Privacy Policy
Last updated: August 11, 2025
Effective date: 11 August 2025
Version: 1.0
This Privacy Policy explains how Hustlly (“we”, “us”, “our”) collects, uses, and shares information when you use our mobile apps and website (the “Services”). By using the Services, you agree to this Policy.
1) Who we are & contact
Data Controller: Golden Norbert Tyc (company)
Address: Rzetnia 18, 63-600 Kępno, Poland
Email: contact@hustlly.app
You can also lodge a complaint with your local data protection authority. In Poland: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.
SUMMARY OF KEY POINTS
What personal information do we process? Depending on how you use Hustlly, we process account and profile details, chat/content you submit, purchase/receipt data, app and site usage, diagnostics, identifiers, and (on the website, with consent in EEA/UK) cookies/pixel data for analytics and advertising.
Do we process sensitive personal information? We do not intentionally process sensitive personal information. Please do not submit passwords, payment details, government IDs, health/biometric data, precise location, or other special-category data in chat.
Do we receive information from third parties? Yes. We receive purchase/sign-in data from Apple and Google, and we use processors such as Firebase, OpenAI, and RevenueCat. On the website, with your consent, advertising/measurement partners (e.g., Google, Meta) may receive event data to measure conversions.
How do we process your information? To provide and improve the Services, operate AI/chat, manage subscriptions, communicate with you, perform analytics (where allowed), ensure security and fraud prevention, and comply with law. We rely on contract, legitimate interests, consent where required, and legal obligations.
When and with whom do we share personal information? With service providers (processors), app stores and sign-in providers (independent controllers), advertising/measurement partners on the website (only with consent), and as required for legal reasons or business transfers. We do not sell your personal data.
How do we keep your information safe? Encryption in transit and at rest (where supported), access controls, logging, backups, and incident response. No method is 100% secure.
Your rights. Depending on your location, you can request access, correction, deletion, restriction/objection, portability, and you may withdraw consent at any time and complain to a data protection authority.
How to exercise your rights. Use in-app settings where available or email contact@hustlly.app. We may need to verify your request.
Learn more. Full details are provided in the sections of this Privacy Policy below.
2) What we collect
- Account data: email address, password hash (if you sign up with email), and user ID.
- Profile data (optional): name, age, gender, language, currency, profile settings.
- Content: messages you send to the AI/chat, lesson progress, chat titles.
- Purchase data: subscription status, product IDs, and receipts/transaction identifiers from Apple App Store / Google Play.
- App usage: interactions, timestamps, approximate session length, in-app events.
- Diagnostics: crash logs, performance data, device model, OS version, app version.
- Identifiers: generated user/installation/session IDs (and push notification device tokens if you opt in).
- Website cookies & similar tech: cookies, local storage, pixels (e.g., Google/Meta) for preferences, security, analytics, and (with your consent in EEA/UK) advertising/retargeting.
We do not knowingly collect precise geolocation or your contacts. Sources include information you provide, data from your device/app, and third parties you choose to use with Hustlly (e.g., Apple/Google for sign-in and purchases).
3) Why we use your data & legal bases
Purpose | Data used | Legal basis (GDPR) |
---|---|---|
Create and manage your account; provide the Services | Account, Profile, Identifiers | Contract (Art. 6(1)(b)) |
Operate AI/chat and lessons | Content, Account/Profile, Identifiers | Contract; Legitimate interests (quality & safety) |
Purchases & subscriptions; fraud prevention | Purchase data, Identifiers | Contract; Legal obligation (tax/records) |
Analytics (understand usage; improve app/site) | App usage, Identifiers, cookie/pixel events | Consent where required; otherwise Legitimate interests |
Advertising & retargeting on the website (if you consent) | Cookie/pixel IDs, IP, device/browser info, page views, conversions | Consent (Art. 6(1)(a)) |
Crash reporting & performance monitoring | Diagnostics, Identifiers | Legitimate interests (reliability & security) |
Security & abuse prevention | Identifiers, limited logs | Legitimate interests; Legal obligation where applicable |
Customer support & service messages | Account/Profile, Content (if shared), Purchase data | Contract; Legitimate interests |
Marketing push notifications (optional) | Device token, basic profile | Consent (you can withdraw anytime) |
Legal & compliance | Any necessary data | Legal obligation |
You can withdraw consent at any time (e.g., turn off ads/analytics cookies via “Cookie Settings”). If we rely on legitimate interests, you can object.
