1. Introduction
Hasta Haus ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, disclose, and protect personal information when you use the Hasta Haus platform ("Platform") accessible at hastahaus.com and hastahouse.com.
This Policy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the laws of British Columbia, Canada. If you are located outside Canada, additional laws may apply and are addressed in Section 15.
By using the Platform you consent to the collection and use of your personal information as described in this Policy. If you do not agree, do not use the Platform.
2. Who we are
Hasta Haus is an online beat auction platform operated from British Columbia, Canada. For the purposes of applicable privacy law, Hasta Haus is the data controller responsible for the personal information collected through the Platform.
For all privacy-related inquiries, contact our Privacy Officer at privacy@hastahaus.com.
3. Privacy by design
Hasta Haus is built with privacy as a foundational principle rather than an afterthought. This means:
- We collect only the minimum personal information necessary to operate the Platform
- Payment card data is never transmitted to or stored on our servers — it goes directly to Stripe
- Passwords are never stored in plain text — only hashed using industry-standard algorithms
- Access to personal data is restricted to authorized personnel on a need-to-know basis
- Privacy impact is assessed before introducing new features that involve personal data
- Data Processing Agreements are in place with all third-party service providers who process personal data on our behalf, including Stripe, Supabase, and Netlify
4. Information we collect
We collect the following categories of personal information:
Account information
- Username, email address, and password (stored in hashed form — never plain text)
- Account type (buyer or producer)
- Date of account creation
- Profile information you choose to provide
Identity verification information (producers only)
- Legal name, date of birth, and address collected by Stripe Connect for KYC and AML compliance
- Government-issued identification documents processed directly by Stripe — we do not receive or store copies of these documents
- Tax identification numbers where required by Canadian law
- Stripe's identity verification process may involve document scanning and facial comparison technology. By completing identity verification you consent to this processing by Stripe under their Privacy Policy.
Payment information
- Payment card details are collected and stored exclusively by Stripe — we never see, receive, or store your card number, CVV, expiry date, or full card details
- Billing address associated with your payment method
- Transaction history including bid amounts, auction outcomes, deposit holds, and payout records
Auction and transaction data
- Bids placed, auctions won, and auctions listed
- Beat files uploaded by producers
- Auction metadata including timestamps, bid history, and outcomes
Technical and usage data
- IP address and approximate geographic location derived from IP
- Browser type, version, and operating system
- Device identifiers
- Pages visited, time spent, and interactions with the Platform
- Referring URLs
- Error logs and diagnostic data
Sensitive personal information
We do not intentionally collect sensitive categories of personal information such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation. However, government-issued identification documents submitted through Stripe's KYC process may incidentally contain sensitive information. Such documents are processed solely by Stripe and are not accessed by Hasta Haus. You should be aware that submitting identity documents to any platform carries inherent privacy considerations.
Communications
- Emails or messages you send to us including support requests and legal notices
- Your marketing communication preferences and consent records
5. How we collect information
We collect personal information through the following means:
- Directly from you when you register, update your account, place bids, list beats, or contact us
- Automatically through cookies, server logs, and similar tracking technologies when you use the Platform
- From Stripe when payment processing events occur such as successful charges, refunds, deposit holds, or identity verification outcomes
- From third-party authentication providers if you use social login features introduced in the future
6. Cookies and tracking technologies
We use cookies and similar technologies to operate and improve the Platform. Cookies are small text files stored on your device. We use the following types:
- Essential cookies — required for the Platform to function, including session authentication and security. These cannot be disabled as they are necessary for the Platform to operate.
- Functional cookies — remember your preferences such as display settings and session state
- Analytics cookies — help us understand how the Platform is used so we can improve it. Data is aggregated and anonymized where possible.
- Security cookies — used to detect fraud, abuse, and unauthorized access attempts
Non-essential cookies are not set until you provide consent through our cookie consent mechanism. You may withdraw consent or manage cookie preferences at any time through your browser settings or our cookie preference center. Disabling certain cookies may affect Platform functionality.
We do not use advertising cookies or third-party behavioral tracking cookies. We do not sell data derived from cookies to any third party.
Do Not Track — some browsers transmit Do Not Track (DNT) signals. We currently honor DNT signals by disabling non-essential analytics tracking for users who have DNT enabled. We do not represent that all third-party service providers honor DNT signals.
