Privacy Policy

Last updated: June 4, 2026

WILLWAY INTERNATIONAL LIMITED operates the HaoAI website, console, APIs, payments, support, and related services. This Privacy Policy explains how we collect, use, retain, share, and protect personal information, API usage data, and related logs, and how you may exercise your rights. Please read this Policy carefully before registering, topping up, creating API keys, calling APIs, or using the console. By accessing or continuing to use the services, you understand that we process service-related information as described here. Feature-specific data notices, where provided, apply together with this Policy.

1. Scope

1.1 This Privacy Policy applies when you access or use the HaoAI website, console, APIs, documentation, payments, support, and related services.

1.2 HaoAI official service entry points include hao.ai, hao.ai/docs, api.hao.ai, and other official entry points displayed in the console. Independent data processing by non-HaoAI official entry points, third-party websites, or third-party integrations is not directly controlled by this Policy.

1.3 This Policy does not apply to independent privacy practices of third-party websites, upstream model providers, payment processors, or other third-party services. Your use of those services may also be governed by their own privacy policies and terms.

1.4 If you use HaoAI through a team, organization, invitation link, referral link, or third-party integration, the relevant team administrator, inviter, referrer, or integration provider may see necessary account, invitation, attribution, usage, or status information according to the feature settings.

1.5 In this Policy, personal information means information that identifies or can reasonably be linked to an individual. Information that cannot identify a particular person or has been anonymized is generally not personal information.

2. Information We Collect

2.1 Account information: email address, username, display name, avatar, login status, language, theme preference, security settings, and account status.

2.2 Google sign-in information: if you sign in with Google, we process basic account information returned by Google, such as Google account identifier, email address, email-verification status, name, and avatar, to create or sign in to your HaoAI account, bind the sign-in method, and protect account security. HaoAI does not use Google sign-in to read Gmail, Google Drive, Google Calendar, or other unauthorized data.

2.3 Authentication and security information: session identifiers, login times, IP address, device and browser information, risk signals, email-code records, two-step verification status, session-management records, and security logs.

2.4 Payment and wallet information: top-up orders, payment status, transaction identifiers, Credits balance, rewards, promotional credits, redemption records, and billing details. Full payment credentials are generally handled by payment processors.

2.5 Payment and wallet information may also include refunds, chargebacks, and payment-dispute records. Full card numbers, payment-account credentials, or payment instruments are generally handled by payment processors, and HaoAI receives only information needed to provide the services and reconcile payments.

2.6 Referral, invitation, and promotion information: referral codes, invitation links, team invitations, attribution relationships, reward status, commission or promotional credit records, campaign participation, and related risk-control records.

2.7 API usage data: API key identifiers, request times, model names, protocol types, token usage, charges, status codes, error information, latency, throughput, cache hits, and balance changes.

2.8 API content: prompts, context, attachments, parameters, and model outputs submitted through APIs or chat features. We process this content only as needed to provide the service, troubleshoot, audit security, verify billing, or comply with legal requirements.

2.9 Console activity information: page visits, filter choices, model preferences, notification settings, team-management actions, budget changes, API key actions, order actions, and other feature-use records.

2.10 Enterprise, team, and organization information: organization name, member attribution, administrator contact details, budget and permission configurations, member removal or role-change records, team invitations, team balance, team orders, and support or dispute records related to organizational use.

2.11 Communications: support requests, feedback, attachments, replies, and related records submitted through email, support tools, forms, or other channels.

2.12 Team and permission information: team names, member emails, roles, invitation status, budget settings, member actions, API key creators, and usage attribution within team scopes.

2.13 Device and network information: access times, referrers, browser language, screen size, operating system, network type, page errors, performance metrics, and necessary security fingerprints.

2.14 Compliance and risk information: use-case descriptions, unusual-call signals, abuse reports, payment disputes, refund or chargeback records, sanctions or export-control screening results, and other risk information needed to protect the platform and users.

2.15 Information from third parties: where permitted by law and needed for the services, we may receive order status, authentication results, risk signals, error information, and delivery status from payment processors, authentication services, anti-abuse services, security services, upstream providers, or integrations you authorize.

