California Privacy Notice
Last updated: 31st May 2026
This notice supplements our Privacy Policy and is provided in accordance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA"). It explains how Hostigram, Inc. ("Hostigram", "we") collects, uses, discloses, and otherwise processes personal information of California residents, and describes the rights you have under California law and how to exercise them.
Capitalised terms not defined here have the meaning given to them in the CCPA or in our Privacy Policy.
1. Our position on "selling" and "sharing"
We do not sell personal information, and we do not share personal information for cross-context behavioural advertising, as those terms are defined under the CCPA. We have not done so in the preceding 12 months. We have no plans to do so.
We also do not use or disclose sensitive personal information for purposes that, under the CCPA, would give you a right to limit such use. See section 5 for detail.
Because we do not sell or share, there is no "Do Not Sell or Share" action to take. If you arrived at this page through a "Do Not Sell or Share My Personal Information" link, this notice exists to confirm that position and to inform you of the other rights you do have.
If our practices ever change, we will update this notice and provide a working opt-out mechanism before any sale or sharing begins.
2. Personal information we collect
The table below sets out the CCPA categories of personal information we have collected about California residents in the preceding 12 months, the sources, the purposes, and the categories of third parties to whom we disclose each.
We do not sell or share any of the categories below.
| Category (CCPA §1798.140) | Examples we collect | Sources | Disclosed for business purposes to |
|---|---|---|---|
| A. Identifiers | Name, email address, phone number, postal address (if entered), account identifier, IP address, device identifier, online identifier, OAuth provider identifier (e.g. Google) | Directly from you; from your device; from third-party identity providers when you sign in | Service providers (hosting, database, email, error monitoring, authentication, payments) |
| B. Customer records (Cal. Civ. Code §1798.80(e)) | Name, address, telephone number, payment card information (Stripe handles full card data; we receive limited metadata such as last four digits and brand) | Directly from you; from Stripe | Payment processor; service providers; tax and accounting advisers |
| C. Protected classification characteristics | None | N/A | N/A |
| D. Commercial information | Plan purchased, subscription history, billing records, transaction history | Directly from you; from Stripe | Payment processor; service providers; tax and accounting advisers; successor entity in the event of a corporate transaction |
| E. Biometric information | None | N/A | N/A |
| F. Internet or other network activity | Pages viewed, features used, interactions with the Service, referring URL, time and duration of access, error and performance diagnostics, AI usage records | Automatically from your device and browser | Service providers (analytics, error monitoring, AI infrastructure) |
| G. Geolocation data | Coarse, IP-derived approximate location (city/region level). No precise GPS location is collected. | Automatically from your device | Service providers; security and fraud-prevention providers |
| H. Sensory data | Text content of Knowledge Content uploaded by Hosts, and text messages exchanged with the AI assistant. No audio, video, or photographic recordings of you are collected by us, although Hosts may upload their own photographs to a Service Page. | Directly from you (Host or Guest) | Service providers, including our AI sub-processor for the purposes of generating responses |
| I. Professional or employment-related information | Typically none. Hosts may optionally enter a company name or role. | Directly from you | Service providers |
| J. Non-public education information | None | N/A | N/A |
| K. Inferences drawn from the above | Inferred preferences (e.g. likely locale, basic engagement patterns) used to operate and improve the Service | Derived internally from the categories above | Service providers |
| Sensitive personal information (CCPA §1798.140(ae)) | Account log-in credentials (username/email plus password hash), in combination, when you sign in. We do not collect government identifiers, financial-account credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric identifiers, health data, or information about sex life or sexual orientation. | Directly from you | Authentication service provider |
We use account credentials only for the purpose of authenticating you. We do not infer characteristics about you from this category. We do not use or disclose sensitive personal information for any purpose other than those specified in CCPA Regulation §7027(m), and we therefore do not engage the right to limit the use of sensitive personal information.