7. How we use your information
We use your personal information for the following purposes:
Platform operations
- Creating and managing your account
- Processing bids, payments, and payouts
- Facilitating auction listings and beat delivery
- Providing customer support
- Enforcing our Terms of Service
Fraud prevention and security
- Detecting and preventing fraudulent bids, payments, and account activity
- Fraud risk scoring on transactions using automated signals including IP address, device fingerprint, and bid behavior patterns. Where fraud scoring produces a flag, a human review is conducted before any action is taken against an account.
- Monitoring for money laundering indicators as required under the PCMLTFA
- Investigating reports of prohibited conduct
Legal and compliance
- Verifying user identity and age eligibility
- Complying with PIPEDA, PCMLTFA, FINTRAC, CASL, and other applicable laws
- Retaining transaction records for tax and regulatory purposes
- Responding to lawful requests from government authorities
Platform improvement
- Analyzing usage patterns to improve features and user experience
- Diagnosing technical issues and improving Platform stability
- Conducting internal research and analytics using aggregated, anonymized data
Communications
- Sending transactional emails including auction updates, payment confirmations, and payout notifications
- Sending marketing communications where you have provided express consent
- Notifying you of changes to our Terms or Privacy Policy
We do not sell your personal information to third parties under any circumstances. No personal information is used for advertising purposes or shared with advertisers.
8. Legal basis for processing
We process your personal information on the following legal bases:
- Contractual necessity — processing required to fulfill our obligations to you under our Terms of Service, including account management, auction facilitation, and payment processing
- Legal obligation — processing required to comply with applicable laws including PIPEDA, PCMLTFA, tax laws, and FINTRAC regulations
- Legitimate interests — processing necessary for fraud prevention, Platform security, and service improvement, where these interests are not overridden by your privacy rights
- Consent — processing for marketing communications and non-essential cookies, where you have provided express opt-in consent and may withdraw at any time without affecting other processing
9. How we share your information
We share personal information only in the following circumstances:
Service providers under Data Processing Agreements
- Stripe — payment processing, identity verification, and producer payouts. Data processed by Stripe is subject to Stripe's Privacy Policy. Stripe's servers are located in the United States.
- Supabase — database hosting and user authentication. Supabase operates on Amazon Web Services infrastructure. Data may be stored in US-East (Northern Virginia) or other AWS regions. Supabase complies with SOC 2 Type 2 standards.
- Netlify — Platform hosting and content delivery. Netlify operates globally distributed servers.
- All service providers are bound by Data Processing Agreements that restrict their use of personal data to the purposes for which it was shared.
Between users
- Usernames and bid amounts are visible to other users in auction bid histories
- Producer display names and beat metadata are publicly visible
- Your legal name, email address, and payment details are never shared with other users
Legal requirements
- We may disclose personal information to law enforcement, regulators, or government authorities when required by law or valid legal process
- We may disclose information to FINTRAC as required under the PCMLTFA
- We publish an annual transparency report summarizing the number and nature of government data requests received. This report does not include information that would compromise active investigations.
Business transfers
- In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity. We will notify registered users by email at least 30 days before such a transfer and provide an opportunity to delete your account prior to the transfer.
We never sell, rent, or trade personal information to any third party for their marketing or commercial purposes.
10. Data storage, security, and breach notification
Personal information is stored on Supabase's encrypted servers operating on AWS infrastructure. We implement the following security measures:
- Encryption of all data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest using AES-256 or equivalent
- Password hashing using bcrypt or equivalent — passwords are never stored in plain text
- Role-based access controls limiting data access to authorized personnel only
- Regular security reviews and vulnerability assessments
- Stripe's PCI DSS Level 1 compliance for all payment data
- Multi-factor authentication required for administrative access
No security system is impenetrable. While we implement reasonable safeguards, we cannot guarantee absolute security against all threats.
In the event of a data breach that poses a real risk of significant harm to users, we will notify affected users and report to the Office of the Privacy Commissioner of Canada within 72 hours of becoming aware of the breach, as required by PIPEDA's mandatory breach reporting requirements. Notifications will describe the nature of the breach, the information affected, steps taken to address it, and recommended actions for affected users.
