Data Privacy & Protection

Privacy Policy

How Haybi collects, uses, shares, and protects your personal information — in plain language.

Last Updated: March 5, 2026
Version: 3.0

Electronic Record Notice

This policy is an electronic record under the Information Technology Act, 2000 and DPDPA 2023. It does not require a physical or digital signature. By using Haybi, you agree to these terms.

Introduction

AyalonPlus Technologies Private Limited ("AyalonPlus", "we", "our", or "us") operates the Haybi loyalty rewards platform, available as a mobile application and through our website at ayalonplus.com (collectively, the "Platform" or "Service").

We respect your privacy and recognize the fundamental importance of protecting your personal information. This Privacy Policy describes how we collect, receive, store, use, share, and otherwise process personal information — including sensitive personal data — when you access or use the Haybi Platform.

This policy is governed by the Information Technology Act, 2000, SPDI Rules 2011, IT Intermediary Guidelines 2021, and the Digital Personal Data Protection Act, 2023 (DPDPA).

By visiting, registering on, or using our Platform, you expressly agree to the terms of this Privacy Policy and our Terms of Service. If you do not agree, please do not access or use the Platform.

Application of This Policy

This policy applies to all parties who interact with the Haybi platform:

  1. All users who download, install, register on, or otherwise access the Haybi mobile application, m-site, or website
  2. Partner Merchants and their representatives who interact with our platform
  3. Administrators who access the Haybi Admin Panel
  4. Third-party vendors, service providers, contractors, and partners who act on behalf of AyalonPlus
  5. All employees and officials of AyalonPlus with access to personal data

This policy covers all Haybi features: loyalty points, geofenced check-ins, OTP auth, spin wheel, mini-games, expense tracker, leaderboards, Shorts, Stories, social features, AI chat, and reward redemption.

This policy does not apply to third-party websites or services linked from our Platform. We encourage you to review their privacy policies separately.

Objectives of This Policy

AyalonPlus collects and processes certain personal information to deliver, improve, and secure the Haybi Service. This policy is designed to:

  1. Inform you clearly about categories of personal information collected, means of collection, purposes of processing, and parties with whom information may be shared
  2. Describe the rights available to you as a data principal and mechanisms for exercising them
  3. Ensure compliance with applicable Indian data protection laws and globally recognized best practices
  4. Establish accountability and transparency in our data governance practices
  5. Protect the rights and interests of users, employees, merchants, and third parties whose data we process

Information We Collect

D.1 — Information You Provide Directly

a) Account & Identity

  • Full name and display name
  • Mobile phone number (primary identifier for OTP verification)
  • Email address (optional, for communications and account recovery)
  • Profile photograph (optional)
  • Date of birth (for age verification)
  • Gender (optional)

b) Payment & Reward Redemption

  • UPI ID or bank account details (account number, IFSC code)
  • Beneficiary name as registered with bank
  • Transaction reference numbers
We do not store full bank account numbers beyond what is necessary for processing. Payments go through PCI-DSS compliant third-party gateways.

c) OTP Verification

OTPs are time-limited, not stored after validation, and never shared externally.

d) User-Generated Content

  • Short video uploads ("Shorts"): video files, captions, hashtags, merchant tags
  • Comments, replies, and reactions on Shorts and Merchant Stories
  • Reviews and ratings
  • Profile bio or description text

e) Social & Friends Data

  • Friend requests sent and received
  • Friendship status (active, pending, blocked)
  • Block/unblock actions and optional reason for blocking

f) Support & Communications

  • Messages sent to our customer support team
  • Feedback via in-app surveys
  • Content of complaints or grievance submissions

D.2 — Information Collected Automatically

a) Location Information

Important: Location is collected only when you actively initiate a check-in. We do NOT collect background location data or track your movements continuously.

