HaptoPrivacy Policy
We respect your privacy. This explains what we collect, why, how long we keep it, and your rights — with particular care for any photos you upload to our AI products.
1. The short version
- We process content you provide only to deliver the service you asked for, then delete it.
- We never use your uploaded photos or content to train AI models.
- We never sell your content.
- Uploaded photos are deleted within 30 days, and sooner on request.
- You can ask us to delete your data anytime at [email protected].
2. Photos of people are special-category data
A photo of a person's face can be biometric / special-category personal data under laws such as the GDPR (Art. 9), BIPA, and the CCPA/CPRA. Where a Hapto product accepts such uploads, we process them only with your explicit, opt-in consent, given at upload, and only to produce your requested result. Before generating, we also automatically screen uploaded photos for prohibited content (recognizable public figures, apparent minors, explicit imagery) and block violations (see §6).
3. What we collect
- Content you provide (e.g. photos you upload) and the results you create.
- Account & usage data — an account identifier, balances, history, and basic device/log data to run and secure the Services.
- Payment data — handled by our Merchant(s) of Record; we do not store full card details.
- Email, if you give it to us for updates, a waitlist, or support.
4. Retention & deletion
Uploaded photos are stored in private, access-controlled storage and are automatically deleted within 30 days (sooner on request). Generated results are kept so you can re-access them, and are deleted when you delete them or close your account. Account and transaction records are kept only as long as needed and to meet legal/tax obligations.
5. We do not train AI on your content
Your uploads and results are not used to train, fine-tune, or improve any AI model — ours or anyone else's. They are used only to fulfil your specific request.
6. Who processes data for us
We use a small set of vetted providers strictly to operate the Services, each under data-processing terms: cloud storage and delivery (e.g. Amazon Web Services); content-safety screening (Amazon Rekognition), which screens the photos you upload for prohibited content (recognizable public figures, apparent minors, and explicit imagery) before generation and is not permitted to retain them; AI model providers for generation (instructed not to train on your content); and payment Merchants of Record (e.g. Creem internationally and Razorpay in India). We share only what each provider needs.
7. International transfers
We are based in India and our providers may process data elsewhere. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses.
8. Your rights
Depending on where you live, you may access, correct, delete, port, or restrict your data, withdraw consent, and object to certain processing. Email [email protected] to exercise any right — including deleting uploaded photos. You may also complain to your local data-protection authority.
EEA/UK (GDPR): our legal basis for processing uploaded face photos is your explicit consent (Art. 9(2)(a)), withdrawable at any time; you may complain to your supervisory authority. California (CCPA/CPRA): you may know, access, delete, and correct your personal information and opt out of its sale or sharing — and we do not sell or share your personal information.
9. Children
Our Services are not for anyone under 18, and we do not knowingly collect data from minors or accept photos of them.
10. Security & contact
We protect data with encryption in transit and at rest, private storage, access controls, and short-lived signed links for any media delivery. Data controller: Asif Iqbal, Bengaluru, Karnataka, India. Privacy requests: [email protected].