Privacy Policy

1. Introduction

Hellbound Hearts ("we," "our," or "the Platform") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our horror-themed social platform.

2. Information We Collect

Personal Information You Provide:

• Account information (email, username, password)
• Profile information (name, bio, photos, interests)
• Social Encounters profile details (age, preferences, location)
• Content you create (posts, reviews, comments, messages)
• Payment information (for premium features)

Information Collected Automatically:

• Device information (IP address, browser type, operating system)
• Usage data (pages visited, features used, interaction patterns)
• Location data (if you enable location services)
• Cookies and similar tracking technologies

Information from Third Parties:

• OAuth provider information (Google, Discord, Twitter, Apple)
• Public profile information from linked accounts
• Information from other users (tags, mentions)
• Apple Sign In may provide a relay email address instead of your real address; we treat the relay as your account email and never request your real address from Apple

2.5. Mobile App Data Collection

We offer native mobile apps for iOS (App Store) and Android (Google Play). Both apps talk to the same backend as our website and follow the same privacy practices outlined in this policy, with these mobile-specific additions:

Permissions Requested:

• Internet: Required to connect to our servers.
• Photo Library (optional): Only when you tap to attach a photo to a post, comment, or profile. The system permission dialog asks you each time.
• Push Notifications (optional): Only if you accept the prompt. Used to deliver messages, theater-room invites, and match notifications.
• No Background Location, No Microphone, No Camera, No Contacts: We do not request or use these sensors.

Mobile-Specific Data:

• Analytics events: The mobile app sends product-usage events to PostHog (which screens you view, which features you tap, app version, device type). Events are anonymous until you sign in, then linked to your account ID. We never collect message content, photos, or your exact location. You can opt out at any time under Settings → Privacy → Share Anonymous Analytics.
• Crash reports: The iOS app uses Firebase Crashlytics to capture crashes and the stack trace at the moment of failure. Does not include message content or photos.
• Authentication tokens: When you sign in, a JWT bearer token is stored in the iOS Keychain or Android EncryptedSharedPreferences (both encrypted by the operating system). Tokens expire after 7 days of inactivity, refresh automatically while you use the app, and are deleted when you sign out.
• Real-time connection: The app maintains a Pusher WebSocket connection while the app is in the foreground for live messages and theater-room synchronization. Disconnects when the app is backgrounded or loses network.
• Theater-room streaming: When you start or join a theater room, the public-domain video file is streamed directly from the Internet Archive (archive.org). Your IP address is visible to archive.org as a standard video request; we do not proxy this traffic.
• Device Information: Basic device info (model, OS version, app version) is collected for compatibility, debugging, and analytics. No advertising identifier is collected.

App Store Data Disclosures:

Our iOS app's data practices are summarized in the Apple App Store's App Privacy section. Our Android app's data practices are summarized in the Google Play Store's Data Safety section. Both disclosures match the practices described in this policy.

3. How We Use Your Information

We use your information to:

• Create and manage your account
• Provide social and community-matching features
• Match you with compatible users based on preferences
• Display your profile to other users (based on your privacy settings)
• Process payments for premium features
• Send notifications about matches, messages, and platform updates
• Improve our services and develop new features
• Ensure platform safety and prevent abuse
• Comply with legal obligations
• Provide customer support

4. Location Data

We collect location data to provide location-based features such as:

• Finding matches near you
• Showing local horror events and venues
• Displaying distance to potential matches

You can control location sharing through your privacy settings:

• Exact: Share precise location
• City: Share only city-level location
• Hidden: Don't share location

5. Information Sharing

We share information with:

Other Users:

• Your public profile information
• Content you post publicly
• Social Encounters profile (to potential matches)
• Messages (to recipients)

Service Providers:

• PostHog (product analytics) — receives anonymized event data: screens viewed, features used, app version, device type. Does NOT receive: message content, photos, your exact location, your real name, or your date of birth. PostHog is GDPR-compliant. See PostHog's privacy policy.
• Firebase Crashlytics (iOS crash reporting) — receives crash stack traces and the device state at the time of crash. Does not include message content or photos.
• Pusher (real-time delivery) — receives encrypted message metadata and theater-room sync events. Does not see message content (delivered point-to-point) or video content (synchronizes timestamps only).
• Cloudinary (image hosting) — stores profile photos and post images on public-read URLs we control. We can delete images at any time.
• Internet Archive (archive.org) — streams public-domain horror films for theater rooms. When you start a theater session, your IP is visible to archive.org as a standard video request. We do not proxy this. Review their Terms of Use.
• Stripe (payment processing, when paid features are enabled) — handles billing. We never see or store full card numbers. We receive subscription status only.
• Email service providers (transactional email for verification, password reset, notifications)
• Vercel (hosting) — operates our backend infrastructure
• Supabase (database hosting) — stores user data in compliance with the protections in this policy

Legal Requirements:

• When required by law or legal process
• To protect rights, property, or safety
• To investigate fraud or security issues

6. Data Retention

We retain your information for as long as your account is active or as needed to provide services. When you delete your account:

• Profile information is removed within 30 days
• Some data may be retained for legal compliance
• Anonymized data may be kept for analytics
• Messages sent to others remain in their accounts

7. Your Privacy Rights

You have the right to:

• Access your personal information
• Correct inaccurate information
• Delete your account and data
• Download your data (data portability)
• Opt-out of marketing communications
• Control who sees your profile
• Manage notification preferences
• Block or report other users

8. Data Security

We implement security measures to protect your information:

• Encryption of sensitive data in transit and at rest
• Secure password hashing (bcrypt)
• Regular security audits
• Limited access to personal information
• Secure data centers

However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

9. Cookies and Tracking

We use cookies and similar technologies to:

• Keep you logged in
• Remember your preferences
• Analyze platform usage
• Provide personalized content
• Prevent fraud

You can control cookies through your browser settings, but some features may not work properly without them.

10. Children's Privacy

Hellbound Hearts is intended for users aged 18 and older. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete it as soon as we discover it. Parents or guardians who believe their child has provided us with personal information should contact us at privacy@hellboundhearts.com.

The Social Encounters (matching, in-person meet-ups) feature is restricted to verified accounts aged 18 and older. Age is verified server-side at the time the user opts into the feature, and underage users are prevented from creating a Social Encounters profile.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers.

12. California Privacy Rights (CCPA)

California residents have additional rights under the CCPA:

• Right to know what personal information is collected
• Right to know if information is sold or disclosed
• Right to opt-out of sale of personal information
• Right to non-discrimination for exercising privacy rights

We do not sell personal information to third parties.

13. GDPR Rights (European Users)

If you're in the European Economic Area, you have additional rights:

• Right to be informed about data processing
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making

14. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via:

• Email notification
• Platform notification
• Prominent notice on the website

15. Consent

By using Hellbound Hearts, you consent to our Privacy Policy and agree to its terms. For certain data processing activities, we may ask for your explicit consent.