Privacy Policy
Last updated: December 31, 2024
Hadoona ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, web platform, and related services (collectively, the "Service").
Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
1. Information We Collect
1.1 Information You Provide Directly
When you create an account, use our Service, or contact us, you may provide the following types of information:
- Account Information: Email address, password (encrypted), full name, phone number, profile picture, and timezone preferences.
- Organization Information: Organization name, description, logo, website URL, billing email address, and team member details.
- Form Submissions: Any data you enter into forms created within the Service, including text responses, numeric values, dates, and selections.
- Photos and Media: Images, videos, and other files you upload through forms or the Service, including associated metadata such as file name, file size, file type, and upload timestamp.
- Communication Data: Messages, feedback, and support requests you send to us.
1.2 Location Information
Our Service collects precise location data to enable mapping and field data collection features:
- GPS Coordinates: Latitude and longitude data collected when you submit forms or use mapping features.
- Location Accuracy: The accuracy of your GPS position in meters at the time of data collection.
- Continuous Location: When using mapping features, we may collect location data continuously to display your position on maps.
- Offline Location Data: Location information may be stored locally on your device when offline and transmitted when you regain connectivity.
Important: Location collection requires your explicit permission. You can disable location services in your device settings at any time, though this may limit certain features of the Service.
1.3 Automatically Collected Information
When you access or use our Service, we automatically collect certain information:
- Device Information: Device type, operating system, unique device identifiers, browser type, and mobile network information.
- Usage Data: Pages viewed, features used, actions taken, time and date of access, and referring URLs.
- Log Data: IP address, access times, app crashes, system activity, and hardware settings.
- Diagnostic Information: Error reports, performance data, and crash logs to help us improve the Service.
1.4 Payment Information
Payment processing is handled by Stripe, Inc., a PCI Service Provider Level 1 certified payment processor. We do not store your full credit card number, CVV, or other sensitive payment details on our servers. We only retain:
- Stripe Customer ID (to manage your subscription)
- Subscription status and plan type
- Billing email address
- Invoice history and payment status
1.5 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and store information about your interactions with our Service:
- Essential Cookies: Required for authentication and security features.
- Preference Cookies: Remember your settings and preferences (theme, language).
- Analytics Cookies: Help us understand how the Service is used and improve functionality.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Service Delivery
- Create and manage your account
- Process and store form submissions
- Display your location on maps and attach coordinates to submissions
- Store and display uploaded photos and media files
- Enable team collaboration and data sharing within your organization
- Synchronize data between your devices and our servers
- Provide offline functionality and data caching
2.2 Service Improvement
- Analyze usage patterns to improve features and user experience
- Debug and fix technical issues
- Monitor and improve Service performance and reliability
- Develop new features based on user needs
2.3 Communications
- Send transactional emails (account verification, password resets, billing receipts)
- Notify you about changes to the Service or your account
- Respond to your inquiries and support requests
- Send product updates and announcements (with your consent)
2.4 Security and Compliance
- Detect, prevent, and address fraud, unauthorized access, and other illegal activities
- Enforce our Terms of Service and other policies
- Comply with legal obligations and respond to legal requests
- Protect the rights, property, and safety of Hadoona and our users
3. Information Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
3.1 Within Your Organization
Data you submit may be visible to other members of your organization based on their role and permissions. Organization administrators have access to all data within their organization.
3.2 Service Providers
We share information with third-party service providers who perform services on our behalf:
- Supabase: Database hosting, authentication, and file storage (SOC 2 Type 2 compliant, HIPAA ready)
- Stripe: Payment processing (PCI Level 1 certified)
- Sentry: Error tracking and performance monitoring (receives crash reports and diagnostic data, including user identifiers for debugging purposes)
- Mapbox: Map rendering and geolocation services
- Vercel: Web hosting and deployment
3.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency request).
3.4 Business Transfers
If Hadoona is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
3.5 With Your Consent
We may share your information for other purposes with your explicit consent.
4. Data Storage and Security
4.1 Data Storage
Your data is stored using the following infrastructure:
- Cloud Database: Data is stored on Supabase's PostgreSQL infrastructure with automatic daily backups and point-in-time recovery capabilities.
- File Storage: Photos and media files are stored in Supabase Storage with access controls.
- Local Storage (Mobile): When using offline mode, data is stored locally on your device using encrypted SQLite databases until synchronization.
4.2 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption at Rest: All data stored in our databases is encrypted using AES-256 encryption.
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
- Access Controls: Role-based access control ensures users only access data they are authorized to view.
- Authentication: Secure authentication with encrypted password storage and session management.
- Infrastructure Security: Our infrastructure is hosted by SOC 2 Type 2 compliant providers.
4.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and applicable regulatory authorities within 72 hours as required by applicable law.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide you with the Service. Specific retention periods include:
- Account Data: Retained while your account is active and for 30 days after account deletion.
- Form Submissions: Retained while the associated project is active. Archived projects retain data based on your organization's retention settings.
- Photos and Media: Retained for as long as the associated form submission exists.
- Diagnostic Data: Error logs and crash reports are retained for up to 90 days.
- Billing Records: Retained for 7 years as required for tax and legal purposes.
- Offline Data: Local data on your device is retained until synchronized or manually deleted.
When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes.
6. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information:
6.1 Access and Portability
You have the right to request a copy of the personal information we hold about you. You can export your data through the Service's data export feature.
6.2 Correction
You can update your account information at any time through your profile settings. If you believe any information we hold is inaccurate, please contact us.
6.3 Deletion
You can request deletion of your account and associated personal data. Note that organization owners must transfer ownership or delete the organization before deleting their account.
6.4 Opt-Out Rights
- Marketing Communications: Unsubscribe using the link in our emails or through notification settings.
- Location Services: Disable location permissions in your device settings.
- Push Notifications: Manage through your device's notification settings.
- Cookies: Adjust browser settings to refuse cookies (may affect functionality).
6.5 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
6.6 European Economic Area Residents (GDPR)
If you are in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Our legal bases for processing your personal data include: performance of a contract, your consent, our legitimate interests, and compliance with legal obligations.
7. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that a child under 16 has provided us with personal information, we will delete such information from our servers.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.
Specifically, our servers are located in the United States, and our third-party service providers operate around the world. This means that when we collect your personal information, we may process it in any of these countries.
We have put appropriate safeguards in place to require that your personal information remains protected in accordance with this Privacy Policy, including using Standard Contractual Clauses approved by the European Commission for transfers of personal information from the EEA to countries outside the EEA.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email for material changes (if you have an account)
- Post a notice on our website prior to the changes becoming effective
Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.
10. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about our data practices, please contact us:
Hadoona Privacy Team
Email: privacy@hadoona.com
You may also contact us through our Contact Page or Security Page for security-related inquiries.
We will respond to your request within 30 days. For complex requests or requests involving verification of your identity, we may need additional time and will notify you of any delay.
Summary of Data We Collect
Personal Information
- Email address
- Name and profile details
- Phone number (optional)
- Profile picture (optional)
Location Data
- GPS coordinates
- Location accuracy
- Timestamp of location capture
User Content
- Form submissions
- Photos and videos
- File metadata
Technical Data
- Device information
- Crash reports and diagnostics
- Usage analytics