Privacy Policy

1. Introduction

Chillhi, Inc. ("Chillhi," "we," "us" or "our") is a Delaware corporation operating an AI-powered marketing software platform at www.chillhi.com (the "Platform"). We provide our services primarily to marketing agencies and their teams worldwide.

This Privacy Policy explains how we collect, use, store, share and protect personal information when you access or use our Platform. It also sets out your rights in relation to that information.

By using the Platform you confirm that you have read and understood this Privacy Policy. If you do not agree with our practices please do not use the Platform.

2. Who We Are

Chillhi, Inc. is the responsible party and data controller for personal information collected through the Platform.

• Chillhi, Inc.
• 131 Continental Drive, Suite 305, Newark, DE 19713, United States
• admin@chillhi.com
• www.chillhi.com
• Privacy contact: admin@chillhi.com

We have not yet appointed a formal Data Protection Officer (DPO). We will appoint one as our business grows and as required by applicable law.

3. Scope of This Policy

This Policy applies to:

• Visitors to www.chillhi.com
• Users who register for or use the Platform (including free and paid users)
• Employees, contractors and representatives of our agency clients
• Any individual whose personal information we process in connection with providing our services

This Policy does not apply to third-party websites or services linked from our Platform. We are not responsible for the privacy practices of those third parties.

Because we serve users worldwide, this Policy is designed to comply with applicable privacy laws including the US state privacy laws (including CCPA/CPRA for California residents); the EU General Data Protection Regulation (GDPR) and UK GDPR; the South African Protection of Personal Information Act (POPIA); and other applicable national and regional privacy laws.

4. Information We Collect

4.1 Information You Provide Directly

• Account registration details (name, email address, job title, company name)
• Billing and payment information (processed securely by Stripe, we do not store full card details)
• Profile information and user preferences
• Content and data you upload or input into the Platform (campaign briefs, brand assets, creative copy, audience data)
• Communications with our support team
• Survey responses, feedback and testimonials

4.2 Information Collected Automatically

When you use the Platform we automatically collect:

• Log data: IP address, browser type, operating system, referring URLs, pages visited and timestamps
• Device data: device type, screen resolution and unique device identifiers
• Usage data: features used, AI prompts submitted, content generated, session duration and interaction patterns
• Cookie and tracking data (see Section 10)

4.3 Information from Third-Party Integrations

Where you connect third-party accounts to the Platform (such as your Google Analytics or Meta/Facebook advertising accounts), we may receive data from those platforms in order to provide the relevant features. In these cases:

• You are connecting your own accounts and authorizing the data flow
• Chillhi acts as a data processor for information received from your connected accounts
• You remain responsible as data controller for any personal information flowing through your connected accounts
• Your use of those third-party platforms is also governed by their own privacy policies (policies.google.com; facebook.com/policy)

4.4 Payment Information

All payment processing is handled by Stripe, Inc. Chillhi does not store your full credit card number, CVV or other sensitive payment data. Stripe's privacy policy is available at stripe.com/privacy. By making a payment you also agree to Stripe's terms of service.

5. How We Use Your Information

We use personal information for the following purposes:

Service delivery

To provide, operate and maintain the Platform including processing AI requests and generating content outputs.

Account management

To create and manage your account, verify your identity and communicate with you about your account.

Billing and payments

To process subscriptions, invoices and payments through Stripe and to prevent fraud.

Customer support

To respond to enquiries, troubleshoot issues and provide technical assistance.

Analytics and improvement

To analyse usage patterns via Google Analytics and improve the performance, features and user experience of the Platform.

Marketing

With your consent (or where permitted by law) to send you product updates, newsletters and promotional content by email. You can opt out at any time.

Integrations

Where you connect your Meta or Google accounts, to facilitate ad campaign management and reporting on your behalf.

Security

To detect, investigate and prevent fraudulent activity, abuse and security threats.

Legal compliance

To comply with applicable laws including US state privacy laws, GDPR, POPIA and tax requirements.

Aggregated insights

To generate anonymized aggregated insights about Platform usage. This data cannot identify you individually.

AI Model training

We do not use your Customer Content, prompts or Outputs to train or improve our underlying AI models without your explicit prior written consent.

