HAMO Privacy Policy
Last updated: April 29, 2026
1. Who We Are and Scope
Hamo AI Technology Ltd. (“Hamo AI”, “we”, “us”, “our”) operates an AI-mediated mental wellness platform (the “Service”). This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and the rights you have under applicable privacy law.
This Policy forms part of our Terms of Service and is incorporated by reference. Capitalized terms not defined here have the meaning given in the Terms.
This Policy is governed by Canadian privacy law, including:
- the federal Personal Information Protection and Electronic Documents Act (PIPEDA);
- Ontario’s Personal Health Information Protection Act, 2004 (PHIPA); and
- other applicable provincial health-privacy statutes.
You own your conversation data. Hamo AI Technology Ltd. acts as a data processor, not an owner, of the personal information you provide.
2. Information We Collect
2.1 Account Information
- Email address
- Display name
- Date of birth (used solely for age verification)
- Country / region (for crisis-hotline localization and applicable law)
- Language preference
2.2 Health-Adjacent Information
- Your conversations with Avatars (AI therapists)
- Calibration assessment responses
- Mood and progress logs you create
- Personality and Stress Vector State (PSVS) scores derived from your activity
2.3 Authentication and Security
- Multi-factor authentication codes (transient; expire within minutes)
- Session tokens
- Login timestamps and source IP address
2.4 Billing
- Payment-method tokens issued by our payment processor. We do not store full card numbers.
2.5 Service Telemetry
- Browser type, operating system, application version
- Coarse usage patterns (page views, feature interactions)
2.6 What We Do Not Collect
We do not collect MAC addresses, Wi-Fi SSID/BSSID, GPS location, contacts, microphone, or camera data.
3. How We Use Information
We use your information to:
- provide and operate the Service, including AI-mediated conversations, calibration, and progress tracking;
- detect and respond to mental-health crises (see §4);
- match you with — and route alerts to — your assigned licensed therapist;
- process subscription payments and prevent fraud;
- authenticate you and protect your account;
- improve the Service through aggregated, de-identified analysis;
- comply with legal, tax, and regulatory obligations.
3.1 AI Processing
Conversational responses are generated using large language models from the Google Gemini family. We apply post-generation safety filtering and a Chain-of-Verification check to reduce unsupported claims. AI output may still be incomplete or inappropriate; you should not rely on it as the sole basis for any clinical, medical, legal, financial, or life decision (see Terms §5).
We do not use your conversation content to train third-party foundation models, and we do not sell your data to advertisers.
4. Crisis Disclosures
Hamo AI implements a documented Crisis Escalation Protocol (full text at hamo.ai/crisis-protocol).
When the platform detects acute self-harm signals — through keyword pre-screening or a zero-temperature Gemini classifier — the following happens:
- The next AI response is replaced with a fixed, language-localized safety message (not LLM-generated).
- A region-specific crisis hotline banner appears in the chat (e.g., 988 in Canada/U.S.; 120 / 010-82951332 in mainland China).
- The licensed therapist assigned to your account receives a secure email and dashboard notification containing your name, the crisis type, an anonymized excerpt, and a timestamp.
- An immutable audit record is created. After your account is deleted, the record is anonymized (your name is replaced with an opaque hash) and retained for the regulatory period required in your jurisdiction.
4.1 Institutional Sponsorship (Tier-2)
If your account is sponsored by an institutional partner (e.g., your employer’s EAP), the partner may receive a notification — but only if you have explicitly opted in, and the notification will contain only the event type and a timestamp, never conversation content. You may revoke this consent at any time at Settings → Privacy. (This Tier-2 capability is committed for delivery in Q2 2026; see the published Crisis Protocol §5 for details.)
4.2 Limits of the Crisis Mechanism
Hamo AI is not an emergency service and cannot place calls on your behalf. In an immediate emergency, dial 911 (Canada/U.S.) or 120 (mainland China).
