Privacy Policy

Last updated: April 12, 2026

This Privacy Policy explains how HayRed (“HayRed,” “we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you use the HayRed platform, including the website, mobile applications, APIs, and all related services (collectively, the “Platform”). This policy is designed to comply with the EU General Data Protection Regulation (GDPR) and applicable Norwegian data protection law. By using the Platform, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy forms an integral part of our Terms of Use.

1. Who we are

HayRed is the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal data in connection with the Platform. If you have any questions about how we handle your data, or if you wish to exercise any of your rights as a data subject, you can contact us at legal@hayred.com.

2. Data we collect

We collect the following categories of personal data:

Account information. When you create an account, we collect your name, email address, and any other information you provide during registration, such as a profile photo, bio, or links to external portfolios. If you sign up using a third-party authentication provider (such as GitHub or Google), we receive limited profile information from that provider as authorized by you.

User Content. Any videos, photos, designs, text, or other materials you upload, post, or submit to the Platform. This content is made available to other users and Discovering Parties in accordance with our Terms of Use.

Usage data. We automatically collect certain technical information when you use the Platform, including your IP address, browser type and version, operating system, device identifiers, pages visited, time spent on pages, referral URLs, and interactions with the Platform (such as clicks, scrolls, and search queries). This data is collected through server logs and analytics tools.

Communications. If you contact us at legal@hayred.com or through any other support channel, we collect the content of your message and any information you choose to provide.

3. How we use your data

We use your personal data for the following purposes:

  • To create and maintain your account and authenticate your identity;
  • To display your User Content in discovery feeds, search results, and profile pages;
  • To operate the algorithmic discovery system that surfaces your content to relevant Discovering Parties;
  • To facilitate messaging between users, including creators and Discovering Parties;
  • To send you important notifications about your account, including security alerts, Terms updates, and service announcements;
  • To detect, prevent, and address fraud, abuse, security incidents, and technical issues;
  • To enforce our Terms of Use, including reviewing reported content and messages;
  • To analyze usage patterns and improve the Platform’s features, performance, and user experience;
  • To comply with legal obligations and respond to lawful requests from public authorities.

We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you, other than the algorithmic discovery system described in our Terms of Use, which determines the visibility of your User Content but does not affect your legal rights.

5. Cookies and tracking

The Platform uses cookies and similar technologies. Cookies are small text files stored on your device that help us provide, secure, and improve the Platform.

Essential cookies. These are strictly necessary for the Platform to function. They handle authentication, session management, and security. You cannot opt out of essential cookies because the Platform cannot operate without them.

Analytics cookies. These help us understand how users interact with the Platform, which pages are visited most, and where users encounter errors. Analytics cookies are non-essential and are only placed with your consent. You can manage your cookie preferences at any time through the cookie settings available on the Platform.

We do not use advertising or tracking cookies. We do not participate in cross-site tracking or ad networks.

6. Data sharing

We may share your personal data with the following categories of recipients:

  • Service providers. Third-party companies that help us operate the Platform, including cloud hosting providers, content delivery networks, analytics services, and email delivery services. These providers process your data only on our behalf, under contractual obligations that require them to protect your data in accordance with the GDPR.
  • Other users. Your User Content, profile information, and any other information you choose to make public on the Platform is visible to other users, including Discovering Parties. Your private messages are not shared with anyone other than the participants in the conversation, except as described in Section 7.
  • Legal and regulatory authorities. We may disclose your personal data when required by applicable law, court order, or valid legal process, or when we believe disclosure is necessary to protect the rights, property, or safety of HayRed, our users, or the public.
  • Business transfers. In connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer and any changes to the processing of your personal data.

We do not sell, rent, or trade your personal data to third parties for their own marketing or commercial purposes.

7. Messaging and encryption

All messages exchanged through the Platform are protected by end-to-end encryption. This means that the content of your conversations is encrypted on your device before transmission and can only be decrypted by the intended recipient. HayRed does not hold the encryption keys necessary to read your messages and cannot access message content under normal operations.

