Privacy Policy

Your privacy is important to us. This policy explains how Hitbook collects, uses, and protects your information across all our platforms.

Last Updated: March 15, 2026

Quick Navigation

1. Data We Collect
2. Legal Basis
3. How We Use Data
4. AI & Automated Processing
5. Messaging Integration
6. Third-Party Services
7. Data Retention
8. Data Security
9. Your Rights (GDPR)
10. Your Rights (CCPA)
11. US Privacy Law
12. Cookies
13. Children's Privacy
14. International Transfers
15. Changes to Policy
16. Contact Us

Introduction

Welcome to Hitbook ("we," "our," or "us"), operated by HITBOOK INC, a Delaware C-Corporation with its principal office at 1111 B South Governors Ave, STE 2885, Dover, DE 19904, USA. We are committed to protecting your personal information and your right to privacy.

This Privacy Policy applies to all information collected through our web application (app.hitbook.io), client portal, marketing website (hitbook.io), mobile applications (iOS and Android), desktop application, and any related services, integrations, or communications (collectively, the "Service").

By using Hitbook, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

1. Data We Collect

We collect information that you provide directly to us, information we collect automatically, and information from third parties.

Information You Provide Directly

  • Account Information: First name, last name, email address, phone number, password (stored hashed, never in plain text), date of birth, and profile photo
  • Professional Profile: Business name, professional roles, skills, portfolio links, location/address, and work experience
  • Financial Information: Billing address, subscription plan, and payment method details (processed by Stripe; we do not store full credit card numbers)
  • Project & Client Data: Job details, client information, event dates, crew members, contracts, proposals, and invoices you create within the platform
  • Gallery & Media: Photos, videos, and documents you upload to galleries, albums, or the file transfer system
  • Community Content: Posts, comments, reactions, and multimedia content shared in the community feed
  • Communications: Messages sent through our in-app messenger, feedback, and support requests
  • Contracts & Signatures: Digital contracts, terms of engagement, and electronic signatures
  • AI Conversations: Text you enter in our AI assistant chatbot for registration, lead generation, or support

Information Collected Automatically

  • Device Information: IP address, browser type and version, operating system, device type, and unique device identifiers
  • Usage Data: Pages and features visited, actions taken, time spent on pages, click patterns, and navigation flow
  • Location Data: General geographic location derived from your IP address; precise location only if you grant explicit permission
  • Cookies & Similar Technologies: Session cookies, authentication tokens, referral tracking cookies, and local storage data (see our Cookie Policy)
  • Push Notification Tokens: If you enable push notifications, we store your device token to deliver notifications via Firebase Cloud Messaging (FCM)
  • Error & Performance Data: Application errors, crash reports, and performance metrics collected through Sentry for service improvement
  • Mobile Device Permissions: If you use our mobile application, we may request access to your device camera and photo library (for profile photos, post media, and gallery uploads), microphone (for voice input and video recording), and contacts (if you choose to invite contacts). Specific permissions vary by platform and device settings. You can manage these permissions at any time through your device settings.
  • Biometric Identifiers: If you enable biometric login (fingerprint or facial recognition), biometric data is processed and stored on your device only; Hitbook never receives, transmits, or stores your biometric data on our servers
  • Advertising Identifiers: On mobile devices, we may collect your device advertising identifier (such as Android AD_ID) for attribution and install tracking. You can reset or disable this identifier in your device settings

Information from Third Parties

  • Google Authentication: If you sign in with Google, we receive your name, email address, and profile picture from your Google account
  • Messaging Platforms: If you or your clients interact with us through WhatsApp, Instagram, or Facebook Messenger, we may receive message content, sender information, and conversation metadata through Meta's Business API (see Section 5)
  • Referral Data: If you were referred by an affiliate partner, we receive the referral identifier to attribute your registration

2. Legal Basis for Processing (GDPR Article 6)

Under the EU General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

Contract Performance (Art. 6(1)(b))

  • Creating and managing your account
  • Providing the core platform features (projects, jobs, calendar, gallery, contracts, invoicing)
  • Processing payments and managing subscriptions via Stripe
  • Delivering in-app messaging and notifications
  • Providing the client portal for your clients

Consent (Art. 6(1)(a))

  • Sending marketing emails and promotional communications
  • Processing messages from WhatsApp, Instagram, or Messenger for lead generation
  • Using non-essential cookies (analytics, marketing)
  • Sharing community feed content publicly

Legitimate Interest (Art. 6(1)(f))

  • Improving the Service through usage analytics
  • Detecting and preventing fraud, abuse, and security incidents
  • Error monitoring and crash reporting via Sentry
  • Enforcing our Terms of Service
  • Maintaining referral and affiliate program integrity

Legal Obligation (Art. 6(1)(c))

  • Tax reporting and invoicing requirements
  • Responding to lawful requests from authorities
  • Record-keeping obligations under applicable commercial law

3. How We Use Your Data

We use your information to provide, maintain, and improve our Service, and to communicate with you.

