfied with our response to your privacy concerns, you have the right to lodge a complaint with a data protection supervisory authority:
United Kingdom Supervisory Authority
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Email: casework@ico.org.uk
Phone: 0303 123 1113 (UK) / +44 1625 545 745 (International)
Postal Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Online Complaint Form: https://ico.org.uk/make-a-complaint/
Live Chat: Available on ICO website during business hours
Other EU/EEA Countries: If you are in another EU/EEA country, you can lodge a complaint with your national data protection authority. Find your authority at: https://edpb.europa.eu/about-edpb/board/members_en
Your Right: Under GDPR Art. 77, you have the right to lodge a complaint with a supervisory authority in:
- Your habitual residence
- Your place of work
- The place of alleged infringement
No Retaliation: We will not retaliate against you for lodging a complaint with a supervisory authority.
Feedback and Suggestions
We welcome feedback on our privacy practices:
Email: support@hashedhorizon.com
Subject: "Privacy Feedback - [Topic]"
Topics:
- Suggestions for improving privacy transparency
- Requests for additional privacy features
- Feedback on this Privacy Policy
- Questions about data processing practices
No Obligation: While we appreciate feedback, we have no obligation to implement suggestions.
Language and Translation
Primary Language: English is the primary language for all privacy communications.
Translation Requests: If you require communication in another language:
- Email: dpo@hashedhorizon.com
- Subject: "Translation Request - [Language]"
EU Consumer Rights: For EU consumers, if your Member State law requires communications in a specific language, we will provide translation. In such cases, both English and local language versions are equally authoritative.
Accessibility
If you require this Privacy Policy in an alternative format due to a disability:
Email: support@hashedhorizon.com
Subject: "Accessibility Request - Privacy Policy"
Available Formats:
- Large print PDF
- Screen reader-optimized HTML
- Plain text version
Response Time: We will provide alternative formats within 10 business days.
Contact Information Summary
| Purpose | Contact Method | Response Time |
|---|---|---|
| General Privacy Inquiries | support@hashedhorizon.com | 5 business days |
| Data Protection Contact | dpo@hashedhorizon.com | 30 days (GDPR requests) |
| GDPR Rights Requests | dpo@hashedhorizon.com | 30 days |
| Security Issues | support@hashedhorizon.com (URGENT) | 2 hours |
| Postal Mail | Hashed Horizon Sp. z o.o. | 10 business days |
| Supervisory Authority Complaints | See above | Varies by authority |
Order of Precedence
In the event of any conflict or inconsistency between legal documents, the following order of precedence applies (highest to lowest):
- Enterprise Addendum - Controls enhanced terms for Enterprise Customers
- Data Processing Agreement (DPA) - Controls data processing terms for Business Customers
- Order Form (if any) - Controls service-specific terms and pricing
- Privacy Policy - Controls personal data processing and privacy rights (for data protection matters)
- Terms of Service - Controls general use, liability, and dispute resolution
- Cookie Policy - Controls cookie use and consent management
Interpretation Rules:
- Specific Prevails Over General: More specific provisions prevail over general provisions
- Later Prevails Over Earlier: In case of amendments, the most recent version prevails
- Mandatory Law Prevails: Nothing in these documents limits rights granted by mandatory consumer protection, data protection, or other applicable laws
For Business Customers: The DPA and Enterprise Addendum (if applicable) take precedence over consumer-focused provisions in the Terms of Service and Privacy Policy.
For Consumer Customers: Consumer protection laws (GDPR, ePrivacy Directive, national consumer laws) prevail over any conflicting contractual terms.
Effective: 2025-10-25 | Version: 5.0.0