When you report a message, the content of the reported message is decrypted on your device and submitted to HayRed as part of the report. This is the only mechanism by which message content becomes accessible to HayRed. We process reported message content solely for the purpose of investigating the report and enforcing our Terms of Use.

We store messaging metadata, including the identities of participants, timestamps, and message delivery status. This metadata is necessary to operate the messaging service and may be disclosed in response to valid legal process. Message metadata does not include the content of your conversations.

8. Data retention

We retain your personal data for as long as your account remains active and as necessary to provide you with the Platform. Specific retention periods vary by data type:

  • Account information: retained for the lifetime of your account. Upon account deletion, your account data is permanently deleted within thirty (30) days, except where retention is required by law.
  • User Content: retained for as long as you choose to keep it on the Platform. When you delete content, it is removed from public-facing areas immediately and permanently deleted from our systems within thirty (30) days. Cached or archived copies in third-party systems (such as search engine indices) may persist beyond our control.
  • Usage data: retained in identifiable form for up to twenty-four (24) months, after which it is either deleted or anonymized for aggregate statistical analysis.
  • Support communications: retained for up to thirty-six (36) months after the last interaction, for quality assurance and to resolve recurring issues.
  • Reported message content: retained for the duration of the investigation plus an additional twelve (12) months for audit and appeals purposes, then permanently deleted.

Where we are required by law to retain certain data beyond these periods (for example, for tax, accounting, or regulatory compliance), we will do so for the minimum duration required and restrict access to the data during the extended retention period.

9. Your rights

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Article 15): you have the right to request a copy of the personal data we hold about you, together with information about how it is processed.
  • Right to rectification (Article 16): you have the right to request correction of inaccurate personal data or completion of incomplete data.
  • Right to erasure (Article 17): you have the right to request deletion of your personal data, subject to certain legal exceptions (such as data we are required to retain by law).
  • Right to restriction of processing (Article 18): you have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to data portability (Article 20): you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to object (Article 21): you have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Article 7(3)): where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

To exercise any of these rights, contact us at legal@hayred.com. We will respond to your request within thirty (30) days. If we need additional time, we will inform you of the extension and the reasons within the initial thirty-day period. We may request proof of identity before processing your request to protect your data from unauthorized access.

If you believe that we have violated your data protection rights, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no, or with the supervisory authority in the EU/EEA member state where you reside or work.

10. International data transfers

HayRed is based in Norway, within the European Economic Area (EEA). Some of our service providers may process your personal data in countries outside the EEA that may not provide the same level of data protection as Norwegian or EU law.

Where we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include: (a) transfers to countries that have received an adequacy decision from the European Commission; (b) Standard Contractual Clauses (SCCs) approved by the European Commission; or (c) other legally recognized transfer mechanisms. You may request information about the specific safeguards applied to transfers of your data by contacting us at legal@hayred.com.

11. Children’s privacy

The Platform is not intended for children under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If you are between 16 and 18 years of age, your parent or legal guardian must consent to these terms and this Privacy Policy on your behalf, as described in our Terms of Use. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data as promptly as possible. If you believe a child under 16 has provided us with personal data, please contact us at legal@hayred.com.

12. Data security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to: encryption of data in transit and at rest, end-to-end encryption for messaging, access controls and authentication for internal systems, regular security assessments and vulnerability testing, and incident response procedures.

While we strive to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach and will notify affected individuals without undue delay where the breach is likely to result in a high risk, in accordance with Articles 33 and 34 of the GDPR.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this policy and notify you through the Platform or via the email address associated with your account. Your continued use of the Platform after the effective date of any updated Privacy Policy constitutes your acknowledgment of and agreement to the updated policy. We encourage you to review this policy periodically.

14. Contact

For questions about this Privacy Policy, to exercise your data protection rights, or to raise a concern about how we handle your personal data, contact us at legal@hayred.com.