Privacy Policy

Last Updated: March 13, 2026

1. Introduction

Welcome to Havira ("we," "our," or "us"). This Privacy Policy explains how Engin Deniz Usta collects, uses, discloses, and protects your personal information when you use the Havira mobile application and related services, including publicly accessible share pages (collectively, the "Service").

We are committed to protecting your privacy and ensuring transparency about our data practices. This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws.

Contact Information:

• Service Provider: Engin Deniz Usta
• Email: support@havira.app
• Address: Brennerei 2, 82024, Taufkirchen, Germany

Table of Contents

1. Introduction
2. Information We Collect
   • 2.1 Information You Provide
   • 2.2 Automatically Collected Information
   • 2.3 Information Collected from Share Page Visitors
   • 2.4 Information from Third Parties
3. How We Use Your Information
   • 3.1 Essential Services
   • 3.2 Service Improvement
   • 3.3 Communications
   • 3.4 Analytics
   • 3.5 Legal Compliance and Audit Logging
   • 3.6 Administrative Access to User Content
   • 3.7 Automated Decision-Making
4. Third-Party Services
   • 4.1 OpenAI Moderation API
   • 4.2 OpenAI (Sora)
   • 4.3 Google (Veo)
   • 4.4 Kling AI
   • 4.5 Google Firebase
   • 4.6 Google Analytics
   • 4.7 RevenueCat
   • 4.8 Google Cloud Platform
   • 4.9 AppsFlyer
   • 4.10 Vercel Analytics (Website Only)
   • 4.11 Plausible Analytics (Website Only)
   • 4.12 Tracking Technologies
5. Your Privacy Choices and Rights
   • 5.1 Consent Management
   • 5.2 Your Rights Under GDPR (EU Users)
   • 5.3 Your Rights Under CCPA (California Users)
   • 5.4 Exercising Your Rights
6. Data Retention
   • 6.1 Active Accounts
   • 6.2 Account Deletion and Data Anonymization
   • 6.3 Legal Requirements
7. Data Security
8. Children's Privacy
9. International Data Transfers
10. Changes to This Privacy Policy
11. Contact Us

• 11.1 For EU Users (GDPR)

1. Legal Basis Summary

2. Information We Collect

We adhere to the principle of data minimization as required by Article 5(1)(c) GDPR, collecting only the personal information that is necessary for the specific purposes outlined in this Privacy Policy.

2.1 Information You Provide

• Account Information: User ID and authentication credentials (provided through Firebase Authentication)
• Email Address: Email addresses may be collected through Firebase Authentication and are used solely for the purpose of fulfilling data export requests and other account-related communications as necessary for the provision of the Service
• Video Generation Data:
  • Text Prompts: Text descriptions you provide for video generation
  • Reference Images: Images you upload to guide video generation (maximum 1 image for OpenAI Sora, up to 5 images for Google Veo, and up to 2 images for Kling AI models)
  • Processing: Reference images and prompts are processed for content moderation and safety verification purposes
  • Retention: Reference images are stored temporarily during the video generation process and are deleted when you delete your account or individual video request as described in Section 6
• Payment Information: Transaction data processed through RevenueCat (we do not store credit card details)

2.2 Automatically Collected Information

• Usage Data: Information about how you use our Service, including videos generated and features accessed
• Device Information: Device type, operating system, mobile network information, and vendor-scoped device identifiers (IDFV on iOS, Android ID on Android). These identifiers are used to manage push notification delivery and are not advertising identifiers. We do not collect the Apple Identifier for Advertisers (IDFA) or request App Tracking Transparency (ATT) consent
• Attribution Data: Information collected through our attribution and deep linking provider (AppsFlyer) to understand how you discovered and installed the app, including device identifiers, IP address, app install events, and — when you grant Analytics consent — purchase events (see Section 4.9 for details). On iOS, Apple's SKAdNetwork framework may independently send privacy-preserving, aggregated conversion postbacks to ad networks; these postbacks contain no user-level data and are controlled by Apple, not by us
• Log Data: IP address, access times, app crash reports, user identifiers, and other information necessary for operational, security, and compliance purposes

