Privacy Policy - Havira AI Video Generator

1. Introduction

Welcome to Havira ("we," "our," or "us"). This Privacy Policy explains how Engin Deniz Usta collects, uses, discloses, and protects your personal information when you use the Havira mobile application and related services (collectively, the "Service").

We are committed to protecting your privacy and ensuring transparency about our data practices. This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws.

Contact Information:

Service Provider: Engin Deniz Usta
Email: support@edusta.dev
Address: Brennerei 2, 82024, Taufkirchen, Germany

2. Information We Collect

We adhere to the principle of data minimization as required by Article 5(1)(c) GDPR, collecting only the personal information that is necessary for the specific purposes outlined in this Privacy Policy.

2.1 Information You Provide

Account Information: User ID and authentication credentials (provided through Firebase Authentication)
Email Address: Email addresses may be collected through Firebase Authentication and are used solely for the purpose of fulfilling data export requests and other account-related communications as necessary for the provision of the Service
Video Generation Data:
- Text Prompts: Text descriptions you provide for video generation
- Reference Images: Images you upload to guide video generation (maximum 1 image for OpenAI Sora, up to 3 images for Google Veo)
- Processing: Reference images and prompts are processed for content moderation and safety verification purposes
- Retention: Reference images are stored temporarily during the video generation process and are deleted when you delete your account or individual video request as described in Section 6
Payment Information: Transaction data processed through RevenueCat (we do not store credit card details)

2.2 Automatically Collected Information

Usage Data: Information about how you use our Service, including videos generated and features accessed
Device Information: Device type, operating system, unique device identifiers, and mobile network information
Log Data: IP address, access times, app crash reports, user identifiers, and other information necessary for operational, security, and compliance purposes

2.3 Information from Third Parties

Authentication Data: We use Firebase Authentication to manage user accounts
Payment Data: RevenueCat provides us with transaction information for in-app purchases

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Essential Services (Legal Basis: Contractual Necessity)

Providing and maintaining the Service
Processing your video generation requests, including content moderation and safety verification
Managing your token balance and transactions
Authenticating your identity and managing your account
Processing payments and preventing fraud

3.2 Service Improvement (Legal Basis: Legitimate Interest)

Collecting anonymized analytics data to analyze usage patterns and improve our Service
Anonymized analytics are collected automatically and do not include personally identifiable information (PII) or user IDs
This data helps us develop new features, fix technical issues, and improve the overall user experience
Anonymized analytics collection cannot be disabled as it is necessary for service improvement under our legitimate interest

3.3 Communications (Legal Basis: Legitimate Interest / Consent)

Push Notifications (Consent-based):

With your explicit consent, we send push notifications about:

Video generation status updates (completed, failed, processing)
Important service announcements and updates

You can manage notification permissions through your device settings at any time.

Email Communications (Legitimate Interest):

Responding to your requests and inquiries
Sending critical service updates and account-related information
Data export delivery (as requested by you)

3.4 Analytics (Legal Basis: Consent)

With your explicit consent, we use Google Analytics with full tracking capabilities, including linking analytics data to your user account
When consent is granted, analytics data is linked to your account ID for better insights and personalization
When consent is denied, we still collect anonymized analytics (see Section 3.2) but without linking data to your account
You may grant or withdraw this consent at any time through the Service's consent management features
Important: Even when you withdraw consent for Analytics, anonymized analytics collection continues automatically for service improvement purposes (see Section 3.2)

3.5 Legal Compliance and Audit Logging (Legal Basis: Legal Obligation / Legitimate Interest)

Complying with applicable laws and regulations
Responding to legal requests and preventing misuse
Maintaining transaction and security-related audit records as required by law
Recording security- and compliance‑relevant actions (such as account deletion, data export, and certain administrative actions) in secure audit logs
Maintaining operational logs containing user identifiers and system information necessary for security monitoring and compliance purposes

Law Enforcement and Legal Requests:

We may be required to disclose your personal information to law enforcement agencies, regulatory authorities, or other government bodies when we believe in good faith that such disclosure is necessary to: (a) comply with applicable laws, regulations, legal processes, or enforceable governmental requests; (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Havira, our users, or the public as required or permitted by law.

When legally permitted, we will attempt to notify you of such requests. However, we may be prohibited from providing notice in certain circumstances, including when the request includes a court order prohibiting disclosure or when disclosure would compromise an ongoing investigation.

