Privacy Policy

Last updated: March 2026

1. Who We Are

HiBFF Ltd ("HiBFF", "we", "us") operates the HiBFF social intelligence platform at hibff.com. HiBFF helps users build real-world social skills through AI-powered practice sessions. We are registered in the United Kingdom.

Data Protection Contact: privacy@hibff.com

2. What Data We Collect

We collect only what is necessary to provide the service:

  • Account information: Name, email address, date of birth, password (hashed — we never store your actual password).
  • Practice session data: Messages exchanged with your Practice Partner, session timestamps, and interaction mode (text/voice/both).
  • Progress data: Real-world challenge logs, badges earned, streak counts, mood entries, and Social Score.
  • Technical data: Browser type, IP address (not stored long-term), and device information for security purposes.
  • Payment data: Processed by Airwallex. We do not store card numbers — only subscription status and transaction references.

3. HiBFF Privacy Shield

Before any message reaches our AI coach, our Privacy Shield automatically strips out personal details:

  • Names, school names, and workplace names are replaced with anonymous codes.
  • Email addresses, phone numbers, postcodes, and ID numbers are removed.
  • Social media handles and URLs are redacted.

The AI model only ever sees anonymous codes, not who you are or where you go to school. The mapping between codes and real data exists only in memory during your session and is never stored.

4. How We Use Your Data

  • To provide and personalise your practice sessions.
  • To track your progress (challenges, badges, Social Score).
  • To process subscription payments via Airwallex.
  • To enforce safety guardrails (blocked content is logged for platform safety, not shared externally).
  • To generate aggregated analytics (no individual data is shared with third parties).

We do not sell your data. We do not use your data for advertising. We do not share individual conversation content with anyone, including parents.

5. Children's Privacy (COPPA)

HiBFF takes the privacy of young people seriously:

  • Under 13: We do not allow registration for children under 13.
  • Ages 13-17: A parent email is required at registration. Parents can view their teen's activity (not conversation content), export their teen's data, and request deletion.
  • Teen image library: Teens only see age-appropriate avatar images (Anime, Young Adults). Adult-presenting images are not shown to teen accounts.
  • Stricter guardrails: Teen accounts have additional content filtering beyond the standard safety rules.

6. Data Retention

  • Practice sessions and conversations: Automatically deleted after 90 days.
  • Account data: Retained until you delete your account.
  • Audit logs: Retained for compliance and security purposes.
  • Payment records: Retained as required by financial regulations.

7. Your Rights (GDPR)

You have the right to:

  • Access: Export all your data from Settings at any time.
  • Rectification: Update your profile information in Settings.
  • Erasure: Delete your account and all associated data from Settings.
  • Withdraw consent: Toggle marketing and data processing consent in Settings.
  • Portability: Download your data as a JSON file.

To exercise any of these rights, go to Settings or email privacy@hibff.com.

8. Third-Party Services

  • Anthropic (Claude): Provides the AI conversation engine. Messages are sent with PII stripped (see Privacy Shield above).
  • OpenAI: Provides text-to-speech voice synthesis. Only the text is sent — no user identifiers.
  • Airwallex: Processes payments. Card data is handled entirely by Airwallex — we never see or store it.
  • Cloud Infrastructure: Hosts the application and database within enterprise-grade secure infrastructure with SOC 2 attestation.

9. Safety Guardrails

HiBFF monitors 9 content domains to keep users safe. The AI will not discuss: mental health diagnoses, medical advice, self-harm, clinical guidance, politics, military topics, sexually explicit content, violence/bullying, or provide legal advice. If a user raises a serious concern, the AI provides crisis helpline numbers and encourages them to speak to a trusted adult.

10. SOC 2 Type II Readiness

HiBFF is built with SOC 2 Type II controls from the ground up:

  • Audit logging: All user actions, admin actions, guardrail events, data access, and system changes are logged with timestamps and user IDs.
  • Access controls: Role-based access control (RBAC) with five roles — user, parent, teacher, school_admin, admin. Each role has defined permissions.
  • Encryption: Passwords hashed with bcrypt. All data in transit encrypted via HTTPS/TLS. PII stripped before reaching third-party AI providers.
  • Incident management: Security incidents are logged and tracked via our incident reporting system.
  • Data retention: Automated 90-day TTL on conversation data. Configurable retention policies per data type.
  • Change management: All code changes tracked via version control with audit trail.
  • Monitoring: System health dashboard with DB response times, error rates, and service status monitoring.

For SOC 2 compliance documentation or security questionnaire responses, contact security@hibff.com.

11. Cookies

HiBFF uses essential cookies only:

  • Authentication token: Keeps you logged in (session cookie).
  • Preferences: Stores your theme and dashboard layout choices (local storage).

We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

12. Changes to This Policy

We may update this policy from time to time. We will notify users of significant changes via email or an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact Us

If you have questions about this policy or your data:

HiBFF uses essential cookies only — to keep you logged in and remember your preferences. We do not use advertising or tracking cookies. Privacy Policy