
Privacy Policy

Last updated: April 13, 2026

This Privacy Policy describes how Hush ("Company," "we," "us," or "our") collects, uses, shares, and protects information about you when you use our Platform (website, mobile web app, and related services).

We take your privacy seriously. This policy explains your rights and choices with respect to your personal information. By using the Platform, you agree to the collection and use of information as described in this Privacy Policy.

This policy applies to all users: customers, therapists, and business partners. Different sections may apply to different user types — relevant sections are marked accordingly.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, phone number (including WhatsApp number), and any profile information you provide. For Google OAuth sign-in, we receive your name, email, and profile photo from Google.

1.2 Identity Documents (KTP) — Therapists Only

As part of therapist verification, we require you to upload a photo of your Indonesian National Identity Card (KTP — Kartu Tanda Penduduk). This document contains your legal name, date of birth, address, and national ID number.

🔒 How we protect your KTP:

  • Stored in a private, encrypted storage bucket (not publicly accessible)
  • Access restricted to authorized admin personnel only
  • Never shared with customers, other therapists, or third parties
  • Used solely for identity verification and age confirmation
  • Row-level security policies prevent any unauthorized access

1.3 Location Data & GPS Tracking

We collect location data in several contexts:

  • Customer location (outcall bookings): Your villa/hotel address is collected to route your therapist. It is shared with your assigned therapist only and only for the duration of the booking.
  • Therapist GPS tracking (real-time): When a therapist taps "On My Way," their device's GPS location is tracked every 30 seconds via the browser Geolocation API. This live location is shared with the customer to show estimated arrival time. Location updates are stored in our database for operational purposes including GPS anomaly detection (e.g., detecting if a therapist is stalled or has lost signal).
  • Base location (therapists): Therapists provide a base location used for distance calculations and to appear in area-based searches. This is the approximate neighborhood, not an exact home address.

GPS tracking only occurs during active bookings when the therapist is en route. Tracking stops once the therapist marks "Arrived." Old location updates are purged from our systems on a regular schedule.

1.4 Payment Information

We do not store your full card number, CVV, or bank details on our servers. All payment data is handled directly by Stripe, our PCI DSS Level 1 certified payment processor. We store only:

  • Stripe Payment Intent IDs and Customer IDs (for reference)
  • Transaction amounts in IDR and USD
  • Booking payment status

For therapists, we collect bank account details (bank name, account number, and account holder name) solely for processing payouts via Wise. This information is stored securely and used only for payout processing.

1.5 Booking & Session Data

We collect booking details including service type, duration, location (for outcall), scheduled time, any special requests, session notes, and session completion status. This data is necessary to fulfill the service and resolve any disputes.

1.6 Reviews & Feedback

When you submit a review, we collect your rating, written comment, and booking reference. Reviews are publicly displayed on therapist profiles. If you submit a review as a guest, your name (as provided during booking) will appear on the review.

1.7 Usage & Analytics Data

We collect anonymized analytics events to understand how the Platform is used, improve our service, and troubleshoot issues. This includes pages visited, features used, session duration, device type, and general location (country/city level, not precise GPS). This data is aggregated and not linked to your personal identity.

2. How We Use Your Information

We use your information for the following purposes:

  • To provide the Platform services: Processing bookings, connecting customers with therapists, facilitating payments, and managing the full booking lifecycle.
  • Identity verification: Verifying therapist identity and age using KTP documents to ensure a safe marketplace.
  • Real-time GPS tracking: Providing live location updates to customers during active bookings so they can track their therapist's arrival.
  • Safety and security: GPS anomaly detection, dispute resolution, fraud prevention, and account security.
  • Payments and payouts: Processing customer payments via Stripe and therapist payouts via Wise.
  • Communications: Sending booking confirmations, status updates, review requests, payout notifications, and support messages via WhatsApp (Twilio) and email (Resend).
  • Improving the Platform: Analyzing usage patterns to improve features, fix bugs, and optimize performance.
  • Legal compliance: Complying with applicable laws, regulations, and lawful requests from authorities.