3.6 Administrative Access to User Content (Legal Basis: Legitimate Interest)

Authorized administrative personnel may access user-generated content only when necessary for legitimate business purposes, including but not limited to content moderation, user support, security investigations, fraud prevention, or compliance with legal obligations
Administrative access is restricted to verified personnel and is subject to appropriate access controls and oversight
Access is limited to the minimum content necessary for the stated purpose and is conducted in accordance with the principle of data minimization
Users retain control over their content and may exercise their right to deletion as described in Section 6, which will result in the removal of generated content

3.7 Automated Decision-Making (Legal Basis: Contractual Necessity / Legitimate Interest)

We use automated decision-making processes in the following circumstances:

Content Moderation: All video generation requests are automatically evaluated for compliance with safety policies and usage guidelines. Content that violates these policies is automatically rejected without human review. This automated processing is necessary to ensure the safety and integrity of our Service and to comply with our terms of service.
Account Management: User accounts may be automatically suspended or restricted based on automated analysis of moderation violations and security patterns. Such automated decisions are made in accordance with our terms of service and are necessary to prevent abuse and maintain service security.

Your Rights:

Under GDPR Article 22, you have the right not to be subject to automated decision-making that produces legal effects or similarly significantly affects you. However, automated content moderation and account management decisions are necessary for the performance of our contract with you and for our legitimate interests in maintaining service safety and security. If you believe an automated decision has been made incorrectly, you may contact us to request a review of the decision (see Section 11 for contact information).

4. Third-Party Services

We use the following third-party services to provide and improve our Service:

4.1 OpenAI Moderation API

Purpose: Content moderation and safety verification for all video generation requests submitted through our Service
Data Shared: User-provided text prompts and reference images (if uploaded) are shared with OpenAI's Moderation API for content safety verification
Processing: All video generation content is processed through OpenAI's Moderation API to ensure compliance with safety policies and usage guidelines
Privacy Policy: https://openai.com/policies/privacy-policy

4.2 OpenAI (Sora)

Purpose: Video generation services from text prompts and reference images (maximum 1 image per request)
Data Shared: User-provided text prompts and reference images (if uploaded, limited to 1 image per request)
Processing: Your prompts and images are processed by OpenAI's Sora API for video generation purposes
Privacy Policy: https://openai.com/policies/privacy-policy

4.3 Google (Veo)

Purpose: Video generation services from text prompts and reference images (up to 3 images per request)
Data Shared: User-provided text prompts and reference images (if uploaded, limited to 3 images per request)
Processing: Your prompts and images are processed by Google's Veo API for video generation purposes
Privacy Policy: https://policies.google.com/privacy

4.4 Google Firebase

Purpose: User authentication and push notifications (FCM)
Data Shared: User authentication data, device tokens
Privacy Policy: https://firebase.google.com/support/privacy

4.5 Google Analytics

Purpose: Usage analytics (optional, requires consent for full tracking with account linking)
Data Shared:
- When consent is granted: App usage data linked to your account ID
- When consent is denied: Anonymized app usage data without account linkage (see Section 3.2)
Privacy Policy: https://policies.google.com/privacy
Control: You may enable or disable full analytics (with account linking) through the Service's consent management features. Anonymized analytics collection continues automatically regardless of this preference

4.6 RevenueCat

Purpose: In-app purchase management and subscription processing
Data Shared: Transaction data, user ID
Privacy Policy: https://www.revenuecat.com/privacy

4.7 Google Cloud Platform

Purpose: Storage of generated videos
Data Shared: Generated video files
Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

4.8 Google AdMob (Future Implementation)

Purpose: If implemented, for displaying advertisements
Data Shared: Device identifiers, usage data (with your consent)
Privacy Policy: https://support.google.com/admob/answer/6128543
Note: Not currently active; you will be notified and asked for consent before implementation

4.9 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, maintain, and improve our Service. These technologies are implemented through Google Analytics and are categorized as follows:

Required Cookies: These cookies are necessary for the Service to function properly and are processed under contractual necessity pursuant to Article 6(1)(b) GDPR. Required cookies support essential functionality including authentication and session management. These cookies cannot be disabled as they are necessary for the Service to operate.
Analytics Cookies: These cookies are used to understand how users interact with our Service, analyze usage patterns, and improve our Service. Analytics cookies require your consent pursuant to Article 6(1)(a) GDPR. When consent is granted, Analytics cookies enable tracking capabilities including linking analytics data to your user account. When consent is denied, we collect anonymized analytics data without account linkage as described in Section 3.2. You may grant or withdraw consent for Analytics cookies at any time through the Service's consent management features.
Marketing Cookies: These cookies are used for marketing purposes and advertising. Marketing cookies require your explicit consent pursuant to Article 6(1)(a) GDPR and are optional. You may grant or withdraw consent for Marketing cookies at any time through the Service's consent management features.

