Privacy Policy - Havira AI Video Generator

1. Introduction

Welcome to Havira ("we," "our," or "us"). This Privacy Policy explains how Engin Deniz Usta collects, uses, discloses, and protects your personal information when you use the Havira mobile application and related services (collectively, the "Service").

We are committed to protecting your privacy and ensuring transparency about our data practices. This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws.

Contact Information:

Service Provider: Engin Deniz Usta
Email: support@edusta.dev
Address: Brennerei 2, 82024, Taufkirchen, Germany

2. Information We Collect

We adhere to the principle of data minimization as required by Article 5(1)(c) GDPR, collecting only the personal information that is necessary for the specific purposes outlined in this Privacy Policy.

2.1 Information You Provide

Account Information: User ID and authentication credentials (provided through Firebase Authentication)
Email Address: Email addresses may be collected through Firebase Authentication and are used solely for the purpose of fulfilling data export requests and other account-related communications as necessary for the provision of the Service
Video Generation Data:
- Text Prompts: Text descriptions you provide for video generation
- Reference Images: Images you upload to guide video generation (maximum 1 image for OpenAI Sora, up to 3 images for Google Veo)
- Processing: Reference images and prompts are processed for video generation and content moderation purposes
- Retention: Reference images are stored temporarily during video generation and are deleted when you delete your account or video request as described in Section 6
Payment Information: Transaction data processed through RevenueCat (we do not store credit card details)

2.2 Automatically Collected Information

Usage Data: Information about how you use our Service, including videos generated and features accessed
Device Information: Device type, operating system, unique device identifiers, and mobile network information
Log Data: IP address, access times, app crash reports, user identifiers, and other information necessary for operational, security, and compliance purposes

2.3 Information from Third Parties

Authentication Data: We use Firebase Authentication to manage user accounts
Payment Data: RevenueCat provides us with transaction information for in-app purchases

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Essential Services (Legal Basis: Contractual Necessity)

Providing and maintaining the Service
Processing your video generation requests
Managing your token balance and transactions
Authenticating your identity and managing your account
Processing payments and preventing fraud

3.2 Service Improvement (Legal Basis: Legitimate Interest)

Collecting anonymized analytics data to analyze usage patterns and improve our Service
Anonymized analytics are collected automatically and do not include personally identifiable information (PII) or user IDs
This data helps us develop new features, fix technical issues, and improve the overall user experience
Anonymized analytics collection cannot be disabled as it is necessary for service improvement under our legitimate interest

3.3 Communications (Legal Basis: Legitimate Interest / Consent)

Push Notifications (Consent-based):

With your explicit consent, we send push notifications about:

Video generation status updates (completed, failed, processing)
Important service announcements and updates

You can manage notification permissions through your device settings at any time.

Email Communications (Legitimate Interest):

Responding to your requests and inquiries
Sending critical service updates and account-related information
Data export delivery (as requested by you)

3.4 Analytics (Legal Basis: Consent)

With your explicit consent, we use Google Analytics with full tracking capabilities, including linking analytics data to your user account
When consent is granted, analytics data is linked to your account ID for better insights and personalization
When consent is denied, we still collect anonymized analytics (see Section 3.2) but without linking data to your account
You can grant or withdraw this consent at any time through the app settings (Settings → Privacy → Analytics & Data Collection)
Important: Even when you disable the Analytics consent toggle, anonymized analytics collection continues automatically for service improvement purposes (see Section 3.2)

3.5 Legal Compliance and Audit Logging (Legal Basis: Legal Obligation / Legitimate Interest)

Complying with applicable laws and regulations
Responding to legal requests and preventing misuse
Maintaining transaction and security-related audit records as required by law
Recording security- and compliance‑relevant actions (such as account deletion, data export, and certain admin actions) in append‑only audit logs
Maintaining operational logs containing user identifiers and system information necessary for security monitoring, debugging, and compliance purposes

