Privacy Policy

HiyaMojo ("we", "us", or "our") operates the HiyaMojo web application (the "Service"). This Privacy Policy explains what personal data we collect, how and why we use it, who we share it with, and the choices and rights you have.

HiyaMojo is operated by an individual sole trader based in Vilnius, Lithuania (European Union). For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, we are the data controller for your personal data. Our contact details are in the "Contact Us" section at the end of this policy.

We serve users worldwide, so this policy is written to meet the GDPR and UK GDPR, the California Consumer Privacy Act as amended by the CPRA (together, "CCPA"), and general good-practice standards. Where a specific law gives you rights, the relevant section below tells you how to use them.

Account information

Information you provide while using the Service

Information we collect automatically

Visitor data (before you have an account)

We use the information we collect to:

• provide, maintain, and operate the Service and your account;
• authenticate you and keep your account secure;
• save and display your tasks, progress, and preferences;
• send you service emails (such as verification and password reset) and, where enabled, reminder and summary emails;
• respond to your enquiries and support requests;
• detect, prevent, and address security issues, fraud, and abuse;
• understand how the Service is used and improve it (with your consent for non-essential analytics); and
• comply with our legal obligations.

We use the third-party tools below to understand usage and measure our marketing. With the exception of essential cookies, these tools load only after you choose "Agree" on our cookie prompt. If you choose "Disagree", they are not loaded (or are switched off). Our consent prompt is currently a single all-or-nothing choice that covers all of the technologies in this section; essential cookies needed to run the Service are always active.

• PostHog (product analytics and session replay): hosted on PostHog's EU Cloud (eu.i.posthog.com). PostHog records product events (for example, creating or logging a task) and can record replays of your session - your clicks, navigation, and interactions - so we can see how features are used and fix problems. Form inputs are masked, so the content you type (such as passwords or task text) is not captured in replays. When you are signed in, we associate analytics with an identifier and may attach your user ID, email, signup date, marketing attribution, founder status, and account age.
• Google Analytics 4 (usage analytics): provided by Google (United States). We use Google Consent Mode so that analytics and advertising storage are only enabled after you consent. GA4 collects page views, feature-usage events, and general device and approximate-location information.
• Reddit Pixel and Conversions API (advertising measurement): provided by Reddit (United States). If you consent, we measure conversions from Reddit advertising. For better matching, we may send Reddit a cryptographically hashed (SHA-256) version of your email address and an account identifier; we do not send your email in plain text.
• Google reCAPTCHA v3 (anti-abuse): provided by Google (United States) and used on our registration, contact, and password-reset forms to tell humans from bots. reCAPTCHA collects your IP address and interaction signals and is subject to Google's privacy policy and terms.

You can withdraw consent at any time by clearing this site's cookies and storage in your browser, which makes the consent prompt appear again so you can change your choice.

We use the following cookies and browser-storage items:

• Session cookie (hiyamojo_session): essential - keeps you logged in and secures your session. Set as Secure and HttpOnly.
• "Remember me" cookie: optional - keeps you logged in for up to 30 days if you choose it.
• Consent and app preferences (local/session storage): your cookie-consent choice (cookieConsent) and small flags that remember in-session state.
• Analytics and advertising cookies: set by Google Analytics, PostHog, and Reddit only after you consent.

Essential cookies cannot be switched off because the Service cannot run without them. All other technologies are controlled by your consent choice. Loading some assets (for example, country-flag images via FlagCDN) may expose your IP address to that content provider, as is normal for any website.

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Performance of a contract: to create your account and provide the Service you ask for.
• Legitimate interests: to keep the Service secure, prevent fraud and abuse, and maintain basic operational logs - balanced against your rights.
• Consent: for all non-essential analytics, session replay, and advertising technologies. You can withdraw consent at any time.
• Legal obligation: where we must process data to comply with the law.