4) Cookies & similar tech (website & apps)
We use cookies, local storage, SDKs, and pixels (e.g., Google and Meta) to run, secure, measure, and improve our Services. On the website we categorize cookies as:
- Strictly necessary (always active): security, session management, load balancing.
- Functional: remember choices and preferences.
- Analytics: understand usage and performance (e.g., event/page measurement).
- Advertising & retargeting: measure conversions, build audiences, and show relevant ads across our and others’ properties (e.g., Google Ads/Analytics tags, Meta Pixel). Set only with your consent where required (EEA/UK).
You can manage or withdraw your consent anytime via Cookie Settings (preference center) or your browser controls. Blocking some cookies may impact features. For details, see our Cookie Notice.
Partners may receive hashed identifiers, IP address, device/browser info, and event data to attribute conversions and provide aggregated reports. Some partners (e.g., Google/Meta) act as independent controllers for their own ad/measurement purposes—see their privacy policies.
Mobile apps: analytics/crash SDKs (e.g., Firebase) use device identifiers, not browser cookies. Where local law requires consent for analytics/ads, we will seek it in-app. We do not use data to track you across other companies’ apps.
5) How we share information
- Service providers (processors): hosting, analytics, crash monitoring, messaging/push, support—acting on our instructions under data processing agreements.
- Payments: Apple App Store and Google Play process purchases as independent controllers; we receive receipt identifiers to validate your subscription.
- Sign-in providers: if you choose “Sign in with Apple/Google”, they act as independent controllers for that sign-in.
- Advertising & measurement partners (website): if you consent, we allow ad/measurement partners (e.g., Google, Meta) to set cookies/pixels to measure conversions and show ads. They may act as independent controllers—see their policies and opt-outs.
- Legal/safety: where required by law or to protect users, our rights, or the Service.
- Business transfers: in mergers, acquisitions, or reorganization, we’ll ensure protections continue and notify you where required.
We do not sell your personal data.
6) International data transfers
We may process or store data in the EEA/UK and the United States. Our primary cloud region is Firebase us-central1 (USA). When data leaves the EEA/UK, we use appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, providers’ participation in the EU–US Data Privacy Framework.
You can request a copy or summary of the transfer safeguards by contacting us.
7) How long we keep data (retention)
- Account & Profile: for your account lifetime and up to 24 months after inactivity or deletion.
- Content (chats/lessons): for your account lifetime; you can delete content in-app where available. Backups may persist up to 30 days.
- Purchase records: kept for 5–6 years to meet tax/accounting obligations.
- Analytics events: up to 13 months.
- Crash & security logs: typically 90 days unless needed longer for investigations.
- Support communications: 24 months.
We may keep data longer if required by law or to establish/defend legal claims.
8) Your rights (EEA/UK)
- Access your data and obtain a copy
- Correct inaccurate data
- Delete your data (“erasure”)
- Restrict or object to certain processing (especially where we rely on legitimate interests)
- Data portability (receive data in a machine-readable format)
- Withdraw consent at any time (doesn’t affect past processing)
- Complain to a data protection authority
To exercise any right, email contact@hustlly.app. We may need to verify your identity. We’ll respond within one month (extendable by two months for complex requests).
California Privacy (CCPA/CPRA)
If you are a California resident, you have the right to: (i) know/access the categories and specific pieces of personal information we collected about you; (ii) delete personal information; (iii) correct inaccurate personal information; (iv) opt out of the sale or sharing of personal information; and (v) not be discriminated against for exercising your rights.
- Sale/Share: We do not sell personal information. On our website, use of third-party advertising and measurement cookies/pixels (e.g., Google/Meta), if enabled, may be considered “sharing” for cross-context behavioral advertising under California law. You can opt out at any time via Cookie Settings.
- How to submit requests: Email contact@hustlly.app. We may need to verify your request. You may designate an authorized agent with proof of authorization.
