Privacy Policy

Last updated: May 8, 2026 · Effective: May 8, 2026

SayHaii is operated by Samantha Lee, a Massachusetts-based individual (“we,” “us,” or “SayHaii”). This policy explains what data we collect, how we use it, and your rights.

Version 0.1: pending legal review.This policy reflects current practice in good faith. SayHaii is a single-operator early-stage project; we will engage legal counsel for a formal review before public launch. Substantive changes will be reflected in the “Last updated” date and announced in-app where applicable.

What we collect

Information you provide

Explorer accounts:

  • Phone number (for signup verification and Going reminders)
  • Display name
  • Avatar image (optional)
  • Preferred neighborhood and event categories (optional)

Host accounts:

  • Email address and password, or Google account login
  • Public name, description, host type
  • Address and neighborhood (optional, for events)
  • Social media links, website, contact email
  • Profile and event images

Event content (hosts only):

  • Event name, description, dates, location, pricing, category
  • Cover images

Information we generate

  • Which events you save, mark Going, or flag
  • Which hosts you follow
  • Event page views (anonymized with session tokens, not tied to your identity)
  • Notification delivery records
  • Audit logs for account-level actions (deletions, admin decisions)

Information we do NOT collect

  • Precise GPS location (we use neighborhood preferences you enter, not device location)
  • Contacts, call logs, or messages
  • Data from users under 13

How we use your data

PurposeData used
Create and manage your accountPhone/email, name, profile info
Show you relevant eventsNeighborhood preference, category preferences, saves, goings
Send notificationsPhone (SMS for Going reminders), in-app for event updates
Let hosts understand event interestAggregate counts only (e.g., “42 people going”). Never individual explorer identities.
Extract event details from textText you choose to paste into the host event-creation flow is sent to Anthropic Claude on the server. Opt-in only. See the “AI extraction” section below.
Improve the platformAnonymized usage patterns, aggregate analytics
Enforce community standardsFlag reports, admin review of flagged content

We do not:

  • Sell your data to anyone
  • Use your data for advertising
  • Share individual explorer activity with hosts
  • Send marketing SMS. Twilio is used only for signup verification and Going reminders.

Explorer privacy

This is our most important commitment: your identity as an explorer is never exposed to hosts.

  • Hosts see aggregate counts (saves, goings); never who saved or who's going
  • Hosts cannot see who follows them
  • Feedback and flags are aggregated before hosts see them
  • No API, query, or interface reveals individual explorer records to hosts

What other users can see

Public, visible to anyone (signed in or not):

  • Approved host profiles, including the public name, host type, neighborhood, description, social links, and any contact methods the host has chosen to display
  • Active events: title, description, dates, location, cover image, pricing
  • Aggregate event interest (number of saves, number of going) without any identifying details

Hidden from other users:

  • Your phone number, email, and account identifiers
  • Which events you save, mark Going, or follow
  • Which hosts you follow
  • Feedback or flags you submit
  • Any private profile field you have not explicitly chosen to display

Who we share data with

ServiceWhat they receiveWhy
SupabaseAll stored dataDatabase and authentication provider
VercelRequest logs, server-side code executionHosting and deployment
AnthropicText the host pastes into the event-creation flow (opt-in only). No name, phone, email, or account ID is sent.AI-powered event detail extraction. Per Anthropic's commercial terms, customer inputs are not used to train their models. Anthropic retains inputs only as their published API data policy permits (primarily for limited periods to detect abuse); we don't control that retention.
Twilio (integration ready; not active in prod as of May 8, 2026)Phone numbers, signup verification codes, Going-reminder SMS bodiesSMS verification at signup and event-reminder messages
Stripe (integration ready; not active in prod as of May 8, 2026)Email, payment info, billing identifiersHost subscription billing and featured-event placement (when activated)
GoogleEmail (if using Google OAuth)Authentication only

We do not share data with data brokers, advertisers, or any other third parties.

We may disclose data if required by law (court order, subpoena, legal process).

AI extraction (Anthropic)

SayHaii offers an optional feature that lets hosts paste a description (for example, a caption from a social-media post or a flyer) into the event-creation flow. The pasted text is sent to Anthropic's Claude API on the server, which returns structured event details (date, location, category, etc.) that pre-fill the form.

