Privacy Policy
Last updated: March 10, 2026
Hadithi ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. By using Hadithi ("the Service"), you agree to the practices described in this policy.
This policy applies to all users of the Service, including visitors to our website, waitlist subscribers, and registered users.
1. Information We Collect
1.1 Information you provide directly
| Data type | When collected |
|---|---|
| Account information — name, email address, profile picture | When you sign up directly or through Google/LinkedIn OAuth |
| Writing samples — text you paste for voice analysis | During onboarding or when updating your voice profile |
| Content — topics, research sessions, drafts, published posts, rewrite history | When you use the Service to create content |
| Workspace settings — workspace name, posting cadence, preferences | During onboarding and in settings |
| Waitlist submissions — email address | When you join the waitlist |
| Communications — messages and feedback you send us | When you contact us |
| Payment information — billing details, transaction history | When you subscribe to a paid plan (processed by our payment provider) |
1.2 Information collected automatically
| Data type | Purpose |
|---|---|
| Usage data — pages visited, features used, timestamps, session duration, click paths | Understanding how the Service is used to improve it |
| Device information — browser type and version, operating system, screen resolution, device type | Ensuring compatibility and debugging |
| Log data — IP address, referring URL, access timestamps, server request logs | Security, fraud prevention, and debugging |
| Cookies and similar technologies — session cookies, authentication tokens | Authentication, session management, and preferences |
1.3 Information from third parties
- OAuth providers (Google, LinkedIn): When you sign in with Google or LinkedIn, we receive your name, email address, and profile picture as authorized by you during the OAuth flow. We also receive OAuth tokens, which are encrypted at rest.
- Payment processors: If you use a paid plan, our payment processor may share transaction confirmations and billing status with us. We do not receive or store your full credit card number.
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Lawful basis (GDPR) |
|---|---|
| Providing the Service: Process writing samples through AI models, generate research and drafts, maintain voice profiles, manage your workspace | Performance of contract |
| Account management: Create and manage your account, authenticate your identity, process payments | Performance of contract |
| Improving the Service: Analyze usage patterns, fix bugs, develop new features, optimize performance | Legitimate interest |
| Communications: Send account-related notifications (confirmation emails, security alerts), respond to support requests | Performance of contract / legitimate interest |
| Marketing: Send product updates and announcements to waitlist subscribers and users who have opted in | Consent |
| Security: Detect and prevent fraud, abuse, unauthorized access, and other harmful activities | Legitimate interest / legal obligation |
| Legal compliance: Comply with applicable laws, regulations, and legal processes | Legal obligation |
We do not use your personal information for automated decision-making or profiling that produces legal effects or similarly significant effects on you.
3. AI Processing
Hadithi uses third-party AI models (including models by Anthropic and Google) to power core features. Understanding how your data is processed by AI is important:
What is sent to AI providers
- Voice analysis: Your writing samples are sent to the AI provider to generate a voice profile (tone, style, patterns).
- Topic research: Your topic prompts and follow-up questions are sent to generate research panels (quotes, data, angles, insights).
- Draft generation: Your topic, research context, voice profile, and editorial preferences are sent to generate drafts.
- Rewrites: Selected text and rewrite instructions are sent for content refinement.
How AI providers handle your data
- We select AI providers that commit to not using customer inputs to train their models under their standard API terms.
- AI providers may temporarily process your data in memory to generate responses, but do not retain your inputs beyond what is needed for the request.
- We maintain data processing agreements with our AI providers where available.
- AI providers' own privacy policies and terms govern their processing. We encourage you to review them.
Our commitments
- We do not use your content to train Hadithi's own models or any third-party models.
- We do not share your content with AI providers for any purpose other than providing the specific Service feature you requested.
- We send only the minimum data necessary for each AI request.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share data only in the following circumstances:
Service providers
We use third-party companies and individuals to perform services on our behalf ("Service Providers"). These include:
- AI processing: Anthropic, Google (for content generation and analysis)
- Hosting and infrastructure: Cloud hosting providers for application and database hosting
- Email delivery: Transactional email services for account notifications
- Payment processing: Payment gateway providers (they receive payment details directly; we do not store credit card numbers)
- Analytics: Privacy-respecting analytics tools for usage insights
- Waitlist management: Formspree (for processing waitlist form submissions)
Service Providers are contractually bound to use your data only as instructed and for the purposes specified. They are required to maintain appropriate security measures.
Authentication providers
When you sign in with Google or LinkedIn, these providers receive and share data during the OAuth flow according to their own terms. We receive only the profile information you authorize.
Legal and safety
We may disclose your information if we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request
- Enforce our Terms & Conditions, including investigation of potential violations
- Detect, prevent, or address fraud, security, or technical issues
- Protect against harm to the rights, property, or safety of Hadithi, our users, or the public
Business transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
With your consent
We may share your information with third parties when you have given us explicit consent to do so.
