Data Security & Information Storage Policy

Last updated: February 2026

ONLYHUGS HOLDING LLC (“OnlyHugs,” “we,” “us,” or “our”) is committed to protecting the personal data, communications, and all information entrusted to us by our users. This Data Security & Information Storage Policy describes the measures we take to safeguard user data, including personal information, chat messages, photos, and all other data collected through our platform.

1. Scope

This policy applies to all data collected, processed, stored, and transmitted by OnlyHugs, including but not limited to:

  • Personal information (name, email, phone number, date of birth).
  • Profile information (photos, bio, preferences, location).
  • Communication data (chat messages, media shared in chats).
  • Financial data (transaction records; we do not store full payment card numbers).
  • Usage data (IP addresses, device information, activity logs).
  • Cookies and tracking data.

2. Data Encryption

2.1. Encryption in Transit

All data transmitted between your device and OnlyHugs servers is encrypted using Transport Layer Security (TLS) 1.2 or higher. This ensures that your personal information, messages, photos, and other data cannot be intercepted or read by unauthorized parties during transmission.

2.2. Encryption at Rest

All sensitive data stored on our servers is encrypted at rest using industry-standard AES-256 encryption. This includes:

  • User profile information.
  • Chat messages and communication history.
  • Photos and media files.
  • Payment transaction records.
  • Authentication credentials (passwords are hashed using bcrypt with salting and are never stored in plaintext).

3. Chat and Communication Security

We understand that your conversations on OnlyHugs are private and personal. We take the following measures to protect your communications:

  • All chat messages are encrypted in transit and at rest.
  • Access to message data is strictly limited to authorized personnel who require access for legitimate purposes (e.g., responding to user reports, complying with legal obligations).
  • We do not sell, share, or provide access to user chat data to third parties for advertising, marketing, or any commercial purpose.
  • Chat data is retained only for as long as necessary to provide the Service, comply with legal obligations, and resolve disputes. Users may request deletion of their chat data.
  • Automated systems may scan messages for prohibited content (e.g., spam, scams, exploitation) to maintain platform safety, but human review occurs only when flagged by automated systems or user reports.

4. Photo and Media Security

  • All user-uploaded photos and media are stored on secure, encrypted servers.
  • Photos undergo moderation to ensure compliance with our Community Guidelines and Photo Upload Guidelines.
  • We use secure content delivery networks (CDNs) to serve photos, ensuring fast and protected delivery.
  • Deleted photos are permanently removed from our active systems within 30 days. Backup copies are purged according to our data retention schedule.

5. Infrastructure Security

5.1. Server Security

  • OnlyHugs infrastructure is hosted on industry-leading cloud platforms with SOC 2, ISO 27001, and other relevant certifications.
  • Servers are located in secure data centers with physical security controls including biometric access, 24/7 surveillance, and environmental protections.
  • We employ firewalls, intrusion detection and prevention systems (IDS/IPS), and continuous monitoring to protect against unauthorized access.
  • Regular security patches and updates are applied to all systems and software.

5.2. Network Security

  • Network traffic is monitored for anomalies and potential threats.
  • DDoS (Distributed Denial of Service) protection is in place to ensure service availability.
  • Internal networks are segmented to limit the impact of any potential breach.
  • Access to production systems is restricted through VPN, multi-factor authentication, and the principle of least privilege.

6. Access Controls

  • Access to user data is granted on a need-to-know basis only.
  • All employees and contractors with access to user data are subject to confidentiality agreements and undergo background checks.
  • Multi-factor authentication (MFA) is required for all administrative access.
  • Access logs are maintained and regularly audited.
  • Employee access is promptly revoked upon termination or role change.

7. Payment Data Security

OnlyHugs does not directly store, process, or transmit full credit card numbers or payment credentials. All payment processing is handled by PCI DSS-compliant third-party payment processors. We store only:

  • Transaction identifiers.
  • Payment method type (e.g., Visa, Mastercard).
  • Last four digits of the card (for user reference only).
  • Transaction dates and amounts.

8. Data Retention

We retain user data only for as long as necessary to fulfill the purposes described in our Privacy Policy. Specific retention periods include:

  • Active account data: retained for the duration of the account's existence.
  • Deleted accounts: personal data is deleted or anonymized within 30 days of account deletion, except where retention is required by law.
  • Chat messages: retained for the duration of the account and deleted within 30 days of account deletion.
  • Transaction records: retained for up to 7 years as required by tax and financial regulations.
  • IP and access logs: retained for up to 12 months for security and fraud prevention purposes.
  • Backup data: purged according to backup rotation schedules, typically within 90 days.

9. Incident Response

OnlyHugs maintains a comprehensive incident response plan to address security breaches and data incidents. Our incident response process includes:

  • Detection and identification of the incident.
  • Immediate containment and mitigation measures.
  • Thorough investigation and root cause analysis.
  • Notification to affected users within 72 hours of discovery, or as required by applicable law.
  • Notification to relevant regulatory authorities as required by law.
  • Remediation and implementation of measures to prevent recurrence.
  • Post-incident review and documentation.

10. Data Backup and Recovery

  • User data is backed up regularly to geographically separate, secure locations.
  • Backups are encrypted using the same standards as primary data storage.
  • Backup integrity is verified through regular restore testing.
  • Disaster recovery plans are in place and tested annually to ensure business continuity.

11. Third-Party Vendors

Where we engage third-party service providers that process user data on our behalf (e.g., cloud hosting, analytics, payment processing), we ensure that:

  • Each vendor undergoes a security assessment before engagement.
  • Data processing agreements (DPAs) are in place with all vendors.
  • Vendors are required to maintain security standards equivalent to or exceeding our own.
  • Vendor compliance is reviewed periodically.

12. User Rights and Controls

OnlyHugs provides users with the following controls over their data:

  • Access: Users may request a copy of their personal data at any time.
  • Correction: Users may update or correct their personal information through their account settings.
  • Deletion: Users may request deletion of their account and associated data. Certain data may be retained as required by law.
  • Data Portability: Users may request an export of their data in a commonly used, machine-readable format.
  • Withdrawal of Consent: Users may withdraw consent to data processing at any time through their account settings or by contacting us.

To exercise any of these rights, please contact us at hello@onlyhugs.me.

13. Security Audits and Testing

  • We conduct regular internal security audits and vulnerability assessments.
  • Penetration testing is performed at least annually by qualified third-party security firms.
  • Code reviews include security-focused analysis.
  • We participate in responsible disclosure programs and welcome reports of security vulnerabilities.

14. Employee Training

All OnlyHugs employees and contractors receive regular training on:

  • Data protection and privacy best practices.
  • Recognizing and responding to security threats (phishing, social engineering).
  • Proper handling of user data.
  • Incident reporting procedures.

15. Changes to This Policy

OnlyHugs reserves the right to update this Data Security & Information Storage Policy at any time. Material changes will be communicated to users through the Site, app, or email notification. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.

Contact Information

ONLYHUGS HOLDING LLC

Address: 1254 Chapman Rd, Ste 208 #25738, Newark, Delaware 19702, USA

Phone: +1 (775) 455-8654

Email: hello@onlyhugs.me

About us

OnlyHugs.me is a service provided by ONLYHUGS HOLDING LLC (Entity ID: 10405491), located at 1254 Chapman Rd, Ste 208 #25738, Newark, Delaware 19702, USA.

This application is designed for dating and communication. All personal data is protected in accordance with applicable U.S. laws and international data protection standards. The OnlyHugs name and logo are registered trademarks.

Copyright © 2026 onlyhugs. All rights reserved.