Privacy Policy
Last updated: February 9, 2026 · Effective: February 9, 2026
1. Introduction & Scope
Hello App, Inc. ("Hello," "we," "us," or "our") operates the Hello mobile application ("App") and the website located at thehelloapp.us ("Website"), collectively the "Service." This Privacy Policy describes how we collect, use, disclose, retain, and safeguard personal information when you use the Service.
By creating an account or otherwise using Hello, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, do not use the Service.
This Privacy Policy applies to all users of the Service worldwide. Where local law grants additional rights or imposes additional obligations (such as the EU General Data Protection Regulation, the California Consumer Privacy Act, or applicable U.S. state children's privacy laws), those rights and obligations are incorporated by reference and apply in addition to this Policy.
2. Information We Collect
2.1 Information You Provide
- Account information: Legal first name, legal last name, display name, date of birth, gender, and state/region, as provided during onboarding. We also receive your email address and basic profile data (name and avatar) from Google when you authenticate via Google OAuth 2.0, or from Apple when you authenticate via Sign in with Apple.
- Profile data: Your selected interests, personality quiz answers, personality badge type, and profile photograph.
- Verification data: During the face verification process, we capture multiple camera frames of your face along with associated device sensor data (head rotation angles, eye openness metrics, smile probability, and face bounding-box dimensions). These frames are transmitted to our servers for processing.
- Messages: Text content of messages you send through the Hello chat system. Messages are processed by AI moderation before delivery and may be assigned a moderation status (approved, pending review, or rejected).
- Reports and blocks: If you report a message, we collect the report reason (e.g., harassment, inappropriate content, spam, underage, or other) and any additional details you provide. If you block another user, we record the block relationship.
- Terms acceptance: Timestamp of your acceptance of our Terms of Service.
2.2 Information We Generate
- Verification capture: Upon successful liveness verification, a single face capture ("verification photo") is stored in our encrypted object storage. This serves as your identity anchor for future profile-photo matching.
- Verification record: Method used, verification status, timestamp, and a unique verification identifier.
- Audit log: Records of verification attempts (both successful and failed), spoofing detections, age-mismatch events, face-match outcomes, and moderation decisions. These include the event type, timestamp, anonymized metadata, and the IP address from which the request originated.
- Trust score: A numerical trust indicator derived from your account behavior and verification history.
- Automated report investigation data: When a user reports a message, our system may conduct an automated investigation using AI. During this investigation, the AI reviews the reported message, surrounding conversation context, the reported user's moderation history, enforcement history, and trust score trajectory. The investigation produces a structured decision record including confidence score, recommended action, and reasoning, which is logged to an immutable audit trail.
2.3 Information Collected Automatically
- Device information: Application identifier, application version, and client platform (iOS or Android) are transmitted with each API request for security, rate-limiting, and debugging purposes.
- Network information: IP address, as derived from your network connection. We use IP addresses for rate limiting, fraud prevention, and abuse detection. IP addresses associated with verification events are stored in our audit log.
- Usage data: We use PostHog, a product analytics service provided by PostHog, Inc. (hosted on PostHog US cloud at us.i.posthog.com), to collect usage events such as screen views, onboarding progress, feature usage, and button interactions. Autocapture is disabled — only explicitly defined events are tracked. Analytics events never contain message content, photographs, biometric data, or personally identifiable information (names, email addresses, phone numbers, or dates of birth). A server-side PII linter strips forbidden keys before events are transmitted to PostHog.
- App Tracking Transparency (iOS): On iOS 14.5 and later, Hello presents Apple's App Tracking Transparency (ATT) permission dialog before any tracking identifiers are collected. If you deny the ATT prompt, analytics events are still collected to improve the app experience, but Apple's advertising identifier (IDFA) is not accessed. Regardless of your ATT choice, Hello does not display advertisements, does not sell data to advertising networks, and does not engage in cross-app tracking.
3. Legal Bases for Processing (GDPR)
For users subject to the General Data Protection Regulation, we process your personal data on the following legal bases:
- Contractual necessity (Art. 6(1)(b)): Processing required to provide the Service, including account creation, verification, and profile management.
- Legitimate interest (Art. 6(1)(f)): Fraud prevention, abuse detection, security enforcement, platform integrity, and analytics to improve the Service.
- Legal obligation (Art. 6(1)(c)): Compliance with applicable child safety laws, law enforcement requests, and mandatory reporting requirements.
- Consent (Art. 6(1)(a)): Where we process sensitive data (biometric face verification), we rely on your explicit, informed consent provided during the verification flow. You may withdraw consent by deleting your account, which will trigger deletion of all associated biometric data.
4. How We Use Your Information
- Create and maintain your Hello account and profile.
- Verify your identity and age through our multi-step liveness verification system.