2.3 Information Collected from Share Page Visitors

When a user shares a generated video, an animated GIF thumbnail becomes publicly accessible via a share link. If you view a shared link (without being a registered user), we collect limited data:

• IP Address: Used for rate limiting and report deduplication (to prevent abuse of the report feature). IP addresses collected for report deduplication are stored temporarily (24-hour retention) and are not linked to any user account
• Server Access Logs: Standard server logs (IP address, User Agent, access time) are collected for security and operational purposes
• View Count: We track aggregate view counts for shared content. This is a counter and does not identify individual viewers

We do not require account registration, cookies, or any form of authentication to view shared content. Our website (havira.app) uses Vercel Analytics and Plausible Analytics for anonymous page view statistics — this applies to all pages, including share pages. Neither service uses cookies, fingerprints users, or tracks users across sites (see Sections 4.10 and 4.11).

2.4 Information from Third Parties

• Authentication Data: We use Firebase Authentication to manage user accounts
• Payment Data: RevenueCat provides us with transaction information for in-app purchases

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Essential Services (Legal Basis: Contractual Necessity)

• Providing and maintaining the Service
• Processing your video generation requests, including content moderation and safety verification
• Managing your credit balance and transactions
• Authenticating your identity and managing your account
• Processing payments and preventing fraud

3.2 Service Improvement (Legal Basis: Legitimate Interest)

• Collecting anonymized analytics data to analyze usage patterns and improve our Service
• Anonymized analytics are collected automatically and do not include personally identifiable information (PII) or user IDs
• This data helps us develop new features, fix technical issues, and improve the overall user experience
• Anonymized analytics collection cannot be disabled as it is necessary for service improvement under our legitimate interest

3.3 Communications (Legal Basis: Legitimate Interest / Consent)

• Push Notifications (Consent-based): With your explicit consent, we send push notifications about:
  • Video generation status updates (completed, failed, processing)
  • Important service announcements and updates
  • You can manage notification permissions through your device settings at any time
• Email Communications (Legitimate Interest):
  • Responding to your requests and inquiries
  • Sending critical service updates and account-related information
  • Data export delivery (as requested by you)

3.4 Analytics (Legal Basis: Consent)

• With your explicit consent, we use Google Analytics with full tracking capabilities, including linking analytics data to your user account
• When consent is granted, analytics data is linked to your account ID for better insights and personalization
• When consent is granted, purchase events (revenue amount, currency, pack identifier, and credit quantity) are also forwarded to AppsFlyer for campaign attribution measurement (see Section 4.9). No purchase events are sent to AppsFlyer when consent is denied
• When consent is denied, we still collect anonymized analytics (see Section 3.2) but without linking data to your account
• You may grant or withdraw this consent at any time through the Service's consent management features
• Important: Even when you withdraw consent for Analytics, anonymized analytics collection continues automatically for service improvement purposes (see Section 3.2)

3.5 Legal Compliance and Audit Logging (Legal Basis: Legal Obligation / Legitimate Interest)

• Complying with applicable laws and regulations
• Responding to legal requests and preventing misuse
• Maintaining transaction and security-related audit records as required by law
• Recording security- and compliance‑relevant actions (such as account deletion, data export, and certain administrative actions) in secure audit logs
• Maintaining operational logs containing user identifiers and system information necessary for security monitoring and compliance purposes

Law Enforcement and Legal Requests: We may be required to disclose your personal information to law enforcement agencies, regulatory authorities, or other government bodies when we believe in good faith that such disclosure is necessary to: (a) comply with applicable laws, regulations, legal processes, or enforceable governmental requests; (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Havira, our users, or the public as required or permitted by law.

When legally permitted, we will attempt to notify you of such requests. However, we may be prohibited from providing notice in certain circumstances, including when the request includes a court order prohibiting disclosure or when disclosure would compromise an ongoing investigation.

