Hegai Privacy Policy (Mobile App)

Last updated: 24 May 2026. Document version: 1.1 (Android + iOS).

This Policy explains what data the Hegai mobile apps for Android and iOS (the "App") collect, how we use it, with whom we share it, and what rights you have. The Policy is written to align with the EU General Data Protection Regulation (GDPR) and Russian Federal Law No. 152-FZ on Personal Data.

1. Who we are

Data controller: Pavel Khegai, an individual acting as an independent app developer. Address: jl padang kartika 3, Denpasar 80117, Republic of Indonesia.

Contact for any data request (DSR): support@hegai.net (secondary: info@heg.ai).

Website: https://hegai.net Android app package: net.hegai.android. iOS app bundle: com.pavelhegai.hegassenger.

2. What data we collect

2.1. Data you give us

Email — used for signup, login, and service notifications.
Name and profile photo — filled in on your member profile.
Optional profile fields (city, company, industry, interests, short bio, phone number) — populated at your discretion.
Messages in chats, groups, comments, polls, checklists.
Voice notes and AI-assistant audio — captured only while the microphone feature is active.
Photos, videos, documents you attach to messages or upload as avatar.
Linked Telegram account — if you use Telegram login, we receive your Telegram user ID and username.

2.2. Data collected automatically

Firebase Cloud Messaging (FCM) token — used to deliver push notifications.
App-usage metadata (which events you RSVPed to, which media items you watched, who you chat with) — required for the app to work.
Anonymized usage analytics via Yandex AppMetrica — events (app starts, screens, session duration), install identifier, device model, OS version, UI language. Used solely for debugging and product improvement.
Server-side request logs (IP, timestamp, response status) — minimal logs kept for security and debugging.

We do not collect: location, health data, web browsing history, calendar. The app contains no third-party advertising SDKs and does not share data with ad partners.

Address-book contacts are covered by a separate, strictly opt-in feature described in section 2.3 below. They are not collected unless you explicitly turn the feature on.

2.3. Phone contacts matching (iOS only, opt-in)

This feature works only after you explicitly enable it in the app's settings and grant the iOS system prompt for contacts access. It is off by default; declining has no effect on the rest of the app.

What happens:

Hashing happens on your device. The app normalises each phone number from your address book to the E.164 international format (e.g. +19255551234) and computes its SHA-256 hash. SHA-256 is a one-way cryptographic function — the original number cannot be recovered from the hash.
Only the hashes are sent to the server. The phone numbers themselves, the contact names, and every other address-book field never leave your device and are never transmitted to Hegai servers or any third party.
The server compares your hashes against the hashes of registered Hegai users' phone numbers. When a match is found, we surface that contact's Hegai member profile to you.
What we store: only hashes tied to your user_id, plus the fact that a particular hash matched a particular Hegai member. We do not store:
- phone numbers of other people;
- the names you have those contacts saved under (we don't see them);
- any contact information of people who are not themselves Hegai members.
Why we do this: (a) to show you which of your existing contacts are already in Hegai, making in-community networking easier; (b) to improve smart-intro recommendations (two people who know each other outside Hegai is a strong signal for proposing a connection).

Retention and deletion:

Hashes are deleted automatically on logout.
Hashes are deleted when you delete your account.
You can disable the feature at any time in app settings ("Contacts → Stop syncing") — all previously uploaded hashes are deleted immediately.
An explicit deletion endpoint DELETE /api/community/contacts is also available (mapped to a "Delete my contacts" button in app settings).

Legal basis: your explicit consent (GDPR Art. 6(1)(a); RU FZ-152 Art. 6(1.1)). Consent is given by a dedicated toggle in app settings and may be withdrawn at any time with the same toggle.