This feature is opt-in. It only runs when a host actively chooses to paste text and trigger extraction. Hosts can ignore the feature and fill in event details manually.

What we send to Anthropic:

  • The text you choose to paste, capped at 5000 characters
  • A small server-generated context prompt (today's date, a list of Boston neighborhoods, your host type) that helps the model produce relevant output

What we do not send:

  • Your name, phone number, email, or any account identifier
  • Other events or profile information beyond your host type

What Anthropic does with it:

  • Per Anthropic's commercial terms, customer inputs are not used to train their models.
  • Anthropic retains inputs only as their published API data policy permits, primarily for limited periods to detect abuse. We don't control this retention.

How to avoid this entirely:don't use the “Paste a description” affordance during event creation. Type or paste details directly into individual form fields instead. Those don't go to Anthropic.

Your privacy rights

You have the right to:

  • Access your data, including a copy of what we have about you
  • Correct inaccurate or out-of-date information
  • Delete your account and the data tied to it
  • Opt out of any sale or sharing of your personal information for advertising
  • Withdraw consent for any optional processing

We do not sell or share your personal information for advertising. We have no advertising business model. Any future change here would be announced in advance and require your opt-in.

How to exercise these rights:

  • Most controls are self-service. Edit your profile in-app, opt out of SMS in settings, or delete your account from the profile menu.
  • For a full data export or anything you can't complete in-app, email samatchalee.info@gmail.com. We aim to respond within 7 business days, or as required by your state's law.
  • Authorized agents may submit requests on your behalf with appropriate verification.

Non-discrimination: We will not deny services, charge different prices, or provide a different quality of service because you exercised any of these rights.

California residents: these rights are protected by the California Consumer Privacy Act (CCPA / CPRA). The list above is the standard CCPA rights set, applied to all SayHaii users regardless of state.

Account deletion mechanics

  • SayHaii has per-side delete. “Delete explorer account” (on your explorer profile) removes explorer data. “Delete host account” (on your host profile) removes host data and its events.
  • When you have nothing left on SayHaii, your authentication record is also fully deleted, and your phone or email can be used to sign up again.
  • Audit log entries (recording that a deletion occurred) are retained for 90 days for security purposes.
  • Deletion is permanent and cannot be undone.

International users

SayHaii is operated from the United States. Your data is stored on US-based servers (via Supabase Postgres and Vercel hosting). If you access SayHaii from outside the US, you understand that your information is transferred to and processed in the US, which may have different data protection laws than your country.

We do not currently market or operate SayHaii outside the US. If we expand outside the US, this policy will be updated to reflect the additional protections that apply.

Data retention

Data typeRetention
Active account dataKept while your account is active
Deleted account dataRemoved immediately upon deletion
Event dataRetained after the event ends (part of platform history)
Audit logs90 days after the triggering action
Anonymized event viewsRetained indefinitely (not tied to your identity)

Children's privacy

SayHaii is for users 13 and older. We do not knowingly collect data from anyone under 13. If we learn that a user is under 13, we will delete their account and data promptly. If you believe a child under 13 has created an account, contact us at samatchalee.info@gmail.com.

Cookies and tracking

SayHaii uses:

  • Authentication cookies: httpOnly, secure, SameSite=Lax. Required for login sessions. These are functional, not tracking cookies.
  • Local storage: stores your active host profile selection (if you're a host). Not shared with third parties.

We do not use third-party tracking cookies, advertising pixels, or cross-site trackers.

Do Not Track

Some browsers send a “Do Not Track” (DNT) signal indicating you don't want to be tracked across sites. Because we don't use cross-site tracking, advertising pixels, or third-party trackers, the DNT signal isn't applicable to us. The same applies to “Global Privacy Control” (GPC) signals.

Security

We protect your data with:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Row-level database security (Postgres RLS)
  • Rate limiting on sensitive endpoints
  • Access controls and admin-action audit logs

Changes to this policy

If we make material changes, we'll notify you through the app or via the contact information on your account. The “last updated” date at the top will always reflect the most recent version.

Contact

For privacy questions, data requests, or concerns, reach us at samatchalee.info@gmail.comor via the in-app feedback form (3-dot menu on your profile, then “Send feedback”). We aim to respond within 7 business days.

We do not currently maintain a public mailing address. If you need to contact us in writing for legal or regulatory reasons, email us first and we will provide an address as needed.