If a Host uploads Knowledge Content or a Guest sends chat messages that incidentally include information that would otherwise be sensitive personal information, we do not use it to draw inferences about the individual and we do not retain it for purposes beyond providing the Service.
3. Why we collect personal information
We collect, use, and disclose personal information for the following business and commercial purposes, all of which are permitted purposes under CCPA Regulation §7027:
- to perform the services you have asked us to provide, including operating Hostigram accounts, running Service Pages, generating AI responses, and processing payments;
- to maintain the security and integrity of the Service, prevent fraud and abuse, and investigate incidents;
- to debug, identify, and repair errors;
- to provide customer support;
- to communicate with you about your account, including transactional notifications, security alerts, and (where you have consented) product updates;
- to comply with legal obligations, respond to lawful requests from authorities, and exercise or defend legal claims;
- to perform internal analytics in order to understand and improve the Service;
- to enforce our Terms of Service and acceptable-use policies;
- in connection with a merger, acquisition, financing, or sale of all or part of our business, on terms that preserve the protections described in our Privacy Policy.
We do not use personal information for purposes that are materially different from, or incompatible with, the purposes for which it was collected without providing you a further notice.
4. How long we keep personal information
We retain personal information only for as long as we need it for the purposes described in section 3, after which we delete or anonymise it. Specific retention periods, broken down by data type, are listed in section 8 of our Privacy Policy.
In summary:
- Account data is kept for the life of your account, plus a brief operational wind-down period.
- Chat content is kept for 13 months by default and can be configured down to 30 days by the Host who controls the Service Page.
- Billing records are kept for at least seven years where required by US tax and accounting law.
- Backups are retained for up to 30 days on a rolling basis.
5. Sensitive personal information
As noted above, the only category of sensitive personal information we collect is your account credentials, used to log you in. We do not:
- use sensitive personal information to infer characteristics about you;
- disclose sensitive personal information to third parties for purposes other than authenticating you and providing the Service;
- sell or share sensitive personal information.
For this reason, the CCPA right to limit the use and disclosure of sensitive personal information is not engaged in practice. If you nevertheless wish to make a request relating to sensitive personal information, contact us using the methods in section 7 and we will respond.
6. Your California rights
If you are a California resident, you have the following rights under the CCPA, regardless of whether you have an account with us:
6.1 Right to know
You may request that we disclose to you, free of charge, twice in any 12-month period:
- the categories and specific pieces of personal information we have collected about you;
- the categories of sources from which we collected it;
- the business or commercial purposes for collecting, selling, or sharing it (we sell and share none);
- the categories of third parties to whom we disclosed it.
6.2 Right to delete
You may request that we delete personal information we have collected from you, subject to the exceptions in CCPA §1798.105(d) (such as completing the transaction for which it was collected, complying with legal obligations, ensuring security, exercising free speech, or for internal uses reasonably aligned with the consumer's expectations).
6.3 Right to correct
You may request that we correct inaccurate personal information we hold about you.
6.4 Right to opt out of sale or sharing
This right is engaged only where a business sells or shares personal information for cross-context behavioural advertising. We do not, so there is nothing to opt out of. If our practices change, we will provide a working opt-out mechanism before any sale or sharing begins.
6.5 Right to limit the use of sensitive personal information
This right is engaged only where a business uses sensitive personal information for purposes beyond those specified in CCPA Regulation §7027(m). We do not, so this right is not engaged in practice.
6.6 Right to non-discrimination
We will not discriminate against you for exercising any of your rights. We will not deny you the Service, charge you different prices, provide a different level or quality of Service, or suggest that we might do any of those things in retaliation for a rights request.
6.7 Right to data portability
Where you request access to specific pieces of personal information you have provided to us, we will provide it in a portable and, to the extent technically feasible, readily usable format that allows you to transmit it to another entity without hindrance.
7. How to submit a request
You can submit a rights request in either of two ways:
- By email: [email protected], with "California Rights Request" in the subject line. Describe the request and confirm that you are a California resident.