3. Third-Party Service Providers

We work with the following third-party service providers to operate the Platform. Each provider processes your data as described:

  • Stripe (Payment Processing)
    Data shared: Payment card details, billing information, transaction history.
    Purpose: Processing customer payments and managing payment intents.
  • Wise (Payout Processing)
    Data shared: Therapist bank account details, payout amounts, transfer records.
    Purpose: Processing nightly IDR payouts to therapist Indonesian bank accounts.
  • Google Maps (Location Services)
    Data shared: Customer location addresses (for ETA/routing), therapist GPS coordinates during active bookings.
    Purpose: Calculating transport fees, displaying live GPS tracking maps, and estimating arrival times.
  • Twilio (WhatsApp & SMS Communications)
    Data shared: Phone numbers (WhatsApp), message content for booking notifications.
    Purpose: Sending booking confirmations, job alerts to therapists, review requests, payout notifications, and AI concierge conversations.
  • Supabase (Database & Authentication)
    Data shared: All platform data including user accounts, bookings, reviews, and location updates.
    Purpose: Storing and managing all platform data with Row Level Security (RLS) policies.
  • Anthropic (Claude) (AI Features)
    Data shared: Text content you submit for AI processing (bio generation, support queries, WhatsApp messages for concierge).
    Purpose: Powering the AI bio generator, customer support chatbot, WhatsApp AI concierge, and content moderation.
  • Resend (Email Delivery)
    Data shared: Email address, email content.
    Purpose: Sending transactional emails including booking confirmations and review requests.
  • Sentry (Error Monitoring)
    Data shared: Anonymized error reports, device/browser information.
    Purpose: Detecting and diagnosing technical errors to improve Platform reliability.
  • Vercel (Hosting & Deployment)
    Data shared: Server access logs, IP addresses.
    Purpose: Hosting the Platform and delivering content to users globally.

We do not sell your personal information to third parties. We do not use your data for advertising purposes or share it with data brokers.

4. Data Retention

We retain different types of data for different periods:

Data Type | Retention Period
GPS location updates | Purged daily (raw updates older than 30 days)
Account information | For the lifetime of your account + 2 years after deletion
Booking records | 7 years (financial records requirement)
Payment transaction data | 7 years (financial compliance)
KTP identity documents | For the lifetime of the therapist account + 1 year
Reviews | Indefinitely (unless removed per our content policy)
Analytics events | 2 years
Support tickets | 3 years after resolution

5. Your Rights & Choices

Depending on your location, you may have the following rights with respect to your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate personal data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements (e.g., financial records).
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to certain processing activities.
  • Withdraw consent: Where processing is based on consent (e.g., GPS tracking), you can withdraw consent. Note that withdrawing GPS tracking consent will prevent you from using active booking features.

To exercise any of these rights, contact us via WhatsApp support or email privacy@hushbali.com. We will respond within 30 days. We may need to verify your identity before processing certain requests.

6. Security

We implement technical and organizational measures to protect your personal data:

  • Row Level Security (RLS) on all database tables — data accessible only to authorized users
  • KTP documents stored in private, encrypted storage — admin access only
  • All data transmitted over HTTPS/TLS
  • Payment data handled exclusively by Stripe (PCI DSS Level 1 certified)
  • API keys and credentials stored as environment variables, never in code
  • Rate limiting on sensitive endpoints
  • Regular security monitoring via Sentry error tracking

No system is completely secure. In the event of a data breach affecting your personal data, we will notify you in accordance with applicable law.

7. Children's Privacy

The Platform is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately.

8. International Data Transfers

Hush is a US-based company serving users in Indonesia. Your data may be transferred to and processed in the United States and other countries where our service providers operate (including Stripe, Supabase, Vercel, and others listed above). By using the Platform, you consent to these international transfers.

We ensure that transfers are subject to appropriate safeguards, including standard contractual clauses or the data protection frameworks of our service providers.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or in-app notification and update the "Last updated" date at the top. Your continued use of the Platform after changes constitutes your acceptance of the updated policy.

10. Contact Us

For privacy questions, requests to exercise your rights, or to report a privacy concern:

  • Email: privacy@hushbali.com
  • WhatsApp: Available via the Support link in your account

We take all privacy inquiries seriously and aim to respond within 5 business days.
