Privacy Policy

Last updated: March 2026

This Privacy Policy describes how Hitoo (owned and operated by Matteo Pelosi, hereinafter "Hitoo", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use our website https://hitoo.io and our real-time AI translation platform for video calls (the "Service"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Italian data protection laws.

1. Data Controller

The Data Controller responsible for your personal data is:

Hitoo
Owned by Matteo Pelosi
Country: Italy
Email: hello@hi7o.com
Website: https://hitoo.io

For any questions or requests regarding this Privacy Policy or your personal data, you may contact us at the email address above.

2. Types of Data Collected

Personal Data
When you register for an account or use our Service, we may collect:
  • Full name
  • Email address
  • Password (stored securely via Supabase Auth)
  • Language preferences
  • Referral codes
  • Payment information (processed by Stripe; we do not store full card details)

Usage Data
We automatically collect information about how you interact with our Service, including:
  • Pages visited and features used
  • Session duration and frequency
  • Call duration and participants (metadata only)
  • Chat message metadata (timestamps, language pairs)
  • IP address
  • Browser type and version
  • Operating system
  • Referring URLs

Device Data
We collect device-related information through FingerprintJS for device tracking and fraud prevention, including:
  • Device type and model
  • Screen resolution
  • Browser fingerprint
  • Operating system version

Cookies and Tracking Technologies
We use cookies and similar technologies as detailed in our Cookie Policy. These include cookies for authentication, language preferences, analytics, and marketing purposes.

3. Purpose of Processing

We process your personal data for the following purposes:
  • Service Provision: To create and manage your account, provide real-time AI translation during video calls via LiveKit, and enable multilingual chat functionality.
  • Authentication and Security: To verify your identity via Supabase Auth, protect against unauthorized access, and use Cloudflare Turnstile for bot protection.
  • Payment Processing: To process subscription payments and manage billing through Stripe.
  • Analytics and Improvement: To analyze usage patterns and improve our Service using Google Analytics, Google Tag Manager, Microsoft Clarity, Vercel Analytics, and Facebook Pixel.
  • Communication: To send you service-related notifications, updates, and, with your consent, marketing communications.
  • Waitlist Management: To manage early access sign-ups via our Notion-based waitlist system.
  • Fraud Prevention: To detect and prevent fraudulent activity using FingerprintJS device tracking and Cloudflare Turnstile.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. Legal Basis for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds under Article 6 of the GDPR:
  • Consent (Art. 6(1)(a)): For marketing communications, analytics cookies, and non-essential tracking technologies. You may withdraw your consent at any time.
  • Contractual Necessity (Art. 6(1)(b)): For providing the Service, managing your account, processing payments, and delivering the core translation and video call functionality.
  • Legitimate Interest (Art. 6(1)(f)): For improving our Service, fraud prevention, security measures (including FingerprintJS and Cloudflare Turnstile), and basic analytics. We ensure our legitimate interests do not override your fundamental rights and freedoms.
  • Legal Obligation (Art. 6(1)(c)): For compliance with applicable laws, tax requirements, and regulatory obligations.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy:
  • Account Data: Retained for the duration of your account and for up to 30 days after account deletion to allow for recovery.
  • Usage and Analytics Data: Retained for up to 26 months, in line with standard analytics retention periods.
  • Payment Data: Retained as required by applicable tax and financial regulations (up to 10 years for Italian fiscal requirements).
  • Communication Data: Retained for up to 12 months after the last interaction.
  • Call and Chat Content: Real-time translation data is processed in transit and is not permanently stored. Call metadata is retained for up to 12 months.
After the applicable retention period, your data will be securely deleted or anonymized.

6. Data Sharing and Third Parties

We share your data with the following third-party service providers, each acting as a data processor on our behalf or as an independent controller where indicated:

Provider | Purpose | Data Shared | Location
Supabase | Database hosting, authentication, real-time features | Account data, usage data | EU Region
Stripe | Payment processing | Payment and billing information | USA (EU SCCs)
LiveKit | Video/audio call infrastructure and real-time translation | Audio/video streams, call metadata | USA/EU
Google Analytics / Google Tag Manager | Website analytics and tag management | Usage data, IP address (anonymized) | USA (EU SCCs)
Microsoft Clarity | Session recording and heatmaps | Usage data, interaction patterns | USA (EU SCCs)
Cloudflare (Turnstile) | Bot protection and security | IP address, browser data | Global (EU SCCs)
Vercel | Hosting and web analytics | Usage data, performance metrics | USA (EU SCCs)
Facebook / Meta (Pixel) | Marketing analytics and ad targeting | Usage data, conversion events | USA (EU SCCs)
Notion | Waitlist management | Name, email address | USA (EU SCCs)
FingerprintJS | Device identification and fraud prevention | Device fingerprint, browser data | USA (EU SCCs)

We do not sell your personal data to third parties. We may also disclose your data if required by law or to protect our rights and safety.

7. International Data Transfers

Your primary data is stored in Supabase servers located in the EU region. However, some of our third-party providers are based in the United States or other countries outside the European Economic Area (EEA).

When transferring data outside the EEA, we ensure adequate protection through:
  • Standard Contractual Clauses (SCCs): Approved by the European Commission, in place with all non-EU processors.
  • Adequacy Decisions: Where available, we rely on adequacy decisions by the European Commission.
  • EU-US Data Privacy Framework: Where applicable, we rely on certifications under the EU-US Data Privacy Framework.
You may request a copy of the safeguards in place by contacting us at hello@hi7o.com.

8. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights:
  • Right of Access (Art. 15): You have the right to obtain confirmation of whether your personal data is being processed and to access a copy of that data.
  • Right to Rectification (Art. 16): You have the right to request the correction of inaccurate personal data or the completion of incomplete data.
  • Right to Erasure (Art. 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw your consent.
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
  • Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests, including profiling and direct marketing.
  • Right to Restriction of Processing (Art. 18): You have the right to request the restriction of processing of your personal data in certain circumstances.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please contact us at hello@hi7o.com. We will respond to your request within 30 days. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
  • End-to-end encryption for video calls
  • Encrypted data storage in Supabase (EU region)
  • Secure authentication via Supabase Auth with password hashing
  • HTTPS/TLS encryption for all data in transit
  • Cloudflare Turnstile for bot protection
  • Regular security assessments and monitoring
  • Access controls and role-based permissions
  • Stripe PCI-DSS compliant payment processing
While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We encourage you to use strong passwords and to protect your account credentials.

10. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hello@hi7o.com so we can take appropriate action.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
  • Update the "Last updated" date at the top of this policy
  • Notify you via email or through a prominent notice on our platform
  • Where required by law, obtain your consent to the changes
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

12. Contact and Data Protection Officer

For any questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact us:

Hitoo
Owned by Matteo Pelosi
Email: hello@hi7o.com
Website: https://hitoo.io

If you are not satisfied with our response, you have the right to lodge a complaint with the Italian Data Protection Authority:

Garante per la protezione dei dati personali
Website: www.garanteprivacy.it
Email: garante@gpdp.it

Applicable Law: Italian law
Competent Court: Court of Mantua, Italy