Privacy Policy

1. Who We Are / Data Controller

honoa is the data controller responsible for the personal data processed in connection with the Service. We are established in and operate from the Netherlands. For the purposes of the GDPR, we determine the purposes and means of the processing of your personal data as described in this Policy. If you have any questions about how we handle your personal data, or wish to exercise your rights, you can contact us at [email protected].

2. What Data We Collect

We collect the following categories of personal data in connection with your use of the Service:

• Account data: your name, email address, and a securely hashed version of your password. We do not store your password in plain text.
• Billing data: payment and billing information is processed and stored by our payment processor, Stripe, which is PCI-DSS compliant. We do not store your full payment card numbers on our systems; we may retain limited information such as billing name, the last four digits of your card, card brand, expiry, transaction identifiers, and invoice records.
• Usage data: information about how you interact with the Service, including pages visited, features used, actions taken, your IP address, and browser and device information. This data is collected in part through our internal analytics and tracking endpoint at /api/track.
• User content: the websites, images, text, products, orders, media, and other content you create, upload, or publish through the Service. This content is stored on our servers and on Amazon Web Services (AWS) S3.
• Communications: the content of support emails and other communications you send to us, including any information you choose to provide.
• Cookies and similar technologies: information collected through cookies and similar technologies, as described in our Cookie Policy.

3. How We Use Your Data

We use the personal data we collect for the following purposes:

• To provide, operate, maintain, and deliver the Service and its features to you;
• To process payments, manage subscriptions, and administer billing through Stripe;
• To send you transactional and service-related communications, such as account notifications, security alerts, billing notices, and support responses;
• To monitor, analyze, maintain, and improve the Service, including understanding how features are used and developing new features;
• To comply with our legal and regulatory obligations;
• To detect, prevent, investigate, and respond to fraud, abuse, security incidents, and violations of our Terms of Service; and
• To establish, exercise, or defend legal claims.

4. Legal Basis for Processing (GDPR)

Where the GDPR applies, we rely on the following legal bases for processing your personal data:

• Performance of a contract: to provide the Service to you under our Terms of Service, including creating and managing your account, hosting your content, and processing your subscription.
• Legitimate interests: to operate, secure, and improve the Service, to analyze usage, to prevent fraud and abuse, and to communicate with you, provided such interests are not overridden by your rights and freedoms.
• Consent: for the use of non-essential cookies and similar technologies, and for any other processing where we ask for your consent. You may withdraw your consent at any time.
• Legal obligation: to comply with applicable laws, such as retaining billing and tax records and responding to lawful requests from authorities.

5. Data Sharing & Disclosure

We share personal data with trusted third-party service providers (processors) only as necessary to operate the Service. These include:

• Stripe — for payment processing and subscription billing;
• Amazon Web Services (AWS) — for media storage (S3) and hosting infrastructure;
• Anthropic — for AI-powered features such as copy generation, SEO analysis, and translation; text you submit to these features is processed by Anthropic to generate output but is not retained or stored by us beyond what is necessary to deliver the feature;
• Google — where you choose to use Google OAuth as an optional login method, for authentication purposes.

We may also disclose personal data where required to comply with applicable law, legal process, or enforceable governmental request; to enforce our Terms of Service; to detect, prevent, or address fraud, security, or technical issues; or in connection with a merger, acquisition, financing, or sale of all or part of our business, subject to appropriate confidentiality protections.

We do not sell your personal data to third parties, and we do not share your personal data for cross-context behavioral advertising. We do not consider our processing activities to constitute a “sale” or “sharing” of personal information under the CCPA.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Our retention periods include:

• Account data: retained for as long as your account is active, and for up to ninety (90) days after account deletion, after which it is deleted or anonymized.
• Billing records: retained for seven (7) years to comply with applicable tax, accounting, and legal obligations.
• User content: deleted within thirty (30) days of account deletion, subject to routine backup cycles.

7. Your Rights (GDPR & CCPA)

Depending on your location and applicable law, you have the following rights with respect to your personal data:

• Right of access: to request confirmation of whether we process your personal data and to obtain a copy of it;
• Right to rectification / correction: to request that we correct inaccurate or incomplete personal data;
• Right to erasure / deletion: to request that we delete your personal data, subject to legal retention obligations;
• Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format;
• Right to restriction of processing: to request that we limit the processing of your personal data in certain circumstances;
• Right to object: to object to processing based on our legitimate interests;
• Right to opt out of sale or sharing: although we do not sell or share your personal data, you have the right to opt out of any such activity;
• Right to non-discrimination: we will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, please email us at [email protected]. We will respond to your request within the timeframe required by applicable law. We may need to verify your identity before fulfilling your request. You also have the right to lodge a complaint with your local data protection authority; in the Netherlands, this is the Autoriteit Persoonsgegevens.

8. International Data Transfers

Your personal data may be transferred to, stored in, and processed in countries outside the European Economic Area (EEA), including the United States, for example through our use of AWS and other service providers. Where we transfer personal data outside the EEA, we put in place appropriate safeguards to ensure an adequate level of protection, including the use of the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, additional technical and organizational measures. You may request more information about these safeguards by contacting us.

9. Security

We implement industry-standard technical and organizational measures designed to protect your personal data against unauthorized access, disclosure, alteration, and destruction, including encryption in transit, access controls, and secure password hashing. However, no method of transmission over the internet or method of electronic storage is one hundred percent (100%) secure, and we cannot guarantee absolute security. To the maximum extent permitted by applicable law, we are not liable for any unauthorized access, breach, loss, or disclosure of data that occurs despite our reasonable security measures or that is outside our reasonable control. You are responsible for keeping your account credentials confidential and for maintaining your own backups of your User Content.

10. Children’s Privacy

The Service is not directed at children under the age of sixteen (16), and we do not knowingly collect personal data from anyone under that age. If you are under sixteen, please do not use the Service or provide any personal data to us. If we become aware that we have inadvertently collected personal data from a child under sixteen without appropriate consent, we will take reasonable steps to delete that data promptly. If you believe that a child has provided us with personal data, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by applicable law, provide additional notice. We encourage you to review this Policy periodically to stay informed about how we protect your personal data. Your continued use of the Service after any changes take effect constitutes your acknowledgment of the revised Policy.

12. Contact / Data Protection

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, or if you wish to contact our data protection point of contact, please email us at [email protected].