We do not sell your personal data for money. We share data only with the service providers ("processors") that help us run HiyaMojo, each under a data-processing agreement:

• Google Cloud Platform (United States) - hosting, database, and infrastructure.
• SendGrid (Twilio) (United States) - sending our emails.
• PostHog (EU Cloud) - product analytics and session replay (consent).
• Reddit (United States) - advertising measurement (consent).
• Google (United States) - Google Analytics, reCAPTCHA, and Google sign-in.
• Meta / Facebook (United States) - Facebook sign-in, if you use it.
• ip-api.com - country lookup from your IP address at registration, login, and contact.

We may also disclose data where required by law, to enforce our Terms, or to protect the rights, safety, and security of our users, the public, or HiyaMojo.

A note for California residents: we do not "sell" your data for money. However, using advertising and analytics tools such as the Reddit Pixel and Google Analytics may be treated as "sharing" or a "sale" under California law. You can opt out of this by choosing "Disagree" on our cookie prompt, and we honour Global Privacy Control (GPC) signals where applicable.

We are based in the EU, and several of our processors are located in the United States. This means your personal data may be transferred to, and processed in, the United States and other countries. Where we transfer data outside the EU/EEA or the UK, we rely on appropriate safeguards, such as the providers' certification under the EU-US Data Privacy Framework (and the UK extension) and/or the European Commission's Standard Contractual Clauses. We deliberately keep our PostHog analytics on EU servers.

• Account and productivity data: kept for as long as your account is active.
• Activity and visitor logs: retained while needed for security, abuse prevention, debugging, and legal compliance. We are working towards a defined maximum retention window for these logs.
• Contact-form messages: kept as long as needed to handle your request and our records of it.

When you delete your account, we describe exactly what is removed and what is retained in the "Data Deletion" section below.

EU, EEA, and UK users (GDPR / UK GDPR)

California residents (CCPA / CPRA)

How to exercise your rights

You must be at least 13 years old to use the Service, and we do not knowingly collect personal data from children under 13. In the EU, EEA, and UK, the minimum age for consent to online services ranges from 13 to 16 depending on the country; if you are under the digital-consent age in your country, you may use the Service only with the consent of a parent or guardian.

If you believe a child has provided us with personal data without the required consent, please contact us and we will delete it.

We use technical and organisational measures to protect your personal data, including:

• passwords stored only as salted, one-way hashes;
• encryption of all traffic in transit (HTTPS/TLS) and encryption at rest;
• Secure, HttpOnly session cookies;
• CSRF protection, rate limiting, and reCAPTCHA on sensitive endpoints;
• HTTP security headers and database row-level locking;
• least-privilege access controls for our infrastructure.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work hard to protect your data and to respond quickly to any issue.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page, and for material changes we will also make reasonable efforts to notify you by email or in the app. Your continued use of the Service after an update means you accept the revised policy.

You can delete your HiyaMojo account at any time:

• In the app: go to Settings → Profile Settings → Delete Account.
• By email: send a request to support@hiyamojo.com from your registered email address.

What happens when you delete your account:

• Your personal content - tasks, tags, daily logs, medals, Mojo history, and rest records - is deleted.
• Your account is deactivated and your identifying details are removed or de-identified so the account can no longer be used or logged into.
• If you signed in with Google or Facebook, that connection is removed.
• We retain a limited record of the deletion, and certain activity/security logs, where necessary for security, fraud prevention, and legal compliance.
• This action cannot be undone.

In-app deletions take effect immediately; email requests are handled within a few business days. Residual copies may remain in encrypted backups for up to 30 days before they are overwritten.

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact the data controller:

• HiyaMojo (operated by an individual sole trader)
• Address: Šv. Ignoto g. 5-8, Vilnius 01144, Lithuania
• Email: support@hiyamojo.com
• Contact form: www.hiyamojo.com/contact

You also have the right to lodge a complaint with your local data protection authority (for Lithuania, the State Data Protection Inspectorate, vdai.lrv.lt).