LEGAL

Privacy Policy

How HadalCore LLC (“we,” “us,” or “our”) handles information when you use the WaitWHO website, mobile application, and related services (the “Services”).

Last updated: April 29, 2026

This Privacy Policy explains what information we collect through the Services, how we use and share it, and the choices you have. It should be read together with our Terms of Service.

1. Who we are

The Services are operated by HadalCore LLC, a limited liability company incorporated in the State of Tennessee, United States. WaitWHO is the trade name we use for the Services.

Contact: info@waitwho.app

2. Scope

This policy applies to information collected through the WaitWHO iOS application, our website at https://waitwho.app, and related communications (for example, support email). It does not apply to third-party websites, apps, or services that we link to or that appear in search results.

3. Information we collect

We collect information in the following categories, depending on how you use the Services.

3.1 Account and authentication

If you choose to sign in (for example, with Sign in with Apple), the sign-in provider authenticates you and returns a stable account identifier and, if you grant it, limited profile information such as name or email as provided by that sign-in provider. We use Supabase, Inc. ("Supabase") as our backend authentication, database, and encrypted file-storage provider; Supabase processes account identifiers, session tokens, and the data described elsewhere in this policy on our behalf under a data-processing agreement that obligates Supabase to apply protections at least as protective as those described in this Privacy Policy. Session tokens may be stored on your device so you can stay signed in. For Supabase's own privacy practices, see https://supabase.com/privacy.

3.2 Device and anti-abuse signals

We collect a persistent device identifier generated on your device and technical signals used for fraud prevention, rate limiting, and service integrity (for example, device model, operating system version, screen parameters, locale, and timezone). These are sent to our servers with certain requests so we can enforce subscription and free-tier limits fairly.

3.3 Photos, scans, and search results

When you run a scan, you submit a facial image (or cropped face image) and related metadata (such as a content fingerprint or hash, consent timestamp, and the device and abuse-prevention fields above). We process the image to perform a visual similarity search and to deliver results and in-app interpretations to you.

Reference images and model training. We do not use your uploaded photos to train, fine-tune, or improve machine learning models for ourselves or for sale to others. Third-party face-search providers process images under their own policies; see Section 7.

After processing, we purge reference photos from our active systems when the scan completes (your app may display a purge receipt with a timestamp). We may retain non-image scan metadata and results as described in Section 9.

3.4 Premium monitoring and watchlist

If you use optional premium monitoring (for example, periodic rescans or alerts), we may store one encrypted reference image per active watchlist entry in private cloud storage so scheduled searches can run without you re-uploading each time. That image is deleted when you remove the watchlist entry or delete your account, subject to short backup cycles described in Section 9. We may also store a snapshot of match URLs we have already shown or notified you about so we can detect genuinely new appearances.

3.5 Purchases and subscriptions

Purchases made through Apple are processed by Apple. We use RevenueCat, Inc. ("RevenueCat") to receive subscription status and transaction events from Apple's StoreKit and App Store Server APIs and to maintain your entitlement state across devices. RevenueCat receives Apple-provided transaction identifiers and your account or device identifier so we can unlock paid features and credits. RevenueCat does not receive your payment card number, full Apple ID, or billing address, and we do not receive your full payment card number from Apple for App Store purchases. RevenueCat operates under a data-processing agreement with us. For RevenueCat's own privacy practices, see https://www.revenuecat.com/privacy.

3.6 Push notifications

If you enable notifications, Apple provides a device token that we store and use to send alerts (for example, watchlist or scan-related messages). You can turn off notifications in iOS Settings.

3.7 Support, safety, and integrity

If you contact us, we collect the information you provide (such as email content). If you submit abuse or moderation reports about a result, we collect the details you submit (such as categories, notes, and URLs) so we can review reports and protect users.

3.8 Diagnostics and analytics

We use Functional Software, Inc., d/b/a Sentry ("Sentry") to measure stability and performance — for example, crash reports, error logs, and a sampled subset of performance traces. We have configured Sentry so that: (i) Apple ID, name, and email are never transmitted; (ii) sensitive query parameters and identifiers (including device_id, image_hash, user_id, email, and access tokens) are redacted from any URL or breadcrumb that would otherwise reach Sentry; and (iii) crash and performance reports are correlated only by an anonymous session identifier rather than by your account.

Sentry processes this diagnostic data on our behalf under a data-processing agreement that obligates Sentry to apply protections at least as protective as those described in this Privacy Policy. We may also log non-image product events (such as paywall or scan lifecycle events) tied to pseudonymous identifiers rather than your name. For Sentry's own privacy practices, see https://sentry.io/privacy/.

4. How we use information

We use the information above to:

  • provide, operate, maintain, and improve the Services;
  • authenticate users, sync entitlements, and manage accounts;
  • perform visual similarity searches and deliver results and in-app summaries;
  • operate optional monitoring, rescans, and notifications;
  • enforce our Terms of Service, prevent abuse, and protect security;
  • process payments and subscription state through Apple;
  • communicate with you about the Services, including support responses;
  • comply with law and respond to lawful requests; and
  • generate aggregated or de-identified statistics that do not identify you.

