Privacy Policy

1. CORE PRIVACY PRINCIPLE

HashTalks is built on a fundamental privacy-by-design principle:

• All messages, calls, and files are end-to-end encrypted and accessible only to the communicating parties;
• The Company cannot read, access, or decrypt message, call, or file content at any time;
• The Company does not generate, store, or have access to any User's private or public cryptographic keys;
• The Company operates a zero-knowledge relay infrastructure and has no access to the substantive content of User communications.

2. INFORMATION WE DO NOT COLLECT

Due to the technical design of the Application, the Company does not collect, store, or have access to:

• Message content in any readable or decryptable form;
• Voice or video call audio, video, or recordings;
• File or attachment content in any readable form;
• Encryption keys (private or public);
• Chat history in any readable form;
• Call duration, call participants, or call metadata beyond what is necessary for routing.

3. INFORMATION WE MAY PROCESS

We process only the minimum information necessary to operate the Application:

3.1 Account and Subscription Data

• Subscription status and transaction confirmations (processed by Apple or Google);
• Pseudonymous identifiers necessary to provide service functionality.

3.2 Technical and Diagnostic Data

• Device type, operating system version, and application version;
• Crash reports and diagnostic logs (containing no message content);
• Network performance and connectivity data.

3.3 Minimal Routing Metadata

• Temporary, encrypted routing data necessary to deliver messages to intended recipients;
• Such data is retained only for the period required for delivery and is not used to identify message content.

4. COOKIES AND TRACKING TECHNOLOGIES

The Application itself does not use cookies or persistent tracking technologies. The HashTalks website may use strictly necessary session cookies for functional purposes only. We do not use advertising cookies, behavioral tracking, or third-party analytics that identify individual users across sessions.

5. HOW ENCRYPTION WORKS

Cryptographic keys are generated and stored exclusively on the User's device. Key exchange occurs only between Users who have mutually consented to communication by adding each other as contacts. Messages and calls are encrypted on the sender's device and decrypted only on the recipient's device. Company servers cannot decrypt communications at any stage. Each call session uses unique, one-time encryption keys that are permanently deleted upon call termination.

6. USER RESPONSIBILITIES FOR PRIVACY

The User is solely responsible for:

• Maintaining the security of their device, including keeping the operating system and Application updated;
• Protecting their PIN and cryptographic keys from unauthorized disclosure;
• Ensuring their device is free of malware, spyware, keyloggers, or other software that may compromise device security;
• Understanding that loss or deletion of cryptographic keys may result in permanent and irrecoverable loss of access to associated messages.

The Company assumes no liability for communications compromised as a result of a User's device being infected with spyware, keylogging software, or any other malicious or unauthorized software, or as a result of physical or remote unauthorized access to the User's device.

7. LEGAL BASIS FOR PROCESSING (EU / UK — GDPR)

For Users in the European Union and United Kingdom, we rely on the following lawful bases under the General Data Protection Regulation (GDPR) and UK GDPR:

• Contractual necessity — to provide the Application and associated services;
• Legitimate interests — to maintain, secure, and improve the Application, provided such interests are not overridden by User rights;
• Legal obligation — where processing is required by applicable law.

Where consent is the lawful basis for any processing activity, you have the right to withdraw such consent at any time without affecting the lawfulness of prior processing. To withdraw consent, please contact us at info@hashtalks.app.

The Company's registered data controller is Intelligent Trade SIA, Riga, Latvia, Apuzes iela 5-2/3, LV-1048. For EU/UK data protection matters, please contact us at info@hashtalks.app.

8. CALIFORNIA AND U.S. STATE PRIVACY RIGHTS

We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), or any comparable U.S. state privacy law.

California residents and residents of states with applicable privacy laws (including Virginia, Colorado, Connecticut, Texas, and Montana) may have the following rights:

• Right to know what personal information is collected about you;
• Right to delete personal information we hold about you;
• Right to correct inaccurate personal information;
• Right to opt out of the sale or sharing of personal information (not applicable — we do not sell or share);
• Right to non-discrimination for exercising your privacy rights.

Due to our zero-knowledge architecture, we hold minimal personal information. To exercise any of the above rights, please contact us at info@hashtalks.app. We will respond within the timeframes required by applicable law.

9. CANADIAN USERS — PIPEDA AND QUEBEC LAW 25

For Users in Canada, this Policy is intended to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, including Quebec's Act Respecting the Protection of Personal Information in the Private Sector(Law 25 / Bill 64).

Canadian Users have the right to:

• Access personal information we hold about them;
• Request correction of inaccurate personal information;
• Withdraw consent to collection or use of personal information (subject to legal or contractual restrictions);
• File a complaint with the Office of the Privacy Commissioner of Canada.

Quebec residents have additional rights under Law 25, including the right to data portability and the right to be informed of automated decision-making. We do not engage in automated decision-making that produces legal or similarly significant effects. Privacy inquiries from Canadian Users may be directed to info@hashtalks.app.

10. USERS IN INDIA — DPDP ACT 2023

For Users in India, this Policy is intended to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act). Intelligent Trade SIA acts as a Data Fiduciary in respect of personal data processed in connection with the Application.

As a Data Principal under the DPDP Act, you have the right to:

• Access a summary of personal data we process about you;
• Correct or update inaccurate personal data;
• Erasure of personal data where processing is no longer necessary;
• Grievance redressal in respect of data processing activities;
• Nominate another individual to exercise your rights on your behalf.

