Privacy Policy

Last updated: 10/27/2025

1. Information We Collect

We collect the following information to operate the Haystack platform:

Account Registration

  • First name: Used to generate your unique username (e.g., "sarah1234")
  • Email address: For authentication and account recovery
  • Password: Securely hashed and stored (never stored in plain text)
  • Age verification: Confirmation that you are 18 years or older (no date of birth stored)

Profile Information

  • Username: Auto-generated from your first name plus 4 random digits
  • Profile photo: Optional, stored in secure cloud storage
  • Account balance: Your current balance in USD
  • Role: Whether you are an initiator or recipient (determined by conversation behavior)

Messages and Communications

  • Message content: Text messages (encrypted at rest using AES-256-GCM)
  • Photos: Photos sent or received through the platform (encrypted)
  • Read receipts: Last message read in each conversation
  • Conversation history: Who you messaged, when, and conversation status

Payment Information

  • Stripe Customer ID: If you make deposits (links your account to Stripe)
  • Stripe Connect Account ID: If you receive payouts (links your account to Stripe)
  • Transaction records: Deposits, withdrawals, message payments, and platform fees
  • Payment method information: Stored and processed by Stripe (not stored by Haystack)

Note: Credit card numbers, bank account details, and sensitive payment information are handled exclusively by Stripe and never stored in our database.

Security and Moderation

  • Blocked users: List of users you have blocked
  • Reports filed: Reports you submit (report type, reported user, description, timestamp)
  • Message acceptance patterns: How often your messages are accepted or rejected

Technical Data

  • Authentication cookies: Supabase session tokens (essential for login)
  • IP addresses: Logged by our hosting providers (Vercel and Supabase) for security and debugging
  • Login timestamps: When you access the platform
  • Browser information: Basic browser type and version (for compatibility)

Note: We do NOT collect device fingerprints, precise location data, or browsing history outside of Haystack.

What We Don't Collect

We do not collect: date of birth, phone number, home address (except via Stripe for payouts), social security number, analytics or tracking data, advertising identifiers, or your activity on other websites.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Haystack service
  • Process payments and send transaction notifications
  • Calculate earnings and charges based on word counts
  • Investigate harassment reports and enforce our Terms of Service
  • Provide customer support and respond to your questions
  • Prevent fraud, spam, and abuse
  • Comply with legal obligations and law enforcement requests

3. Are My Messages Encrypted?

Yes, your messages are encrypted.

All messages and photos are encrypted and stored securely on our servers. Haystack does not read your conversations.

Our approach to privacy:

  • Encrypted at rest: Messages and photos are encrypted in our database
  • Adults being adults: We don't monitor or moderate your private conversations
  • Self-policing tools: You control your safety with Block and Report features
  • Legal compliance only: We only decrypt messages when required by law (court orders, valid warrants)

When we decrypt messages:

We will only decrypt your messages when legally required to do so:

  • Valid court orders or subpoenas
  • Law enforcement requests with proper warrants
  • Legal obligations to prevent serious harm

What about harassment reports?

When you report a user, we track the report and investigate patterns of behavior (number of reports, blocks, rejection rates). We do NOT decrypt message content to review harassment claims. Instead, multiple reports against a user trigger automatic investigation and potential account suspension. You are encouraged to block users immediately if you experience harassment.

We never read your messages for advertising, analytics, or to sell your data to third parties.

4. Information Sharing

We share your information with third-party service providers who help us operate Haystack:

  • Supabase: Database and authentication hosting (stores all platform data)
  • Vercel: Web hosting (handles HTTP requests and server-side rendering)
  • Stripe: Payment processing (handles deposits, withdrawals, and payouts)

We may also share information:

  • With your consent
  • To comply with legal obligations or valid legal requests
  • To protect our rights, safety, or property
  • In connection with a business transfer (merger, acquisition, etc.)

We do not sell, trade, or rent your personal information to third parties for marketing purposes.

5. Data Security

We implement security measures to protect your information:

  • Encrypted connections: All data transmitted via HTTPS
  • Database security: Row-level security policies restrict data access
  • Password protection: Passwords are securely hashed, never stored in plain text
  • Access controls: Limited staff access to sensitive data, with audit logging
  • Secure payments: Payment information handled exclusively by Stripe (PCI-DSS compliant)

However, no internet transmission or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Your Privacy Controls

You can control your privacy on Haystack:

  • Block users: Instantly end conversations and prevent future contact
  • Report violations: Report harassment, spam, or inappropriate content
  • Delete conversations: Remove conversation history
  • Delete account: Permanently delete your account and associated data

7. Your Rights

You have the right to:

  • Access: Request a copy of the personal information we have about you
  • Correct: Update or correct inaccurate information
  • Delete: Request deletion of your account and data
  • Export: Download your data in a portable format
  • Opt-out: Unsubscribe from promotional emails

To exercise these rights, contact us at privacy@haystackapp.com

7A. California Privacy Rights (CCPA)

California Residents

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA).

Your CCPA Rights:

  • Right to Know: You can request disclosure of the categories and specific pieces of personal information we collected about you
  • Right to Delete: You can request deletion of your personal information
  • Right to Opt-Out: You can opt-out of the sale of your personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

We Do Not Sell Your Personal Information

Haystack does not sell, rent, or trade your personal information to third parties for monetary consideration. We do not share your data with advertisers or data brokers.

To exercise your CCPA rights, contact us at privacy@haystackapp.com or use the account settings in your dashboard.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Specifically:

  • Messages: Retained until you delete your account
  • Transaction records: Retained for 7 years (legal requirement)
  • Account information: Deleted within 30 days of account deletion request

9. Age Requirement

Haystack is intended for users who are 18 years of age or older. We do not knowingly collect information from individuals under 18. If you believe we have collected information from someone under 18, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the platform or sending you an email. Your continued use of Haystack after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or your data, please contact us:

Email: privacy@haystackapp.com

← Back to Home