Privacy Policy

3.1 We collect personal information from you in various ways, depending on whether you are an audience member, an artist, or another type of user.

3.2 When you use the Platform as an audience member, we may collect your full name, email address, phone number (if applicable), payment information (processed through third-party payment providers), and your interactions with the Platform, such as the content you view, the artists you support, and your participation in chat or interactive features. We may also collect technical information, including your IP address, device identifiers, browser type, and platform usage statistics. For California residents, we collect the following categories of personal information under CCPA/CPRA: identifiers (name, email, IP address, device ID), commercial information (payment history, content viewed, artists supported), internet/network activity (browsing history, interactions with Platform), geolocation data, and inferences drawn from the above to create user profiles for personalization.

3.3 When you use the Platform as an artist or creator, we may collect your full name, email address, phone number, bank account details, government-issued identification documents for Know Your Customer (KYC) compliance (such as driver's license, state ID, passport, or for non-US artists, equivalent government-issued identification), as well as the content you upload or stream, and any optional information you choose to provide, such as your social media handles. For US-based artists receiving payments exceeding $600 annually, we collect taxpayer identification numbers (Social Security Number or Employer Identification Number) as required by IRS reporting obligations.

3.4 In addition, we automatically collect certain technical information from all users through cookies and other tracking technologies, including device information, IP address, geolocation data, and information about your use of the Platform.

3.5 We do not knowingly collect sensitive personal information as defined under CCPA/CPRA, including precise geolocation (within 1,850 feet), racial or ethnic origin, religious beliefs, genetic data, or biometric data processed for identification purposes, unless explicitly authorized by you for specific purposes. If we process sensitive personal information, you have the right to limit such processing under applicable state laws.

4.1 We collect information directly from you when you register an account, upload or stream content, make or receive payments, or communicate with us. Some information is collected automatically when you use the Platform, through cookies, analytics tools, and other technologies that help us understand and improve how our services are used.

4.2 We may also receive limited personal information from third-party services when you choose to log in using an integrated account, such as Google. Additionally, we may obtain information from our analytics service providers, including Google Analytics, MsClarity, and PostHog, which collect aggregated data on how users interact with the Platform. We do not purchase personal information from data brokers or third-party data aggregators. Information from third parties is limited to authentication services (e.g., Google OAuth), payment processors (transaction confirmation), and analytics providers (aggregated usage data).

4.3 Do Not Track Signals: Our Platform currently does not respond to "Do Not Track" (DNT) browser signals or similar mechanisms. However, California residents may exercise opt-out rights under CCPA/CPRA through our designated privacy controls, including the "Limit the Use of My Sensitive Personal Information" and "Do Not Sell or Share My Personal Information" options available in account settings.

6.1 Where required by law, we process your personal information on one or more of the following legal bases:

• Consent: where you have given clear consent for us to process your personal information for a specific purpose, such as receiving marketing communications.
• Performance of a contract: where processing is necessary to deliver the services you have requested.
• Compliance with a legal obligation: where we are required to process your data to meet our legal responsibilities.
• Legitimate interests: where processing is necessary for our legitimate business purposes, provided these are not overridden by your fundamental rights and freedoms.
• Public Interest: where processing is necessary to comply with legal obligations, protect public safety, or cooperate with law enforcement; and
• Vital Interests: where processing is necessary to protect the life or physical safety of individuals.

6.2 For US residents: We process personal information based on your consent (where required), to perform our contract with you (to provide Platform services), to comply with legal obligations (tax, KYC, AML requirements), and for our legitimate business interests (fraud prevention, analytics, service improvement) where not overridden by your privacy rights.

7.1 We may share your personal information with trusted third parties in the following circumstances:

• Payment processors for processing transactions securely. We are not a bank and do not provide banking services.
• Analytics providers (including Google Analytics, MsClarity, and PostHog) for performance monitoring and service optimization.
• Cloud hosting providers (such as Amazon Web Services or Google Cloud) that store our data securely.
• Regulatory authorities or law enforcement agencies when required by law or to protect our legal rights.
• Business partners with whom we collaborate for promotional activities, only where you have given consent.
• In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity.

7.2 We do not sell your personal information to third parties for monetary consideration. However, we may "share" personal information for cross-context behavioral advertising as described in our California-specific disclosures.

8.1 As a global platform, your personal information may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have data protection laws that are different from those in your jurisdiction and, in some cases, may not provide the same level of protection. Whenever we transfer your personal information to another country, we ensure that appropriate legal, technical, and organisational safeguards are in place to protect it in accordance with applicable laws.

8.2 Such safeguards may include implementing data transfer agreements incorporating standard contractual clauses approved by relevant regulatory authorities, ensuring the recipient is located in a jurisdiction that has been recognised as providing an adequate level of data protection, or relying on other legally recognised transfer mechanisms. Additionally, we require all third parties that process personal information on our behalf to comply with strict contractual obligations, including security and confidentiality requirements, regardless of the country in which they are located.

8.3 By using the Platform, you acknowledge and agree to the transfer of your personal information to countries outside your country of residence, subject to the protections outlined in this Privacy Policy.

11.1 Depending on your location, you may have certain rights in relation to your personal information, including the right to access, correct, delete, or restrict processing, the right to object to processing, the right to withdraw consent, and the right to data portability.

