What we collect
- Account details you provide: email, name, username, profile info, date of birth (to confirm 18+), and optionally phone.
- Community activity: Hottubs you join, Soaks you RSVP to and attend, in-room messages, prompts, Heat Checks, and safety reports you submit.
- Sensitive signals you choose to share (e.g., accessibility needs, support-adjacent context) — stored minimally and treated as private.
- Technical data needed to operate and secure the service (e.g., session and device/log data).
- VR Soak data: if you join an immersive (VR) Soak, your headset shares movement (head/hand pose) and spatial audio with the other people in that room so your avatar and voice work. This is processed live to run the room — we do not store your motion or spatial data, and we never collect your headset’s camera feed, room scan, or guardian/boundary geometry.
- Payments/payout data through processors: if you pay or earn, payment processors collect what is needed for billing, payouts, tax rules, fraud prevention, and compliance.
- Reports and moderation records: reports, review notes, enforcement actions, and safety-related records.
How we use it
- To run your communities and gatherings, and to reflect your own activity back to you.
- To keep Hottub safe — reviewing reports, enforcing our Guidelines, and operating Lifeguard/admin moderation.
- To process payments and payouts, and to comply with law.
- To improve warmth: suggesting prompts and rooms, and surfacing better-fit connections. We may learn from the text you write (the prompts and messages you choose to share) to improve the service and these suggestions — but never to rank, score, or profile people. We optimize for belonging outcomes, never for time-in-app.
What’s private by design
- Community Standing / trust signals are private — never shown publicly, never a public score or ranking.
- Sensitive contexts (recovery, accessible-family, care, faith, minors) default to private/approval-required and are kept out of public discovery.
- You control profile visibility (public / people you share a Hottub with / just you) and whether you appear as a “familiar face.”
- Familiar Faces / Embers / connection signals are private according to product rules.
- Exact real-time location is not shared except in limited, opt-in, expiring contexts if ever enabled.
What we do not do
- We do not sell your personal data or content, and we do not share it for cross-context behavioral advertising — not to advertisers, not to data brokers, not to anyone.
- We do not share your exact real-time location (area-level only, opt-in, expiring — if ever).
- We do not run a surveillance ad feed; sponsorships are native and reported in aggregate.
- We do not expose contact info in open rooms — emails/phone numbers shared in a room are redacted.
- We do not set analytics cookies, advertising cookies, or third-party tracking pixels on Hottub domains.
Patent-pending privacy architecture helps Hottub support sponsors and Cabanas without relying on individual behavioral ad profiles.
Hottub Auth (authenticator app)
Hottub Auth is our free authenticator app. Your two-factor (TOTP) codes are generated and stored on your device — in the Keychain on iOS or EncryptedSharedPreferences on Android — and are never synced via iCloud or your Google account. The authenticator works with no Hottub account at all.
- Sign-in approvals. If you connect your Hottub account in the app, we register a device notification token so we can send you “is this you?” prompts to approve or deny new sign-ins to your account. The prompt shows a short match code so you only approve the sign-in in front of you. Sign out of the app to revoke the token.
- Encrypted backup (optional). Your codes never leave the device by default. If you turn on encrypted cloud backup, the app encrypts a copy on your device with a passphrase only you know and uploads only that sealed copy — Hottub cannot read it, and only your passphrase can restore it on a new device. You can delete the backup at any time.
- Stored so it isn’t lost. We build for redundancy so an app crash, a device problem, or a failure on our side doesn’t cost you your codes. On your device, a failed save never overwrites your existing vault. If you turn on encrypted backup, the sealed copy is kept with version history (we retain your last several backups, so a bad or accidental overwrite can’t wipe your only copy), its integrity is checksum-verified every time you restore, and it’s held on Hottub’s servers with automated point-in-time backups. You can also export an encrypted file copy you keep yourself, and you can move to a new phone whenever you choose.
The one thing only you hold is your backup passphrase. Because the backup is zero-knowledge, Hottub cannot see, reset, or recover it — if you lose the passphrase, that cloud copy can’t be opened by anyone, including us (your on-device codes and any file export are unaffected). Please keep your passphrase somewhere safe and keep at least one active device or encrypted export.
Hottub Email
Hottub Email gives each verified member — and, if you set one up, your governed AI actor — a personal @hottub.surf email address, read and sent inside the Hottub Halo browser. Here is what we store and what happens to a message when it arrives:
- What we store. The messages you receive and send, their attachments, and message metadata (such as sender, recipient, subject, and timestamps). We also keep a copy of each inbound message exactly as it arrived — the raw archive — in a private storage bucket; the parsed message text and attachments are stored in Hottub’s database.
- Automated processing only. Incoming mail is scored for spam using heuristics — the message’s authentication results and message patterns — and likely spam is quarantined automatically. Attachments are extracted so you can open them. No AI reads your mail, and no human reads your mail. Your mail is never used for advertising, and — like everything else on Hottub — it is never sold.