3. How We Use Information

3.1 We process information to provide and maintain the services, perform contracts, handle payments, calculate usage, display request logs, protect security, respond to requests, comply with legal obligations, and improve the services.

3.2 Specific uses include creating and maintaining accounts, authenticating logins, creating and managing API keys, routing API requests, calculating charges, displaying balance, orders, transactions, and analytics, handling payment and refund disputes, troubleshooting errors, preventing fraud and abuse, sending service notices, and improving performance and user experience.

3.3 We also use necessary information to operate team collaboration, member permissions, budget controls, invitation sign-ups, referral rewards, campaign benefits, notification preferences, customer support, dispute handling, compliance review, and enforcement of the Terms of Service.

3.4 Where applicable law requires us to identify a legal basis, our bases may include performing our contract with you, complying with legal obligations, protecting legitimate interests of users and the platform, handling disputes, preventing fraud and abuse, or obtaining your consent in specific situations.

3.5 Account information obtained through Google sign-in is used only for account authentication, account creation, sign-in binding, security protection, customer support, and compliance purposes. We do not sell this information, and we do not use it for advertising targeting or purposes unrelated to providing HaoAI services.

3.6 For platform risk controls, we may use account, device, usage, payment, and security signals to restrict sign-in, suspend some features, require re-verification, or conduct manual review to protect users, upstream providers, and the platform.

3.7 Where consent is required, we will request it under applicable law. You may withdraw consent where permitted, but withdrawal does not affect earlier lawful processing and may affect continued use of some features.

3.8 We may also use de-identified, aggregated, or statistical data to analyze service quality, model availability, latency, error rates, cost trends, product usage, and security risks. This data is not used to identify a particular person.

3.9 We do not sell your personal information, and we do not use API content for purposes unrelated to providing the services unless we have necessary authorization or another lawful basis.

4. API Content and Upstream Providers

4.1 HaoAI is a unified API gateway. To complete your requests, we may send necessary API content, parameters, and request metadata to the upstream model provider and infrastructure services you call or configure.

4.2 Different upstream providers may have their own data processing, retention, security, and compliance practices. You should evaluate whether a provider or model is appropriate for the data you submit.

4.3 Unless otherwise stated, authorized by you, or required by law, we do not use your API content to train our own models. You should avoid submitting unnecessary sensitive personal information, trade secrets, restricted data, or data you are not authorized to process.

4.4 If you use the services on behalf of a team or organization, team owners, administrators, or authorized members may see team-scoped API keys, usage, charges, request status, error information, and attribution information. Allocate permissions carefully before submitting or assigning data in a team context.

4.5 HaoAI may temporarily process, cache, queue, retry, route, or transform request content, metadata, or outputs to complete model calls, maintain availability, reduce latency, troubleshoot issues, or verify billing.

4.6 To support billing review, troubleshooting, and security auditing, we may retain necessary request metadata, such as time, model, API key identifier, status, latency, tokens, charge, error code, and routing result. We seek to minimize retention of API content itself.

4.7 If you submit personal information, sensitive information, children's information, health information, financial information, identity information, trade secrets, export-controlled technical materials, or other restricted data to the services, you must ensure that you have a lawful basis and necessary authorization. We may restrict, delete, or refuse to process related data based on security, compliance, upstream requirements, or the Terms of Service.

5. Cookies and Similar Technologies

5.1 We use necessary cookies and similar technologies to maintain login state, security settings, language, theme, and basic feature preferences. Some services may not function without them.

5.2 We may also use analytics or performance technologies to understand page visits, errors, feature usage, and device environment so we can improve service stability and experience. You may limit or delete cookies in your browser, but doing so may affect login and console functionality.

5.3 Where browsers provide Do Not Track or similar signals, we respect those preferences where technically feasible and required by applicable law. Necessary cookies are not used for targeted advertising.

6. Sharing and Disclosure

6.1 We do not sell your personal information. We share information only where needed to provide services and operate the platform.

