Privacy Policy — Hedotype
Last updated: 2026-05-25
Version: 1
Status: Engineering draft pending counsel review.
This Privacy Policy describes how we collect, use, store, and share information when you use Hedotype (the "Service"). If you do not agree with this Policy, do not use the Service.
1. What we collect
We collect the following categories of information:
- Account information you provide directly: your email address, your age self-attestation, optional account display name.
- Quiz answers and self-reflection inputs you provide while using the Service.
- AI companion conversation messages you exchange with the optional AI companion feature, only when you have explicitly consented to it (Article 9 special-category data — see Section 4).
- Technical metadata automatically collected by your browser and our hosting platform: IP address, browser type, request timestamps, geographic country code (derived from IP, used only for the EU geo-block during the testing window).
- Payment metadata when you make a purchase, processed by our payment processor (Stripe). We do NOT store full payment card numbers ourselves; Stripe handles that.
2. Why we collect it (lawful bases)
- Account information: necessary to perform our contract with you under Article 6(1)(b) GDPR.
- Quiz answers: necessary to perform our contract with you (delivering the quiz result) under Article 6(1)(b) GDPR.
- AI companion messages: explicit consent under Article 9(2)(a) GDPR.
- Technical metadata and payment metadata: legitimate interests in operating, securing, and improving the Service under Article 6(1)(f) GDPR, and contract performance for payment under Article 6(1)(b).
A per-data-category lawful-basis matrix is published at apps/hedotype/docs/legal/lawful-basis-matrix-v1.md for transparency.
3. Retention
- Quiz answers and result data: 365 days by default. You can extend retention up to 3 years, or delete earlier, at /account/privacy.
- AI companion messages: 365 days by default; user-configurable up to 3 years. Deletion uses the cryptographic-shred mechanism described in Section 5: we destroy the per-user encryption key, rendering the ciphertext unrecoverable.
- Account metadata: for as long as your account is active, then for 90 days after you close it, after which it is deleted.
- Technical logs: 12 months, for security monitoring and incident investigation, then deleted.
- Payment records: for as long as tax and accounting law requires (typically 7 years in the United States).
4. Article 9 special-category data — explicit consent and withdrawal
Some Service features process data that may reveal information about your sexual orientation, sexual behavior, or other special categories under Article 9 GDPR. We process this data ONLY when you have given explicit, separate, opt-in consent. The consent screen names the specific data category and the processing purpose; you can read the canonical consent text in our public source repository.
You can withdraw consent at any time at /account/privacy/withdraw-companion-consent. Withdrawal triggers:
- Immediate end of any active AI companion conversation.
- Soft-deletion of your AI companion messages within 30 days.
- Cryptographic shred (destruction of the per-user encryption key) 30 days after the withdrawal request, making the ciphertext unrecoverable.
Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. Withdrawal is free of charge.
5. Encryption at rest
Sensitive content (including AI companion messages) is encrypted at rest using a per-user data-encryption key ("DEK"), which is itself stored only in wrapped form under a key-management service (KMS) master key. When you delete or withdraw consent, we destroy the per-user DEK after the 30-day grace window. Once the DEK is destroyed, the ciphertext cannot be decrypted by us or anyone else; this is what we call "cryptographic shred." It holds for every copy of the ciphertext, backups included, provided no unwrapped copy of the DEK survives outside the KMS boundary. The shred covers data in our own systems; content held by a processor listed in Section 6 is governed by that processor's Data Processing Agreement.
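The following is an added, self-contained Go example of the DEK-wrapping and cryptographic-shred mechanism described in Section 4 and this section; it is not Hedotype's code. It assumes AES-256-GCM for both message encryption and key wrapping (the policy does not name the algorithm), stands in for the KMS with an in-process master key, and uses illustrative names (Store, Enroll, Write, Read, Shred, ErrShredded) that do not appear in the policy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded: the DEK is gone; any surviving ciphertext (disk, backups) is unreadable.
var ErrShredded = errors.New("per-user DEK destroyed: ciphertext unrecoverable")

// must panics on errors that can only be programming bugs here (fixed key sizes, CSPRNG failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce.
func aeadSeal(key, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

// aeadOpen reverses aeadSeal; a wrong key or a tampered byte fails authentication.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Store models the Section 5 layout. kek stands in for the KMS master key (assumption:
// a real KMS keeps it unexportable and only wraps/unwraps DEKs on request).
type Store struct {
	kek        []byte
	wrappedDEK map[string][]byte   // userID -> DEK encrypted under the KEK; never stored in clear
	messages   map[string][][]byte // userID -> message ciphertexts
}

func NewStore() *Store {
	return &Store{kek: mustRandom(32), wrappedDEK: map[string][]byte{}, messages: map[string][][]byte{}}
}

// Enroll (on consent) mints a fresh 256-bit DEK and persists only its wrapped form.
func (s *Store) Enroll(userID string) { s.wrappedDEK[userID] = aeadSeal(s.kek, mustRandom(32)) }

// dek unwraps the user's DEK for the duration of one operation.
func (s *Store) dek(userID string) ([]byte, error) {
	wrapped, ok := s.wrappedDEK[userID]
	if !ok {
		return nil, ErrShredded
	}
	return aeadOpen(s.kek, wrapped)
}

// Write encrypts one message under the user's DEK and stores the ciphertext.
func (s *Store) Write(userID string, msg []byte) error {
	dek, err := s.dek(userID)
	if err != nil {
		return err
	}
	s.messages[userID] = append(s.messages[userID], aeadSeal(dek, msg))
	return nil
}

// Read decrypts the user's i-th message; after a shred it returns ErrShredded.
func (s *Store) Read(userID string, i int) ([]byte, error) {
	dek, err := s.dek(userID)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, s.messages[userID][i])
}

// Shred (on withdrawal) destroys only the wrapped DEK. The ciphertext is left in
// place on purpose, as copies in backups would be; it is now unreadable by anyone.
func (s *Store) Shred(userID string) { delete(s.wrappedDEK, userID) }

func main() { // stand-alone demo on a constructed sample message
	s := NewStore()
	s.Enroll("user-42")
	_ = s.Write("user-42", []byte("constructed sample message"))
	s.Shred("user-42")
	_, err := s.Read("user-42", 0)
	fmt.Println("ciphertexts kept:", len(s.messages["user-42"]), "| read:", err)
}
```

Enroll corresponds to the consent grant in Section 4 and Shred to the key destruction after the grace window. The point to observe is that Shred never touches the message ciphertexts: they remain stored, and every Read afterwards fails with ErrShredded, while other users' keys and data are unaffected. In a real deployment the wrapped-DEK record is the one thing that must be destroyed everywhere it exists, and each unwrap call to the KMS is the natural audit point for access to a user's data.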
6. Third-party processors
We share information with the third-party processors listed at /legal/companion-processing. Each row in that list names the processor, the role it plays, the lawful basis for the transfer, and a link to the processor's Data Processing Agreement.
We do NOT sell your personal information. We do NOT share information with partners outside the named processor list. There is no advertising identifier exchange.
7. Cookies and tracking
We use a small number of strictly necessary cookies (session, authentication, anti-CSRF) and a privacy-friendly analytics service (PostHog) for usage statistics. We do not use cross-site tracking cookies. During the testing window, no EU traffic is served the analytics cookie because the EU geo-block redirects EU users to a "not available" page; after the testing window, an EU-compliant cookie banner will be added.
8. Your rights
Depending on where you live, you may have rights including:
- Right to know what personal information we hold about you.
- Right to delete your personal information.
- Right to rectify inaccurate information.
- Right to data portability (a machine-readable copy).
- Right to withdraw consent (Article 9 data; see Section 4).
- Right to lodge a complaint with a supervisory authority.
- CCPA non-discrimination: we will not charge you a different price or provide a different level of service if you exercise your CCPA rights.
You can exercise these rights at:
- /account/privacy/ccpa (California residents)
- /account/privacy/gdpr (EU/EEA/UK residents)
- /account/privacy/withdraw-companion-consent (Article 9 consent withdrawal)
We do NOT sell your personal information; the CCPA "right to opt out of sale" is therefore not applicable to us.
9. Children
The Service is not directed to anyone under 18 and we do not knowingly collect information from minors. If we learn that we have collected information from a minor, we will delete it.
10. Security
We protect information using industry-standard practices including TLS in transit, encryption at rest for sensitive content (Section 5), least-privilege access controls, and audit logging on critical operations. No system is perfectly secure; please use a strong, unique password.
11. Contact
Privacy questions and data-rights requests: privacy@hedotype.com.