Managing Cookies: You may control your preferences for Analytics and Marketing cookies through the Service's consent management features. Required cookies cannot be disabled as they are necessary for the Service to function. You may also manage tracking preferences through your device settings. For more information about managing cookies and tracking technologies, please refer to your browser or device documentation.

Third-Party Cookies: Cookies and tracking technologies used by our Service are implemented through Google Analytics. For detailed information about Google Analytics cookies and tracking technologies, please refer to Google's privacy policy at https://policies.google.com/privacy. Your use of Google Analytics is subject to Google's privacy policy as described in Section 4.5.

5. Your Privacy Choices and Rights

5.1 Consent Management

You can control the following consent preferences in the app:

Required: Terms of Service and Privacy Policy acceptance (required to use the Service - processed under contractual necessity, not consent)
Analytics: Google Analytics tracking with account linking (optional, requires consent)
Marketing: Marketing communications and advertising (optional, requires consent)

Important:

"Required" processing is not based on consent but on contractual necessity under Article 6(1)(b) GDPR. This means we must process certain data to provide the Service you've requested. The Analytics and Marketing categories are genuinely optional and based on your consent, which you can withdraw at any time without affecting the core functionality of the Service.

Note on Anonymized Analytics:

Even if you withdraw consent for Analytics cookies, we will continue to collect anonymized analytics data for service improvement purposes as described in Section 3.2. This anonymized data does not include your user ID or any personally identifiable information. Your consent preference for Analytics cookies controls whether analytics data is linked to your account; it does not affect anonymized analytics collection.

You may manage your consent preferences at any time through the Service's consent management features, which are accessible through the Service's settings.

5.2 Your Rights Under GDPR (EU Users)

If you are located in the European Economic Area (EEA), you have the following rights:

Right of Access: Request a copy of your personal data
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Restrict Processing: Request limitation of processing
Right to Data Portability: Receive your data in a machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Object to Automated Decision-Making: Request human review of automated decisions that significantly affect you (see Section 3.7)
Right to Withdraw Consent: Withdraw consent at any time

5.3 Your Rights Under CCPA (California Users)

If you are a California resident, you have the following rights:

Right to Know: What personal information we collect, use, and disclose
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt-out of the sale of personal information (Note: We do not sell personal information)
Right to Non-Discrimination: Equal service regardless of exercising your rights

5.4 Exercising Your Rights

To exercise any of these rights:

Data Export:

You may request a copy of your personal data through the Service's data export features, which are accessible through the Service's settings. Upon request, you will receive your data in a machine-readable format via the email address associated with your account.

The exported data includes:

Account information (user ID, token balance)
Consent preferences and audit trail
Device tokens registered for push notifications
Video generation requests and metadata
Token transaction history
Content moderation violations (if any)
Summary statistics (total tokens earned/spent, videos generated, etc.)

Account Deletion:

You may request deletion of your account and associated personal data through the Service's account deletion features, which are accessible through the Service's settings. Alternatively, you may contact us at support@edusta.dev to request account deletion.

We will respond to your request within:

GDPR: 30 days (extendable by 60 days for complex requests)
CCPA: 45 days (extendable by 45 days)

6. Data Retention

6.1 Active Accounts

We retain your personal information for as long as your account is active or as needed to provide you with our Service.

6.2 Account Deletion and Data Anonymization

When you delete your account using the in‑app tools, we:

Delete your authentication data
Delete or clear your consent preferences
Delete your device tokens (including push notification tokens)
Delete your video requests and all generated content (videos, static thumbnails, and animated GIF thumbnails)
Delete all reference images you uploaded
Delete all associated media files
Delete or anonymize related records where possible

For certain records, instead of full deletion we may anonymize the data by removing or replacing direct identifiers (such as your user ID) while retaining non‑identifiable information. This is necessary to:

Comply with legal and accounting obligations
Maintain accurate aggregate statistics about service usage
Prevent abuse, fraud, and misuse of the Service

6.3 Legal Requirements

We may retain or anonymize certain records for legal and accounting purposes, including:

Payment transaction data (as required by tax and financial regulations)
Security and audit logs for fraud prevention and legal compliance

