PRIVACY POLICY
Heatwave Social Inc.
Last Updated: March 2026
Introduction
Welcome to Heatwave ("we," "our," or "us"), operated by Heatwave Social Inc. This Privacy
Policy explains how we collect, use, disclose, and safeguard your information when you use the
Heatwave mobile application (the "App"). We believe in being straightforward about our data
practices — no legalese, no hidden practices. If you do not agree with the terms of this Privacy
Policy, please do not access or use the App.
Information We Collect
We collect the following categories of information:
Account Data — When you register, we collect: email address; date of birth (used solely for age
verification — we do not display your age or birthday publicly); username (stored alongside a
lowercase copy for case-insensitive uniqueness enforcement); profile information you choose to
provide (display name, bio, profile picture); and phone number (optional — if you provide one,
we store only a one-way SHA-256 hash of it, never the raw number).
Content Data — When you use Heatwave, we collect: posts, photos, and videos you create
(including edited and compressed versions, as well as automatically generated thumbnails at
200px and 480px resolutions); comments and replies; flame, unlock, and repost activity;
messages sent through Unlock Chats; shared post messages in your inbox; and hashtags
parsed from your captions.
Purchase Data — If you buy tokens: transaction IDs and purchase receipts from the Apple App
Store or Google Play Store; token balance and transaction ledger (all credits and debits). We do
NOT receive or store your credit card number, billing address, or any payment details — all
payment processing is handled entirely by Apple, Google, and our payment partner
RevenueCat.
Usage & Device Data — We automatically collect: device type, operating system, and app
version; IP address (logged for security and abuse prevention); usage patterns (screens viewed,
features used, session duration); crash reports and performance diagnostics (via Firebase
Crashlytics); push notification tokens (via Firebase Cloud Messaging); and Firebase App Check
attestation signals (device integrity verification — no personal data, just a device legitimacy
check).
What We Do NOT Collect
We want to be explicit about the data we do not collect:
• Precise GPS location — we do not access or store your device location
• Raw phone numbers — we store only SHA-256 hashes, which cannot be reversed to
reveal the original number
• Biometric data — we do not use facial recognition or any biometric analysis on user
photos or videos
• Contact details — during friend discovery, only hashed phone numbers leave your
device, and they are not retained after comparison
• Cross-app tracking data — we do not track you across other apps or websites
• Advertising identifiers — we do not use IDFA, GAID, or any advertising identifiers for any
purpose
How We Currently Use (and Do Not Use) Your Data
As of the date of this Privacy Policy:
• We currently do not sell, rent, or trade your personal data to anyone
• We currently do not display third-party advertisements in the App
• We currently do not build advertising profiles or behavioral profiles about you
• We do not use your content, posts, messages, or any personal data to train artificial
intelligence or machine learning models
• We currently do not share your data with data brokers
• We currently do not perform cross-app or cross-site tracking
• Our revenue currently comes from in-app token purchases
If we ever introduce advertising or materially change how we use your data, we will update this
Privacy Policy, notify you in advance through the App, and where required by law, obtain your
consent before any such changes take effect.
Contacts & Friend Discovery
If you choose to use the "Find Friends from Contacts" feature, here is exactly what happens:
1. We ask for permission to access your device contacts.
2. Phone numbers from your contacts are hashed on your device using SHA-256 (a one-way
cryptographic function) before anything leaves your phone.
3. Only the hashes are sent to our server — we never see, transmit, or store raw phone
numbers from your contacts.
4. We compare these hashes against hashes of other users who have opted in to be
discoverable by phone number.
5. Matching hashes are used to suggest friends; the hashes from your contacts are not
retained on our servers after the comparison is complete.
You can add your own phone number in your profile settings to let your contacts find you. If you
do, we store only the SHA-256 hash of your normalized phone number — never the number
itself. You can remove your phone number hash at any time from your profile settings, and it will
be deleted from our servers.
This feature is entirely optional. You can use Heatwave fully without ever granting contacts
access, and the core functionality of the App is not affected.