  • Precise GPS coordinates: At check-in initiation (within 100m geofence radius)
  • Approximate location: For surfacing nearby merchants
  • Check-in history: Merchant location and timestamp per check-in

b) Device Information

  • Device type, brand, model, OS version (Android/iOS)
  • Unique device identifiers (IMEI, Android ID, IDFA/IDFV)
  • Mobile network operator and connection type
  • IP address and app version

c) Usage & Behavioral Data

  • Features accessed and actions taken
  • Game sessions, scores, and outcomes
  • Points earned, redeemed, and current balance
  • Daily challenge participation and streak data
  • Videos watched, liked, commented on, shared, bookmarked, or reported
  • Time spent on individual features and screens

d) Technical & Error Data

  • App crash logs and error reports
  • Session identifiers and timestamps
  • API response times and failure events

D.3 — Information from Third Parties

  • SMS OTP gateways: Message delivery status only
  • Payment processors: Transaction confirmation and status
  • Analytics providers: Aggregated and anonymized behavioral analytics
  • Partner merchants: Confirmation of merchant-side redemption events

Summary Table

Category | Examples | Collected When
Identity | Name, phone, email | Registration
Payment | UPI ID, bank account | Redemption
Location (precise) | GPS coordinates | Check-in initiated
Location (approx.) | City/area | App open (nearby feed)
Device | Model, OS, identifiers | App install & use
Usage | Games played, points, videos | Ongoing use
Content | Shorts, comments, captions | User uploads
Social | Friends list, blocks | Social features
Technical | Crash logs, errors | Automatic

Information We Do Not Collect

AyalonPlus is committed to data minimization. Here is what we explicitly do not collect:

  • Background location data or continuous movement tracking
  • OTP codes stored after validation
  • Full payment card numbers (credit/debit card data)
  • Your mobile contacts, address book, or SMS inbox (without explicit permission)
  • Personally identifiable information sold to third-party advertisers
  • Personal data from children under 13 without verifiable parental consent
  • Biometric data (fingerprints, facial recognition) of any kind
  • Historical, continuous location traces or movement patterns

How We Use Your Information

F.1 — Service Delivery

  • Creating, authenticating, and managing your Haybi account
  • Verifying identity through OTP-based mobile authentication
  • Validating geofenced check-ins at partner merchants
  • Crediting, tracking, and displaying your points balance
  • Operating game sessions (Scratch Card, Trivia, Memory Match, Spin Wheel)
  • Processing reward redemptions and coordinating with payment processors
  • Displaying personalized feeds (Shorts For-You, Merchant Stories)
  • Enabling social features: friend requests, acceptances, and blocking

F.2 — Fraud Prevention & Security

  • Detecting, investigating, and preventing fraudulent check-ins or points manipulation
  • AI-assisted fraud detection on anomalous check-in patterns
  • Monitoring for account takeover or unauthorized access attempts
  • Enforcing platform abuse prevention rules

F.3 — Communications & Notifications

  • OTP messages for account verification
  • Push notifications for points, challenges, rewards, and friend activity
  • Marketing communications (only with explicit consent; opt-out anytime)

F.4 — Personalization

  • Curating your Shorts "For You" feed based on viewing behavior
  • Surfacing nearby merchants relevant to your location
  • Recommending challenges and games based on activity patterns
  • Adapting AI chat responses to your account context and loyalty tier

F.5 — Product Improvement & Analytics

  • Analyzing feature usage to prioritize improvements
  • A/B testing of new features
  • Diagnosing technical issues using crash and error logs
  • Generating aggregate, anonymized reports for internal business planning

F.6 — Legal & Compliance

  • Maintaining immutable transaction audit logs as required by financial regulations
  • Responding to valid legal process and government requests
  • Enforcing our Terms of Service

F.7 — AI-Powered Features

  • Providing context-aware AI chat assistance personalized to your loyalty activity
  • Running AI-assisted content moderation checks on uploaded Shorts and comments
  • Supporting fraud detection using AI analysis of check-in patterns

Legal Basis for Processing

AyalonPlus processes personal data on the following lawful grounds, consistent with the SPDI Rules 2011 and DPDPA 2023:

  1. Consent — Where you have expressly agreed to a specific processing purpose (e.g., marketing communications, AI chat, location-based check-ins)
  2. Contractual Necessity — Where processing is necessary to deliver requested services (account management, points tracking, reward redemption)
  3. Legal Obligation — Where processing is required by applicable Indian laws (financial transaction records, lawful authority requests)
  4. Legitimate Interests — For fraud prevention, security monitoring, and product analytics, balanced against your rights
  5. Vital Interests — In exceptional circumstances to protect life, health, or safety
  6. Public Interest — Where required for functions of government or public authority

Sensitive personal data (payment information and precise location) is processed only on the basis of explicit, informed, and specific consent as required under the SPDI Rules.