We have designated a Grievance Officer for Indian Users. All grievances may be submitted to info@hashtalks.app with the subject line "DPDP Grievance". We will acknowledge receipt within 72 hours and endeavor to resolve grievances within 30 days. Cross-border transfer of personal data of Indian Users is conducted in accordance with applicable provisions of the DPDP Act and any rules notified thereunder.

11. USERS IN CHINA — PIPL NOTICE

For Users in the People's Republic of China, the Application processes personal information in accordance with the Personal Information Protection Law (PIPL, effective 1 November 2021). Personal information collected from Chinese Users is processed on the basis of necessary performance of the service contract. Cross-border transfers of personal information are conducted subject to applicable PIPL requirements. Chinese Users have the right to access, correct, delete, and transfer their personal information, and to withdraw consent where consent is the basis for processing. To exercise these rights, please contact info@hashtalks.app. Due to the zero-knowledge architecture of the Application, the Company does not store message content or encryption keys and therefore cannot produce such data in response to any regulatory request.

12. DATA RETENTION

We retain minimal technical and operational data only for as long as is necessary for the purposes for which it was collected, and in compliance with applicable law. Specifically:

• Message content and encryption keys are never retained by the Company;
• Routing metadata is retained only for the duration required for delivery;
• Diagnostic and crash logs are retained for a maximum of 90 days;
• Subscription and transaction records are retained for the period required by applicable financial and tax law.

13. DATA SHARING

We do not sell, rent, or share personal data for advertising or commercial profiling purposes.

We may disclose limited data to:

• Platform providers (Apple / Google) for subscription and billing processing;
• Service providers (e.g., hosting, infrastructure) under contractual confidentiality and data protection obligations;
• Competent authorities where required by applicable law or valid legal process.

Due to the end-to-end encryption design, the Company is technically incapable of providing message content, call content, or encryption keys in response to any third-party request, including law enforcement requests.

14. INTERNATIONAL DATA TRANSFERS

Where personal data is transferred outside the European Economic Area or United Kingdom, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• UK International Data Transfer Agreements (IDTAs) where applicable;
• Equivalent legally recognized mechanisms for other jurisdictions.

15. YOUR RIGHTS (ALL USERS)

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you;
• Correct or rectify inaccurate personal data;
• Request erasure of personal data;
• Restrict or object to certain processing activities;
• Receive a portable copy of your personal data;
• Lodge a complaint with a competent data protection supervisory authority.

To exercise any of the above rights, please contact info@hashtalks.app. EU Users may also lodge a complaint with the Latvian Data State Inspectorate (Datu valsts inspekcija, datainspection.lv) or the supervisory authority of your country of habitual residence. Due to our zero-knowledge architecture, we may have limited technical ability to access, modify, or produce data tied to end-to-end encryption.

16. SECURITY

The Company implements appropriate technical and organizational security measures commensurate with the risks associated with the processing of personal data. However, the security of communications also depends upon the integrity of the User's device and operating environment. The Company is not responsible for breaches of security caused by:

• Compromised, rooted, or jailbroken devices;
• Malware, spyware, or keylogging software on the User's device;
• Unauthorized physical or remote access to the User's device;
• Failure to maintain adequate device security practices.

17. CHILDREN'S PRIVACY

The Application is not intended for use by individuals under the age of 16 in the European Union and United Kingdom, under 13 in the United States (COPPA), or under such higher minimum age as may be required by applicable local law. We do not knowingly collect personal data from children below these age thresholds. If we become aware that we have inadvertently collected data from a child below the applicable minimum age, we will take prompt steps to delete such data. If you believe a child has provided us with personal data, please contact info@hashtalks.app.

18. APP STORE AND GOOGLE PLAY COMPLIANCE

Apple App Store: Apple, Inc. is not a party to this Privacy Policy and bears no responsibility for the Application or its privacy practices. Apple has no obligation to provide maintenance, support, or privacy-related assistance in connection with the Application.

Google Play: Google LLC is not a party to this Privacy Policy and is not responsible for the operation of the Application or its privacy practices. Subscription payments processed via Google Play are subject to Google's billing policies.

19. THIRD-PARTY SERVICES

The Application may depend on third-party infrastructure providers (e.g., cloud hosting, crash reporting services). These providers process only the minimum technical data necessary for service operation and are contractually bound by confidentiality and data protection obligations consistent with this Policy. We do not use third-party advertising networks or behavioral analytics providers in connection with the Application.

20. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. Where required by law, we will notify Users of material changes in advance. Continued use of the Application following the effective date of any update constitutes acceptance of the revised Policy. The current version is always available at hashtalks.app/privacy.

21. CONTACT AND DATA CONTROLLER INFORMATION

Data Controller and Privacy inquiries:
Intelligent Trade SIA
Apuzes iela 5-2/3, Riga, LV-1048, Latvia
Email: info@hashtalks.app

For data protection inquiries (EU/UK/EEA), please include "Privacy Inquiry" in the subject line. For DPDP grievances (India), include "DPDP Grievance". For CCPA/CPRA requests (California), include "Privacy Rights Request".

22. IMPORTANT LIMITATION OF DATA ACCESS

Due to the end-to-end encryption design of the Application:

• We cannot recover lost or deleted messages;
• We cannot reset, recover, or restore encryption keys;
• We cannot access, read, or disclose the content of any message, call, or file;
• We cannot comply with requests to produce message or call content, regardless of the source of such requests.