HAHA Vending Machine Privacy Policy
Release Date: 03, 2026
Effective Date: 03, 2026
Version No.: 03, 2026 v1.0
Introduction
HAHA Vending Machine and its related services (hereinafter referred to as “Product” ,“Service”) are provided by Wuhan Haha Bianli Science and Technology Co., Ltd. and its affiliated companies (hereinafter referred to as “we”, “us”, or “our”).
We highly value your privacy. This Privacy Policy (hereinafter referred to as “Policy”) describes how we collect, use, disclose, process, and store any personal information that you provided to us or that we collect from you when you use our products and services. If you are under 16 or otherwise regarded as a minor in your jurisdiction, please do not use our product and/or service and provide your any personal information with us.
This Policy only applies to the Product that refers to or links to this Privacy Policy. It also describes your rights and available choices regarding your personal information.
Data Controller: Wuhan Haha Bianli Science and Technology Co., Ltd. and its affiliated companies are the controller (or similar term under applicable laws) of any information processed in connection with this Policy.
We reserve the right to change the provisions of this Policy from time to time. The up-to-date version of the Privacy Policy can be accessed directly via “POS Machine→Home Page” at any time. We encourage you to periodically review this page for the latest information on our privacy practices.
The Privacy Policy consists of two parts: (I) General Provisions and (II) Special Provisions.
1) The "General Provisions" shall apply to our users in the EU and the United States.
2) The "Special Provisions", as an integral part of this Policy, shall apply only where HAHA Vending Machine provides products and/or services in specific jurisdictions, and only to HAHA Vending Machine users located in such applicable jurisdictions.
3) In the event of any inconsistency between the General Provisions and the Special Provisions, the Special Provisions shall prevail to the extent necessary.
The Policy will help you understand the following:
Section I: General Provisions 3
1. How We Collect and Use Your Personal Data 3
2. Cookies and Other Similar Technologies 5
3. How We Store Your Personal Information 5
4. How We Entrust, Share, Transfer and Publicly Disclose Your Personal Information 6
5. How We Protect Your Personal Information 7
7. How We Process Children’s Personal Information 10
8. How Your Personal Information is Transferred Globally 10
9. How This Policy is Updated 10
Section II: Special Provisions 12
12. Special Provisions for the United States 12
The term of “personal information” or “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal information does NOT include “anonymized” information, which is data we collect about the use of our Service or about a group or category of products, services or users, or other data from which individual identities or other personal information has been removed so that the individual concerned cannot be identified directly or indirectly. Such data helps us understand trends and our users’ needs so that we can better consider new features or otherwise tailor our Service. This Policy in no way restricts or limits our collection and use of such information.
We may collect information that is automatically collected by us, as well as certain information that you choose to provide. More information about the categories and sources of information is provided below.
Support service information
If you contact our customer care team, we will collect the information you give us during the interaction, including contact email, the problem you have encountered and the pictures/videos. If you choose not to provide the relevant information, we may be unable to effectively respond to your inquiry, process your request, or provide the necessary customer support services.
The legal basis for processing the aforementioned data is that it is necessary for the performance of the relevant transaction and your prior consent.
Get refund
If you want to get refund, you need to scan the QR code on the POS machine and enter the shopping card number to select the after-sales order. Please note that for the bank card number you entered, we have implemented corresponding technical measures to collect only the truncated bank card number.
The legal basis for processing the aforementioned data is that it is necessary for the performance of the relevant transaction and your prior consent.
Swipe, tap or insert card to start shopping and pay
When you swipe, tap or insert cards to start shopping and pay, the payment processors and transaction fulfillment providers (Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING), which partner with us may collect your certain personal information. Please note that we do not and cannot control any data processing activities conducted independently by Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING. Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING act as independent data controllers with respect to any personal information they process, and we encourage you to carefully review their respective privacy policies.
For the above data processing activity, these payment providers (Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING) will provide certain personal information they collect from you, including the truncated bank card number, bank card expiration date and other transaction-related information to us to process your order.
The legal basis for processing the aforementioned data is that it is necessary for the performance of the relevant transaction and your prior consent.
Obtain a Receipt
If you want to receive a receipt after your purchase, you need to scan the QR code on the POS machine and provide our payment processors and transaction fulfillment providers (Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING) with your email address, we will then obtain your email address from these payment providers to email you the receipt .