Service Delivery

To operate your account, manage projects, process payments, deliver galleries, and provide customer support

AI Assistant

To power our conversational AI for registration assistance, lead generation, and platform support

Security

To detect and prevent fraud, abuse, rate-limit violations, and security incidents

Communication

To send transactional emails, OTP codes, push notifications, and marketing communications (with consent)

4. AI & Automated Processing

Hitbook uses artificial intelligence to enhance the platform experience. This includes:

How AI Is Used

  • Conversational AI Assistant: Our AI chatbot helps new users register, answers platform questions, and assists with lead generation. Conversations with the AI are processed by third-party AI providers (currently Google Gemini).
  • Lead Analysis: When enabled, incoming messages from WhatsApp, Instagram, or Messenger may be analyzed by AI to identify potential client leads for your business.

Your Rights Regarding AI Processing

  • You have the right to know when you are interacting with an AI system rather than a human
  • No binding decisions about your account, access, or pricing are made solely by AI without human review
  • You may request to opt out of AI-powered lead analysis by contacting us at privacy@hitbook.io
  • AI conversation data is generally retained for a limited period for service improvement and may be periodically purged

5. Messaging Platform Integration

Hitbook integrates with Meta's Business API to help creative professionals manage client communications and generate leads. This integration may involve the following platforms:

  • WhatsApp Business
  • Instagram Direct Messages
  • Facebook Messenger

What Data Is Processed

  • Message content and metadata (sender name, phone number or profile, timestamps)
  • Conversation context for lead identification
  • Delivery and read receipts

How This Data Is Used

  • To display incoming messages within Hitbook's unified inbox
  • To analyze message content for lead generation (with the photographer's consent)
  • To send replies on behalf of the photographer

Important Information for Message Senders

  • If you send a message to a business using Hitbook through WhatsApp, Instagram, or Messenger, your message may be received, stored, and processed by Hitbook on behalf of that business
  • Your message may be analyzed by AI to identify if you are a potential client
  • You can request deletion of your messages by contacting the business directly or by emailing us at privacy@hitbook.io
  • This processing is governed by Meta's own Platform Terms and data policies in addition to this Privacy Policy

6. Third-Party Service Providers

We do not sell your personal information. We share data with the following categories of service providers who process data on our behalf:

Service Providers

  • Stripe (USA) - Payment processing, subscription billing, and financial operations. Stripe receives your name, email, and payment method details. See Stripe's Privacy Policy.
  • Google Cloud Platform (USA/Global) - Cloud hosting, data storage, and compute infrastructure
  • Cloudflare R2 (Global) - Media file storage for photos, videos, and documents you upload
  • Pusher (UK) - Real-time messaging infrastructure for in-app chat
  • Firebase / Google FCM (USA) - Push notification delivery to mobile devices
  • Twilio (USA) - SMS delivery for OTP verification codes
  • SendGrid (USA) - Transactional and marketing email delivery
  • Google Gemini (USA) - AI language model for the conversational assistant, lead analysis, and content generation
  • Sentry (USA) - Error monitoring and crash reporting
  • Meta Business API (USA/Global) - WhatsApp, Instagram, and Messenger message delivery and receipt

Other Sharing Scenarios

  • Your Clients: When you share galleries, contracts, or project details through the client portal, your clients can access that content
  • Community & Public Activity: Content you post in the community feed (including posts, replies, comments, albums, and embedded media) is visible to other Hitbook users. Your professional profile information may also be visible to other users through search, browsing, and discovery features, depending on the feature and your settings
  • Affiliate Partners: If you participate in our affiliate program, we share referral attribution data with the referring partner (no personal details of referred users are shared)
  • Legal Obligations: We may disclose data when required by law, court order, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity

Data Controller & Processor Responsibilities

Hitbook's data processing role varies depending on the type of data involved:

  • Hitbook as Controller: For data collected directly from you in connection with your use of the Service (e.g., your account information, usage data, community posts, billing information, and communications with us), HITBOOK INC acts as the data controller. We determine the purposes and means of processing this data as described in this Privacy Policy.
  • Hitbook as Processor/Service Provider: When you use the platform to store, manage, or process personal data about your clients, contacts, leads, crew members, event participants, or other third parties (e.g., client CRM data, project participant information, gallery recipients, contract signers, or Meta messaging contacts), Hitbook acts as a data processor or service provider on your behalf. You remain the data controller for this data.

As the data controller for client, contact, and business data you upload or process through the platform, you are solely responsible for:

  • Ensuring you have a lawful basis (e.g., consent, contractual necessity, or legitimate interest) to collect, store, process, and share personal data through the platform
  • Providing appropriate privacy notices to your clients, contacts, and other data subjects about how their data will be processed
  • Obtaining any required consents from individuals whose data you upload, store, or process through the platform
  • Responding to data subject access requests, deletion requests, and other privacy rights requests from individuals whose data you control
  • Ensuring your use of the platform complies with applicable data protection laws (including GDPR, CCPA, and other local privacy regulations)
  • Evaluating whether the platform's technical and organizational measures are appropriate for the types of personal data you process

Hitbook will process such data solely in accordance with your instructions as implemented through the Service's features and settings, and in compliance with applicable law.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.