6. Legal Basis for Processing

We process personal information on the following lawful bases:

Contractual necessity

Processing necessary to fulfill our agreement with you (providing the Platform services, billing).

Legal obligation

Processing required to comply with applicable laws (financial records, regulatory requirements).

Legitimate interests

Processing in our legitimate business interests (improving the Platform, detecting fraud, security monitoring) where those interests are not overridden by your rights.

Consent

Where we rely on consent (marketing emails, analytics cookies, advertising) you may withdraw it at any time without affecting the lawfulness of prior processing.

For California residents we process personal information as a "business" under CCPA/CPRA. For EU/EEA residents this Policy also serves as our transparency notice under Articles 13 and 14 of the GDPR. For South African residents we process personal information in accordance with the eight conditions of POPIA.

7. Sharing Your Information

We do not sell your personal information. We may share it in the following ways:

Stripe (Payment Processing)

We share billing information with Stripe to process payments. Stripe is PCI-DSS compliant. stripe.com/privacy

Google Analytics

We use Google Analytics to understand how users interact with the Platform. Google may process usage data on our behalf. policies.google.com/privacy

Meta (Where Connected)

Where you connect your Meta advertising account, data flows between the Platform and Meta on your behalf. facebook.com/policy

AI Infrastructure providers

Our Platform uses the following third-party AI models and infrastructure to generate outputs: OpenAI (openai.com/privacy); Anthropic (anthropic.com/privacy); and Google Gemini (policies.google.com/privacy). These providers process prompts and inputs submitted to the Platform in order to generate outputs.

Email Service

We use Everlytic to send transactional and marketing emails. Everlytic is a South African email and messaging platform. everlytic.com/privacy

Cloud Hosting

The Platform is hosted on Google Cloud infrastructure located in Johannesburg, South Africa (africa-south1 region). policies.google.com/privacy

Legal disclosures

We may disclose personal information where required by law, court order or valid legal request from a government or regulatory authority.

Business transfers

If Chillhi is involved in a merger, acquisition or sale of assets, your personal information may be transferred as part of that transaction. We will notify you before such a transfer takes effect.

With your consent

We may share your information with other third parties where you have given explicit consent.

8. Data Retention

We retain personal information only for as long as necessary for the purposes described in this Policy or as required by law.

Account data

retained for the duration of your subscription and deleted or anonymized within 3 months of account closure.

Billing records

retained for 7 years as required by US federal and state tax law, regardless of account closure.

Content and AI-generated outputs

retained while your account is active and deleted within 3 months of account closure unless exported by you first.

Support communications

retained for 2 years after resolution.

Log and usage data

retained for 12 months then anonymized or deleted.

Marketing consent records

retained for the duration of our relationship and for a reasonable period thereafter to demonstrate compliance.

9. International Data Transfers

Chillhi is based in the United States. We serve users worldwide and may transfer personal information to service providers and infrastructure located in other countries including within the EU, UK, South Africa and other jurisdictions.

Where we transfer personal information outside of the country where it was collected we ensure appropriate safeguards are in place including:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA
• UK International Data Transfer Agreements (IDTAs) for transfers from the UK
• Compliance with POPIA requirements for transfers from South Africa
• Other legally recognized transfer mechanisms as required by applicable law

10. Cookies and Tracking Technologies

A cookie is a small text file a website asks your browser to store and send back on later visits. We use cookies and similar technologies to operate the Platform and, with your consent, to understand how it is used. We use the following categories:

Essential cookies

Required for the Platform to function (session authentication, security, load balancing). Cannot be disabled. Includes the chillhi_consent cookie we use to remember your cookie preference for 180 days so we do not have to ask you again on every visit.

Analytics cookies

We use Google Analytics 4 (GA4), provided by Google LLC, to measure aggregated usage of the Platform (page views, traffic sources, broad geography from IP). IP addresses are anonymized before storage. GA4 is loaded with Google Consent Mode v2 and only sets identifying cookies after you click "Accept all" in our cookie banner. Until then, no analytics cookies are written.

The specific cookies set by Google Analytics 4 once enabled are:

• _ga — anonymous visitor identifier (expires after 2 years)
• _ga_G-9TL35EW3JD — GA4 session state for our property (expires after 2 years)

You can read more about how Google handles this data in the Google Privacy Policy and the Google Analytics data practices summary.

