hibi - Privacy Policy

Effective date: September 15, 2025

This Privacy Policy explains how Adrien Dulong ("hibi," "we," "our," or "us") collects, uses, and discloses personal information when you use our mobile application and our website at https://hibi.space (together, the "Services"). "Personal information" means any information relating to an identified or identifiable individual.

By using the Services, you agree to the practices described in this Privacy Policy. Your use of the Services is also subject to our Terms of Service.

Who is the data controller?

Controller: Adrien Dulong

Contact (privacy): support@hibi.space

Personal Information We Collect

A. Information You Provide

  • Account Information. Email address, first name, and age.
  • Journal Content. Free-text entries, mood/emotions, relationship mapping, tags, day-shapes/emotion wheels, photos, and audio notes (including transcriptions). If you include personal information in your entries or recordings, we collect that information.
  • Support Communications. If you contact us (email or in-app), we receive your message, attachments, and any contact details you provide.

B. Information Collected Automatically (App & Website)

  • Device & App Metadata (for analytics only). Timestamps, app version, device model/OS, push token, IP address (used to infer coarse location), language/locale, and time zone. We use these solely for analytics and product improvement and do not link them to your identity.
  • Usage Analytics. Screen views, feature usage, session duration, and A/B test variants (aggregated or pseudonymized).
  • Cookies/Local Storage (website). We may use essential and analytics cookies or similar technologies. You can control cookies via your browser settings. Blocking cookies may affect site functionality.
  • Location (precise). If you grant permission, we may collect precise location to power location-aware features. You can disable this in your device settings at any time.
  • Notifications. We collect a device push token to send push notifications if you opt in.

We do not collect crash logs/diagnostics.

C. Information Processed by AI Services

To generate responses and recaps, hibi may send your prompts (e.g., journal text and audio transcripts) to AI/LLM service providers and receive outputs. See "AI & Model Providers" below.

How We Use Personal Information

We use personal information to:

  • Provide and operate the Services (including generating personalized daily/weekly recaps and content).
  • Personalize experiences and recommendations within the app.
  • Communicate with you about the Services (e.g., service messages, support).
  • Send push notifications if you opt in (you can turn these off in settings).
  • Process payments via Apple In-App Purchase.
  • Maintain safety and integrity, detect/prevent fraud or abuse.
  • Research and improve the Services, including analytics and A/B testing (using non-linked or pseudonymized data).
  • Comply with legal obligations and enforce our Terms.

Legal Bases (EEA/UK)

Where GDPR applies, we process personal information under these bases:

  • Contractual Necessity: To provide the Services (account, core functionality).
  • Legitimate Interests: Product improvement, analytics with privacy controls, security/fraud prevention, and support—balanced against your rights.
  • Consent: Push notifications; access to device permissions (microphone, camera, photos, precise location). You may withdraw consent at any time in device settings.

We do not send marketing emails or marketing push notifications.

AI & Model Providers

  • Provider: OpenAI.
  • What we send: To generate responses/recaps, we may send your prompts (journal text and audio transcriptions, and minimal associated metadata necessary to complete the request) to OpenAI and receive outputs.
  • Outputs may reproduce inputs. If your prompt contains personal information, it may appear in the output.
  • Training controls: We configure available settings and include instructions so that your data is not used to train foundation models by providers.
  • Human review: We do not perform human review of private journal content except (i) if you ask us during support or (ii) if required by law.
  • Security: Prompts/outputs are transmitted over encrypted channels. We minimize provider retention where controls are available.

Infrastructure & Service Providers (Processors)

We use trusted vendors to operate the Services. These processors act on our instructions and are bound by appropriate agreements:

  • Hosting & API: Vercel
  • Storage (images/files): AWS
  • Database: Neon
  • Vector/embeddings store: Chroma
  • Real-time messaging: Ably
  • Analytics: PostHog (retention: 13 months)
  • Payments: Apple In-App Purchase (Apple acts as its own controller for payment information)

We may update this list as our Services evolve; material changes will be notified in-app and/or by email.

How We Disclose Personal Information

We may disclose personal information to:

  • Vendors/Service Providers listed above, only as needed to provide the Services.
  • Law Enforcement or Legal Requests where we believe disclosure is required or appropriate (e.g., valid court order), narrowly scoped and with notice to you where legally permitted.
  • Business Transfers in connection with a merger, acquisition, or asset sale. The successor will honor this Privacy Policy for previously collected information.
  • With Your Consent or at your direction.

We do not sell or share personal information for cross-context behavioral advertising.

International Transfers

We store primary data in the EEA and aim to avoid transfers outside the EEA/UK. Some processors (for example, OpenAI or real-time delivery networks) may process data in other countries depending on service configuration. Where international transfers occur, we implement appropriate safeguards—such as the EU Standard Contractual Clauses and supplementary security measures.

Retention

  • Journal Content: Retained for 60 days by default, then deleted or irreversibly de-identified unless we must retain it longer for legal reasons.
  • Account Data: Retained while your account is active; upon deletion, we remove or de-identify it within operationally reasonable timeframes.
  • Analytics Data (PostHog): Aggregated/pseudonymized analytics retained for 13 months.

Backups may persist for a limited period after deletion for security and continuity, then are purged on a rolling schedule.

Your Rights & Choices

In the EEA/UK (and similar jurisdictions), you may:

  • Access, correct, or delete your personal information.
  • Object to or restrict certain processing.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local supervisory authority.

How to exercise your rights

Use in-app settings or email support@hibi.space. We will respond within one month (GDPR standard). We may ask for information to verify your identity.

Permissions & Preferences

You can control permissions (camera, microphone, photos, precise location) and push notifications in your device settings at any time.

Data Export

We do not currently offer a self-service data export feature. You can still exercise the GDPR right to data portability by contacting us via the channels above.

Children's Privacy

The Services are not marketed to children.

  • Minimum age: You must be at least 13 years old to use hibi worldwide.
  • EEA/UK: If you are under the age of digital consent in your country (e.g., 15 in France), a parent or legal guardian must provide or authorize consent where consent is the legal basis.

If we learn that we have collected personal information from a child contrary to this section, we will delete it. Contact support@hibi.space.

Security

We use reasonable technical and organizational measures to protect personal information, including encryption in transit (TLS) and at rest, least-privilege access, secret management, and regular backups. No method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

California Privacy Notice (CPRA)

If you are a California resident, you have the right to:

  • Know the categories of personal information we collect and the purposes (see sections above).
  • Access, delete, and correct personal information.
  • Opt-out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising).
  • Limit use of sensitive personal information (we do not collect sensitive categories as defined by CPRA for these purposes).
  • Non-discrimination for exercising your rights.

Submit requests via in-app settings or support@hibi.space. We will verify your request and respond per CPRA timelines.

Third-Party Services and Links

Our Services may link to third-party websites or services. Their privacy practices are governed by their own policies. Please review those policies before providing information to them.

Delete Your Account or Information

You can request deletion by emailing support@hibi.space from the email associated with your account. After verification, we will delete your account and associated personal information (subject to lawful retention needs) within a reasonable time (generally within 30 days), and remove your content from active systems; backups are purged on a rolling schedule.

Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version here and provide in-app notice and email notification for material changes. The revised policy is effective when posted unless otherwise stated.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

support@hibi.space

← Back to hibi
Built with v0