Privacy Policy

Last updated: 16 October 2025

1. Overview

This Privacy Policy explains how Zoo Holdings Ltd ("we", "us", or "our") collects, uses, and protects personal information when you use Haystack (the "Service") at https://hstck.link. By using the Service, you agree to the practices described in this policy.

2. Information We Collect

We collect the following categories of information:

  • Account Information: When you sign up or sign in, we receive your email address and password (or OAuth identity from a provider such as Google). Authentication is provided by our infrastructure partner Supabase. We do not store your raw password; Supabase manages credentials and session tokens on our behalf.
  • Profile Information: Optional details like your full name, avatar image, and a generated share code. Avatar images you upload are stored in a public storage bucket so they can be displayed in the app; this means the image URL may be accessible to anyone who has the link.
  • Quiz Responses and Derived Results: Your answers to quiz questions and the resulting personality metrics we compute (e.g., Big Five traits, Love Languages, Attachment indicators, and Haystack archetypes), plus composite indices derived from your responses.
  • Connections Data: If you connect with another user (e.g., via share code), we generate and store compatibility scores and connection visibility preferences for that pair.
  • Usage and Technical Information: As you use the Service, our systems and hosting provider may collect basic technical details such as IP address, device/browser information, and server logs necessary to operate the Service securely and reliably.

3. How We Use Information

We use your information to:

  • Provide, maintain, and improve the Service and its features;
  • Authenticate you and manage sessions;
  • Compute and display your personality profile and compatibility insights;
  • Facilitate connections you choose to make with other users;
  • Communicate with you about updates, security, or support;
  • Protect against fraud, abuse, and misuse of the Service;
  • Comply with legal obligations.

4. Legal Bases (EEA/UK)

Where applicable, we process personal data under these legal bases:

  • Performance of a contract: To provide the Service you request;
  • Consent: For optional features (e.g., uploading an avatar) where required;
  • Legitimate interests: To operate, secure, and improve the Service;
  • Legal obligations: To comply with applicable laws and regulations.

5. Sharing and Disclosure

We do not sell your personal information. We may share information with:

  • Service Providers: We use Supabase for authentication, database, and storage services, and may use OAuth providers (e.g., Google) for sign-in. These providers process data under our instructions and agreements.
  • Other Users You Connect With: If you choose to connect using a share code, limited profile information and compatibility insights may be shared between connected users. You can control whether your connection is anonymous in certain contexts.
  • Legal and Safety: We may disclose information if required by law or to protect the rights, safety, and security of users, the public, or the Service.

Note: Avatar images are stored in a public bucket so that they can be displayed in the app. Public storage means anyone with the direct URL could access the image. You can remove or replace your avatar at any time.

6. Data Storage and Security

We host our application and data using Supabase. We implement reasonable technical and organizational measures designed to protect your information. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

7. International Transfers

Your information may be processed and stored in regions where our infrastructure providers operate. If data is transferred outside of your jurisdiction, we rely on appropriate safeguards as required by law.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. You may request deletion of your account and associated data as described below.

9. Your Rights

Depending on your location, you may have rights to access, correct, delete, or export your data, as well as to object to or restrict certain processing. To exercise these rights, contact us at luke@zoo.studio. We may need to verify your identity before responding to your request.

10. Cookies and Similar Technologies

We use essential cookies set by Supabase to manage authentication sessions and keep you signed in. At this time, we do not use analytics or advertising cookies within the Service. If this changes, we will update this policy and, where required, request your consent.

11. Children's Privacy

The Service is intended for adults (18+) and is not directed to children. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us so we can take appropriate action.

12. Automated Decision-Making and Profiling

We compute personality and compatibility insights from your quiz responses. These insights are intended for guidance and reflection only and do not produce legal or similarly significant effects.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by law. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

Zoo Holdings Ltd
71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
luke@zoo.studio