Privacy Policy

1. Data Controller

The data controller is:

Philippe Jondet — Entrepreneur individuel Nom commercial : Fabrica Digitalis SIRET : 514 568 641 00021 Adresse : 6 Impasse des Cyclamens, 74150 Sales, France Email : dpo@hugete.com

2. Data Collected

We collect the following categories of data:

• Registration data: first name, email address, password (hashed). • Profile data: preferred language, subscription plan. • Content data: Hugz (texts, photos, videos, audio), names and contact details of HugOnes and HugGuards. • Payment data: processed exclusively by Stripe. Hugete does not store any credit card numbers. • Technical data: IP address, browser type, login timestamps (server logs). • Certification data: SHA-256 hash, blockchain transaction identifier (HugCert).

3. Purposes and Legal Bases

Your data is processed for the following purposes:

• Performance of a contract (art. 6.1.b GDPR): provision of the Service, management of your account, sending and delivery of Hugz, subscription management, operation of HugVeille and HugSafe. • Consent (art. 6.1.a GDPR): analytical cookies, sending marketing communications. • Legitimate interest (art. 6.1.f GDPR): improvement of the Service, abuse prevention, security. • Legal obligation (art. 6.1.c GDPR): retention of billing data.

4. Data Retention Periods

• Active account: data retained for the duration of use of the Service. • After account deletion: erasure within 30 days, unless legally required otherwise. • Billing data: retained for 10 years (accounting obligation). • HugBox: accessible for 12 months (Premium) or 24 months (Premium+), then deleted. • Deactivated Hugz (following a downgrade): retained for 2 months, then deleted. • Server logs: retained for 12 months. • HugCert certification data: the hash and blockchain transaction identifier are retained indefinitely (by nature of the blockchain). The certification PDF follows the same retention period as account data.

5. Data Recipients

Your data may be shared with the following recipients:

• Stripe, Inc. (USA, standard contractual clauses): payment processing. • Brevo (Sendinblue, France): transactional emails and reminders. • Hetzner Online GmbH (Germany): server and data hosting. • Polygon Network: storage of HugCert certification hashes (public and pseudonymized data).

No personal data is sold to third parties. No data is transferred outside the European Union, with the exception of Stripe, which applies the standard contractual clauses approved by the European Commission.

6. Cookies and Trackers

Hugete uses the following categories of cookies:

• Strictly necessary cookies (exempt from consent): authentication session, language preference, cookie consent. • Analytical cookies (subject to consent): anonymized audience measurement to improve the Service.

Hugete does not use any advertising or targeting cookies. You can manage your cookie preferences at any time via the consent banner or your browser settings.

7. User Rights

In accordance with the GDPR, you have the following rights:

• Right of access: obtain a copy of your personal data. • Right to rectification: correct inaccurate or incomplete data. • Right to erasure: request the deletion of your data (subject to legal obligations). • Right to data portability: receive your data in a structured, machine-readable format. • Right to object: object to processing based on legitimate interest. • Right to restriction: restrict processing in certain cases. • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.

To exercise your rights, contact us at: dpo@hugete.com

You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): cnil.fr.

8. Data Security

Hugete implements the following security measures:

• Encryption of communications (HTTPS/TLS). • Hashed passwords (bcrypt algorithm). • Server access restricted by SSH key. • Database accessible only via private network (not exposed to the Internet). • File storage (MinIO) on private network. • Encrypted daily backups. • Principle of least privilege for all access.

9. Hosting

All data is hosted in Hetzner data centers located in Germany (European Union). The servers are organized as follows:

• Application server: Next.js, workers, Redis. • Database server: PostgreSQL (private network). • Storage server: MinIO for media files (private network).

No data is stored outside the European Union.

10. Minors

The Service is restricted to individuals of legal age (18 years or older). Hugete does not knowingly collect personal data from minors. If a parent or legal guardian discovers that a minor has registered without authorization, they may request the deletion of the account at dpo@hugete.com.

11. Policy Amendments

This policy may be amended at any time. In the event of substantial changes, users will be notified by email at least 30 days before the changes take effect. The date of the last update is indicated at the top of this page.

12. Contact

For any questions regarding the protection of your personal data:

Data Protection Officer: Philippe Jondet Email: dpo@hugete.com Address: 6 Impasse des Cyclamens, 74150 Sales, France