3.6 Administrative Access to User Content (Legal Basis: Legitimate Interest)

• Authorized administrative personnel may access user-generated content only when necessary for legitimate business purposes, including but not limited to content moderation, user support, security investigations, fraud prevention, or compliance with legal obligations
• Administrative access is restricted to verified personnel and is subject to appropriate access controls and oversight
• Access is limited to the minimum content necessary for the stated purpose and is conducted in accordance with the principle of data minimization
• Users retain control over their content and may exercise their right to deletion as described in Section 6, which will result in the removal of generated content

3.7 Automated Decision-Making (Legal Basis: Contractual Necessity / Legitimate Interest)

We use automated decision-making processes in the following circumstances:

• Content Moderation: All video generation requests are automatically evaluated for compliance with safety policies and usage guidelines. Content that violates these policies is automatically rejected without human review. This automated processing is necessary to ensure the safety and integrity of our Service and to comply with our terms of service.

• Account Management: User accounts may be automatically suspended or restricted based on automated analysis of moderation violations and security patterns. Such automated decisions are made in accordance with our terms of service and are necessary to prevent abuse and maintain service security.

Your Rights: Under GDPR Article 22, you have the right not to be subject to automated decision-making that produces legal effects or similarly significantly affects you. However, automated content moderation and account management decisions are necessary for the performance of our contract with you and for our legitimate interests in maintaining service safety and security. If you believe an automated decision has been made incorrectly, you may contact us to request a review of the decision (see Section 11 for contact information).

4. Third-Party Services

We use the following third-party services to provide and improve our Service:

4.1 OpenAI Moderation API

• Purpose: Content moderation and safety verification for all video generation requests submitted through our Service
• Data Shared: User-provided text prompts and reference images (if uploaded) are shared with OpenAI's Moderation API for content safety verification
• Processing: All video generation content is processed through OpenAI's Moderation API to ensure compliance with safety policies and usage guidelines
• Privacy Policy: https://openai.com/policies/privacy-policy

4.2 OpenAI (Sora)

• Purpose: Video generation services from text prompts and reference images (maximum 1 image per request)
• Data Shared: User-provided text prompts and reference images (if uploaded, limited to 1 image per request)
• Processing: Your prompts and images are processed by OpenAI's Sora API for video generation purposes
• Privacy Policy: https://openai.com/policies/privacy-policy

Variation When you use the Variation feature on a Sora-generated video, the video is referenced by its Sora-internal identifier and reprocessed within OpenAI's infrastructure. No additional video data is transmitted — Sora accesses the video it already holds from your original generation.

4.3 Google (Veo)

• Purpose: Video generation services from text prompts and reference images (up to 5 images per request: first frame, last frame, and up to 3 reference images)
• Data Shared: User-provided text prompts and reference images (if uploaded, limited to 5 images per request)
• Processing: Your prompts and images are processed by Google's Veo API for video generation purposes
• Privacy Policy: https://policies.google.com/privacy

Extend When you use the Extend feature on a Veo-generated video, the video's storage path in Google Cloud Storage is passed back to Google's Veo API to generate a 7-second continuation. The video remains within Google's infrastructure throughout this process.

4.4 Kling AI

• Purpose: Video generation services from text prompts and reference images (up to 2 images per request: first frame and last frame)
• Data Shared: User-provided text prompts and reference images (if uploaded, limited to 2 images per request)
• Processing: Your prompts and images are processed by Kling AI's API (operated by Kuaishou Technology) for video generation purposes
• Privacy Policy: https://klingai.com/global/docs/privacy-policy

fal.ai

• Purpose: AI video generation services
• Data Shared: User-provided text prompts and reference images; video source URLs when using the Remix feature
• Processing: Your prompts and images are processed by fal.ai (Fal AI Inc., United States) for video generation purposes
• Privacy Policy: https://fal.ai/privacy

Generated Video Reprocessing (Remix) When you use the Remix feature, the video you previously generated may be sent to Kling AI for processing. This video may contain your likeness if you used a reference photo during the original generation. The video is transmitted via a short-lived, time-limited HTTPS URL (valid for 1 hour) and is used solely to generate your requested remix. After transmission, Kling AI processes the video according to their own privacy policy.

