🔒 Privacy Policy

HelloFriend LLC ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains what personal information we collect, how we use and share it, how long we retain it, and the rights you have regarding your information when you use the HelloFriend Platform. This policy applies to all users of the Platform, including Pet Owners, Animal Service Providers (ASPs), and visitors to our website. By using the Platform, you agree to the collection and use of information as described in this Policy.

• Account registration: full name, email address, password (hashed), phone number, city, state, user role. • Profile information: profile photo, biography, pet profiles (name, breed, age, photos, medical notes). • ASP-specific information: business name, business address, service descriptions, product listings, pricing, operating hours, and professional credentials. • Identity verification (ASPs only): government-issued photo ID, business license — see Section 1(d) below. • Payment information: collected and processed exclusively by Stripe — we never receive, store, or have access to raw payment card numbers or bank account details. • Communications: messages you send to our support team. • Community content: posts, event listings, comments, photos, and other content you share.

• Device and browser information: device type, operating system version, browser type and version, unique device identifiers, IP address. • Usage data: pages and features accessed, time spent, click patterns, crash reports, and performance data collected via Firebase Analytics. • Location data: general location (city/state) derived from your account profile. We do not collect precise GPS location unless you explicitly enable location sharing in Settings. • Authentication data: session tokens and authentication state managed by Firebase Auth. • Cookies and local storage: used for authentication, preferences, and analytics on the web version. See Section 9.

• Firebase / Google: authentication state, database hosting, analytics aggregates. Subject to Google's Privacy Policy. • Stripe: payment confirmation, payout status, and fraud signals (not full card details). Subject to Stripe's Privacy Policy. • Agora: real-time communication session metadata (if applicable). Subject to Agora's Privacy Policy.

To verify ASP identity, we collect scanned or photographed copies of government-issued photo identification and, where applicable, business licenses. This information is: • Stored securely in Firebase Cloud Storage with restricted access controls. • Accessed only by authorized HelloFriend administrators for verification purposes. • Never shared with other users, third-party advertisers, or sold. • Retained for a maximum of 12 months following permanent account closure, then securely deleted, unless longer retention is required by law. We do not use facial recognition, biometric extraction, or automated identity-matching technology on submitted documents. If you are a resident of Illinois, Texas, or Washington and have concerns about your biometric or identification data, please contact [email protected].

We use the information we collect to: • Operate, maintain, and improve the Platform and its features. • Verify your identity and account eligibility, including ASP onboarding verification. • Process payments and facilitate payouts via Stripe. • Personalize your experience (e.g., showing relevant ASPs or pets in your area). • Communicate with you about your account, transactions, service updates, and security alerts. • Send marketing or promotional messages (only with your consent, and you may opt out at any time — see Section 5). • Enforce our Terms of Service, Community Standards, and platform policies. • Comply with applicable law, legal process, and lawful government requests. • Detect, investigate, and prevent fraud, abuse, spam, and security incidents. • Conduct internal research, analytics, and product development. • Respond to your support inquiries and resolve disputes.

Your public profile information (name, profile photo, bio, city, and publicly listed pets) is visible to other registered users. ASP business information (name, services, location, products, operating hours) is visible to all Platform users and may be indexed by search engines. Private account details (phone number, email, payment info) are never shared with other users.

We share information with trusted third-party vendors who help us operate the Platform, including Google/Firebase (cloud infrastructure, authentication, analytics), Stripe (payment processing), and Agora (real-time communications). These vendors act as data processors on our behalf, are contractually bound to protect your information, and may only use it to provide services to us — not for their own marketing purposes.

We may disclose your information if we have a good-faith belief that disclosure is necessary to: (a) comply with applicable law, legal process, or enforceable government request; (b) enforce our Terms of Service; (c) detect, investigate, or prevent fraud, security, or technical issues; (d) protect the rights, safety, or property of HelloFriend, our users, animals, or the public; or (e) report suspected animal abuse or neglect to relevant animal welfare authorities.

If HelloFriend is involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will provide at least 30 days' notice via the app and/or email before your information is subject to a materially different privacy policy.

HelloFriend does not sell, rent, lease, or trade your personal information to third parties for their own marketing purposes. This applies to all users, including California residents exercising rights under the CCPA/CPRA.

We retain your personal information for as long as your account is active or as needed to provide services and comply with our legal obligations. Specific retention periods: • Active account data: retained until you request deletion or we close your account. • Deleted account data: personal profile data deleted within 30 days of account closure. • ASP verification documents: retained for 12 months post-closure, then securely deleted. • Transaction records: retained for 7 years for tax and legal compliance purposes. • Community content (posts, comments): may remain visible unless you specifically request removal prior to account closure; we will process removal requests within 30 days. • Security and fraud logs: retained for up to 3 years. • Backup copies: may persist for up to 90 days after deletion from active systems.