4. Third-Party Services

We use the following third-party services to provide and improve our Service:

4.1 OpenAI (Sora and Moderation API)

Purpose: Video generation from text prompts and reference images (max 1 image); content moderation and safety checks
Data Shared: User-provided text prompts and reference images (if uploaded)
Processing: Your prompts and images are sent to OpenAI's API for processing and generation
Privacy Policy: https://openai.com/policies/privacy-policy

4.2 Google (Veo)

Purpose: Video generation from text prompts and reference images (up to 3 images)
Data Shared: User-provided text prompts and reference images (if uploaded)
Processing: Your prompts and images are sent to Google's API for processing and generation
Privacy Policy: https://policies.google.com/privacy

4.3 Google Firebase

Purpose: User authentication and push notifications (FCM)
Data Shared: User authentication data, device tokens
Privacy Policy: https://firebase.google.com/support/privacy

4.4 Google Analytics

Purpose: Usage analytics (optional, requires consent for full tracking with account linking)
Data Shared:
- When consent is granted: App usage data linked to your account ID
- When consent is denied: Anonymized app usage data without account linkage (see Section 3.2)
Privacy Policy: https://policies.google.com/privacy
Control: You can enable or disable full analytics (with account linking) in app settings. Anonymized analytics collection continues automatically regardless of this setting

4.5 RevenueCat

Purpose: In-app purchase management and subscription processing
Data Shared: Transaction data, user ID
Privacy Policy: https://www.revenuecat.com/privacy

4.6 Google Cloud Platform

Purpose: Storage of generated videos
Data Shared: Generated video files
Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

4.7 Google AdMob (Future Implementation)

Purpose: If implemented, for displaying advertisements
Data Shared: Device identifiers, usage data (with your consent)
Privacy Policy: https://support.google.com/admob/answer/6128543
Note: Not currently active; you will be notified and asked for consent before implementation

5. Your Privacy Choices and Rights

5.1 Consent Management

You can control the following consent preferences in the app:

Required: Terms of Service and Privacy Policy acceptance (required to use the Service - processed under contractual necessity, not consent)
Analytics: Google Analytics tracking with account linking (optional, requires consent)
Marketing: Marketing communications and future advertising (optional, requires consent)

Important:

"Required" processing is not based on consent but on contractual necessity under Article 6(1)(b) GDPR. This means we must process certain data to provide the Service you've requested. The Analytics and Marketing categories are genuinely optional and based on your consent, which you can withdraw at any time without affecting the core functionality of the Service.

Note on Anonymized Analytics:

Even if you disable the Analytics consent toggle, we will continue to collect anonymized analytics data for service improvement (see Section 3.2). This anonymized data does not include your user ID or any personally identifiable information. The Analytics toggle controls whether analytics data is linked to your account; it does not stop anonymized analytics collection.

To manage your consent preferences:

Open the Havira app
Go to Settings → Privacy & Consents
Toggle your preferences for Analytics and Marketing

5.2 Your Rights Under GDPR (EU Users)

If you are located in the European Economic Area (EEA), you have the following rights:

Right of Access: Request a copy of your personal data
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Restrict Processing: Request limitation of processing
Right to Data Portability: Receive your data in a machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time

5.3 Your Rights Under CCPA (California Users)

If you are a California resident, you have the following rights:

Right to Know: What personal information we collect, use, and disclose
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt-out of the sale of personal information (Note: We do not sell personal information)
Right to Non-Discrimination: Equal service regardless of exercising your rights

5.4 Exercising Your Rights

To exercise any of these rights:

Data Export:

Open the Havira app
Go to Settings → Privacy
Tap "Export My Data"
You will receive a JSON file containing all your data via the email address associated with your account

Account Deletion:

Open the Havira app
Go to Settings → Account
Tap "Delete Account"
Confirm the deletion

Alternatively, email us at support@edusta.dev with your request.