- Match your profile photo against your verified face capture to prevent impersonation and catfishing.
- Moderate profile photos for safety, content appropriateness, and quality using AI screening.
- Moderate chat messages using AI to detect and prevent harmful content before delivery to recipients.
- Process user reports of messages (harassment, inappropriate content, spam, underage, or other) and enforce block relationships to prevent unwanted communication between users.
- Automatically investigate reported messages using AI. Based on the investigation, our system may: dismiss clearly frivolous reports, issue warnings, apply temporary communication restrictions (send mutes), suspend accounts, or escalate to human review. High-confidence automated actions are taken only when the AI reaches a confidence threshold of 85% or higher for immediate action, or 75% or higher after deep investigation. When confidence falls below the threshold, the report is escalated to human review. All automated enforcement decisions are logged to an immutable audit trail for accountability.
- Allow users subject to automated enforcement decisions to appeal through in-app support (the Finn AI assistant or Intercom live support).
- Enforce our Terms of Service, Community Standards, and zero-tolerance policies.
- Prevent fraud, abuse, and unauthorized access through rate limiting, request signing, and authentication.
- Maintain an audit trail of trust-critical events for safety investigations and compliance.
- Improve the Service, fix bugs, and develop new safety features using aggregated, anonymized analytics.
- Comply with applicable law, including child safety regulations and mandatory reporting obligations.
- Respond to lawful requests from law enforcement and government authorities.
5. Biometric Data & Face Verification
5.1 What We Process
During liveness verification, your device camera captures 2–6 photographic frames as you complete face movement challenges (e.g., turn head, smile, blink, move closer). These frames, along with device sensor data, are transmitted to our server via an encrypted HTTPS connection.
5.2 How We Process It
Our server submits the frames to an AI model (hosted by OpenRouter) for analysis. The model evaluates: (a) whether the subject is a real, live person (not a photo, screen, or mask); (b) whether the same person appears across all frames; (c) whether physical motion is detected; and (d) the estimated age of the subject.
5.3 What We Store
Verification frames: Processed in real time on our server and not persisted after analysis. Frames are held only in server memory during the verification request and are discarded upon response.
Verification photo: Upon successful verification, a single face capture is stored in our private, encrypted object storage bucket. This photo is accessible only via our server using a privileged service-role key and is never exposed via public URL.
5.4 Retention & Deletion
The verification photo and verification record are retained for as long as your account is active. Upon account deletion, the verification photo is permanently deleted from object storage, and the verification record is removed from our database. Audit log entries are anonymized 90 days after account deletion.
5.5 Consent & Withdrawal
You explicitly consent to biometric processing when you initiate the face verification flow. You may withdraw consent at any time by deleting your account, which triggers immediate deletion of your verification photo and associated biometric data.
6. Data Storage & Security
Account data is stored in a PostgreSQL database hosted by Supabase with Row Level Security (RLS) policies that prevent users from accessing or modifying other users' data. Verification photos are stored in a private storage bucket accessible only via a privileged service-role key.
All API endpoints require authentication. Mobile API requests are protected by request signature verification (SHA-256 signed payloads with timestamp-based replay prevention), per-user and per-IP rate limiting, and short-lived session tokens. All data in transit is encrypted via TLS 1.2+. Data at rest is encrypted using AES-256 by our hosting provider.
7. Data Retention
You may delete your account at any time from within the App (Profile → Delete Account). Account deletion is immediate and permanently removes your stored files, profile data (which cascade-deletes related records including messages, reports, and blocks), and your authentication credentials. Alternatively, you may request deletion by contacting us at privacy@thehelloapp.us.
- Account data: Retained while your account is active. Permanently deleted upon account deletion.
- Verification photo: Retained while your account is active. Permanently deleted from object storage upon account deletion.
- Verification frames: Not persisted. Processed in memory and discarded immediately after analysis.
- Chat messages: Retained while your account is active. Deleted upon account deletion as part of the cascade deletion of your profile data.
- Reports and blocks: Retained while your account is active. Deleted upon account deletion. Reports related to safety investigations may be retained in anonymized form.
- Audit log entries: Retained for 2 years for safety and compliance, then permanently deleted.
- Analytics events: Retained per PostHog's standard retention policy. Events do not contain photographs or biometric data.
8. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information. We share data only with:
- Supabase (Supabase Inc.): Database hosting, authentication, and private object storage under a Data Processing Agreement.
- OpenRouter (OpenRouter, Inc.): AI model hosting. OpenRouter routes requests to the bytedance-seed/seed-1.6-flash model. OpenRouter is used for: liveness verification analysis, face matching, profile photo moderation, real-time chat message moderation, the Finn AI support assistant, and automated report investigation. Face frames, profile photos, and message content are transmitted for processing only — neither Hello nor OpenRouter retains message content after processing is complete, and OpenRouter does not retain submitted images after analysis. All AI API calls are logged to an internal cost and audit database (recording token counts, latency, and cost — no message content is included in these logs).
