Huff Privacy Policy
Last updated: 2026-05-10
This is the privacy policy for Huff. It explains what information we collect, why we collect it, how long we keep it, who we share it with, and how you can exercise your rights under India's Digital Personal Data Protection Act, 2023 ("DPDP Act").
This policy is in plain English. If anything is unclear, email us at privacy@huffme.com and we will explain.
Who we are
Huff is operated by the team contactable at privacy@huffme.com. When this policy says "we" or "Huff", we mean that team.
For the purposes of the DPDP Act, we are the Data Fiduciary for the personal data described below.
What we collect, and why
Information you give us directly
- Your phone number. Required to sign you in. We verify it via Firebase Phone Authentication (a Google service) which sends you an OTP. We store it so we can identify you across sessions and so other people can reach your wishlist if you've shared your number with them.
- Your name (optional). Shown to friends so they can recognise your wishlist. You can leave this blank.
- Your date of birth (optional). Used only to send birthday reminder notifications to your friends so they don't forget. You can leave this blank — we won't send reminders without it.
Information you allow us to collect
- Phone numbers of contacts you've saved on your device, in hashed form. For your friends to see your wishlist, our visibility model needs to confirm that they're in your contacts (not the other way around). To do this, we hash each contact's phone number on your device using a one-way function (Argon2id) before sending the hash — never the actual number — to our server. We never see your friends' real phone numbers. The hash is rotated daily so even old hashes can't be reused indefinitely.
- Your contact list (the act of upload). If you grant the contacts permission, the app reads your address book to compute the hashes above. Reading happens on your device only; the address book itself does not leave your phone.
- Push notification token. A device-specific identifier from Firebase Cloud Messaging that lets us send you birthday reminders and reservation alerts. You can disable notifications in your phone settings.
Information generated as you use Huff
- Your wishlist items. Each time you save a product, we store the link, the product details we scrape from the merchant's page (title, image, price), and any note you wrote.
- Your taps on "Buy now" links. When you click a Buy now button on a friend's wishlist, we record the click so we can attribute the purchase to you (for the affiliate gateway) and place a 30-minute soft reservation on the item to prevent two friends from accidentally double-gifting. The click record persists for revenue reconciliation purposes.
- Anonymous usage analytics, if you've opted in. We send anonymized event data (which screens you visit, which buttons you tap, which platforms — Amazon/Flipkart/Myntra/etc. — you save items from) to Amplitude to understand how the app is being used. We do not send your phone, name, address book, or wishlist contents. This is on by default and can be turned off in Settings → "Share usage data".
Information we do not collect
- We do not collect your address book in plaintext. Only on-device hashes leave your phone.
- We do not track your location.
- We do not access your photos, microphone, camera, calendar, files, or other apps.
- We do not sell or rent your personal data to anyone.
Why we process your data (lawful basis)
We process your personal data based on your consent, which we collect at the point of each step (sign-in, contacts permission, push notifications, optional fields). You can withdraw consent at any time — see "Your rights" below.
We do not currently rely on the "legitimate use" exemptions in DPDP Act § 7. If we ever do (for example, fraud detection), we will update this policy.
Who we share it with
We share data with these third parties only for the specific purposes listed:
| Third party | What they receive | Why |
|---|---|---|
| Google Firebase (Phone Auth, Cloud Messaging, App Check) | Your phone number for OTP delivery; your push notification token | Sign-in; pushes; abuse prevention |
| ScraperAPI | The product URL you save (no identity attached) | To fetch product details from merchant pages |
| Amplitude (analytics) | Pseudonymous event data + your Firebase user ID, only if you opted in | Product analytics |
| Cuelinks / Amazon Associates (planned, not yet active) | A pseudonymous click ID when you tap Buy now | Affiliate revenue attribution |
We do not share your data with any other parties. We do not sell your data.
How long we keep it
| Data | How long |
|---|---|
| Your account, wishlist, and all data tied to you | Until you delete your account in Settings, or for as long as the account is active. |
deleted_phone_hashes cooldown record (a one-way digest of your phone, no name attached) |
90 days after deletion. This stops a carrier-recycled phone number from inheriting your contact-graph relationships when reassigned. |
| Affiliate click records | Retained indefinitely (anonymized — your user ID is set to NULL on deletion) for revenue reconciliation. |
| Analytics events | Per Amplitude's standard retention (default 5 years). |
| Backups | Up to 30 days. |
Your rights under the DPDP Act
You have the following rights, and we have implemented them as described:
- Access (§ 6). You can request a copy of all personal data we hold about you. In the app: Settings → "Download my data" generates a JSON export. You can also email
privacy@huffme.com. - Correction (§ 8). You can correct your name, date of birth, and notification preferences in the app via Settings.
- Erasure (§ 7). Settings → "Delete account" removes your data from our systems. The 90-day phone cooldown described above is the only retained remnant, and contains no recoverable identity information.
- Withdrawal of consent (§ 10). You can withdraw consent for individual purposes (turn off birthday reminders; turn off analytics) or for everything (delete the account).
- Grievance redressal (§ 9). Email
privacy@huffme.com. We acknowledge within 7 calendar days and resolve within 30 days. If unresolved, you may approach the Data Protection Board of India under the DPDP Act § 27.
Data security
- Data is transmitted over HTTPS/TLS.
- Phone numbers other than your own are hashed on your device with Argon2id before being sent to our servers.
- App-level access is gated by Firebase ID tokens + Firebase App Check (so requests from cloned/scripted clients are rejected).
- Database backups and at-rest disk encryption depend on our hosting provider.
In the event of a personal data breach, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware, as required by DPDP Act § 8(6).
Children
Huff is not intended for users under 18 in India. We do not knowingly collect data from minors. If you believe a minor has registered, contact privacy@huffme.com and we will delete the account.
Changes to this policy
We will update the "Last updated" date at the top of this page when we change anything. Material changes will be flagged in the app via an in-app notice on next launch.
Contact
Email: privacy@huffme.com
Postal: (to be added before public launch)
For the avoidance of doubt — the email above is the official channel for all DPDP-related requests including grievances. We do not currently have a designated Data Protection Officer because Huff has not been classified as a Significant Data Fiduciary under DPDP § 10. We will appoint one if such a designation is made.