We will respond to your request within:

GDPR: 30 days (extendable by 60 days for complex requests)
CCPA: 45 days (extendable by 45 days)

6. Data Retention

6.1 Active Accounts

We retain your personal information for as long as your account is active or as needed to provide you with our Service.

6.2 Account Deletion and Data Anonymization

When you delete your account using the in‑app tools, we:

Delete your authentication data from Firebase Authentication
Delete or clear your consent preferences
Delete your device tokens (including push notification tokens)
Delete your video requests and all generated content (videos, thumbnails)
Delete all reference images you uploaded
Delete all associated media files stored in our infrastructure
Delete or anonymize related records in our databases where possible

For certain records, instead of full deletion we may anonymize the data by removing or replacing direct identifiers (such as your user ID) while retaining non‑identifiable information (for example, token transaction history or moderation events without a user link). This is necessary to:

Comply with legal and accounting obligations
Maintain accurate aggregate statistics about service usage
Prevent abuse, fraud, and misuse of the Service

6.3 Legal Requirements

We may retain or anonymize certain records for legal and accounting purposes, including:

Payment transaction data (as required by tax and financial regulations)
Security and audit logs for fraud prevention and legal compliance

The retention period for such records typically does not exceed 7 years or as required by applicable law.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

Encryption: Data is encrypted in transit (TLS/SSL) and at rest
Access Controls: Restricted access to personal data on a need-to-know basis
Secure Infrastructure: Use of Google Cloud Platform with industry-standard security
Regular Updates: Security patches and updates are applied promptly
Authentication: Secure user authentication through Firebase
Incident Response: We maintain procedures to detect, respond to, and report security incidents

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay as required by GDPR Article 34.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

8. Children's Privacy

Our Service is not intended for users under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@edusta.dev, and we will delete such information promptly.

9. International Data Transfers

We are based in Germany and process data within the European Economic Area (EEA). However, some of our third-party service providers may process data outside the EEA, including:

OpenAI (United States): For video generation and content moderation
Google (United States): For video generation (Veo), cloud infrastructure, and analytics
RevenueCat (United States): For payment processing

When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions by the European Commission
EU-U.S. Data Privacy Framework (DPF) for transfers to certified U.S. organizations
Other appropriate safeguards as required by applicable data protection laws

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

Updating the "Last Updated" date at the top of this policy
Sending you a notification through the app or via email
For material changes, requesting renewed consent where required

We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@edusta.dev

Postal Address:
Engin Deniz Usta
Brennerei 2
82024 Taufkirchen
Germany

11.1 For EU Users (GDPR)

As a Germany-based service provider, we serve as the data controller for your personal information. You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of alleged infringement.

German Data Protection Authority:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Website: https://www.bfdi.bund.de

12. Legal Basis Summary

For quick reference, here's how we process your data:

Purpose	Legal Basis (GDPR Article 6)	Can Opt-Out?	Reference
Account management	Contractual necessity (Art. 6(1)(b))	No (service won't work)	Section 3.1
Video generation	Contractual necessity (Art. 6(1)(b))	No (core feature)	Section 3.1
Payment processing	Contractual necessity (Art. 6(1)(b))	No (required for purchases)	Section 3.1
Service improvement	Legitimate interest (Art. 6(1)(f))	Limited	Section 3.2
Analytics	Consent (Art. 6(1)(a))	Yes (in app settings)	Sections 3.4, 5.1
Push notifications	Consent (Art. 6(1)(a))	Yes (in device settings)	Section 3.3
Marketing (future)	Consent (Art. 6(1)(a))	Yes (in app settings)	Section 5.1
Legal compliance & audit logs	Legal obligation (Art. 6(1)(c)) / Legitimate interest (Art. 6(1)(f))	No (required by law)	Section 3.5

Note: "Required" functionality in the app settings (Section 5.1) refers to processing based on contractual necessity, not consent.

Thank you for trusting Havira with your personal information. We are committed to protecting your privacy and providing you with transparency and control over your data.

Privacy Policy for Havira