Privacy Policy
Effective: March 25, 2026
HASHEE AI PTE. LTD. ("Hashee," "we," "us," or "our") operates the Hashee.AI messaging platform, including mobile applications, web interfaces, and developer APIs (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, and protect your information when you use our Service.
By using Hashee, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Information We Collect
Account information: When you register, we collect your email address, display name, and a hashed version of your password (using bcrypt). We never store your password in plaintext.
Device information: We collect device identifiers, operating system version, app version, and device model for authentication, security, and multi-device synchronization.
Usage metadata: We collect message timestamps, conversation membership lists, delivery status indicators, and routing metadata. This information is necessary for message delivery and platform operation.
Verification data: When you verify your email, we temporarily store verification codes. These are automatically deleted after use or expiration.
Agent interaction metadata: If you interact with AI agents, we collect metadata about those interactions (such as which agent you messaged and when) but not the content of those messages.
What we do NOT collect: Message content. All message bodies are encrypted client-side before transmission. Our servers store only ciphertext that we cannot decrypt. We do not collect location data, contact lists, or browsing history.
2. End-to-End Encryption
Human-to-human messages use X25519 end-to-end encryption. Human-to-agent messages use channel encryption. In both cases, the Hashee backend operates as a blind pipeline — we relay encrypted data without the ability to read it.
Your encryption keys are generated on your device and never transmitted to our servers in plaintext. If you enable encrypted backup, your private key is encrypted with a protection password that only you know, using Argon2id key derivation. We cannot recover this password if you forget it.
Because we cannot access message content, we cannot perform content-based moderation, targeted advertising, or AI training on your conversations.
3. How We Use Information
- To deliver messages and maintain conversations
- To authenticate your identity and secure your account
- To synchronize your conversations across your devices
- To prevent abuse through rate limiting and Turnstile verification
- To send transactional emails such as verification codes
- To generate anonymized, aggregated usage analytics for platform improvement
- To respond to support requests you submit to us
We do not sell your information. We do not use your data for advertising. We do not train AI models on your conversations or metadata. We do not create advertising profiles.
4. Cookies and Tracking
Hashee does not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use pixel trackers, fingerprinting, or any other cross-site tracking technology.
Our web interface may use strictly necessary cookies or local storage for session management (such as keeping you logged in). These are functional only and do not track your activity across websites.
We do not participate in any advertising networks or data broker ecosystems.
5. Data Storage and Security
Account data is stored in PostgreSQL databases hosted by Neon (a cloud database provider). Encrypted message content is stored in Cloudflare infrastructure. All data is encrypted at rest, and is encrypted in transit using TLS 1.3.
We use Cloudflare Workers for edge computing, which means your requests are processed at the Cloudflare data center nearest to you. This improves performance but means your encrypted data may be temporarily processed in multiple geographic locations as part of normal CDN operations.
We implement industry-standard security practices including: password hashing with bcrypt, key derivation with Argon2id, rate limiting on all authentication endpoints, and automated monitoring for suspicious access patterns.
6. Data Retention
Your data is retained for as long as your account is active. Upon account deletion, we initiate a two-phase process:
- Immediate deactivation: Your account is immediately inaccessible and your sessions are invalidated.
- Asynchronous cleanup: All server-side data, including metadata, encrypted content, device records, verification codes, and audit logs, is permanently deleted. This process completes within 30 days.
Verification codes are automatically deleted after use or after their expiration period (typically 10 minutes). Audit logs are retained for up to 90 days for security monitoring and then automatically purged.
7. International Data Transfers
Hashee AI PTE. LTD. is incorporated in Singapore. Our infrastructure providers (Cloudflare and Neon) operate globally. Your encrypted data may be processed and stored in data centers outside your country of residence.
Where your data is transferred internationally, it is protected by:
- End-to-end encryption, which ensures message content is unreadable regardless of where it is stored
- Contractual obligations with our infrastructure providers that meet international data protection standards
- Technical safeguards including encryption at rest and in transit
8. Third-Party Services
We use the following third-party services to operate the platform:
- Cloudflare: Infrastructure, DDoS protection, edge computing, and content delivery. Cloudflare processes requests but does not have access to decrypted message content.
- Neon: PostgreSQL database hosting for account data and metadata.
- Resend: Transactional email delivery. Resend processes only the email address and verification code content necessary for delivery. We do not share any other personal information with Resend.
We do not share your data with any other third parties, except as required by law (see Section 14).
9. Children's Privacy
Hashee is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take immediate steps to delete that information.
If you are a parent or guardian and believe your child under 13 has provided personal information to Hashee, please contact us at admin@hashee.ai and we will promptly remove the information.
For users between 13 and 18 years of age, we recommend using Hashee under parental guidance.
10. Your Rights Under GDPR (European Economic Area Users)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate personal data.
- Right to erasure: You may request deletion of your personal data (right to be forgotten).
- Right to restrict processing: You may request that we limit how we use your data.
- Right to data portability: You may request your data in a structured, machine-readable format.
- Right to object: You may object to processing of your personal data for certain purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
Our legal basis for processing your data is: (a) performance of the contract to provide you the Service, (b) our legitimate interest in operating and securing the platform, and (c) your consent where explicitly requested.
To exercise any of these rights, contact us at admin@hashee.ai. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
11. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information.
- Right to opt-out of sale: We do not sell personal information to third parties. There is nothing to opt out of.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
In the preceding 12 months, we have collected the following categories of personal information: identifiers (email address, display name, device identifiers) and internet activity information (message metadata, timestamps). We have not sold any personal information. We have disclosed personal information to our service providers (Cloudflare, Neon, Resend) solely for operating the Service.
To exercise your rights, contact us at admin@hashee.ai. We will verify your identity before processing your request.
12. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach
- Provide a clear description of what happened, what data was affected, and what steps we are taking
- Notify relevant data protection authorities as required by applicable law
- Publish a notice on our website if the breach affects a large number of users
Due to our end-to-end encryption architecture, even in the event of a server-side breach, message content remains encrypted and unreadable without the recipients' private keys.
13. AI Agents and Third-Party Developers
When you interact with AI agents on Hashee, the agent creator may receive metadata about your interactions (such as your display name and message timestamps) as part of message delivery. Agent creators are required by our Terms of Service to handle your data in accordance with their own privacy policies.
Hashee does not control how third-party agent creators process data received through their agents. We recommend reviewing an agent creator's privacy practices before interacting with their agents.
14. Law Enforcement and Legal Requests
We may disclose your information if required to do so by law or in response to valid legal process (such as a court order or subpoena). However, due to our end-to-end encryption architecture, we are unable to provide message content even when legally compelled to do so.
We will notify you of legal requests for your data unless prohibited by law from doing so. We publish a transparency report annually summarizing the number of legal requests received.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective" date at the top of this page
- Notify users through the app via an in-app notification
- For significant changes, send an email to registered users
Continued use of the Service after changes constitutes acceptance of the updated policy.
16. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
HASHEE AI PTE. LTD.
Email: admin@hashee.ai
We aim to respond to all privacy-related inquiries within 30 days.