Cross-Provider Note: Generated videos may be processed by different AI providers than the one that originally created them. Specifically, any generated video may be sent to Kling AI if you choose to use the Remix feature.

4.5 Google Firebase

• Purpose: User authentication, push notifications (FCM), and crash reporting (Crashlytics)
• Data Shared: User authentication data, device tokens (FCM tokens), vendor-scoped device identifiers (IDFV on iOS, Android ID on Android), and crash reports (stack traces, device state, app version)
• Device Identifiers: We collect vendor-scoped device identifiers solely for operational purposes, including associating push notification tokens with devices and preventing duplicate registrations. These identifiers are not advertising identifiers and are not shared with third parties for tracking or advertising purposes
• Crash Reporting: Firebase Crashlytics collects crash reports automatically for app stability monitoring (Legal Basis: Legitimate Interest, see Section 3.2). When analytics consent is granted, crash reports are linked to your account ID. When consent is denied, crash reports are anonymized (no user ID attached)
• Privacy Policy: https://firebase.google.com/support/privacy

4.6 Google Analytics

• Purpose: Usage analytics (optional, requires consent for full tracking with account linking)
• Data Shared:
  • When consent is granted: App usage data linked to your account ID
  • When consent is denied: Anonymized app usage data without account linkage (see Section 3.2)
• Privacy Policy: https://policies.google.com/privacy
• Control: You may enable or disable full analytics (with account linking) through the Service's consent management features. Anonymized analytics collection continues automatically regardless of this preference

4.7 RevenueCat

• Purpose: In-app purchase management and subscription processing
• Data Shared: Transaction data, user ID
• Privacy Policy: https://www.revenuecat.com/privacy

4.8 Google Cloud Platform

• Purpose: Storage of generated videos
• Data Shared: Generated video files
• Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

4.9 AppsFlyer

• Purpose: Mobile attribution, deep linking services (including deferred deep linking), and campaign performance measurement
• Data Shared:
  • Device identifiers: IP address, User Agent, Android ID (Android), IDFV (iOS). We do not collect the Apple Identifier for Advertisers (IDFA) on iOS or the Google Advertising ID (GAID) on Android
  • Device information: Device model, OS version, system language, timezone
  • App events: App install event, deep link click data
  • Purchase events (consent-gated): When you grant Analytics consent, successful in-app purchases are reported to AppsFlyer with the following parameters: revenue amount, currency, pack identifier, and credit quantity. These events are used solely for campaign attribution measurement. When Analytics consent is denied, no purchase events are sent to AppsFlyer
• SKAdNetwork (iOS only): We participate in Apple's SKAdNetwork (SKAN) framework on iOS. SKAN enables privacy-preserving, aggregated conversion postbacks that are sent by Apple directly to ad networks. SKAN postbacks contain no user-level data — they are crowd-anonymized by Apple and cannot be used to identify or track individual users. SKAN postbacks operate independently of your Analytics consent preference because they are controlled by Apple's privacy framework, not by our app
• Data NOT Collected: AppsFlyer does not collect precise GPS location data through our integration. We do not collect the IDFA or request App Tracking Transparency (ATT) consent on iOS
• Processing: AppsFlyer processes this data as a data processor on our behalf, subject to AppsFlyer's Data Processing Addendum (DPA) and in accordance with applicable data protection laws
• Legal Basis: AppsFlyer operates under two legal bases depending on your consent state: (1) Legitimate interest (Art. 6(1)(f) GDPR) for install attribution and deep link resolution — the SDK runs in anonymized mode by default, collecting only non-identifiable technical data sufficient for probabilistic attribution and deep linking; (2) Consent (Art. 6(1)(a) GDPR) for de-anonymized attribution and purchase event reporting linked to your user account, controlled by your Analytics consent preference (see Section 5.1). When you deny Analytics consent, the SDK continues to operate in anonymized mode for deep link functionality, but no data is attributed to your account and no purchase events are sent. SKAdNetwork postbacks on iOS operate under Apple's own privacy framework and do not require consent, as they contain only aggregated, crowd-anonymized data
• Privacy Policy: https://www.appsflyer.com/legal/services-privacy-policy/
• Opt-Out: You may opt out of personalized AppsFlyer data collection and purchase event reporting through: (1) denying Analytics consent in the Service's consent management features (see Section 5.1), which anonymizes all ongoing AppsFlyer data collection and stops purchase event reporting (the SDK continues to operate in anonymized mode for deep link functionality); (2) your device's advertising settings (resetting or opting out of your advertising identifier); or (3) AppsFlyer's global opt-out page at https://www.appsflyer.com/legal/opt-out/. When Analytics consent is denied, the AppsFlyer SDK remains active for deep link resolution but operates in anonymized mode — no data is attributed to your account, no purchase events are sent, and all collected data is anonymized at the server level. Note: SKAdNetwork postbacks on iOS cannot be opted out of through our app, as they are managed by Apple at the operating system level

