Privacy Policy

Last updated: May 14, 2026

Hexx is operated by Intrinsic Thinking, Inc. (“Hexx,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, share, and protect information when you use our mobile applications, websites, and related services (the “Service”). By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

1. Information we collect

Information you provide

  • Account information. Email address, password (stored as a salted hash), display name, and any optional profile details.
  • Reference content. Photos and short videos you upload as inputs for AI generation.
  • Face data. Images of your face, and the facial features and biometric representations derived from those images, that you choose to upload so the Service can create content with generative models. See Face data below for the full description of how this information is collected, used, disclosed, shared, and retained.
  • Prompts and parameters. Style selections and any text or settings you provide.
  • Generated outputs. Photos and videos created from your inputs and stored in your library.
  • Communications. Messages you send to support, feedback, and survey responses.
  • Payment metadata. When you subscribe through Apple, Google, or another processor, that processor handles your payment details. We receive only metadata such as transaction identifiers, subscription status, and country.

Information collected automatically

  • Device and technical data: device model, operating system, app version, language, time zone, IP address, and crash diagnostics.
  • Usage data: style packs viewed, generations attempted and completed, errors encountered, screens viewed, and session duration.
  • Cookies and similar technologies: session cookies for authentication and limited analytics identifiers. We do not use third-party advertising cookies.
  • Push notification tokens, if you opt in to notifications.

Information from third parties

  • Sign-in providers (such as Apple or Google), which provide a verified email and a stable identifier.
  • Subscription and payment processors (such as Apple App Store, Google Play, Stripe, and RevenueCat), which provide receipts and entitlement status.
  • Fraud-prevention and identity-verification services, where applicable.

2. How we use information

  • Operate and provide the Service, including processing your inputs through AI models and returning generated outputs.
  • Authenticate your account and maintain your session.
  • Process subscriptions, manage entitlements, and prevent fraud.
  • Respond to your support requests and send service announcements.
  • Improve quality, reliability, and safety, including evaluating new style packs and detecting abuse.
  • Personalize the in-app feed and recommended styles.
  • Send transactional notifications such as receipt confirmations and security alerts.
  • Comply with legal obligations and enforce our Terms & Conditions.

3. AI processing of your content

When you submit a reference photo, video, or prompt, your input is transmitted to AI inference providers we work with for the limited purpose of generating the requested output. We do not use your reference content to train general-purpose AI models without your explicit, separate consent. Generated outputs remain in your library until you delete them. We may analyze prompts, parameters, and quality signals in aggregated and de-identified form to improve the Service.

4. Face data

Collection

When you choose to use features that work from your likeness, the Service collects images of your face that you upload or capture, and generates the facial features and biometric representations needed to create content with generative models. We collect face data only when you actively submit it; we do not scan your photo library or camera feed in the background.

Use

We use face data solely to generate the photos, videos, and other outputs you request, to display previews and your library to you, and to operate, secure, and troubleshoot the Service. We do not use face data for advertising, and we do not use it to train general-purpose AI models without your explicit, separate consent.

Disclosure and sharing

To produce the outputs you request, we may share face data with generative model providers and the cloud infrastructure they run on for the limited purpose of generating the requested content. These providers act as our processors under written contracts and may not use your face data for their own purposes except as required by law. We may also disclose face data to comply with legal process or to protect rights, property, or safety, and as part of a business transfer as described in the sharing section below. We do not sell face data and do not share it for cross-context behavioral advertising.

Retention

Face data is retained until you explicitly delete it. You can delete individual face data items, or your entire account, from within the Service at any time; on deletion, the underlying records and derived biometric representations are removed from our active systems, with short-lived encrypted backups rotating out on their ordinary schedule. We do not apply a separate time-based expiry to face data.

5. How we share information

We share information only as described below:

  • Service providers and subprocessors. Cloud infrastructure (e.g., Amazon Web Services, Cloudflare), AI inference providers (e.g., fal.ai, Google), analytics (e.g., PostHog), error tracking, push delivery (e.g., Apple Push Notification service, Firebase Cloud Messaging), and customer-support platforms. These providers process information on our behalf under written contracts and may not use your data for their own purposes except as required by law.
  • Subscription processors. Apple, Google, Stripe, Adapty, and similar entities for managing payments and entitlements.
  • Legal and safety. Where required by law, valid legal process, or to protect rights, property, or safety.
  • Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred subject to this Policy.
  • With your consent. For any other purpose at your direction.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

6. International data transfers

Information we process may be stored and handled in jurisdictions other than where you live, including the United States. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for transfers from the European Economic Area, United Kingdom, or Switzerland.

7. Data retention

  • Account data. Retained while your account is active. After deletion, we remove or anonymize your account within thirty (30) days, except where retention is required by law.
  • Reference content. Retained while your account is active; you may delete individual items at any time.
  • Face data. Retained until you explicitly delete it (per face data item, or by deleting your account); not subject to a separate time-based expiry.
  • Generated outputs. Retained in your library until you delete them.
  • Logs and operational data. Retained for up to twelve (12) months in the ordinary course.
  • Backups. May persist for a short additional period in encrypted form before scheduled rotation.

8. Your rights

Depending on where you live, you may have the right to:

  • access the personal information we hold about you,
  • correct inaccurate or incomplete information,
  • delete your information,
  • restrict or object to certain processing,
  • portability of information you provided to us,
  • withdraw consent (where processing is based on consent), and
  • lodge a complaint with a supervisory authority.

To exercise these rights, contact support@hexx.co. We will verify your identity before responding.

California residents. You have rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know, delete, correct, and limit use of sensitive personal information. We do not sell your personal information or share it for cross-context behavioral advertising.

EEA/UK residents. Where we process your information, our lawful bases include performance of a contract with you, our legitimate interests in operating and improving the Service, your consent (where applicable), and compliance with legal obligations.

9. Security

We use technical and organizational safeguards designed to protect your information, including encryption in transit, encryption at rest where feasible, access controls, and isolation of sensitive workloads. No system is perfectly secure, and you use the Service at your own risk.

10. Children

The Service is not directed to children under thirteen (13), or under the minimum age in your jurisdiction. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact support@hexx.co and we will take appropriate action.

11. Third-party links and services

The Service may contain links to or integrate with third-party services we do not control. Their privacy practices are governed by their own policies, and we are not responsible for them.

12. Changes to this policy

We may update this Privacy Policy. If changes are material, we will provide reasonable notice (for example, in-app or by email). Your continued use of the Service after changes take effect constitutes acceptance.

13. Contact

Intrinsic Thinking, Inc.
support@hexx.co