5. Data Retention
We retain your data only for as long as necessary to fulfill the purposes for which it was collected:
| Data type | Retention period |
|---|---|
| Account information | As long as your account is active, plus 30 days after deletion |
| User Content (topics, drafts, research) | As long as your account is active; deleted within 30 days of account deletion |
| Voice profile and writing samples | As long as your account is active; deleted within 30 days of account deletion |
| Waitlist email addresses | Until you unsubscribe or request deletion |
| Server logs (IP addresses) | 90 days |
| Payment records | As required by applicable tax and financial regulations (typically 7 years) |
| Support communications | 2 years after resolution, or as required by law |
We may retain anonymized or aggregated data that cannot be used to identify you for longer periods for analytical purposes.
When retention is required by law (such as tax records or legal disputes), we will retain only the minimum necessary data for the legally required period.
6. Data Security
We implement reasonable and appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
Technical measures
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Sensitive fields (such as OAuth tokens and refresh tokens) are encrypted at the application level using Active Record encryption.
- Access controls: Database access is restricted to authorized services and personnel. Administrative access requires multi-factor authentication.
- Secure authentication: Passwords are hashed using industry-standard algorithms. OAuth tokens are encrypted and never exposed in logs or responses.
- Input validation: All user inputs are validated and sanitized to prevent injection attacks and other vulnerabilities.
Organizational measures
- Access to personal data is limited to personnel who need it to perform their duties.
- We conduct regular security reviews of our codebase and infrastructure.
- Service Providers are required to maintain appropriate security standards.
No method of electronic transmission or storage is 100% secure. While we strive to protect your data using commercially reasonable means, we cannot guarantee absolute security. If you become aware of a security vulnerability or breach, please report it to security@hadithi.org.
7. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected users without undue delay, and within 72 hours of becoming aware of the breach where required by applicable law (such as the GDPR)
- Notify the relevant supervisory authority where required by law
- Provide details about the nature of the breach, the data involved, the likely consequences, and the measures taken to address it
- Take immediate steps to contain, investigate, and remediate the breach
8. Your Rights
Depending on your jurisdiction, you have certain rights regarding your personal data. We honor these rights regardless of where you are located, to the extent technically feasible:
For all users
- Access: You can request a copy of the personal data we hold about you.
- Correction: You can request that we correct inaccurate or incomplete personal data.
- Deletion: You can request that we delete your personal data. You can also delete your account directly through the Service.
- Data portability: You can request a copy of your data in a structured, commonly used, machine-readable format.
- Withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
- Opt out of marketing: You can unsubscribe from marketing communications at any time using the link in the email or by contacting us.
Additional rights under the GDPR (EEA/UK users)
- Restriction of processing: You can request that we restrict the processing of your personal data in certain circumstances.
- Object to processing: You can object to processing based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds.
- Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
Additional rights under the CCPA/CPRA (California residents)
- Right to know: You have the right to know what personal information we collect, use, disclose, and sell.
- Right to delete: You can request deletion of your personal information.
- Right to opt-out: We do not sell personal information. If this changes, we will provide a clear opt-out mechanism.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
- Categories of information: In the preceding 12 months, we may have collected the following categories of personal information: identifiers (name, email, IP address), internet or electronic activity (usage data), and professional information (writing samples, content). We do not collect sensitive personal information as defined under the CPRA.
How to exercise your rights
To exercise any of these rights, contact us at privacy@hadithi.org. We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.
If you make a request, we have one month to respond to you. If your request is complex or you have made multiple requests, we may extend this period by up to two additional months, with prior notice.
9. Cookies and Similar Technologies
Cookies are small text files placed on your device when you visit a website. We use cookies as follows:
| Cookie type | Purpose | Duration |
|---|---|---|
| Essential / session | Authentication, session management, CSRF protection. The Service cannot function without these. | Session / up to 2 weeks |
| Remember me | Keeps you signed in across browser sessions if you opt in. | Up to 30 days |
What we do NOT use:
- Third-party advertising or tracking cookies
- Cross-site tracking pixels or beacons
- Social media tracking cookies
If we use analytics in the future, we will use privacy-respecting tools that do not track individuals across sites and do not use third-party cookies. This policy will be updated accordingly.
Most browsers allow you to control cookies through settings. Disabling essential cookies may prevent you from using the Service.
10. Children's Privacy
Hadithi is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@hadithi.org. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly.
11. International Data Transfers
Your data may be transferred to, stored in, and processed in countries other than the one in which you reside. These countries may have data protection laws that differ from those in your jurisdiction.
Where we transfer personal data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to countries that have not been deemed to provide an adequate level of protection, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with appropriate security and confidentiality obligations
- Transfers to countries recognized as providing adequate protection
You can request information about the safeguards in place for international transfers by contacting us.
12. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Since there is no industry consensus on how to respond to DNT signals, we do not currently respond to them. However, as described in Section 9, we do not use third-party tracking cookies or cross-site tracking technologies.
13. Third-Party Links
The Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Material changes: We will notify you by email and/or through a prominent notice on the Service at least 30 days before the changes take effect.
- Non-material changes: We may update this policy without prior notice for minor corrections, formatting, or clarifications.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you should stop using the Service and delete your account.
The "last updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
Hadithi — Privacy
General inquiries: privacy@hadithi.org
Security issues: security@hadithi.org
Legal matters: legal@hadithi.org
If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.