Privacy Policy
Last updated: 5 July 2026 · Version 1.0
1. Who is the data controller
Octanen.com OÜ, a limited company registered in Estonia (registry code 17467469, EU VAT number EE102971590), with its registered office at Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia, is the data controller for personal data processed through Hi Hiro ("we", "us"). Contact us at artur@octanen.com for any privacy questions or to exercise your rights below.
We have not appointed a Data Protection Officer, as we are not required to under GDPR Art. 37. For any data protection matter, use the contact address above.
2. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, password (hashed by Firebase Auth), or Google account ID/name/email if you sign in with Google | You, or Google (OAuth) |
| Profile & usage data | Plan type, number of briefs/CVs generated, login timestamps | Generated automatically |
| Career documents | CV/resume content you upload or generate, job titles, target companies, role descriptions | You |
| AI-generated outputs | Company research briefs, tailored CVs, interview prep content | Generated by us via Anthropic Claude / Exa, based on your input |
| Technical data | IP address, browser type, device info, and anti-abuse signals (rate limiting, bot protection) | Automatically, via Firebase |
| Billing data | [Once Stripe is live: payment method last 4 digits, billing address — Stripe is the processor, we don't store full card numbers] | You, via Stripe |
3. Why we process your data & legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Generating company briefs, CVs, and interview prep | Performance of a contract (Art. 6(1)(b)) |
| Billing for paid plans | Performance of a contract / legal obligation (invoicing) |
| Fraud prevention & abuse detection (rate limiting, bot/abuse protection) | Legitimate interest (Art. 6(1)(f)) |
| Service emails (e.g. account, billing notices) | Performance of a contract / legitimate interest |
| Marketing emails (if any, opt-in) | Consent (Art. 6(1)(a)) — withdrawable anytime |
| Keeping a record of your GDPR/RODO consent | Legal obligation to demonstrate consent (Art. 7(1)) |
4. Who we share data with (sub-processors)
We use the following third-party services to operate Hi Hiro. Each acts as a data processor under a data processing agreement, and only receives the data necessary to perform its function:
- Google Firebase / Google Cloud (Authentication, Firestore database, Hosting, Cloud Functions) — stores your account data and app data. Your data is stored in the EU: the Firestore database is in the europe-west3 (Frankfurt, Germany) region, and Cloud Functions run in europe-west1 (Belgium).
- Anthropic (Claude API) — processes the company/role information and uploaded CV text you submit in order to generate briefs, CVs, and interview prep. Anthropic does not use API inputs/outputs to train its models by default.
- Exa (web search API) — used to retrieve live, public web information about companies you research. We send the company/role name you provide; we do not send your personal CV content to Exa.
- Stripe [once payments launch] — processes billing/payment data for paid plans.
We do not sell your personal data to third parties, and we do not share it for third-party advertising purposes.
5. International data transfers
Some of our sub-processors (e.g. Anthropic, Exa) may process data outside the EU/EEA, including in the United States. Where this happens, transfers are covered by the EU Standard Contractual Clauses (SCCs) set out in each sub-processor's Data Processing Agreement, together with any additional safeguards they provide.
6. How long we keep your data
- Account data: kept while your account is active. When you delete your account, your profile and generated documents are removed from our active systems immediately; residual copies in system backups are purged within 30 days.
- Generated briefs/CVs: kept while your account is active so you can re-download them; deleted on account deletion or earlier if you delete them yourself.
- Billing records: kept for 7 years, as required by Estonian accounting law.
- Technical/security logs: typically retained for a short period (e.g. 30–90 days) for abuse prevention.
7. Your rights (GDPR / RODO)
If you are in the EU/EEA or UK, you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your account and data.
- Restriction — limit how we use your data in certain cases.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest, or to direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it anytime without affecting prior processing.
- Lodge a complaint — with your local data protection authority, or with our lead supervisory authority, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
Two of these are self-service: from your account Settings you can export a copy of all your data (Access / Portability) and permanently delete your account and everything associated with it (Erasure), at any time, without contacting us. For any other request, email artur@octanen.com and we'll respond within 30 days as required by law.
8. Cookies & similar technologies
Hi Hiro uses essential cookies/local storage for authentication (Firebase session tokens) and basic anti-abuse protection. These are strictly necessary for the service to work and do not require consent. We do not currently use third-party advertising, analytics, or tracking cookies. If we introduce any in the future, we will update this policy and add a cookie consent banner where required.
9. Security
We use industry-standard measures to protect your data, including encrypted connections (HTTPS/TLS), Firebase Authentication for credential management (we never store raw passwords), Firestore security rules restricting access to your own data, and rate limiting against abuse on AI generation endpoints. No system is 100% secure, and we encourage you to use a strong, unique password.
10. Children's privacy
Hi Hiro is not directed at children under 16. We do not knowingly collect data from children under this age. If you believe a child has provided us with data, contact us and we'll delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice, and the "Last updated" date and version number above will reflect the change. Continuing to use Hi Hiro after changes take effect means you accept the updated policy.
12. Contact
Questions, requests, or concerns about your data? Email artur@octanen.com.