The retention period for such records typically does not exceed 7 years or as required by applicable law.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

Encryption: Data is encrypted in transit (TLS/SSL) and at rest
Access Controls: Restricted access to personal data on a need-to-know basis
Secure Infrastructure: Use of Google Cloud Platform with industry-standard security
Regular Updates: Security patches and updates are applied promptly
Authentication: Secure user authentication through Firebase
Incident Response: We maintain procedures to detect, respond to, and report security incidents

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify Supervisory Authority: Report the breach to the relevant supervisory authority (in Germany, the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) within 72 hours of becoming aware of it, as required by GDPR Article 33. The notification will include information about the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures we propose to address the breach.
Notify Affected Users: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, as required by GDPR Article 34. The notification will be sent to the email address associated with your account and will include: (a) a description of the nature of the breach; (b) the name and contact details of our data protection contact point; (c) a description of the likely consequences of the breach; and (d) a description of the measures we have taken or propose to take to address the breach and mitigate its possible adverse effects.

We may delay notification to users if doing so would impede a criminal investigation or if we have implemented appropriate technical and organizational measures that render the data unintelligible to unauthorized persons (such as encryption). We will document all breaches, including the facts relating to the breach, its effects, and the remedial action taken.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

8. Children's Privacy

Our Service is not intended for users under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@edusta.dev, and we will delete such information promptly.

9. International Data Transfers

We are based in Germany and process data within the European Economic Area (EEA). However, some of our third-party service providers may process data outside the EEA, including:

OpenAI (United States): For video generation and content moderation
Google (United States): For video generation (Veo), cloud infrastructure, and analytics
RevenueCat (United States): For payment processing

When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions by the European Commission
EU-U.S. Data Privacy Framework (DPF) for transfers to certified U.S. organizations
Other appropriate safeguards as required by applicable data protection laws

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We track all versions of this Privacy Policy and will notify you of significant changes by:

Updating the "Last Updated" date at the top of this policy
Displaying a notification in the app when you open it, prompting you to review the updated policy
For material changes, requesting renewed consent where required

Notification Method:

We notify you of Privacy Policy updates through notifications provided when you access the Service. We do not send email notifications or push notifications for Privacy Policy updates. You will be prompted to review and accept updated policies when you access the Service.

We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@edusta.dev

Postal Address:
Engin Deniz Usta
Brennerei 2
82024 Taufkirchen
Germany

11.1 For EU Users (GDPR)

As a Germany-based service provider, we serve as the data controller for your personal information.

Data Protection Officer: We do not currently have a designated Data Protection Officer (DPO) as our processing activities do not meet the thresholds requiring mandatory DPO appointment under GDPR Article 37. For data protection inquiries, please contact us using the information provided in Section 11.

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of alleged infringement.

German Data Protection Authority:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Website: https://www.bfdi.bund.de

12. Legal Basis Summary

For quick reference, here's how we process your data:

Purpose	Legal Basis (GDPR Article 6)	Can Opt-Out?	Reference
Account management	Contractual necessity (Art. 6(1)(b))	No (service won't work)	Section 3.1
Video generation	Contractual necessity (Art. 6(1)(b))	No (core feature)	Section 3.1
Payment processing	Contractual necessity (Art. 6(1)(b))	No (required for purchases)	Section 3.1
Service improvement	Legitimate interest (Art. 6(1)(f))	Limited (anonymized analytics always collected)	Section 3.2
Analytics (with account linking)	Consent (Art. 6(1)(a))	Yes (through consent management)	Sections 3.4, 5.1
Push notifications	Consent (Art. 6(1)(a))	Yes (through device settings)	Section 3.3
Marketing	Consent (Art. 6(1)(a))	Yes (through consent management)	Section 5.1
Legal compliance & audit logs	Legal obligation (Art. 6(1)(c)) / Legitimate interest (Art. 6(1)(f))	No (required by law)	Section 3.5
Administrative access	Legitimate interest (Art. 6(1)(f))	No (necessary for service operation)	Section 3.6
Automated decision-making	Contractual necessity (Art. 6(1)(b)) / Legitimate interest (Art. 6(1)(f))	Limited (human review available on request)	Section 3.7

Note: "Required" functionality in the app settings (Section 5.1) refers to processing based on contractual necessity, not consent.

Thank you for trusting Havira with your personal information. We are committed to protecting your privacy and providing you with transparency and control over your data.