11. Data retention and account inactivity
We retain personal information for the following periods:
- Active account data — retained for the duration of your account
- Deleted account data — deleted within 30 days of account deletion, subject to legal hold exceptions below
- Transaction and payment records — retained for a minimum of 7 years following the transaction date for tax, legal, and regulatory compliance, regardless of account status
- Beat files — retained for the duration of an active listing plus 90 days following auction close, then permanently deleted unless subject to a legal hold or active dispute
- Communications and support records — retained for 3 years from the date of the communication
- Technical and usage logs — retained for 12 months then deleted or anonymized
- Identity verification records — retained as required by Stripe Connect and applicable KYC and AML regulations, typically 5-7 years
- Consent records — retained for the duration of the consent plus 3 years as evidence of compliance
Account inactivity — accounts with no login activity for 24 consecutive months will be flagged as inactive. We will send an email notification to the registered address giving 30 days' notice before any action is taken. If no response is received, the account may be suspended and personal data not subject to legal retention requirements will be deleted. Transaction records will be retained as required by law.
When retention periods expire, data is securely deleted or anonymized in a manner that makes re-identification impossible.
12. Your rights
Under PIPEDA and applicable Canadian privacy law, you have the following rights:
- Right to access — request a copy of the personal information we hold about you, including the purposes for which it is used and the third parties it has been shared with
- Right to correction — request correction of inaccurate or incomplete personal information
- Right to withdrawal of consent — withdraw consent to processing where consent is the legal basis, including marketing communications and non-essential cookies, without affecting the lawfulness of prior processing
- Right to deletion — request deletion of your personal information, subject to legal retention obligations. We will inform you of any information we are unable to delete and the reason why.
- Right to complain — lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca
To exercise any of these rights, submit a written request to privacy@hastahaus.com. We will acknowledge your request within 5 business days and respond in full within 30 days. We may require identity verification before processing your request to protect against unauthorized access to your data.
Certain rights are subject to limitations. We cannot delete information we are legally required to retain, including transaction records required for tax and regulatory compliance. We will always inform you of any limitation and its legal basis.
13. Children's privacy
The Platform is strictly for users aged 18 and over. We do not knowingly collect personal information from minors. If we become aware that a minor has created an account, we will immediately suspend the account and delete all associated personal information that is not subject to legal retention requirements.
If you believe a minor has registered on the Platform, notify us immediately at privacy@hastahaus.com.
14. Marketing communications and CASL compliance
Hasta Haus complies with Canada's Anti-Spam Legislation (CASL). We send two categories of email:
Transactional emails — sent without requiring separate marketing consent, including auction updates, bid notifications, payment confirmations, payout notifications, account security alerts, and policy change notices. These are necessary for the operation of your account.
Marketing emails — sent only with your separate express opt-in consent. Each marketing email includes a clear and functional unsubscribe mechanism. You may withdraw consent at any time by clicking unsubscribe in any marketing email, emailing privacy@hastahaus.com, or updating your preferences in account settings. Withdrawal is processed within 10 business days.
We maintain records of all marketing consents including the date, method, and scope of consent given, retained for 3 years as required by CASL.
15. International users and cross-border data transfers
Hasta Haus is operated from British Columbia, Canada. Personal information collected through the Platform is stored and processed in Canada and the United States through our service providers.
Users in the United States — your information may be subject to access by US authorities under applicable US law when processed by US-based service providers including Stripe and Netlify. By using the Platform you acknowledge and consent to this possibility.
Users in the European Economic Area — if you are located in the EEA you may have additional rights under the General Data Protection Regulation (GDPR) including the right to data portability and the right to object to processing based on legitimate interests. Contact privacy@hastahaus.com to exercise GDPR rights. Cross-border transfers to Canada from the EEA are made under the European Commission's adequacy decision for Canada under PIPEDA.
Users in other jurisdictions — you are responsible for ensuring your use of the Platform complies with applicable local laws. Hasta Haus makes no representation that the Platform is appropriate or legally compliant for use in all jurisdictions.
All cross-border transfers of personal information are made with appropriate contractual safeguards in place with receiving parties.
16. Third-party links
The Platform may contain links to third-party websites or services. This Privacy Policy applies only to the Hasta Haus Platform. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies independently.
17. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email at least 14 days before taking effect. The date at the top of this Policy indicates when it was last updated. Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy.
18. Contact and complaints
For all privacy inquiries, access requests, correction requests, or complaints, contact our Privacy Officer:
privacy@hastahaus.com
If you are not satisfied with our response, you have the right to escalate to the Office of the Privacy Commissioner of Canada:
- Website: priv.gc.ca
- Phone: 1-800-282-1376
- Mail: 30 Victoria Street, Gatineau, Quebec K1A 1H3