Privacy Policy

Halo — AI Voice Companion

Last updated: April 20, 2026

This Privacy Policy describes how Lahoika OÜ (“we”, “us”, “our”), a company registered in Estonia (registry code 17475517), operates the Halo mobile application (“Halo”, “the App”) and how we collect, use, and protect your personal data.

By using Halo, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.

1. Who We Are

Data Controller: Lahoika OÜ

Registered Office: Harju maakond, Tallinn, Kristiine linnaosa, Hane tn 4, 13418, Estonia

Contact: hello@speaktohalo.com

We are subject to the European Union General Data Protection Regulation (GDPR) and Estonian data protection laws.

2. What Data We Collect

2.1 Data You Provide

• Your name (provided during onboarding via voice or text)
• Your voice recordings during sessions (processed in real-time, see Section 3)
• Your mood selections (mood slider input)
• Your account credentials (if you sign in with Apple or Google)

2.2 Data We Generate

• Conversation transcripts (created from your voice input via speech-to-text)
• AI-generated journal summaries, mood labels, and themes
• Emotional analysis data (mood color, intensity, detected emotions)
• Session metadata (date, time, duration, session type)
• Streak and usage statistics

2.3 Data Collected Automatically

• Device information (device model, operating system, app version)
• Analytics events (screen views, feature usage — via Mixpanel)
• Attribution data (install source, campaign data — via AppsFlyer)
• Push notification tokens (via Firebase Cloud Messaging)
• Crash reports and performance data

2.4 Data We Do NOT Collect

• We do not collect your location data
• We do not access your contacts, photos, or other apps
• We do not collect biometric data (your voice is processed for transcription only, not for identification)
• We do not sell your personal data to third parties

3. How We Use Your Data

3.1 Voice Data Processing

When you speak to Halo, your voice is captured by your device’s microphone and streamed in real time to Google’s Gemini Live API, which both transcribes your speech and generates Halo’s spoken replies. The resulting text transcript is stored in our database so you can read your journal entries. Raw voice audio is not retained — it is processed during the session and discarded when the session ends.

3.2 AI Processing

Your voice input and conversation transcripts are processed by Google’s Gemini Live API to generate Halo’s real-time voice responses, journal summaries, emotion analysis, and pattern detection. Voice audio is streamed directly to Google for processing and is not retained by us. Google processes your data according to its Gemini API terms and does not use your data to train its models under our API agreement.

3.3 Purposes of Processing

• To provide the core journaling and conversation experience
• To generate journal entries, summaries, and mood tracking
• To detect emotional patterns and provide insights (premium feature)
• To personalize your experience (e.g., remembering your name, session preferences)
• To send push notifications (daily reminders, weekly digests)
• To process payments and manage your subscription
• To analyze app usage and improve the product
• To measure advertising effectiveness

3.4 Legal Basis (GDPR)

• Contract performance: providing the App’s core features (Art. 6(1)(b))
• Legitimate interest: analytics, product improvement, fraud prevention (Art. 6(1)(f))
• Consent: push notifications, marketing communications (Art. 6(1)(a))

4. Third-Party Services

We use the following third-party services that may process your data:

Supabase (Authentication, Database) — EU-hosted. Stores your account data, journal entries, and conversation history.

Google (Gemini Live API — AI voice & language model) — Processes voice audio and text to generate Halo’s real-time voice responses, transcripts, journal summaries, and pattern analysis. Data is not used for model training under our API agreement.

Adapty (Payments) — Processes subscription purchases. Receives transaction data from Apple App Store / Google Play.

Mixpanel (Analytics) — Receives anonymized usage events. No conversation content is sent.

AppsFlyer (Attribution) — Tracks app install sources for advertising measurement. Receives device identifiers and install/purchase events.

Firebase Cloud Messaging (Push Notifications) — Delivers push notifications to your device. Receives your device token.

Apple / Google (Authentication, App Distribution) — If you sign in with Apple or Google, they provide authentication. App Store and Google Play process your subscription payments.

5. Data Storage and Security

Your data is stored on Supabase servers located in the European Union. We implement the following security measures:

• All data is encrypted in transit (TLS/HTTPS) and at rest
• Authentication is handled via Supabase Auth with industry-standard protocols
• Row Level Security (RLS) ensures you can only access your own data
• API keys and credentials are stored securely and never exposed to clients
• We conduct regular security reviews of our codebase

6. Data Retention

• Account data: retained while your account is active, deleted within 30 days of account deletion
• Journal entries and transcripts: retained while your account is active
• Voice audio: not stored permanently; processed in real-time and discarded
• Analytics data: retained for up to 24 months in anonymized form
• Payment records: retained as required by applicable tax and financial laws

7. Your Rights (GDPR)

As a user in the European Economic Area, you have the following rights:

• Right of access: request a copy of your personal data
• Right to rectification: correct inaccurate personal data
• Right to erasure: request deletion of your personal data (“right to be forgotten”)
• Right to data portability: receive your data in a machine-readable format
• Right to restrict processing: limit how we use your data
• Right to object: object to processing based on legitimate interest
• Right to withdraw consent: withdraw consent at any time (e.g., for push notifications)

To exercise any of these rights, contact us at hello@speaktohalo.com. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee.

8. Children’s Privacy

Halo is intended for users aged 18 and older. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete that data promptly. If you believe a child under 18 is using Halo, please contact us at hello@speaktohalo.com.

9. International Data Transfers

Your data is primarily stored within the EU. Some third-party services may process data outside the EU (e.g., Google in the United States). Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Cookies and Tracking

Halo is a mobile application and does not use cookies. We use mobile analytics (Mixpanel) and attribution tools (AppsFlyer) that use device identifiers for analytics and advertising measurement. You can opt out of personalized advertising through your device settings (iOS: Settings > Privacy > Tracking; Android: Settings > Google > Ads).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the App or via email. The “Last updated” date at the top indicates the most recent revision. Continued use of Halo after changes constitutes acceptance of the updated policy.

12. Contact Us