Privacy Policy

Last updated: April 23, 2026

This document was prepared by the HAQ team and is not legal advice. Users with specific legal questions should consult a lawyer.

1. Who We Are

HAQ is an AI-powered business operating system built by By-Haki, a sole proprietorship based in Brunei Darussalam. HAQ helps ASEAN founders manage their businesses through an intelligent interface with rooms for finance, marketing, operations, compliance, and logistics.

Company: By-Haki (Sole Proprietor: Baihaqey)
Product: HAQ
Location: Brunei Darussalam
Contact: [email protected]

2. What Data We Collect

Account Information

  • Email address (via Supabase Auth)
  • Business name, industry, and stage
  • Goals, tasks, decisions, and other business data you enter

Social Media Connections

When you connect a social media platform (Instagram, Facebook, X, LinkedIn, TikTok, YouTube), we store:

  • OAuth access tokens and refresh tokens (encrypted at rest with AES-256-GCM)
  • Platform user ID and username
  • Granted permission scopes
  • Connection status and timestamps

We do not store your social media passwords. Authentication is handled entirely through each platform's official OAuth 2.0 flow.

Content You Create

  • Marketing content (briefs, scripts, images, videos)
  • Financial data (expenses, revenue, invoices, payroll)
  • Compliance items (registrations, licenses, tax obligations)
  • Journal entries and daily focus items
  • Uploaded files (stored in Supabase Storage)

AI Interactions

  • Conversations with Momo (HAQ's AI assistant, powered by Anthropic's Claude API)
  • AI-generated content (directives, briefs, marketing drafts, images)
  • Agent session data (Scout, Architect, Director, Publisher workflows)

Payment Information

Payments are processed by Polar. HAQ does not store credit card numbers, bank account details, or other financial payment instruments. We receive only subscription status, plan tier, and transaction identifiers from Polar.

3. How We Use Your Data

  • To operate and provide the HAQ business management features you use
  • To provide AI-powered services via Momo (content generation, business insights, daily directives)
  • To publish content to your connected social media accounts only when you explicitly request it — HAQ never publishes automatically
  • To calculate business health metrics (runway, compliance status, marketing performance)
  • To send you notifications about important business events
  • To improve the product (via anonymized, aggregated analytics)

We do not use your data to train AI models. Your conversations with Momo are sent to Anthropic's API for processing and are subject to Anthropic's data usage policies.

4. Third Parties We Share Data With

HAQ integrates with the following third-party services:

  • Anthropic (Claude API) — AI assistant (Momo) and content generation. Your prompts and business context are sent for processing.
  • Supabase — database, authentication, and file storage.
  • Polar — payment processing for subscriptions. Polar handles all payment instrument storage.
  • Social media platforms (Meta/Facebook, Instagram, X, LinkedIn, TikTok, YouTube) — content publishing via OAuth when you explicitly request it.
  • PostHog — product analytics (anonymized usage data, no personal identifiers).
  • Railway — application hosting.
  • Upstash — rate limiting infrastructure.

We do not sell, rent, or share your personal data or business data with any third party for advertising or marketing purposes.

5. Data Retention

  • Business data is retained as long as your account is active
  • Social media tokens are retained until you disconnect the platform or they expire
  • After account deletion, all data is permanently removed within 30 days
  • Deleted items within the app are permanently removed — we do not soft-delete
  • Anonymized, aggregated analytics data may be retained indefinitely

6. Your Rights

You have the right to:

  • Access — request a copy of all data we store about you and your business
  • Correction — request correction of any inaccurate data
  • Deletion — request deletion of your data (see Data Deletion)
  • Export — request an export of your data in a machine-readable format
  • Disconnect — disconnect any connected social media platform at any time, immediately revoking our access

To exercise any of these rights, contact us at [email protected].

7. Cookies and Tracking

HAQ uses:

  • Essential cookies — required for authentication and session management (Supabase Auth cookies). These cannot be disabled.
  • Analytics — PostHog for product analytics. This collects anonymized usage data to help us improve the product. No personal identifiers are sent.

We do not use advertising cookies or third-party tracking pixels.

8. GDPR and Data Subject Rights

If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under GDPR including the right to data portability, the right to restrict processing, and the right to object to processing.

To exercise these rights or to file a complaint, contact us at [email protected]. You also have the right to lodge a complaint with your local data protection authority.

9. Security Measures

  • All connections use HTTPS/TLS encryption
  • Row Level Security (RLS) enabled on all Supabase database tables — users can only access their own business data
  • Social media OAuth tokens encrypted at rest with AES-256-GCM
  • API keys stored in environment variables, never in source code
  • Rate limiting on all AI and external API calls (via Upstash)
  • Server-side input validation with Zod on all API routes
  • No secrets exposed to the client side

10. Children's Data

HAQ is a business management platform intended for use by business owners and professionals. The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

11. International Data Transfers

Your data may be processed and stored on servers located in the European Union and/or the United States (via Supabase and Railway infrastructure). By using HAQ, you consent to the transfer of your data to these regions.

We ensure that any international transfers comply with applicable data protection laws and that appropriate safeguards are in place.

12. Changes to This Policy

We may update this privacy policy as HAQ evolves. We will notify you of material changes at least 30 days in advance via email or in-app notification. Changes will be reflected in the "Last updated" date at the top.

13. Data Deletion

You can delete your data at any time:

  • Disconnect a platform: Go to Systems → Integrations → click Disconnect next to any connected platform. This immediately revokes the OAuth token and deletes the stored connection.
  • Delete your account: Contact us at [email protected] to request full account deletion. All business data, tokens, files, and conversation history will be permanently deleted within 30 days.
  • Delete specific data: You can delete individual items directly within the HAQ interface.

For more details, see our Data Deletion page.

14. Contact

For questions about this privacy policy or your data, contact:
Email: [email protected]
Product: HAQ by By-Haki
Location: Brunei Darussalam

By-Haki · HAQ · 2026