4.10 Vercel Analytics (Website Only)

• Purpose: Anonymous website analytics (page views, Web Vitals performance metrics) for havira.app
• Data Collected: Page URL, referrer URL, browser type, device type, operating system, geographic region (country-level). No cookies are set, no user fingerprinting is performed, and no cross-site tracking occurs
• Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) — we have a legitimate interest in understanding aggregate website usage to maintain and improve our web presence. This processing is minimal, anonymous, and does not affect your rights or freedoms
• Data NOT Collected: Vercel Analytics does not collect IP addresses for analytics purposes, does not use cookies or localStorage for tracking, and does not identify or track individual visitors across sessions
• Privacy Policy: https://vercel.com/legal/privacy-policy

4.11 Plausible Analytics (Website Only)

• Purpose: Privacy-friendly website analytics for havira.app. We chose Plausible because it is built with privacy by design — it gives us the aggregate traffic insights we need without any of the data collection typical analytics tools require
• Data Collected: Page URL, referrer URL, UTM campaign parameters (source, medium, campaign), browser type, device type, operating system, and country-level geographic region. All statistics are aggregated — individual visits are never stored or identifiable
• No Cookies, No Personal Data: Plausible does not use cookies or any persistent identifiers. It does not collect or store IP addresses. It does not fingerprint users. It does not track users across sessions or across websites. No personal data is processed
• GDPR / KVKK / CCPA: Because Plausible collects no personal data and uses no cookies, it does not require a consent banner and is fully compliant with GDPR, ePrivacy Directive, CCPA, and KVKK by design
• Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) — we have a legitimate interest in understanding aggregate website traffic to maintain and improve our web presence. This processing is minimal and anonymous, and does not affect your rights or freedoms
• Data Location: Plausible is an EU-based company; all data is processed and stored on EU infrastructure
• Privacy Policy: https://plausible.io/privacy

4.12 Tracking Technologies

We use tracking technologies to provide, maintain, and improve our Service. These technologies are implemented through Google Analytics, AppsFlyer, and Firebase, and are categorized as follows:

• Essential: These tracking technologies are necessary for the Service to function properly and are processed under contractual necessity pursuant to Article 6(1)(b) GDPR. They support essential functionality including authentication and session management. These cannot be disabled as they are necessary for the Service to operate.

• Analytics: These tracking technologies are used to understand how users interact with our Service, analyze usage patterns, and improve our Service. Analytics tracking requires your consent pursuant to Article 6(1)(a) GDPR. When consent is granted, analytics capabilities include linking data to your user account. When consent is denied, we collect anonymized analytics data without account linkage as described in Section 3.2. You may grant or withdraw consent for Analytics at any time through the Service's privacy preferences.

• Marketing: Marketing consent is used for push notifications about product updates, new AI providers, new content, and other service announcements. We do not use Marketing consent for personalized advertising or third-party ad tracking. Marketing consent requires your explicit consent pursuant to Article 6(1)(a) GDPR and is optional. You may grant or withdraw consent for Marketing at any time through the Service's privacy preferences.

