Privacy Policy
Last updated: May 8, 2026 · Effective: May 8, 2026
SayHaii is operated by Samantha Lee, a Massachusetts-based individual (“we,” “us,” or “SayHaii”). This policy explains what data we collect, how we use it, and your rights.
Version 0.1: pending legal review.This policy reflects current practice in good faith. SayHaii is a single-operator early-stage project; we will engage legal counsel for a formal review before public launch. Substantive changes will be reflected in the “Last updated” date and announced in-app where applicable.
What we collect
Information you provide
Explorer accounts:
- Phone number (for signup verification and Going reminders)
- Display name
- Avatar image (optional)
- Preferred neighborhood and event categories (optional)
Host accounts:
- Email address and password, or Google account login
- Public name, description, host type
- Address and neighborhood (optional, for events)
- Social media links, website, contact email
- Profile and event images
Event content (hosts only):
- Event name, description, dates, location, pricing, category
- Cover images
Information we generate
- Which events you save, mark Going, or flag
- Which hosts you follow
- Event page views (anonymized with session tokens, not tied to your identity)
- Notification delivery records
- Audit logs for account-level actions (deletions, admin decisions)
Information we do NOT collect
- Precise GPS location (we use neighborhood preferences you enter, not device location)
- Contacts, call logs, or messages
- Data from users under 13
How we use your data
| Purpose | Data used |
|---|---|
| Create and manage your account | Phone/email, name, profile info |
| Show you relevant events | Neighborhood preference, category preferences, saves, goings |
| Send notifications | Phone (SMS for Going reminders), in-app for event updates |
| Let hosts understand event interest | Aggregate counts only (e.g., “42 people going”). Never individual explorer identities. |
| Extract event details from text | Text you choose to paste into the host event-creation flow is sent to Anthropic Claude on the server. Opt-in only. See the “AI extraction” section below. |
| Improve the platform | Anonymized usage patterns, aggregate analytics |
| Enforce community standards | Flag reports, admin review of flagged content |
We do not:
- Sell your data to anyone
- Use your data for advertising
- Share individual explorer activity with hosts
- Send marketing SMS. Twilio is used only for signup verification and Going reminders.
Explorer privacy
This is our most important commitment: your identity as an explorer is never exposed to hosts.
- Hosts see aggregate counts (saves, goings); never who saved or who's going
- Hosts cannot see who follows them
- Feedback and flags are aggregated before hosts see them
- No API, query, or interface reveals individual explorer records to hosts
What other users can see
Public, visible to anyone (signed in or not):
- Approved host profiles, including the public name, host type, neighborhood, description, social links, and any contact methods the host has chosen to display
- Active events: title, description, dates, location, cover image, pricing
- Aggregate event interest (number of saves, number of going) without any identifying details
Hidden from other users:
- Your phone number, email, and account identifiers
- Which events you save, mark Going, or follow
- Which hosts you follow
- Feedback or flags you submit
- Any private profile field you have not explicitly chosen to display
Who we share data with
| Service | What they receive | Why |
|---|---|---|
| Supabase | All stored data | Database and authentication provider |
| Vercel | Request logs, server-side code execution | Hosting and deployment |
| Anthropic | Text the host pastes into the event-creation flow (opt-in only). No name, phone, email, or account ID is sent. | AI-powered event detail extraction. Per Anthropic's commercial terms, customer inputs are not used to train their models. Anthropic retains inputs only as their published API data policy permits (primarily for limited periods to detect abuse); we don't control that retention. |
| Twilio (integration ready; not active in prod as of May 8, 2026) | Phone numbers, signup verification codes, Going-reminder SMS bodies | SMS verification at signup and event-reminder messages |
| Stripe (integration ready; not active in prod as of May 8, 2026) | Email, payment info, billing identifiers | Host subscription billing and featured-event placement (when activated) |
| Email (if using Google OAuth) | Authentication only |
We do not share data with data brokers, advertisers, or any other third parties.
We may disclose data if required by law (court order, subpoena, legal process).
AI extraction (Anthropic)
SayHaii offers an optional feature that lets hosts paste a description (for example, a caption from a social-media post or a flyer) into the event-creation flow. The pasted text is sent to Anthropic's Claude API on the server, which returns structured event details (date, location, category, etc.) that pre-fill the form.