- Blocks apply, silently. If a platform-level block exists between you and another member, email between your @hottub.surf addresses silently stops — the same way blocks work everywhere else on Hottub. You can also block specific senders or domains yourself.
- Retention & deletion. Your messages are kept until you delete them; trash and spam auto-delete after 30 days. Deleting your Hottub account deletes all of your messages and stored attachments, including the raw archive, and your @hottub.surf address is permanently retired — it is never reissued to anyone else.
Recordings of live Soaks
Standard Soaks are live Audio sessions; other participants hear you only if you unmute. Hottub does not currently offer live video in Soaks. If Hottub enables recording, live video, captions, or recaps for a future Soak, we indicate that before you join and handle the data like the rest of your community activity above: minimally, to operate and keep Hottub safe, never sold, and retained only as long as needed for that purpose and our legal and safety obligations. The same applies to immersive (VR) Soaks; a recording, if any, captures what’s shared in the room (voice and what your avatar does), not your headset’s sensors.
If you earn money on Hottub
If you earn through Hottub — for example as the Host of a paid Soak or the steward of a sponsored Hottub — our payment processor collects what’s needed to pay you and to meet tax rules (such as identity and tax details, and a US W-9 / 1099 where thresholds apply). We receive payout and transaction records, not your full financial-account details. See the Payments section of our Terms for how splits and payouts work.
Cookies & local storage
Hottub uses only strictly-necessary cookies — the ones the site can’t operate without. We don’t set analytics cookies, advertising cookies, or third-party tracking pixels, on any of our web surfaces (marketing, app, or admin). Because none of our cookies are non-essential, we don’t show a cookie consent banner; under GDPR / ePrivacy, strictly-necessary cookies are exempt from consent requirements. We still disclose every cookie below in full so you can verify what’s set.
Both cookies are first-party (set by Hottub itself, not a third party), SameSite=Lax, and Secure in production. They’re sent only to Hottub.
Third-party cookies
None on Hottub’s domains. Payments are handled by Stripe, which we invoke as a server-side redirect — your browser interacts with Stripe on stripe.com, and any cookies Stripe sets there are governed by Stripe’s own privacy policy. Hottub Audio and VR voice use WebRTC voice connections; where direct peer-to-peer connection is not possible, relay servers may carry encrypted media so the room still works. As with any WebRTC voice connection, peers exchange network connection details (including IP addresses) to reach each other, and we keep rooms small. No third-party tracking pixels.
Mobile apps (iOS & Android)
The native mobile apps don’t use cookies. Authentication tokens are kept in the OS’s secure storage — Keychain on iOS, EncryptedSharedPreferences on Android — and never synced via iCloud or Google account. We don’t bundle any analytics, crash-reporting, or advertising SDKs in the apps at launch.
Sharing & processors
We share data only with service providers needed to run Hottub, under contract, and when required by law or to protect people’s safety. Processor categories include: hosting/infrastructure, email delivery, payments/payouts when enabled, live voice transport when enabled, moderation/safety tooling where applicable, and legal/compliance where required. We do not sell your data.
Retention & your choices
We keep data while your account is active and as needed for safety and legal obligations. You can edit your profile, change visibility, block users, close your account, export a copy where available, request deletion, and unsubscribe from nonessential emails. To exercise these, contact [email protected].
- Account data is retained while your account is active.
- Safety/moderation records are retained as needed.
- Legal/tax records are retained as required.
- Backups may persist for a limited time.
- Deleted content may remain if needed for legal, safety, tax, audit, or fraud-prevention reasons.
Your privacy rights
Depending on where you live, you may have some or all of these rights over your personal data:
- Know & access — what we hold about you, and a copy of it.
- Correct — fix inaccurate data.
- Delete — ask us to erase your data, subject to legal and safety exceptions.
- Portability — receive a copy in a portable format.
- Opt out of sale or sharing — though there is nothing to opt out of: we do not sell or share your personal data for cross-context behavioral advertising.
- Limit use of sensitive information — we already minimize sensitive signals and keep them private by design.
- Object, restrict, or withdraw consent — where processing relies on your consent or our legitimate interests.
- Non-discrimination — we will never treat you worse for exercising any of these rights.
For users in the EEA and UK, our legal bases are: performing our contract with you (running the service), your consent (optional features), our legitimate interests (safety, security, and improving Hottub), and compliance with law. To exercise any right, email [email protected]. We may need to verify your identity; you may use an authorized agent; and we’ll respond within the time the law allows. If we decline a request, you may appeal by replying, and you may complain to your local data-protection authority (or, in California, the Attorney General). We honor browser Global Privacy Control (GPC) signals where required.
International data transfers
Hottub is operated from the United States. If you use it from elsewhere, your data is processed in the US and in other countries where our service providers operate, with appropriate safeguards (such as standard contractual clauses) where required.
Changes to this policy
We may update this policy; we’ll note the date above and, for material changes, give notice. Continued use after a change means you accept the updated policy.
Children
Hottub is for adults (18+). We do not knowingly collect data from minors, and there are no public child profiles, ever.
Contact
Privacy questions or requests? Contact [email protected].