Privacy Policy
Welcome to Hisubi. We are committed to protecting your privacy and ensuring your digital journey remains as secure as it is meaningful.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at Hisubi.com and use the Hisubi social media platform. This policy is designed to comply with global data protection laws, including the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and India's Digital Personal Data Protection Act (DPDPA).
1. Who We Are (Data Controller)
For the purposes of applicable data protection laws, Hisubi acts as the Data Controller (or Data Fiduciary under DPDPA) for the personal information we collect.
Data Protection Officer (DPO) & Grievance Officer:
Akshit Agrawal
F-300/101 Vasundhara Apartment, Harishankar Puram
Gwalior, 474002, Madhya Pradesh, India
privacy@hisubi.com
2. Information We Collect & Lawful Basis
We process your data strictly based on specific legal grounds defined by the GDPR (Article 6) and DPDPA.
| Data Category | Purpose of Processing | Lawful Basis (GDPR / DPDPA) |
|---|---|---|
| Account Data (Email, name, avatar, DOB) | Account creation, age verification, authentication | Contract / Consent |
| User Content (Posts, reflections, comments) | Core social platform functionality | Contract |
| Messages & Chats (End-to-End Encrypted) | Private communication delivery | Contract |
| Technical Data (IP address, device info) | Security, spam prevention, platform stability | Legitimate Interest |
| Analytics Data (via Google Analytics 4) | Understanding usage trends to improve the app | Explicit Consent |
3. Cookies & Tracking
We use cookies and similar technologies to run Hisubi. You can manage your preferences at any time in your Settings.
Essential Cookies (Always On)
Required for the website to function, including authentication (Firebase) and security. These cannot be disabled.
Analytics Cookies (Opt-in)
We use Google Analytics 4 (GA4) to measure traffic and engagement. GA4 sets cookies to distinguish users. These are only loaded if you explicitly grant consent via our cookie banner.
Functional Cookies (Opt-in)
Used to remember your preferences (like Serene Mode) and handle push notification states.
4. Data Sharing & Processors
We do not sell your personal data. We share data only with trusted third-party processors necessary to run the platform. We have Data Processing Agreements (DPAs) in place with these providers:
- Google Firebase & Google CloudUsed for database hosting (Firestore), authentication, and file storage. Data is encrypted at rest.
- Google Analytics (If consented)Used for aggregated usage analytics. IP addresses are anonymized.
User-Generated Content in "Circles"
Posts shared within a Circle are visible to all members of that Circle. Circle administrators can moderate content but cannot access your private messages or personal profile data beyond what you make public.
5. End-to-End Encryption (E2EE)
Messages sent through Hisubi's direct messaging feature are encrypted end-to-end utilizing WebCrypto APIs. This means:
- What is encrypted: The actual content of your private messages.
- What we cannot access: Hisubi staff cannot read the plaintext content of your messages under any circumstances.
- What we can access: Message metadata (sender ID, recipient ID, timestamp, and message size) required for delivery and abuse prevention.
While we cannot decrypt messages even if compelled by law enforcement, metadata may be disclosed in response to valid legal processes.
6. Data Retention
We retain your data only for as long as necessary to fulfill the purposes outlined in this policy:
- Account Data & Posts: Kept until you request account deletion. Upon deletion, data is wiped from active databases immediately and from backups within 30 days.
- Analytics Data: Retained for 14 months before automatic deletion.
- Security Logs: IP logs and security events are retained for 90 days to investigate abuse.
- Consent Records: Retained as long as your account exists to prove compliance in the event of a regulatory audit.
7. Your Privacy Rights
Depending on your location, you have specific rights regarding your personal data. You can exercise most of these directly in the Hisubi Settings dashboard.
Global Rights (Available to all)
- Right to Access & Portability: You can download a JSON archive of your profile, posts, and circles via Settings > Download My Data.
- Right to Deletion: You can permanently delete your account and all associated data via Settings > Erase My Path.
- Right to Correction: You can update your profile information at any time.
EU & UK Users (GDPR)
In addition to the above, you have the right to restrict processing, object to processing based on legitimate interests, and withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
California Users (CCPA)
You have the right to know what personal information is collected, the right to non-discrimination, and the right to opt-out of the "sale" or "sharing" of personal information. Hisubi does not sell your personal information.
Indian Users (DPDPA)
You have the right to grievance redressal and the right to nominate another individual to exercise your rights in the event of death or incapacity. Please contact our Grievance Officer at privacy@hisubi.com to exercise these rights.
8. International Transfers
Hisubi operates globally. Your data may be processed in facilities located outside your home country, primarily on Google Cloud servers located in the United States and India.
For users in the European Economic Area (EEA) and the UK, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, as activated through our Data Processing Addendum with Google Cloud, to ensure your data receives an adequate level of protection when transferred internationally.
9. Children's Privacy
Hisubi is not intended for use by children. You must be at least 13 years old (or 16 in certain EU jurisdictions) to create an account. We implement technical measures during registration to enforce this limit. If we become aware that we have collected personal data from a child under the required age without verifiable parental consent, we will delete the account and data immediately.
10. Security & Breach Notification
We implement robust technical and organizational security measures to protect your data. However, no system is entirely impenetrable.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authorities (such as the Data Protection Board of India or the relevant EU authority) within 72 hours of becoming aware of it. We will also notify affected users without undue delay so you can take appropriate protective steps.
Questions or Grievances?
If the winds of privacy feel unclear, or if you wish to file a formal grievance, reach out to our team.