- PostHog (PostHog, Inc.): Product analytics. Receives anonymized usage events only. Does not receive photographs or biometric data.
- Google (Google LLC): OAuth 2.0 authentication. We receive your email and basic profile data. We do not transmit Hello data back to Google.
- Apple (Apple Inc.): Sign in with Apple authentication. We receive your email (which you may choose to hide) and name. We do not transmit Hello data back to Apple.
- Intercom (Intercom R&D Unlimited Company): In-app customer support. We share your user identifier, display name, and email address with Intercom to provide customer support services. Message content from Hello chats is not shared with Intercom. Intercom processes the data we share under their Data Processing Agreement.
- Google AdMob (Google LLC): In-app advertising. AdMob serves ads within the Hello app and may collect device identifiers, ad interaction data (impressions, clicks), and general device information (device type, OS version) to serve and measure ads. AdMob does not receive your messages, photos, profile content, or biometric data. On iOS, personalized ads require your consent via the App Tracking Transparency prompt — if you deny tracking, AdMob serves contextual (non-personalized) ads only. Ad content is restricted to Teen-appropriate ratings. We do not sell your data to advertisers. Google processes ad data under their Privacy Policy.
We may also disclose personal information: (a) to comply with applicable law or governmental request; (b) to enforce our Terms of Service; (c) to protect the rights, property, or safety of Hello, our users, or the public; (d) in connection with a merger, acquisition, or sale of assets; or (e) with your consent.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. When we transfer data internationally, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Delete your personal information by using the self-service account deletion feature in the App (Profile → Delete Account), which immediately and permanently removes your data. You may also request deletion by contacting us.
- Portability: Request a machine-readable copy of your data.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interest.
- Withdrawal of consent: Withdraw consent at any time by deleting your account through the self-service deletion feature in the App or by contacting us.
- Non-discrimination: Exercise your privacy rights without receiving discriminatory treatment.
To exercise these rights, contact us at privacy@thehelloapp.us. We will respond within 30 days (or sooner if required by applicable law).
11. Children's Privacy
Hello is designed for users aged 13 and older. We do not knowingly collect personal information from children under 13. Our age verification system includes AI age estimation specifically designed to prevent underage access.
If you are a parent or guardian and believe your child under 13 has provided personal information to Hello, contact us immediately at privacy@thehelloapp.us. We will promptly investigate and, if confirmed, delete the child's account and all associated data within 48 hours.
For users between 13 and 17, we require that a parent or legal guardian has reviewed and consented to our Terms of Service and this Privacy Policy. We apply additional safeguards to minor accounts, including enhanced content moderation.
12. U.S. State Privacy Rights
California residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion, opt out of any sale (we do not sell personal information), and not be discriminated against for exercising your rights.
Illinois residents (BIPA): We collect biometric data (face geometry) during face verification. We obtain your informed written consent before collecting this data. Biometric data is stored securely and deleted upon account deletion or within 3 years of your last interaction with the Service, whichever comes first.
Other U.S. states: Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana) may exercise their applicable rights by contacting us.
13. Do Not Track, App Tracking Transparency & Automated Decision-Making
13.1 Do Not Track
Hello does not respond to Do Not Track (DNT) browser signals.
13.2 App Tracking Transparency (iOS)
On iOS 14.5 and later, Hello presents Apple's App Tracking Transparency (ATT) permission dialog on first launch. If you deny the ATT prompt, analytics events are still collected to improve the app experience, but Apple's advertising identifier (IDFA) is not accessed. Hello does not display advertisements, does not sell data to advertising networks, and does not engage in cross-app tracking. PostHog analytics are used solely to improve the app experience.
13.3 Automated Decision-Making
Our verification system uses automated AI analysis to estimate age and detect spoofing. Automated decisions resulting in denial of service can be reviewed by contacting us.
Our automated report investigation system uses AI to review reported messages and may take enforcement actions (warnings, communication restrictions, or account suspensions) without human intervention when the AI reaches a high confidence threshold (85% or higher for immediate action, 75% or higher after deep investigation). When confidence is below the applicable threshold, reports are escalated to human review. All automated enforcement decisions are logged to an immutable audit trail. Users subject to automated enforcement can appeal through in-app support.
We do not use automated decision-making for profiling purposes.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will: (a) update the "Last updated" date; (b) notify you through the App or by email at least 14 days before the changes take effect; and (c) where required by law, obtain your renewed consent. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Contact Us
For privacy questions, data subject requests, or concerns about our data practices, contact our Privacy Team at privacy@thehelloapp.us.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.