Managing Preferences: You may control your preferences for Analytics and Marketing through the Service's privacy preferences. Essential tracking cannot be disabled as it is necessary for the Service to function. You may also manage tracking preferences through your device settings. For more information about managing tracking technologies, please refer to your device documentation.

Third-Party Tracking: Tracking technologies used by our Service are implemented through Google Analytics (https://policies.google.com/privacy), AppsFlyer (https://www.appsflyer.com/legal/services-privacy-policy/), and Firebase (https://firebase.google.com/support/privacy). For detailed information about each provider's tracking technologies, please refer to their respective privacy policies as described in Sections 4.5, 4.6, and 4.9.

5. Your Privacy Choices and Rights

5.1 Consent Management

You can control the following privacy preferences in the app:

• Essential: Terms of Service and Privacy Policy acceptance (required to use the Service - processed under contractual necessity, not consent)
• Analytics: Google Analytics tracking with account linking, AppsFlyer measurement, and purchase event reporting to AppsFlyer (optional, requires consent). When denied, AppsFlyer data collection is anonymized, no purchase events are sent to AppsFlyer, and no data is attributed to your account (see Section 4.9)
• Marketing: Push notifications about product updates, new AI providers, new content, and other service announcements (optional, requires consent). We do not use this for personalized advertising.

Important: "Essential" processing is not based on consent but on contractual necessity under Article 6(1)(b) GDPR. This means we must process certain data to provide the Service you've requested. The Analytics and Marketing categories are genuinely optional and based on your consent, which you can withdraw at any time without affecting the core functionality of the Service.

Note on Anonymized Analytics: Even if you withdraw consent for Analytics, we will continue to collect anonymized analytics data for service improvement purposes as described in Section 3.2. This anonymized data does not include your user ID or any personally identifiable information. Your consent preference for Analytics controls whether analytics data is linked to your account; it does not affect anonymized analytics collection.

You may manage your privacy preferences at any time through the Service's settings.

5.2 Your Rights Under GDPR (EU Users)

If you are located in the European Economic Area (EEA), you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of processing
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Object to Automated Decision-Making: Request human review of automated decisions that significantly affect you (see Section 3.7)
• Right to Withdraw Consent: Withdraw consent at any time

5.3 Your Rights Under CCPA (California Users)

If you are a California resident, you have the following rights:

• Right to Know: What personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of the sale of personal information (Note: We do not sell personal information)
• Right to Non-Discrimination: Equal service regardless of exercising your rights

5.4 Exercising Your Rights

To exercise any of these rights:

Data Export: You may request a copy of your personal data through the Service's data export features, which are accessible through the Service's settings. Upon request, you will receive your data in a machine-readable format via the email address associated with your account.

The exported data includes:

• Account information (user ID, credit balance)
• Consent preferences and audit trail
• Device tokens and device identifiers registered for push notifications
• Video generation requests and metadata
• Credit transaction history
• Content moderation violations (if any)
• Summary statistics (total credits earned/spent, videos generated, etc.)

Account Deletion: You may request deletion of your account and associated personal data through the Service's account deletion features, which are accessible through the Service's settings. For step-by-step instructions, visit https://havira.app/account/delete. Alternatively, you may contact us at support@havira.app to request account deletion.

We will respond to your request within:

• GDPR: 30 days (extendable by 60 days for complex requests)
• CCPA: 45 days (extendable by 45 days)

6. Data Retention

6.1 Active Accounts

We retain your personal information for as long as your account is active or as needed to provide you with our Service.

6.2 Account Deletion and Data Anonymization

When you delete your account using the in‑app tools, we:

• Delete your authentication data
• Delete or clear your consent preferences
• Delete your device tokens (including push notification tokens) and associated device identifiers
• Delete your video requests and all generated content (videos, static thumbnails, and animated GIF thumbnails)
• Delete all reference images you uploaded
• Delete all associated media files
• Delete or anonymize related records where possible

Videos created through Remix, Variation, or Extend operations are stored and deleted under the same policy as originally generated videos.