Retention Periods

  • Account Data: Retained for the lifetime of your account. After a deletion request, data is removed within a reasonable period, subject to legal retention obligations
  • Financial Records: Retained for 7 years as required by applicable tax law and commercial regulations
  • Chat Messages: Retained for the lifetime of your account; generally deleted within a reasonable period of account closure
  • Gallery & Media Files: Retained until you delete them or close your account; deleted within a reasonable period of account closure
  • AI Conversation Logs: Generally retained for a limited period for service improvement, then periodically purged
  • Meta Messaging Data: Incoming messages retained for a limited period or until the lead is converted or dismissed
  • Lead Data: Retained for the lifetime of the business user's account who generated or received the lead, or until explicitly deleted by the business user
  • Error & Performance Logs: Retained for a limited period consistent with our service provider retention policies
  • Cookies: Session cookies expire when you close your browser; persistent cookies expire after 7 days (authentication) or 30 days (referral)
  • Community Feed Posts: Retained until you delete them or close your account

Important: Backup Responsibility

You are solely responsible for maintaining independent backups of all files, media, contracts, communications, galleries, and business records that you store on the platform. While we take reasonable precautions to protect your data, we do not guarantee against data loss from accidental deletion, system failures, third-party infrastructure issues, security incidents, or account closure. We strongly recommend keeping your own copies of all important documents and files.

8. Data Security

We implement industry-standard security measures to protect your information:

TLS/SSL Encryption in Transit
Industry-Standard Password Hashing
Periodic Security Reviews
Rate Limiting & CSRF Protection

We also employ a range of technical and organizational security measures, which may include Content Security Policy (CSP) headers, HTTP-only cookies with SameSite protection, input sanitization, webhook signature verification, and role-based access controls, depending on the feature and context. Despite our efforts, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

Our Service relies on third-party infrastructure and service providers (including cloud hosting, file storage, payment processing, and messaging services). The security and availability of your data also depend on these third-party providers and their own security practices. We are not responsible for security incidents or data loss caused by vulnerabilities or failures in third-party infrastructure.

9. Your Rights Under GDPR (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:

Access

Request a copy of all personal data we hold about you (Art. 15)

Rectification

Request correction of inaccurate or incomplete data (Art. 16)

Erasure

Request deletion of your personal data ("right to be forgotten") (Art. 17)

Portability

Receive your data in a machine-readable format (Art. 20)

Objection

Object to processing based on legitimate interest (Art. 21)

Restriction

Request limited processing of your data (Art. 18)

To exercise any of these rights, you can:

  • Account Deletion: Request deletion of your account through your account settings or by contacting us. Your account will be deactivated and permanently deleted after a reasonable grace period, during which you may cancel the request.
  • Data Export: Request a copy of your data by contacting us at privacy@hitbook.io.
  • Other Rights: Contact us at privacy@hitbook.io for any other privacy request.

We aim to respond to all requests within 30 days where required by applicable law, or as soon as reasonably practicable. In complex cases or where we receive a high volume of requests, we may extend the response period by an additional 60 days, in which case we will inform you of the extension and the reasons for the delay. You also have the right to lodge a complaint with your local Data Protection Authority.

10. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

Your CCPA Rights

  • Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You can request that we delete your personal information, subject to certain exceptions
  • Right to Opt-Out: We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, contact us at privacy@hitbook.io or use the contact information in Section 16.

11. US Privacy Compliance

HITBOOK INC is incorporated in Delaware, USA. We comply with applicable US federal and state privacy laws. Under US law:

  • You have the right to access your personal data held in our systems
  • You may request correction or deletion of inaccurate data
  • You may opt out of the use of your data for direct marketing purposes
  • We maintain appropriate security measures to protect your personal information

For privacy inquiries, contact us at privacy@hitbook.io.

12. Cookies & Tracking

We use cookies and similar technologies to enhance your experience, maintain your session, and track referrals. For detailed information about each cookie we use, its purpose, and duration, please see our Cookie Policy.

13. Children's Privacy

Hitbook is designed for professional use and is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18 (or 16 in the EU/EEA). If we discover that we have inadvertently collected data from a child, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at privacy@hitbook.io.

14. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States (where our company is incorporated and many of our service providers are located).

For transfers from the EU/EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable and as required by law
  • Adequacy decisions where applicable
  • Data Processing Agreements with sub-processors that include appropriate safeguards

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date
  • Sending an email notification for significant changes that affect your rights
  • Displaying an in-app notification upon your next login

Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, please contact us:

Email: privacy@hitbook.io
WhatsApp: +1 (302) 342-6683
Company: HITBOOK INC, 1111 B South Governors Ave, STE 2885, Dover, DE 19904, USA

We aim to respond to all privacy-related inquiries within 30 days.