You may access and update most of your personal information directly in the App (Settings → Edit Profile). For information you cannot update yourself, contact [email protected].

You may request a copy of your personal data in a machine-readable format via Settings → Download My Data or by emailing [email protected]. We will fulfill portability requests within 30 days.

You may request deletion of your account and personal data at any time via Settings → Billing → Delete Account, or by emailing [email protected]. We will process deletion requests within 30 days, subject to legal retention requirements (e.g., transaction records). Note: deletion is permanent and cannot be undone.

You may opt out of marketing emails at any time by clicking "Unsubscribe" in any marketing email or by adjusting your notification preferences in Settings. You cannot opt out of transactional messages (account security alerts, payment confirmations, verification codes) as these are necessary for the service.

To opt out of non-transactional SMS messages, reply STOP to any text from us. You may also adjust your SMS preferences in Settings. Opting out of verification SMS may affect your ability to use certain features.

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold. • Right to Delete: request deletion of your personal information, subject to exceptions. • Right to Correct: request correction of inaccurate personal information. • Right to Opt-Out: opt out of the sale or sharing of personal information — we do not sell or share your personal information for cross-context behavioral advertising. • Right to Limit Sensitive Data Use: limit our use of sensitive personal information. • Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights. To exercise these rights, contact us at [email protected]. We will respond within 45 days (extendable by 45 days with notice).

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent legislation, including the right to: access your data, rectify inaccuracies, erasure ("right to be forgotten"), data portability, object to processing, and restrict processing in certain circumstances. Our legal bases for processing are: (a) performance of a contract (providing you the Platform services); (b) your explicit consent (e.g., marketing emails, location sharing); and (c) our legitimate interests (security, fraud prevention, product improvement). To exercise GDPR rights, contact [email protected]. You also have the right to lodge a complaint with your local data protection authority.

We implement industry-standard technical and organizational security measures to protect your personal information, including: • Encrypted data transmission (HTTPS/TLS 1.2+) for all Platform communications. • Firebase Security Rules restricting database read/write access to authenticated users. • Role-based access controls for HelloFriend staff accessing user data. • Payment data handled exclusively by Stripe (PCI-DSS Level 1 certified). • Regular security reviews and vulnerability assessments. However, no system is completely secure. We cannot guarantee that unauthorized parties will never access your information. In the event of a data breach affecting your rights or freedoms, we will notify affected users and relevant authorities as required by applicable law.

HelloFriend is not directed at individuals under the age of 18 and does not knowingly collect personal information from minors. In compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.), if we learn that we have collected information from a person under 18 years of age, we will promptly delete that information and terminate the associated account. If you believe a minor has created an account on our Platform, please contact [email protected] immediately.

During the Beta period, we may: • Collect additional diagnostic, crash, and performance data to improve stability. • Review user-submitted content more frequently for quality assurance and moderation. • Contact you directly via email for feedback about your experience. • Reset or migrate data as part of infrastructure improvements — we will provide advance notice before any action that would result in permanent data loss. Beta participant information (name, email, city, state, role, device type) submitted via the sign-up process is stored in Firebase Firestore and used exclusively for Beta program management. It is not shared with third parties or used for advertising.

The web version of HelloFriend uses the following cookies and local storage technologies: • Authentication cookies (Firebase Auth): strictly necessary to keep you signed in. Cannot be disabled without logging out. • Analytics cookies (Firebase Analytics): help us understand how users interact with the Platform. Aggregated and anonymized. You may opt out via your browser settings or the "Usage Data Sharing" toggle in Settings → Privacy. We do not use third-party advertising cookies, cross-site tracking pixels, or sell cookie data to advertisers. You may configure your browser to refuse cookies; however, disabling authentication cookies will prevent you from accessing your account.

The Platform may contain links to third-party websites (e.g., ASP external websites, social media profiles, Stripe payment pages). We are not responsible for the privacy practices, content, or availability of any third-party service. We encourage you to review the privacy policies of any third-party service before providing personal information. HelloFriend's Privacy Policy applies only to information collected directly by the Platform.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting a prominent notice within the app and/or sending an email to the address on file at least 14 days before the change takes effect. Non-material changes (such as typographical corrections) may be made without notice. Continued use of the Platform after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree, you must stop using the Platform and may request account closure.

If you have questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, please contact our Privacy team: HelloFriend LLC — Privacy [email protected] Charlotte, North Carolina We aim to respond to privacy inquiries within 5 business days and to fulfill data rights requests within 30 days (or 45 days for CCPA requests). California residents may also contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov. EEA/UK residents may contact their local data protection authority.