5. Sharing and Sub-processors
We share your personal information only with:
- your assigned therapist, in their clinical role;
- sub-processors that operate the Service on our behalf, under written data-processing agreements;
- institutional partners, only if you have opted in and only as described in §4.1;
- law enforcement or regulators, when legally required and only to the minimum extent necessary.
5.1 Current Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Google LLC | Gemini conversational AI processing | United States |
| Amazon Web Services | Hosting, database (DynamoDB), encryption (KMS), email delivery (SES) | Canada (ca-central-1) and United States |
| Stripe Inc. | Payment processing | Canada / United States |
We do not sell, rent, or trade your personal information.
6. Cross-Border Data Transfers
Some of our sub-processors process personal information outside Canada, primarily in the United States. We rely on Standard Contractual Clauses and equivalent safeguards required by PIPEDA’s accountability principle. Where feasible, mental- health data for Canadian users is stored in Canadian AWS regions.
7. Your Privacy Rights
Under PIPEDA, PHIPA, and applicable provincial law, you have the following rights:
| Right | What it means | When we respond |
|---|---|---|
| Access | Request a copy of the personal information we hold about you | Within 30 days, free of charge |
| Correct | Request corrections to inaccurate or incomplete information | Promptly, with confirmation |
| Delete | Request deletion of your account and associated data | Within 7 business days for active deletion; up to 90 days for irrevocable deletion of replicated backups |
| Export | Receive a machine-readable export of your conversation history | Within 14 days |
| Withdraw consent | Stop further processing for analytics, marketing, or institutional notification | Effective immediately for future events |
Submit requests to privacy@hamo.ai. We will not retaliate against you for exercising any right under this Policy.
7.1 Complaint Channels
If you are not satisfied with our response, you may lodge a complaint with:
- the Office of the Privacy Commissioner of Canada — priv.gc.ca
- the Information and Privacy Commissioner of Ontario — ipc.on.ca
- the equivalent privacy regulator in your province or country of residence.
8. Data Retention
| Data type | Retention period |
|---|---|
| Account profile | While account is active |
| Conversation history | While account is active; deleted within 90 days of account deletion |
| Calibration and PSVS data | While account is active; deleted within 90 days of account deletion |
| Crisis-event metadata | Anonymized at account deletion; retained for the period required by applicable law (typically 7 years) |
| Audit logs (MFA verification, access, mutation events) | 7 years |
| Billing records | 7 years (Canadian tax law) |
9. Security
- Data is encrypted in transit using TLS 1.2 or higher.
- Data is encrypted at rest using AWS KMS Customer-Managed Keys (CMKs), with annual key rotation.
- We enforce email-based multi-factor authentication on all logins (PHIPA 6.1.4 compliant).
- Access is enforced by JWT role checks: only the therapist assigned to a client can view that client’s conversations and crisis alerts.
- We maintain a documented PHIPA self-assessment and conduct regular security reviews.
- No security control is perfect. Help us by keeping your password and email account secure.
10. Children and Minors
You must be at least 16 years of age to use the Service in Canada or the United States, or 18 years of age in jurisdictions where the contractual age of majority is higher. Users under 18 should use the Service only with the involvement of a parent or guardian.
We do not knowingly collect personal information from individuals under 16. If we become aware that we have collected such information, we will delete it without undue delay. If you believe a minor has registered, please contact privacy@hamo.ai.
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified by email and via in-app banner at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
12. How to Contact Us
Hamo AI Technology Ltd.
108 College St, Schwartz Reisman Campus, SUITE W640
Toronto ON M5G 0C6
Canada
- General: support@hamo.ai
- Privacy requests: privacy@hamo.ai
- Security: security@hamo.ai
- Legal: legal@hamo.ai
13. Governing Law
This Policy is governed by the laws of the Province of Ontario, Canada, and the federal laws of Canada that apply. Disputes follow the process described in our Terms of Service §13.
Copyright© 2026 Hamo AI Technology Ltd. · Incorporated in Ontario, Canada.