- Notice at collection: The categories of data we collect and the purposes are described in this Privacy Policy. Retention periods are listed in “How long we keep data”.
Shine the Light (Cal. Civ. Code §1798.83)
We do not disclose personal information to third parties for their own direct marketing purposes. California residents may request information about our practices by contacting contact@hustlly.app.
Under-18 content removal
If you are under 18, reside in California, and have a registered account, you may request removal of content you publicly posted on our Services by emailing contact@hustlly.app with the email tied to your account and a description/URL of the content. We will make the content no longer publicly visible on the Services; removal may not be complete from all systems (e.g., backups) as allowed by law.
9) Security
- Encryption in transit (TLS) and at rest (where supported)
- Least-privilege access, multi-factor authentication, and access logging
- Regular backups, vulnerability management, and incident response procedures
- Vendor due diligence and data processing agreements
No method is 100% secure. Please use a strong, unique password and keep your device secure.
10) AI/chat content
We use OpenAI as our processor (via API) to generate responses to your prompts. API data is not used for model training by default. Providers may retain limited logs for abuse detection, security, or reliability, and may process data on servers outside your country. We minimize personal data in prompts and disable optional logging where feasible.
Do not include sensitive information in chat prompts. In particular, do not submit: passwords/OTPs/recovery keys/API keys/seed phrases; payment card or banking details; government IDs (e.g., PESEL, passport/ID numbers); health/medical/genetic/biometric data; precise location; or other special-category data (e.g., racial/ethnic origin, political opinions, religion, trade-union membership, sexual life/orientation).
If you inadvertently share such data, contact us at contact@hustlly.app. Once content is sent to an AI provider, full recall from provider logs may not be possible; we will process your request consistent with applicable law.
11) Children
Hustlly is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13 or otherwise below the applicable digital consent age in your country.
For users in the EEA/UK: if you are under your country’s digital consent age (which is set between 13 and 16 depending on the country), you may use Hustlly only with verifiable consent of your parent or legal guardian. We may request a parent/guardian email or other reasonable verification. If we learn that a user is under the applicable age and no parental consent was obtained, we will delete the account and related data.
If you believe a minor has used Hustlly without appropriate consent, contact us at contact@hustlly.app.
12) Your choices & controls
- Account settings: update profile and preferences in-app.
- Delete account: request deletion in-app (where available) or email us; we’ll delete or anonymize data except where law requires retention.
- Marketing push: you can opt in/out any time in your device’s notification settings.
- Cookie preferences (website): manage or withdraw your consent anytime via Cookie Settings or browser controls.
13) Changes to this Policy
We’ll update this Policy when needed. If changes are material, we’ll notify you in-app, by email, or on our website before they take effect. We’ll keep the “Effective date” at the top.
14) Contact
Data Controller: Golden Norbert Tyc (company)
Email: contact@hustlly.app
Postal address: Rzetnia 18, 63-600 Kępno, Poland
15) Our service providers (public list)
- Google LLC (Firebase) — hosting, authentication, analytics, crash reporting, cloud functions, and push notifications (FCM). Primary region: us-central1 (USA). Safeguards: SCCs and (where applicable) Data Privacy Framework. See: firebase.google.com/support/privacy.
- OpenAI, L.L.C. — AI/chat processing via API. Acts as our processor; API data not used for training by default. Typical location: USA. Safeguards: SCCs (and equivalents).
- Apple Inc. — App Store payments and “Sign in with Apple” (independent controller).
- Google LLC — Google Play payments and “Sign in with Google” (independent controller).
- RevenueCat, Inc. — in-app subscriptions, subscription lifecycle management, purchase validation, and subscription analytics. Acts as our processor; receives user identifiers (e.g., user ID), transaction/receipt identifiers, and subscription status from Apple App Store / Google Play. Typical processing location: USA. Safeguards: SCCs and, where applicable, the Data Privacy Framework. See: www.revenuecat.com/privacy.
- Advertising & measurement partners (website) — e.g., Google Ads/Analytics and Meta Pixel, used only with your consent where required. These partners may act as independent controllers for their own purposes—see their privacy policies for details and opt-outs.
We may update this list as our infrastructure evolves. We maintain data processing agreements with all processors.