3. Purposes and legal bases

Purpose	Data	Legal basis
Sign-up, authentication	Email, password, Telegram ID	Performance of a contract (Terms of Service); GDPR Art. 6(1)(b)
Core community features (chat, events, members)	Profile, messages, attachments	Performance of a contract
Push notifications	FCM token	Consent — granted via `POST_NOTIFICATIONS` prompt — GDPR Art. 6(1)(a)
Voice AI assistant	Audio stream, transcript	Consent
Security, abuse prevention	Request logs, IP	Legitimate interests — GDPR Art. 6(1)(f)
Service emails	Email	Performance of a contract
Phone contacts matching (only when feature enabled)	SHA-256 hashes of address-book phone numbers	Consent — GDPR Art. 6(1)(a); RU FZ-152 Art. 6(1.1)

4. Retention

Account and linked data — as long as the account is active. Upon a deletion request, within 30 days.
Chat messages — until deleted by the user or until the community shuts down. The local cache is wiped on logout and on app uninstall.
Address-book contact hashes — while the contacts-matching feature is enabled and you are logged in. Deleted immediately on logout, on feature disable, and on account deletion.
Request logs / technical telemetry — up to 90 days.
Backups — up to 30 days from creation.

5. Where data is stored and processed

Primary infrastructure is hosted at web.hegai.net. Service infrastructure and backups may be located in a data center outside the user's country of residence; the exact location may change when the hosting provider changes. All network traffic between the app and the server is over a secure channel (TLS 1.2+).

Third parties that receive part of the data:

Google Firebase Cloud Messaging — FCM token and push payload, to deliver to the device. Policy: https://firebase.google.com/support/privacy
Yandex AppMetrica — anonymized app-usage data (events, session duration, install identifier, device model, OS version). Used for debugging and product improvement. Policy: https://yandex.com/legal/appmetrica_agreement
Telegram Bot API — if you log in through Telegram, your Telegram user ID and username. Policy: https://telegram.org/privacy

No other third parties receive your personal data.

6. International transfers

The data controller and the web.hegai.net infrastructure are located outside the European Union and the Russian Federation, so personal data of EU and RF users may be processed in another jurisdiction. In addition, data is transferred to the third-party services listed in section 5 (Google, Yandex, Telegram), each of which processes data in its own infrastructure subject to its own privacy policy.

By using the App and accepting this Policy, you provide your consent to the international transfer of your personal data necessary for the App to function. You may withdraw this consent by deleting your account (see section 8).

7. Security

All network traffic is HTTPS (TLS 1.2+).
Credentials and tokens are stored in EncryptedSharedPreferences with the key held in the Android Keystore.
Sensitive messages are encrypted client-side (AES-GCM) before upload.
Employee access to production is scoped and audit-logged.

Despite these measures, no system is perfectly secure. Report any suspected breach or vulnerability to support@hegai.net.

8. Your rights

Under GDPR and Russian FZ-152 you have the right to:

access your personal data and obtain a copy;
rectify inaccurate or incomplete data;
erase your data ("right to be forgotten");
restrict processing;
withdraw consent where consent was the legal basis;
port your data in a machine-readable format;
lodge a complaint with a supervisory authority (Roskomnadzor in Russia, your local DPA in the EU).

To exercise any of these rights, email support@hegai.net with the subject [DSR]. We respond within 30 days.

9. Children

The App is not directed at users under 16. We do not knowingly collect data from children. If you believe we have, write to support@hegai.net and we will delete it.

10. Cookies and similar technologies

The mobile app does not use cookies. No embedded web-browsing trackers.

11. Changes to this Policy

We may update this Policy. The current version is always at https://hegai.net/privacy. We will notify users of material changes via push or an in-app banner. Continued use of the App after an update means you accept the revised Policy.

12. Contact

Email: support@hegai.net (secondary: info@heg.ai).
Postal address: jl padang kartika 3, Denpasar 80117, Republic of Indonesia.
Privacy contact: Pavel Khegai (info@heg.ai). Designation of a Data Protection Officer under GDPR Art. 37 is not required, as the controller does not meet the mandatory triggers (large-scale systematic monitoring, large-scale processing of special category data, public authority).