6.2 We may share necessary information with upstream model providers, cloud infrastructure providers, payment processors, email services, security and anti-abuse services, logging and analytics services, customer-support tools, and professional advisors.

6.3 For team, organization, referral, invitation, and promotion features, we may disclose necessary status, attribution, role, usage, reward, and account information to the relevant team owner, administrator, inviter, referrer, or eligible participant according to the product configuration.

6.4 We may also disclose necessary information for legal, regulatory, court, law-enforcement, dispute-resolution, user-safety, platform-safety, Terms-enforcement, corporate-transaction, or user-authorized reasons.

6.5 When we receive requests from government, regulatory, court, law-enforcement, payment-dispute, upstream-provider, or rights-holder channels, we assess legality, scope, and necessity where permitted by applicable law and disclose only reasonably necessary information.

6.6 Third-party service providers, upstream model providers, payment processors, email services, security services, logging services, and customer-support tools we use may process necessary information as subprocessors or in similar roles. We select, review, and bind providers according to service needs and applicable law, but we do not guarantee that all subprocessors, data centers, or upstream nodes will remain fixed.

6.7 We require service providers that process personal information to use it only for authorized purposes, within necessary scope and reasonable retention periods, and to apply confidentiality, security, and access-control measures.

6.8 If we are involved in a merger, split, acquisition, asset transfer, reorganization, or similar transaction, relevant information may be transferred as part of that transaction. We will require the receiving party to continue protecting information to a standard no less protective than this Policy.

7. Retention

7.1 We retain information only for as long as necessary for the purposes described in this Policy, unless legal, tax, accounting, audit, security, dispute-resolution, or compliance obligations require longer retention.

7.2 Account information is generally retained while the account exists. Orders, invoices, Credits changes, and payment records are retained as needed for financial and compliance purposes. API usage metadata is retained as needed for billing, risk controls, troubleshooting, statistics, and auditing.

7.3 Referral, promotion, team, and payment-dispute records may be retained as needed to calculate rewards, prevent abuse, process accounting records, handle chargebacks, investigate disputes, and meet compliance obligations.

7.4 Retention of API content depends on feature configuration, operational needs, troubleshooting, and security requirements. We seek to minimize API-content retention and restrict access through access controls.

7.5 When retention periods expire, processing purposes no longer exist, or you lawfully request deletion and we no longer need to retain the information, we will delete, anonymize, or otherwise handle it reasonably. Backup-system deletion may be delayed during secure rotation cycles.

7.6 After account closure, team dissolution, member removal, or API key deletion, some order records, billing records, request metadata, security logs, risk-control records, referral records, and dispute records may still be retained for a necessary period for financial, audit, security, anti-fraud, dispute-resolution, legal-compliance, and user-protection purposes.

8. Security

8.1 We use reasonable technical and organizational measures to protect information, including encryption in transit, access controls, permission separation, audit logs, security monitoring, key management, backups, and anomaly detection.

8.2 Security controls may include email verification codes, Google sign-in verification, two-step verification, session monitoring, rate limits, abuse detection, permission checks, and API key management features.

8.3 No internet transmission or electronic storage method is completely secure. If a security incident may affect your rights, we will take remedial steps and provide notices required by applicable law.

8.4 You should configure strong passwords, two-step verification, least-privilege roles, budget limits, API key rotation, offboarding, log monitoring, and anomaly alerts based on your own business risk. Risks caused by failing to apply reasonable security controls, sharing credentials, exposing keys, or improper authorization may be your or the relevant team's responsibility.

8.5 You should also protect your account credentials and API keys, and avoid exposing keys in clients, public repositories, logs, screenshots, or untrusted environments.

8.6 Our personnel, partners, and service providers may access information only where needed for their responsibilities. We use permissions, audit controls, and internal procedures to reduce access risk.

9. Your Rights

9.1 Depending on applicable law, you may have rights to access, correct, delete, restrict, object to processing, obtain a copy, transfer personal information, withdraw consent, or lodge a complaint.