Sharing and Disclosure of Information

We do not sell your personal information. We share only as described below.

H.1 — Partner Merchants

  • Anonymized confirmation that a check-in event occurred
  • Aggregate check-in statistics for merchant analytics (no individual identification)
  • Your name and contact details only if you explicitly redeem a merchant-specific reward

Merchants do not receive your raw GPS coordinates, device data, or game history.

H.2 — Trusted Service Providers

Service Type | Purpose
Cloud Hosting (AWS, Google Cloud) | Infrastructure and data storage
SMS / OTP Gateway | Account verification messages
Payment Processors | Reward redemption transfers
Analytics Platforms | Aggregate usage analytics
Crash Reporting Tools | App stability monitoring
AI API Providers (DeepSeek) | AI chat and moderation features
Customer Support Platforms | Helpdesk and grievance management
Push Notification Services (Firebase) | App notifications

H.3 — User-to-User Visibility

  • Your display name and profile photo on leaderboards
  • Public Shorts content you upload (visible to all users)
  • Comments you post on Shorts or Stories

You control the privacy of your profile through in-app settings.

H.4 — Legal Requirements & Safety

We may disclose information without prior consent when required by a valid court order, demanded by government/law enforcement, necessary to prevent fraud, or to protect rights, property, or safety of AyalonPlus, users, or the public.

H.5 — Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you in advance and the data will remain subject to equivalent privacy protections.

H.6 — Aggregated & Anonymized Data

We may share de-identified aggregate data with business partners and researchers. This data is not personal information and cannot identify any individual.

Transfer of Information

AyalonPlus is an Indian company and primarily processes your data within India. In cases where we engage cloud infrastructure or AI providers with servers outside India, we ensure:

  • The transfer is necessary for the performance of the service you requested
  • The recipient country or provider offers data protection substantially equivalent to Indian standards
  • Appropriate contractual safeguards (standard contractual clauses or equivalent) are in place
  • Your explicit consent is obtained where required under applicable law

We will not transfer your sensitive personal data outside India except under the conditions above or as mandated by applicable regulatory requirements.

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, and resolve disputes.

Data Category | Retention Period | Basis
Account identity data | Duration + 3 years post-deletion | Legal compliance
Points transaction records | 7 years | Financial regulations
Reward redemption records | 7 years | Financial regulations
Check-in records | 3 years | Fraud prevention
Game session data | 1 year | Operational analytics
Location data (check-in) | 1 year from collection | Minimization principle
Shorts & video content | Until deleted; 30 days soft-delete | User control
Stories (expired) | Up to 7 days post-expiry | Operational
AI chat history | 90 days (or earlier by user) | Service continuity
Crash logs & error data | 90 days | Debugging
Marketing preferences | Until opt-out + 1 year | Compliance audit
Deleted account data | Purged within 30 days* | DPDPA 2023

*Except legally required records, retained in isolated access-controlled environment.

After the applicable retention period, data is either securely deleted or anonymized for aggregate analytical use.

Your Rights as a Data Principal

Right to Access
Request a structured copy of your personal data. Profile → Settings → Privacy → Export My Data. Response within 30 days.

Right to Correction
Update profile information directly in the app. For other corrections, contact privacy@ayalonplus.com with supporting documentation.

Right to Erasure
Delete your account via Profile → Settings → Account → Delete Account. Data purged within 30 days. Some records retained for legal compliance.

Right to Withdraw Consent
Withdraw consent anytime through in-app settings or privacy@ayalonplus.com. Processed within 7 business days.

Right to Restrict
Request limitation of data processing in certain circumstances, such as while a correction is under review.