This feature is opt-in. It only runs when a host actively chooses to paste text and trigger extraction. Hosts can ignore the feature and fill in event details manually.
What we send to Anthropic:
- The text you choose to paste, capped at 5000 characters
- A small server-generated context prompt (today's date, a list of Boston neighborhoods, your host type) that helps the model produce relevant output
What we do not send:
- Your name, phone number, email, or any account identifier
- Other events or profile information beyond your host type
What Anthropic does with it:
- Per Anthropic's commercial terms, customer inputs are not used to train their models.
- Anthropic retains inputs only as their published API data policy permits, primarily for limited periods to detect abuse. We don't control this retention.
How to avoid this entirely:don't use the “Paste a description” affordance during event creation. Type or paste details directly into individual form fields instead. Those don't go to Anthropic.
Your privacy rights
You have the right to:
- Access your data, including a copy of what we have about you
- Correct inaccurate or out-of-date information
- Delete your account and the data tied to it
- Opt out of any sale or sharing of your personal information for advertising
- Withdraw consent for any optional processing
We do not sell or share your personal information for advertising. We have no advertising business model. Any future change here would be announced in advance and require your opt-in.
How to exercise these rights:
- Most controls are self-service. Edit your profile in-app, opt out of SMS in settings, or delete your account from the profile menu.
- For a full data export or anything you can't complete in-app, email samatchalee.info@gmail.com. We aim to respond within 7 business days, or as required by your state's law.
- Authorized agents may submit requests on your behalf with appropriate verification.
Non-discrimination: We will not deny services, charge different prices, or provide a different quality of service because you exercised any of these rights.
California residents: these rights are protected by the California Consumer Privacy Act (CCPA / CPRA). The list above is the standard CCPA rights set, applied to all SayHaii users regardless of state.
Account deletion mechanics
- SayHaii has per-side delete. “Delete explorer account” (on your explorer profile) removes explorer data. “Delete host account” (on your host profile) removes host data and its events.
- When you have nothing left on SayHaii, your authentication record is also fully deleted, and your phone or email can be used to sign up again.
- Audit log entries (recording that a deletion occurred) are retained for 90 days for security purposes.
- Deletion is permanent and cannot be undone.
International users
SayHaii is operated from the United States. Your data is stored on US-based servers (via Supabase Postgres and Vercel hosting). If you access SayHaii from outside the US, you understand that your information is transferred to and processed in the US, which may have different data protection laws than your country.
We do not currently market or operate SayHaii outside the US. If we expand outside the US, this policy will be updated to reflect the additional protections that apply.
Data retention
| Data type | Retention |
|---|---|
| Active account data | Kept while your account is active |
| Deleted account data | Removed immediately upon deletion |
| Event data | Retained after the event ends (part of platform history) |
| Audit logs | 90 days after the triggering action |
| Anonymized event views | Retained indefinitely (not tied to your identity) |
Children's privacy
SayHaii is for users 13 and older. We do not knowingly collect data from anyone under 13. If we learn that a user is under 13, we will delete their account and data promptly. If you believe a child under 13 has created an account, contact us at samatchalee.info@gmail.com.
Cookies and tracking
SayHaii uses:
- Authentication cookies: httpOnly, secure, SameSite=Lax. Required for login sessions. These are functional, not tracking cookies.
- Local storage: stores your active host profile selection (if you're a host). Not shared with third parties.
We do not use third-party tracking cookies, advertising pixels, or cross-site trackers.
Do Not Track
Some browsers send a “Do Not Track” (DNT) signal indicating you don't want to be tracked across sites. Because we don't use cross-site tracking, advertising pixels, or third-party trackers, the DNT signal isn't applicable to us. The same applies to “Global Privacy Control” (GPC) signals.
Security
We protect your data with:
- Encryption in transit (HTTPS/TLS) and at rest
- Row-level database security (Postgres RLS)
- Rate limiting on sensitive endpoints
- Access controls and admin-action audit logs
Changes to this policy
If we make material changes, we'll notify you through the app or via the contact information on your account. The “last updated” date at the top will always reflect the most recent version.
Contact
For privacy questions, data requests, or concerns, reach us at samatchalee.info@gmail.comor via the in-app feedback form (3-dot menu on your profile, then “Send feedback”). We aim to respond within 7 business days.
We do not currently maintain a public mailing address. If you need to contact us in writing for legal or regulatory reasons, email us first and we will provide an address as needed.