5. Legal bases (where applicable)

If laws such as the GDPR or UK GDPR apply to you, we rely on appropriate bases such as performance of a contract (providing the Services you request), legitimate interests (security, anti-abuse, product improvement, and communications that are not marketing), consent where required (for example, certain notifications or optional processing you explicitly agree to), and legal obligation where the law requires us to process data.

6. How we share information

We share information only as needed to operate the Services and only with parties bound by data-processing terms that require them to use the data solely for the purposes we direct and to apply protections that are at least as protective as those described in this Privacy Policy. The categories of recipients are:

  • FaceCheck.id, operated by Tech Solutions (Belize) — our face-search provider, which performs visual similarity matching against publicly indexed web content and returns match URLs and confidence scores. See Section 7. https://facecheck.id/Face-Search/Privacy
  • Supabase, Inc. — backend authentication, database hosting, and encrypted file storage. https://supabase.com/privacy
  • RevenueCat, Inc. — subscription, entitlement, and consumable-credit accounting against Apple's App Store and StoreKit APIs. https://www.revenuecat.com/privacy
  • Functional Software, Inc. d/b/a Sentry — crash and performance diagnostics. https://sentry.io/privacy/
  • Apple Inc. — for Sign in with Apple, App Store purchases, and Apple Push Notification service, under Apple's own privacy policy. https://www.apple.com/legal/privacy/
  • Professional advisers or authorities — if required to comply with law, enforce our terms, or protect rights, safety, and security.

We do not sell your personal information for money. We do not share photos with advertisers for ad targeting. We do not transfer your data to any third party that we have not bound to data-protection terms substantially equivalent to this Privacy Policy.

7. Third-party face search and indexing

WaitWHO performs visual similarity matching using FaceCheck.id, a face-matching service operated by Tech Solutions (a company based in Belize) ("FaceCheck.id"). FaceCheck.id operates an index of publicly available web content. When you submit a scan, we send FaceCheck.id the cropped face image you submit (or, where you grant camera or photo-library access, the photo you capture or select), along with a content fingerprint sufficient for caching and abuse prevention. We do not send FaceCheck.id your name, email address, account identifier, device identifier, or IP address linked to your account; the request is forwarded as an anonymous query through our servers.

FaceCheck.id processes the image to perform similarity matching against its index and returns match URLs and confidence scores to us. FaceCheck.id processes images under its own privacy policy and retention schedule, which we do not control.

We selected FaceCheck.id because their published practices were, at the time of selection, compatible with our product commitments — including their representations about not retaining submitted reference images after matching and not using submitted images to train or expand their index. We rely on those representations but cannot guarantee them; you should review FaceCheck.id's terms and privacy policy at https://facecheck.id/Face-Search/Privacy before using the Services if this matters to you. If FaceCheck.id is replaced or supplemented by another face-matching provider in a future version of the Services, we will update this Privacy Policy and provide notice as described in Section 15.

8. Cookies and similar technologies

Our website may use minimal cookies or local storage necessary for basic functionality. The iOS app does not use browser cookies; it uses app storage and secure tokens as described above.

9. Retention

We retain information only as long as needed for the purposes described in this policy, unless a longer period is required by law. Scan reference images are purged from our systems after processing completes, except for the optional encrypted watchlist image described in Section 3.4, which is retained only while the feature is active.

We may retain scan metadata (such as scan identifiers, timestamps, result summaries, and moderation annotations) for operational, safety, accounting, and legal reasons. Backup systems may retain deleted data for a limited period before being overwritten.

10. Security

We use administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, or alteration. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

11. Your choices and rights

Depending on your location, you may have rights to:

  • access or receive a copy of certain personal information;
  • correct inaccurate information;
  • delete certain information, subject to legal exceptions;
  • object to or restrict certain processing;
  • withdraw consent where processing is consent-based; or
  • lodge a complaint with a supervisory authority (EEA/UK users).

To submit a request, email info@waitwho.app. We may need to verify your identity before responding. Authenticated users can also use in-app account or support flows where available.

12. U.S. state privacy notices

Residents of certain U.S. states may have additional rights under local privacy laws (including rights to know, delete, correct, and opt out of certain “sales” or “sharing” as defined by those laws). WaitWHO is not directed at children, and we do not knowingly sell personal information of minors under 16.

California Shine the Light. California residents may request certain information about disclosures of personal information to third parties for their direct marketing purposes. We do not knowingly disclose personal information to third parties for their direct marketing purposes in the traditional sense described by that law.

California Consumer Protection. If you are a California resident, you may contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs in writing at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210 or (916) 445-1254.

13. International users

We are based in the United States. If you access the Services from other countries, your information may be transferred to, stored in, and processed in the United States or other jurisdictions where we or our providers operate. Those jurisdictions may have different data protection laws than your home country. Where required, we use appropriate safeguards for international transfers. In particular, when you use the visual similarity search feature, your scan image is processed by our face-matching provider in Belize, as described in Section 7.

14. Children’s privacy

The Services are intended for users who are at least 18 years old. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a minor, contact us and we will take appropriate steps to delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the “Last updated” date above when we do and, where appropriate, provide additional notice (such as an in-app message or email). Your continued use of the Services after the effective date of an update constitutes your acknowledgment of the revised policy, unless applicable law requires additional consent.

16. Contact

Questions about this Privacy Policy or our data practices: info@waitwho.app