The legal basis for processing the aforementioned data is that it is necessary for the performance of the relevant transaction and your prior consent.
When you open the Vending Machine and take the products you wish to purchase, our cameras on the Vending Machine may capture video images that include you. We have implemented appropriate technical measures to minimize the capture of personal images and have applied desensitization measures to blur and anonymize any personal images inadvertently captured.
For the bank card numbers that we collected directly from you and/or our payment processors and transaction fulfillment providers (Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING) when you request a refund or make a payment as described above, these numbers are also truncated.
We also want to kindly remind you to exercise caution and avoid sharing such sensitive information about yourself (or others) unless necessary, when using our Services.
Many browsers enable you to control the use of cookies at the individual browser level. Cookies are small text files that are stored on your device by us to ensure that the Services’ normal operation and your convenient access to it. Cookies usually contain identifiers, site names, and some numbers and characters. These cookies do not store information that directly identifies you. However, where Internet Protocol (IP) addresses or other identifiers collected through these technologies are considered personal data under applicable law.
You can manage or delete cookies through your browser or device settings. Most browsers allow you to block or delete cookies, though doing so may affect the availability or functionality of certain features. Certain strictly necessary cookies may not be disabled, as doing so would prevent the Services from operating correctly.
We do not use cookies and similar technologies currently. If cookie or similar technologies are introduced in the future due to product updates, we will update this Policy accordingly and obtain your consent where required by applicable laws and regulations.
The personal information we collect and generate in our operations is stored in a third-party cloud storage located in United States of America. Tencent Cloud serves as our selected cloud service provider.
We store your Personal Data in strict compliance with our internal data retention policies. To determine the appropriate retention period for personal information, we will consider the following factors on a case-by-case basis:
the amount, nature and sensitivity of the personal data;
the potential risk of harm from unauthorized use or disclosure of your personal data;
the specific purposes for which we process your personal data and whether we can achieve those purposes through other means; and
the applicable legal, regulatory, tax, accounting, or other statutory requirements.
The retention period for Personal Data shall be the minimum time necessary to achieve the stated purposes. We shall immediately cease retaining such personal data and implement measures to delete or anonymize it without undue delay, upon the earliest of the following events: (i) the fulfillment of the original collection purposes; (ii) the termination of the operation of the corresponding product or service; or (iii) our confirmation of your valid erasure request.
We may retain your personal information for a longer period only if one of the following conditions is met: (i) a complaint has been filed in connection with our services; (ii) we hold a reasonable and substantiated belief that litigation may arise in relation to our relationship with you; (iii) such retention is mandated by applicable laws and regulations; or (iv) we have obtained your prior explicit consent. Once the legitimate basis for extended retention no longer exists, we will promptly remove the relevant personal data from our systems and records and/or take steps to anonymize it, ensuring that you can no longer be identified from the processed data.
We have entrusted Tencent Cloud to store your Personal Data as listed in Section 3 of the Privacy Policy. We have entered into data processing agreements to ensure that appropriate technical and organizational measures are adopted to protect your rights and interests regarding Personal Data.
For the performance of certain features or to provide you with better Services and a better user experience, some components of our Services will be supported by our authorized partners.
To ensure the normal operation of HAHA Vending Machine, we may share your personal information we collected (the truncated bank card number and the anonymized video images) with our vending machine clients, distributors, and agents, who are also responsible for the daily operation of the vending machine.
When you swipe, tap or insert cards to start shopping and pay, the payment processors and transaction fulfillment providers (Adyen, Stripe,PayPal,Shift4,PAX, Nayax, WizarPos, Universal PROCESSING), which partner with us may collect your certain personal information. Please note that we do not and cannot control any data processing activities conducted independently by Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING. Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING act as independent data controllers with respect to any personal information they process.
This means that once your data is transmitted to them, they independently determine the purposes and means of their subsequent data processing. We do not take responsibility for their independent processing activities. Each company maintains its own data processing practices, and we encourage you to carefully review their respective privacy policies. If you object to personal data transmission to them, please refrain from using HAHA Vending Machine.