For certain records, instead of full deletion we may anonymize the data by removing or replacing direct identifiers (such as your user ID) while retaining non‑identifiable information. This is necessary to:

• Comply with legal and accounting obligations
• Maintain accurate aggregate statistics about service usage
• Prevent abuse, fraud, and misuse of the Service

6.3 Legal Requirements

We may retain or anonymize certain records for legal and accounting purposes, including:

• Payment transaction data (as required by tax and financial regulations)
• Security and audit logs for fraud prevention and legal compliance

The retention period for such records typically does not exceed 7 years or as required by applicable law.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest
• Access Controls: Restricted access to personal data on a need-to-know basis
• Secure Infrastructure: Use of Google Cloud Platform with industry-standard security
• Regular Updates: Security patches and updates are applied promptly
• Authentication: Secure user authentication through Firebase
• Incident Response: We maintain procedures to detect, respond to, and report security incidents

Data Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify Supervisory Authority: Report the breach to the relevant supervisory authority (in Bavaria, the Bayerisches Landesamt für Datenschutzaufsicht — BayLDA) within 72 hours of becoming aware of it, as required by GDPR Article 33. The notification will include information about the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures we propose to address the breach.

• Notify Affected Users: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, as required by GDPR Article 34. The notification will be sent to the email address associated with your account and will include: (a) a description of the nature of the breach; (b) the name and contact details of our data protection contact point; (c) a description of the likely consequences of the breach; and (d) a description of the measures we have taken or propose to take to address the breach and mitigate its possible adverse effects.

We may delay notification to users if doing so would impede a criminal investigation or if we have implemented appropriate technical and organizational measures that render the data unintelligible to unauthorized persons (such as encryption). We will document all breaches, including the facts relating to the breach, its effects, and the remedial action taken.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

8. Children's Privacy

Our Service is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@havira.app, and we will delete such information promptly.

9. International Data Transfers

We are based in Germany and process data within the European Economic Area (EEA). However, some of our third-party service providers may process data outside the EEA, including:

• OpenAI (United States): For video generation and content moderation
• Google (United States): For video generation (Veo), cloud infrastructure, and analytics
• Kling AI (China/Singapore): For video generation services
• fal.ai (United States): For AI video generation services
• RevenueCat (United States): For payment processing
• AppsFlyer (Israel/United States): For mobile attribution and deep linking services

When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• EU-U.S. Data Privacy Framework (DPF) for transfers to certified U.S. organizations
• Other appropriate safeguards as required by applicable data protection laws

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We track all versions of this Privacy Policy and will notify you of significant changes by:

• Updating the "Last Updated" date at the top of this policy
• Displaying a notification in the app when you open it, prompting you to review the updated policy
• For material changes, requesting renewed consent where required

Notification Method: We notify you of Privacy Policy updates through notifications provided when you access the Service. We do not send email notifications or push notifications for Privacy Policy updates. You will be prompted to review and accept updated policies when you access the Service.

We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@havira.app

Postal Address:
Engin Deniz Usta
Brennerei 2
82024 Taufkirchen
Germany

11.1 For EU Users (GDPR)

As a Germany-based service provider, we serve as the data controller for your personal information.

Data Protection Officer: We do not currently have a designated Data Protection Officer (DPO) as our processing activities do not meet the thresholds requiring mandatory DPO appointment under GDPR Article 37. For data protection inquiries, please contact us using the information provided in Section 11.

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of alleged infringement.

Competent Data Protection Supervisory Authority: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) Promenade 18, 91522 Ansbach Website: https://www.lda.bayern.de

12. Legal Basis Summary

For quick reference, here's how we process your data:

Note: "Essential" functionality in the app's privacy preferences (Section 5.1) refers to processing based on contractual necessity, not consent.

---

Thank you for trusting Havira with your personal information. We are committed to protecting your privacy and providing you with transparency and control over your data.