- Through your account settings: if you are a Host, the data export and account deletion tools in your account settings provide self-serve mechanisms for the rights to know, delete, and portability. Using these tools is the fastest way to obtain your data.
For Guests who do not have accounts, the Host who configured the Service Page you used is the controller of your chat data. You may contact us at the email above and we will route the request appropriately, including, where we are able to identify the relevant Host, forwarding the request to that Host.
We will acknowledge your request within 10 business days of receipt, and respond substantively within 45 calendar days, with a single 45-day extension if reasonably necessary. We will inform you in writing if we need an extension and the reason for it.
We do not charge a fee for responding to a rights request unless your request is manifestly unfounded, excessive, or repetitive. If we believe a fee is justified, we will tell you and explain why before charging it.
8. Authorised agents
You may use an authorised agent to submit a rights request on your behalf. To submit a request through an agent, the agent must provide:
- written permission, signed by you, authorising the agent to act on your behalf, and
- proof of the agent's identity, and
- enough information for us to verify your identity (see section 9), or in the alternative, a power of attorney granted under the California Probate Code §§4000 to 4465.
We may deny a request from an agent that does not submit proof of authorisation.
9. Verifying your identity
To protect your privacy and the security of your information, we need to verify your identity before responding to most requests. The level of verification we require depends on the sensitivity of the data and the type of request:
- For a request to know specific pieces of personal information, we apply a "reasonably high degree of certainty" standard. We will typically ask you to confirm at least three pieces of personal information matching what we hold and to send the request from the email address associated with the account, plus a signed declaration under penalty of perjury that you are the consumer whose information is the subject of the request.
- For other requests, we apply a "reasonable degree of certainty" standard, typically matching two pieces of personal information.
- For non-account holders, we may need to ask additional questions because we do not hold an existing identity record for you.
If we are unable to verify your identity, we will tell you and explain why. We will use the personal information you provide for verification only for that purpose.
10. Minors
We do not knowingly sell or share the personal information of California residents under the age of 16. As described above, we do not sell or share personal information of any consumer.
The Service is not directed at children under 13, and we do not knowingly collect personal information from children under 13 within the meaning of the Children's Online Privacy Protection Act ("COPPA"). If you believe a child under 13 has provided personal information to the Service, contact us at [email protected] and we will take appropriate steps to delete it.
Hosts must not configure Service Pages that target children or that solicit personal information from children without appropriate parental consent under applicable law.
11. "Shine the Light" (California Civil Code §1798.83)
If you are a California resident, California's "Shine the Light" law permits you to request, once per year, information about our disclosure of certain categories of personal information to third parties for those third parties' own direct marketing purposes.
We do not disclose personal information to third parties for those third parties' direct marketing purposes.
If you wish to submit a Shine the Light request anyway, write to [email protected] with "Shine the Light Request" in the subject line.
12. Notice at Collection
This section serves as the "notice at collection" required by the CCPA. At or before the point at which we collect your personal information, you are entitled to know the categories of personal information we collect and the purposes for which we use it. Those categories and purposes are set out in sections 2 and 3 above. As stated in section 1, we do not sell or share personal information.
Where additional personal information is collected through specific features of the Service (for example, the WhatsApp channel when a Host enables it), additional context is provided at the relevant point in the Service interface.
13. Changes to this notice
We may update this notice from time to time. When we do, we will revise the Last updated date at the top of this page and, where the change is material, we will provide additional notice consistent with the requirements of California law and our Privacy Policy.
14. How to contact us
For any question about this notice or to submit a California rights request:
Hostigram, Inc.
124 City Road, London, England, EC1V 2NX
Email: [email protected] (subject line: "California Rights Request")
General support: [email protected]
If you have a disability and require this notice in an alternative format, contact us at [email protected] and we will accommodate the request.
This notice describes our current practices in respect of California residents. It supplements, but does not replace, our Privacy Policy, which applies to all users of the Service. It is not legal advice.