9.2 You can manage some account information, API keys, notification preferences, team settings, security settings, sessions, and account bindings in the console. For requests that cannot be completed directly, contact us.

9.3 You may request account closure or deletion where permitted by law. We may retain records that are required for billing, tax, audit, security, fraud prevention, dispute handling, legal compliance, or protection of other users and the platform.

9.4 To protect account security, we may need to verify your identity. We will respond within the timeframe required by applicable law.

9.5 In some cases, we may not be able to fully satisfy a request, for example where records must be retained for financial, audit, dispute-resolution, security, or legal obligations, or where the request affects others' rights, platform safety, or normal service operation.

9.6 If your request involves a team, organization, referral attribution, payment dispute, API call record, or third-party processing, we may need to verify the matter with relevant team administrators, payment processors, upstream providers, or other necessary parties while avoiding unnecessary disclosure.

10. Cross-Border and Third-Party Processing

10.1 Because HaoAI uses infrastructure, upstream models, payment, email, security, and support services in multiple locations, your information may be processed, accessed, or transferred across different countries or regions.

10.2 Where cross-border or third-party processing occurs, we apply reasonable safeguards under applicable law, such as contractual commitments, access controls, encryption, data minimization, and vendor review.

10.3 By using the services, you understand that completing cross-location model calls, payments, email notices, security checks, and support may require processing necessary information in different locations.

10.4 Unless we enter into an express data-localization, dedicated-region, dedicated-upstream, or enterprise data-processing agreement with you, HaoAI does not promise that all information will be processed only in one country, region, data center, or specific upstream provider.

10.5 If your business is subject to industry-specific, government-procurement, export-control, data-localization, transfer-assessment, or customer-contract restrictions, you should complete your own compliance assessment before submitting data to HaoAI and submit only data you are authorized to transfer or entrust for processing.

10.6 Cross-border processing may involve data-protection laws in different regions. We use reasonable contractual, technical, and organizational safeguards, but those safeguards do not mean HaoAI completes all compliance obligations under your industry, region, or customer contracts on your behalf.

11. Minors

11.1 The services are not directed to individuals under 18. We do not knowingly collect personal information from individuals under 18.

11.2 Minors may not independently register, top up, create API keys, call APIs, or use the console. If a school, institution, parent, or other organization wants to use HaoAI in a legally authorized setting, an authorized adult or organization administrator must be responsible for the account, authorization, notices, and data-processing compliance.

11.3 If we discover that an account was created or used by a minor, or receive a valid notice from a guardian, school, organization, or competent party, we will take reasonable steps after verification, which may include restricting the account, closing the account, deleting or anonymizing related personal information, or retaining necessary records where required for law, disputes, security, or audit.

11.4 If you believe a minor has provided personal information to us, contact us through the channels listed in this Policy and provide information sufficient to help us locate the account or record. To protect account and individual safety, we may need to verify the requester's identity and authority.

12. Updates

12.1 We may update this Privacy Policy to reflect service, technical, legal, or business changes. Material changes may be announced through the website, console, email, or other reasonable means.

12.2 If a change materially affects how we process personal information, we will take reasonable steps to provide notice before or when the change becomes effective where required by applicable law.

12.3 The "Last updated" date at the top shows the most recent revision. Continued use after changes take effect means you accept the updated Privacy Policy.

13. Disputes and Complaints

13.1 If you believe our processing of personal information creates an issue, please contact us first through the channels listed in this Policy. We will review and respond after verification.

13.2 This Policy does not limit any right you may have under applicable law to lodge a complaint, report an issue, or seek relief from a competent authority.

14. Other Terms

14.1 Headings in this Policy are for convenience only and do not affect interpretation. If any part of this Policy is found invalid, the remaining parts continue to apply.

14.2 This Policy and the Terms of Service together govern data processing and service use for HaoAI. If they conflict on personal-information processing matters, this Policy controls for those matters.

15. Contact

15.1 If you have questions about this Privacy Policy, personal-information processing, or rights requests, contact us at:

15.2 WILLWAY INTERNATIONAL LIMITED
Email: support@hao.ai
Website: hao.ai