How We Use Your Information
We use your information to:
• Provide, operate, and maintain the Heatwave App and all its features
• Process in-app purchases and manage your token balance
• Deliver push notifications you have opted into (flames, comments, follows, unlocks,
messages, and other activity)
• Enforce our age verification requirement (18+ only)
• Moderate content using automated systems to ensure platform safety
• Detect and prevent fraud, abuse, spam, and security threats
• Analyze aggregated and anonymized usage data to improve the App
• Comply with legal obligations, including mandatory CSAM reporting to NCMEC and
Cybertip.ca
• Respond to your support requests and communications
Content Moderation & AI
We use automated systems to keep Heatwave safe. Here is exactly what we use and why:
Image & Video Moderation — When you upload a photo or video, it is screened by NudeNet (an
open-source classifier that runs entirely on our servers — your content is not sent to a third
party for this check) and Amazon Web Services (AWS) Rekognition (detects explicit,
suggestive, or violent visual content). For video content, frames are sampled at 2 frames per
second for moderation analysis. This sampling process does NOT affect video playback quality
or resolution. Based on the results, content is approved, flagged for human review, or rejected.
Content flagged as potential CSAM is immediately reported to the appropriate authorities and
retained as required by law.
Message Moderation — When you send a message in an Unlock Chat or share a post
message, the text is screened by the OpenAI Moderation API for hate speech, harassment,
threats, self-harm content, violence, and child sexual exploitation material. This is a one-time
safety check. OpenAI does not retain your message text after the moderation check completes,
and your messages are not used to train any AI models. We allow normal adult conversation,
including sexually suggestive language between consenting adults. We block content involving:
minors in any sexual context, hate speech, credible threats of violence, self-harm promotion,
and targeted harassment.
These automated systems may produce errors. If your content is incorrectly flagged or rejected,
you may contact us at support@heatwavesocial.com for a human review. We review all appeals
in good faith and retain final discretion over content moderation decisions.
By using Heatwave, you consent to automated content moderation as a condition of using the
platform.
Screenshot Protection
Heatwave employs technical measures designed to discourage unauthorized capture of
unlocked content within the App. These measures operate on a best-effort basis. No technology
can fully prevent screenshots, screen recording, or capture by external devices (such as
photographing a screen with another device). We make reasonable efforts to protect content
creators, but we cannot guarantee that these protections will prevent all forms of unauthorized
capture. We are not liable for content that is captured despite these protective measures.
Unlock Chats (Ephemeral Messaging)
When you spend a token to unlock someone’s post, a temporary direct message channel
("Unlock Chat") is created between you and the post’s author. Here is how your data is handled:
The post author has 24 hours to respond. If they do, the chat becomes active for another 24
hours. Additional unlocks on the same author’s posts extend the chat window. After the chat
expires, messages are retained for 90 days for safety, abuse investigation, and legal
compliance, then permanently deleted from our servers. If a chat is reported or involves a
blocked user, messages are retained for up to 1 year to support any investigation. Chat
metadata (participants, timestamps, chat status) is retained separately from message content.
All messages pass through our automated moderation system before delivery.
Sharing Your Information
We share your information in the following situations and no others:
With Other Users — Your public profile (username, display name, bio, profile picture) is visible
to other users. Posts you create are visible based on your privacy settings (public or followers-
only). Your flame and unlock activity is visible to post authors (they can see who flamed or
unlocked their post). Messages you send in Unlock Chats are visible to the other participant.
Shared post messages are visible to the recipient.
With Service Providers (Data Processors Acting on Our Behalf) — We use the following third-
party services that process your data strictly on our behalf and under our instructions: Firebase /
Google Cloud Platform (hosting, database, authentication, cloud functions, push notifications,
crash reporting via Firebase Crashlytics); Cloudflare R2 (content delivery network for media
files, stores approved content only); RevenueCat (in-app purchase management, receives
purchase receipts from Apple/Google, not your payment details); Amazon Web Services (AWS)
Rekognition (image and video content moderation, receives uploaded media only); OpenAI
(message text moderation only, receives message text for a one-time safety check, does not
retain your data and does not train on it); and Apple Push Notification Service / Firebase Cloud
Messaging (push notification delivery).
We do NOT sell your personal data to anyone. Ever.
For Legal Reasons — We may disclose your information when required to: comply with
applicable law, regulation, or legal process; protect the rights, safety, or property of Heatwave,
our users, or the public; report suspected CSAM to NCMEC and Cybertip.ca as required by law;
or respond to lawful requests by law enforcement or government authorities.
Analytics
We use Firebase Analytics (Google Analytics for Firebase) to understand how Heatwave is
used. This collects: app opens, screen views, and feature usage; device type and operating
system; general geographic location (country and region level only — NOT precise or GPS-
based location); and crash reports and performance metrics (via Firebase Crashlytics for
stability monitoring).