Privacy Policy

Last updated: February 13, 2026

1. Data Controller

The data controller responsible for your personal data is:

Hapt
Lisbon, Portugal
Email: privacy@hapttouch.com

Hapt ("we", "our", "the app") is a companion app for Totwoo smart bracelets that enables couples to stay connected through touch, light, and encrypted messaging. Your privacy is fundamental to our design.

2. Information We Collect and Legal Basis

Under GDPR Article 6, we process personal data only with a valid legal basis. The table below describes each category of data, its purpose, and the legal basis for processing.

Data	Purpose	Legal Basis (Art. 6)
Authentication data (name, identifier via Apple/Google Sign-In)	Account creation, login	Contract performance (6(1)(b))
Invite code	Link you with your partner	Contract performance (6(1)(b))
Bracelet identifier (Bluetooth address)	Auto-reconnection, bracelet binding	Contract performance (6(1)(b))
Encrypted messages (ciphertext, nonce, sender ID, timestamp)	Deliver E2E encrypted messages	Contract performance (6(1)(b))
Encrypted photo files	Ephemeral transit storage (deleted after download)	Contract performance (6(1)(b))
Encrypted thumbnails	Message preview	Contract performance (6(1)(b))
Firebase Cloud Messaging token	Push notifications for messages and touch events	Contract performance (6(1)(b))
Partner link (partner ID, partner name)	Enable pair communication	Contract performance (6(1)(b))
Status updates	Share availability with your partner	Contract performance (6(1)(b))

Data processed only on your device (not transmitted to our servers)

Battery level: Read from the bracelet over Bluetooth, displayed locally only.
Touch events: Detected locally via Bluetooth. Only an encrypted notification is sent to your partner.
Decrypted messages and photos: Exist only in device memory while the app is active and your bracelet is connected.

3. Information We Do NOT Collect

We do not collect analytics, usage statistics, or behavioral data.
We do not use advertising SDKs or tracking pixels.
We do not read, process, or store your messages or photos in unencrypted form.
We do not collect your location, contacts, or any data beyond what is listed above.

4. End-to-End Encryption

All messages and photos are encrypted on your device using X25519 key exchange and AES-256-GCM symmetric encryption before transmission. Your private encryption key is generated on your device, encrypted with a key derived from your bracelet, and stored in your device's secure enclave (iOS Keychain / Android Keystore). We never have access to your private key and cannot decrypt your content.

5. Data Storage, Security, and International Transfers

Infrastructure: Account data and encrypted messages are stored on Google Firebase (Firestore, Authentication, Cloud Storage), with primary hosting in the EU (europe-west1).
Sub-processors: Google LLC (USA) acts as our data processor under their Data Processing Terms. International transfers of personal data to Google outside the EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, as detailed in Google's Data Processing Addendum.
Local data: When your bracelet disconnects, all decrypted data is cleared from device memory and local encrypted cache.

6. Data Sharing

We do not sell, rent, or share your personal information with any third party for their own purposes. Your data is processed only by:

Your partner: Encrypted messages and touch events are delivered to the partner linked to your account.
Google Firebase: As our infrastructure processor, under contractual data processing terms with appropriate safeguards.

We may disclose personal data if required by law, court order, or regulatory authority, limited to the minimum necessary to comply.

7. Data Retention

Data	Retention period
Encrypted messages	Until you delete your account, or 2 years of account inactivity
Encrypted photo files	Deleted from cloud storage immediately after recipient downloads, or automatically after 7 days if undelivered
Account data	Until you delete your account, or 2 years of account inactivity
FCM device tokens	Refreshed automatically; removed on account deletion
Bracelet binding	Until you unbind or delete your account

Upon account deletion, all associated data (account information, encrypted messages, partner links, bracelet bindings, and device tokens) is permanently removed within 30 days.

8. Your Rights (GDPR Articles 15–22, 77)

Under the General Data Protection Regulation, you have the following rights:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate personal data.
Right to erasure (Art. 17): Request deletion of your account and all associated data. You can delete your account in-app via Settings → Account → Delete Account, or by emailing privacy@hapttouch.com.
Right to restriction of processing (Art. 18): Request that we restrict processing of your data under certain conditions.
Right to data portability (Art. 20): Request export of your data in a structured, machine-readable format.
Right to object (Art. 21): Object to processing of your personal data under certain conditions.
Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority. For Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD) at www.cnpd.pt.

To exercise any of these rights, contact us at privacy@hapttouch.com. We will respond within 30 days.

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority (CNPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Article 34).

Due to end-to-end encryption, a server-side breach would expose only encrypted ciphertext that cannot be decrypted without your private key.

10. Children's Privacy

Hapt is not intended for children under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has created an account, we will delete the account and associated data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the app or by updating the date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Email: privacy@hapttouch.com
Support: support@hapttouch.com
Lisbon, Portugal