Preference cookies

Remember your settings and preferences (language, display options).

Marketing and advertising cookies

We do not currently use marketing or advertising cookies (such as Meta Pixel or Google Ads remarketing tags). If we add them in future, this section and the cookie banner will be updated so that they remain off by default and only run after you opt in.

You can manage your choice at any time using the "Manage cookies" link in the footer, which re-opens the consent banner. You can also clear cookies through your browser settings. Disabling certain cookies may affect your ability to use some Platform features.

11. Marketing Communications

With your consent we may send you marketing emails including product updates, feature announcements, tips and promotional offers. We use a third-party email service provider to deliver these communications.

You can opt out of marketing emails at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your preferences in your Account settings
• Contacting us at admin@chillhi.com

Opting out of marketing emails does not affect transactional emails related to your account such as billing receipts, password resets or service notifications.

Where required by applicable law (including CAN-SPAM, GDPR and POPIA) we will only send marketing communications with your prior consent and will honor opt-out requests promptly.

12. Your Rights

Depending on your location you may have the following rights regarding your personal information:

Right of access

Request a copy of the personal information we hold about you.

Right to rectification

Request correction of inaccurate or incomplete information.

Right to erasure

Request deletion of your personal information, subject to legal retention obligations.

Right to restrict processing

Request that we limit how we process your information in certain circumstances.

Right to data portability

Request your data in a structured machine-readable format.

Right to object

Object to processing based on legitimate interests or for direct marketing.

Right to withdraw consent

Withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.

Right to non-discrimination (California)

We will not discriminate against you for exercising your CCPA rights.

Right to lodge a complaint

Lodge a complaint with your local data protection authority (e.g. relevant EU supervisory authority, UK ICO, South African Information Regulator at inforeg@justice.gov.za).

To exercise any of these rights please contact us at admin@chillhi.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights.

In the past 12 months we have collected the following categories of personal information: identifiers (name, email, IP address); commercial information (subscription and billing data); internet and network activity (usage data, log data); and inferences drawn from usage data to improve the Platform.

We do not sell or share personal information for cross-context behavioral advertising as defined under CCPA/CPRA. We do not use sensitive personal information beyond what is necessary to provide the Platform.

To submit a verifiable consumer request to know, delete or correct your personal information please contact admin@chillhi.com. We will not discriminate against you for exercising your rights.

14. Children's Privacy

The Platform is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. By using the Platform you represent that you are at least 18 years old.

If we become aware that we have collected personal information from a person under 18 we will take steps to delete it promptly. If you believe we have inadvertently collected such information please contact us at admin@chillhi.com.

15. Agency Client Data

Our customers are typically marketing agencies who use the Platform to create content for their own clients. In this context:

• The agency is the data controller for any personal information belonging to their clients that they upload or process through the Platform
• Chillhi acts as a data processor in relation to such data
• Agencies are responsible for ensuring they have the necessary rights and consents to upload client data into the Platform
• We will process such data only in accordance with our agreement with the agency and this Privacy Policy
• A Data Processing Agreement (DPA) is available upon request for agencies who require it for GDPR or POPIA compliance

16. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration or destruction. These include:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls and role-based permissions
• Regular security assessments
• Incident response and breach notification procedures
• Employee training on data protection obligations

In the event of a personal data breach likely to result in harm to you we will notify you and the relevant regulatory authority as required by law. For GDPR this is within 72 hours of becoming aware of the breach. For POPIA this is as soon as reasonably possible.

17. Third-Party Links

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will:

• Update the "Last Updated" date at the top of this Policy
• Notify you by email or via an in-Platform notification
• Where required by law seek your fresh consent before changes take effect

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Policy.

19. Contact Us

If you have questions, concerns or requests relating to this Privacy Policy please contact:

• Chillhi, Inc.
• 131 Continental Drive, Suite 305, Newark, DE 19713, United States
• admin@chillhi.com
• www.chillhi.com

For EU/EEA residents: if you are not satisfied with our response you may lodge a complaint with your local supervisory authority.

For South African residents: you may lodge a complaint with the Information Regulator at inforeg@justice.gov.za or 010 023 5200.

For California residents: you may contact the California Privacy Protection Agency at cppa.ca.gov.