Privacy Policy & Cookie Settings

Privacy Policy

Effective Date: May 5, 2026
Website: haloxlabs.ai
Service: HaloX
Operator / Data Controller: Afterwork Lab
Privacy Contact: afterwork@afterworkai.club

This Privacy Policy explains how Afterwork Lab ("we", "us") collects, uses, shares, and protects personal data when you use haloxlabs.ai (the "Website") and HaloX (the "Service").

1. Personal data we collect

1.1 Data you provide

• Account & workspace: email address, name, workspace settings.
• Email subscription: email address, subscription preferences.
• Contact / suggestions: email address and the information you include in your message.

1.2 Data collected automatically

When you visit the Website, we may collect:

• Device and log data: IP address, timestamps, browser type, operating system, referrer URL, pages visited.
• Usage data: page views, clicks, scrolls, engagement events.
• Cookies and identifiers: cookie IDs, local storage IDs, advertising/analytics identifiers.

1.3 Google Analytics 4 (GA4) data — accessed with your authorization

With your explicit authorization via Google OAuth 2.0, we access GA4 reporting data (read-only) for the properties you select, which may include:

• Session counts, active user counts, new vs. returning users.
• Engagement metrics (engagement rate, average engagement time, events per session).
• Traffic source / medium / channel grouping (including AI referral sources).
• Page-level metrics (page views, landing pages, exit pages).
• Conversion events (Key Events) you have configured in GA4.

We use this data solely to power the HaloX GA4 analytics dashboard and to generate SEO/GEO optimization insights for the workspace owner who authorized the connection.

1.4 Google Search Console (GSC) data — accessed with your authorization

With your explicit authorization via Google OAuth 2.0, we access Google Search Console data (read-only) for the verified properties you select, which may include:

• Search queries (keywords) that bring users to your site.
• Clicks, impressions, click-through rate (CTR), and average position.
• Top landing pages and their search performance.
• Country and device breakdowns of search traffic.
• Sitemap submission status and indexing coverage information.
• List of verified site properties available in your Search Console account.

We use this data solely to power the HaloX GSC dashboard, generate keyword/page-level SEO insights, and (where the user explicitly enables it) seed Generative Engine Optimization (GEO) prompt analyses for the workspace owner who authorized the connection.

2. How we use personal data

We use personal data to:

• Provide and secure the Service (security, debugging, abuse prevention).
• Understand content performance and improve the Service (analytics).
• Display ads, measure ad performance, and prevent invalid traffic (monetization) — does not apply to Google user data.
• Send subscription emails you requested and manage unsubscribes.
• Respond to inquiries and suggestions.

3. AI/ML model training restriction

We do not use Google user data (including GA4 data, Google Search Console data, or any data derived from them) to develop, train, fine-tune, or improve any generalized or non-personalized AI or machine learning models, including any third-party large language models such as Google Gemini, OpenAI GPT, or Anthropic Claude.

AI features inside HaloX (e.g., GEO prompt analysis, content suggestions) operate on aggregated, anonymized signals and on content/keywords the user has explicitly chosen to analyze, not on raw Google user data harvested for training purposes.

4. Legal bases (depending on your location)

Depending on applicable law, we may process personal data based on:

• Consent (e.g., cookies, analytics, personalized ads, Google OAuth authorization).
• Legitimate interests (e.g., security, basic service improvement where permitted).
• Contract necessity (e.g., delivering the Service you signed up for).
• Legal obligations where applicable.

5. Cookies, analytics, and advertising

5.1 Google AdSense (Advertising)

We use Google AdSense to display ads and monetize the Website. Third-party vendors, including Google, use cookies to serve ads based on a user's prior visits to this Website and/or other websites.

5.2 Consent management (EEA/UK/Switzerland)

Google's EU User Consent Policy applies to end users located in the EEA, the UK, or Switzerland. We use Google AdSense "Privacy & messaging" to meet these requirements.

5.3 Amplitude (Analytics)

We use Amplitude to understand how visitors engage with our content and to improve the Service. Amplitude may use cookies or local storage to store identifiers and record events, subject to your region and consent settings.

6. How we share personal data (service providers)

We share personal data only as needed to operate the Service and for the purposes described above. Our providers may include:

• Supabase — database, authentication, and backend infrastructure (SOC 2 Type II).
• Google Analytics 4 — read-only access with explicit user OAuth authorization.
• Google Search Console — read-only access with explicit user OAuth authorization.
• Google AdSense — advertising delivery on the marketing website (does not use Google user data).
• Amplitude — product analytics (engagement performance).
• Resend — transactional and subscription email delivery.
• Cloudflare / Netlify — hosting, CDN, performance, and security.

We do not sell Google user data, GA4 data, or GSC data, and we do not share it with any third party for advertising or AI training purposes.

7. International data transfers

Our service providers may process data on servers located outside your country. Where required, we apply appropriate safeguards.

8. Data retention & deletion

We retain personal data only as long as needed:

• Account & workspace data: retained while your account is active. Deleted (or anonymized) within 30 days after account deletion request.
• GA4 / Google Search Console cached data: cached for performance for up to 90 days, after which it is automatically refreshed or purged. When you disconnect a Google integration, all associated cached data is deleted within 30 days.
• OAuth refresh tokens: stored encrypted and revoked immediately when you disconnect the integration in HaloX settings or in your Google Account permissions page.
• Email subscriptions: until you unsubscribe (and a limited period thereafter for suppression-list compliance).
• Logs / analytics: retained per provider settings, then deleted or anonymized where feasible.

To request deletion of your data, contact afterwork@afterworkai.club.

9. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, or restrict processing of your personal data, and withdraw consent where processing is based on consent. You can revoke HaloX's access to your Google data at any time:

• From HaloX: Settings → Integrations → Disconnect Google.
• From Google: myaccount.google.com/permissions.

10. Security

We use reasonable administrative, technical, and organizational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest, encrypted OAuth token storage, Row Level Security on databases, and least-privilege access controls.

11. Children's privacy

The Website is not intended for children under 13, and we do not knowingly collect personal data from children under 13.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version with a revised effective date on haloxlabs.ai.

13. Contact

Privacy-related questions/requests: afterwork@afterworkai.club