Right to Portability
Request your data in machine-readable format (JSON or CSV) for portability to another service where technically feasible.

Right to Grievance
Raise a complaint with our Grievance Officer. If unresolved, escalate to the appropriate authority under Indian data protection law.

Right to Nominate
In the event of death or incapacity, you may nominate a person to exercise your data rights on your behalf as permitted by applicable law.

Consent Management

L.1 — How We Obtain Consent

  • Registration flow (explicit tick-box acceptance of this policy and Terms of Service)
  • In-app permission dialogs before accessing device capabilities (camera, location, notifications)
  • Feature-specific consent dialogs (AI chat, background data sync)

Consent is recorded with a timestamp and the version of the policy in effect at the time.

L.2 — Granular Consent Options

Manage consent via Profile → Settings → Privacy:

  • Location access (precise GPS)
  • Push notification categories (points alerts, marketing, friend requests, game reminders)
  • AI chat feature activation
  • Data sharing for personalization
  • Marketing communications by email and SMS

L.3 — Withdrawing Consent

Withdraw via in-app settings or by contacting privacy@ayalonplus.com. We process your request within 7 business days.

L.4 — Consequences of Withdrawal

We will inform you which features will become unavailable before you withdraw consent. We will not penalize you beyond the necessary functional limitations.

L.5 — Marketing Opt-Out

  • Toggle off Promotional Notifications in app settings
  • Click "Unsubscribe" in any marketing email
  • SMS STOP to our registered sender ID

You will continue to receive transactional messages (OTPs, redemption confirmations, security alerts) even after opting out of marketing.

Data Security

M.1 — Technical Safeguards

  • Encryption in transit: TLS 1.2+ (HTTPS/SSL) for all data transmission
  • Encryption at rest: AES-256 for sensitive database fields
  • Password security: All admin passwords hashed with bcrypt; user accounts use OTP (no stored passwords)
  • Token security: JWT tokens include type-checking to prevent confusion attacks; refresh tokens stored hashed
  • API security: Rate limiting, input validation, and parameterized queries against injection attacks
  • File upload security: Validation for type, size, and malicious content before processing

M.2 — Organizational Safeguards

  • Strict role-based access controls (RBAC): SUPER_ADMIN, MANAGER, and SUPPORT roles
  • All staff with access to personal data bound by confidentiality obligations
  • Regular security awareness training
  • Immutable Admin Audit Log for all administrative actions
  • Vendor agreements require equivalent security standards

M.3 — Infrastructure Safeguards

  • Hosting on SOC 2 Type II compliant cloud providers
  • Regular vulnerability assessments and penetration testing
  • Automated backups with tested restoration procedures
  • Incident response plan with defined escalation procedures

M.4 — Data Breach Response

  1. Contain the breach and notify our security incident response team immediately
  2. Notify affected users within 72 hours of becoming aware, where required by law
  3. Report to competent authorities with: nature of breach, categories and volume of data, likely consequences, and remediation measures
  4. Maintain a record of all breaches and response actions

No method of data transmission over the internet is 100% secure. While we implement commercially reasonable measures, we cannot guarantee absolute security. You are responsible for maintaining the security of your device.

Children's Privacy

The Haybi Service is intended for users aged 13 years and above. Users aged 13 to 18 may use the Service only with verifiable parental or guardian consent.

We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will take immediate steps to delete such data.

If you are a parent or guardian and believe your child under 13 has created a Haybi account, please contact us immediately at privacy@ayalonplus.com. We will verify and, where confirmed, delete the information.

We use the date of birth provided at registration to verify age eligibility and process data of minor users (13–18) in a manner that prioritizes their best interests.

Cookies, Tracking & Device Technologies

O.1 — Mobile Application

Technology | Purpose
Device identifiers | Fraud prevention, device recognition
Firebase Analytics SDK | App usage analytics (anonymized)
Firebase Cloud Messaging | Delivery of push notifications
Crashlytics | App stability monitoring and bug diagnosis
Local device storage | Caching user preferences and offline data

We do not use mobile advertising identifiers (IDFA/GAID) for cross-app advertising tracking without your explicit consent.