11.2 California Rights: Residents have the right to know what personal information is collected, the right to delete personal information, the right to correct inaccurate personal information, the right to opt out of the "sale" or "sharing" of personal information, and the right to non-discrimination for exercising these rights.

11.3 Exercising Your Rights: To exercise these rights, please contact us at care@hiffi.com. We will verify your identity before processing your request.

11.4 Verification Process: To protect your privacy, we will take steps to verify your identity before fulfilling your request. This may include asking you to provide:

• Confirmation of the email address associated with your account
• Account username or user ID
• Answers to security questions or confirmation codes sent to your email/phone

For deletion requests involving sensitive information, we may require additional verification such as government-issued ID or notarized affidavit.

11.5 Authorized Agents - California residents may designate an authorized agent to submit privacy requests on their behalf. Authorized agents must provide:

• Signed written authorization from the consumer
• Proof of the agent's identity

We may require the consumer to verify their identity directly and confirm they authorized the agent

11.6 Response Timeframes: We will respond to verified requests within 45 days of receipt. If we require additional time (up to 90 days total), we will inform you of the reason and extension period.

11.7 Appeals Process: If we deny your privacy request in whole or in part, you have the right to appeal our decision. To appeal, email care@hiffi.com within 30 days of receiving our denial. We will respond to appeals within 45 days. Virginia, Colorado, Connecticut, and Utah residents may also contact their state Attorney General to submit complaints.

12.1 We implement industry-standard technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. We also maintain strict internal policies on data handling, require our employees and contractors to sign confidentiality agreements, and ensure that any third-party service providers processing data on our behalf adhere to equally robust security standards.

12.2 However, no security system is impervious to all threats. In the event of a data breach affecting personal information, we will notify affected users and relevant regulatory authorities as required by applicable law:

• California residents: Within the timeframe required by California Civil Code § 1798.82 and CPRA breach notification requirements
• Other state residents: As required by applicable state data breach notification laws
• All users: Via email to the address on file and/or prominent notice on the Platform

12.3 Notification will include the nature of the breach, types of information compromised, steps taken to address the breach, and recommendations for protecting affected individuals. Where required by law, we will offer credit monitoring or identity theft protection services at no cost to affected individuals.

12.4 We conduct regular security audits and risk assessments in compliance with CCPA/CPRA cybersecurity audit requirements effective January 1, 2026.

13.1 Age Restrictions: The Platform is not directed to children under the age of thirteen (13) in the United States or under the applicable age of majority in other jurisdictions. We do not knowingly collect, solicit, or process personal information from children under 13 without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA).

13.2 Parental Consent Requirements: If we learn that we have collected personal information from a child under 13, or if we intend to offer services to children under 13 in the future, we will:

• Obtain verifiable parental consent before collecting personal information
• Provide clear notice to parents about what information we collect, how we use it, and our disclosure practices
• Obtain separate consent for internal use and disclosure to third parties
• Allow parents to review, delete, and refuse further collection of their child's information
• Limit collection to information reasonably necessary for participation in Platform activities
• Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children's personal information.

13.3 Enhanced Privacy Protections: In accordance with COPPA Rule amendments effective April 22, 2026:

• We will not condition a child's participation in any activity on the disclosure of more personal information than is reasonably necessary.
• We will clearly distinguish between consent for internal use and consent for disclosure to third parties.
• Our privacy notices will include specific identities of third parties receiving children's information and the purposes for such disclosures.
• We will implement heightened data security measures for any children's information collected.
• We will retain children's personal information only as long as necessary to fulfill the purpose for which it was collected.
• Biometric identifiers (fingerprints, voice prints, facial recognition) will not be collected from children.

13.4 Reporting Suspected Underage Accounts: If you are under 18, you should not attempt to register an account, use payment features, or provide personal information to us through the Platform without parental supervision. Parents or legal guardians who believe their child has provided personal information to us without consent should contact us immediately at care@hiffi.com so that we can investigate and take appropriate action, including account deletion and information purging, in accordance with COPPA and other applicable laws.

13.5 Third-Party Content: We take reasonable measures to ensure that third-party services integrated with the Platform comply with COPPA requirements. However, parents should review the privacy policies of third-party services their children may access through external links.

16.1 Categories of Personal Information Collected (Last 12 Months):

16.2 Categories of Sensitive Personal Information: We do not intentionally collect sensitive personal information as defined under CPRA (precise geolocation, racial/ethnic origin, religious beliefs, genetic data, biometric identifiers for identification purposes, health information, sex life/sexual orientation). If such information is inadvertently provided, you may request deletion.

16.3 Financial Incentives: We do not currently offer financial incentives or price differences based on collection, sale, or deletion of personal information. If we introduce such programs in the future, we will provide separate terms and opt-in consent mechanisms as required by CCPA/CPRA.

17.1 We do not sell personal information for monetary consideration. However, under CCPA/CPRA definitions, "sharing" personal information with analytics providers for cross-context behavioral advertising may constitute a "sale" or "share."

17.2 To opt out:

• Click "Do Not Sell or Share My Personal Information" in the footer of our website
• Adjust privacy settings in your account dashboard
• Email care@hiffi.com with subject line "Opt Out Request"

17.3 We honor Global Privacy Control (GPC) signals as an opt-out mechanism for California residents. When we detect a GPC signal from your browser, we will apply opt-out preferences to that browser on our Platform. We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age