O.2 — Website (ayalonplus.com)

Cookie Type | Purpose | Consent Required
Essential / Strictly Necessary | Login sessions, CSRF protection, security | No (required for functionality)
Analytics | Page view measurement, traffic analysis | Yes
Preference | Language and display settings | Yes
Marketing | Targeted promotions (if applicable) | Yes (explicit opt-in)

AI-Powered Features

Haybi includes AI-powered features to enhance your experience. Your data may be processed by our AI systems as follows:

AI Chat Assistant
Context-aware responses about your loyalty activity. Powered by DeepSeek API. Rate limited to 10 messages/min and 100/day. Chat history retained 90 days.

AI Fraud Detection
Analyzes check-in patterns and account behavior for potential abuse. No fully automated decisions — human review required for account suspension.

AI Content Moderation
Reviews Shorts and comments for Community Guidelines compliance. Flags content for human review — no permanent action from automation alone.

AI Feature Flags
All AI features can be individually enabled or disabled via Profile → Settings → Privacy → AI Features. Disabling AI does not affect core loyalty features.

Messages sent to the AI chat are transmitted securely to DeepSeek and are not used to train third-party models under our current agreements.

Transparency & Accountability

Q.1 — Privacy by Design

  • Data minimization: we collect only the minimum data necessary for each function
  • Privacy settings default to the most protective configuration
  • Privacy impact assessments conducted before launching features with new data categories
  • Data processing pipelines documented and reviewed by our privacy team

Q.2 — Transparency Reports

We are committed to publishing information about: categories of personal data collected, processing purposes and legal bases, government data requests (where legally permissible), and security incidents affecting users.

Q.3 — Security Audits

We commission independent security audits at least annually. Audit findings are reviewed by senior management and remediation tracked to closure.

Q.4 — Data Protection Impact Assessments (DPIA)

Before introducing processing activities that may create material privacy risks, we conduct a DPIA and document our findings and mitigation measures.

Q.5 — Record Keeping

We maintain accurate records of: key data processing activities, consent records (user ID, timestamp, policy version), security incidents and responses, data subject rights requests, and third-party vendor agreements.

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or new features. When we make changes:

  • The "Last Updated" date at the top will be revised
  • The version number will be incremented

For material changes (new categories of data collected, new processing purposes, or changes to your rights), we will notify you via:

  • In-app notification at least 15 days before the change takes effect
  • Email to your registered address (if provided)
  • A prominent notice on our website

Your continued use of the Platform after the effective date of a revised policy constitutes acceptance of the updated terms. All prior versions are archived and available upon request at privacy@ayalonplus.com.

Grievance Officer / Nodal Officer

In accordance with the Information Technology Act, 2000, SPDI Rules 2011, and DPDPA 2023, AyalonPlus has designated a Grievance Officer to address privacy-related concerns:

Grievance Officer — AyalonPlus Technologies Private Limited

Email: privacy@ayalonplus.com (Subject: "Privacy Grievance – [Brief Description]")
Response Time: Acknowledgement within 48 hours; resolution within 30 days

Escalation Process

  1. Submit your grievance to the Grievance Officer with a detailed written description of your concern
  2. If not acknowledged within 48 hours or resolved within 30 days, escalate to senior management at support@ayalonplus.com with subject "Escalation – Unresolved Privacy Complaint"
  3. If still dissatisfied, approach the appropriate authority under applicable Indian data protection law

Employee Grievances: Employees with privacy-related complaints should raise the matter with their HR representative first. If unresolved, escalate to the Grievance Officer.

Contact Us

For any questions, requests, or concerns about this Privacy Policy or our data practices:

AyalonPlus Technologies Private Limited — Data Protection Office

Privacy Inquiries: privacy@ayalonplus.com
General Support: support@ayalonplus.com
Website: ayalonplus.com

For urgent security concerns (suspected account compromise, data breach), email support@ayalonplus.com with the subject line "URGENT – Security Concern."

We are committed to responding to all privacy-related inquiries within 30 days.