We uphold the principles of data minimization, necessity, and legality to carry out such disclosing. Before disclosing information, we will require authorized partners to take relevant confidentiality and security measures to process personal information in accordance with this Policy and applicable laws in your jurisdiction.
We will not share your personal information with third parties for their own marketing or commercial purposes.
Where a merger, acquisition or bankruptcy liquidation takes place, if transfer of personal information is involved, we will request the new company or organization which obtains your personal information to be subject to this Policy, otherwise we will ask such company or organization to acquire your authorization and consent again.
We will only publicly disclose your Personal Data after obtaining your express consent or it is mandatorily required by laws, such as in compliance with subpoena, legal proceedings, legal actions or compulsory request by supervisory department of government agencies.
We encrypt a lot of information. We periodically review practices regarding information collection, storage and possessing(including physical security measures), to prevent various systems from unauthorized access.
With regard to the security control of data access and use, we have implemented a strict data authorization control mechanism. The core production database is restricted to internal network access and does not open public network ports. The production and testing environments are isolated by network segments. Manual execution of SQL is conducted through the auditing function built into the data management tool. The database operates in a primary-backup mode.
The security of your information is extremely important to us. Therefore, we endeavour to ensure the security of your Personal information and implement measures such as security encryption during storage and transmission to prevent your information from unauthorized access, use, or disclosure.
As the subject of the personal information, you are entitled to have the rights provided by the privacy laws in your jurisdiction. Your rights may include part or all of those described underneath. You can exercise your rights entitled by the privacy laws in your jurisdiction at any time by sending your requests to +1(323)767-7987 or service@hahavending.com. Your rights may include:
We publish this Policy to inform you of how we handle your personal information, how we use it, and who we share it with. We are committed to the transparency of the use of your information.
You have the right to access personal information we hold about you.
You have the right to correct your information where that information is not accurate. You can correct your personal information by contacting us via the methods stated in this Policy. When your identity is confirmed, we will rectify it accordingly.
You can remove certain personal information that we have stored about you. However, please note that we may need to retain personal information if there are valid grounds under data protection laws for us to do so (e.g., for the defense of legal claims or freedom of expression) but we will respond to you and let you know if that is the case.
You are entitled to request us to restrict processing of your personal data under the following circumstances:
You contest the accuracy of your personal data, for a period enabling us to verify the accuracy of the personal data;
The process is unlawful, and you oppose the erasure of your personal data and requests the restriction of their use instead;
We no longer need your personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims;
You have objected to processing, pending the verification whether the legitimate grounds of us override those of you.
You can request a copy of certain data in a machine-readable form that can be transferred to another provider if such right is requested by the privacy laws in your jurisdiction.
You have the right to object at any time to processing personal data concerning you which is based on performance of a task carried out in the public interest or in the exercise of official authority vested in us or based on the purposes of the legitimate interests pursued by us or by a third party. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of you or for the establishment, exercise or defense of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
You may withdraw your consent for the processing of your personal information by submitting a request to us via email. We will deal with your request within a reasonable time frame from the time when the request was received, and thereafter not process your personal information as per your request.
Please note that your withdrawal of consent could result in certain legal consequences. Depending on the extent to which you authorize us to process your personal information, it may mean that you will no longer be able to enjoy the use of our services. However, any decision on your part to withdraw your consent or authorization will not affect personal information processing previously performed with your permission.
You may have rights not to be bound by automatic decisions, including user profiling, if such right is requested by the privacy laws in your jurisdiction. However, at present, we do not use your Personal Data for automated decision-making, including user profiling.
To help us verify that you are the subject of personal information and exercise your rights outlined above, we may require you to provide sufficient proof of identification. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
If you are concerned about the way in which we manage your personal information and think we may have breached any relevant laws and obligations, please contact us.
We will respond and reply to you as soon as possible. Generally, we will reply to you within one (1) month upon receipt of your request (If necessary, we may extend it by an additional forty-five (45) days as permitted by law. We will inform you of the reason for the extension within the aforementioned 30-day period, such as the request is too complicated or too much in volume).
If you feel we have not resolved your concern, you have the right to get in touch with us and/or lodge a complaint with your local privacy or data protection regulator.
Our Services are mainly adult-oriented, and we do not offer services directly to a child or use personal information of children for the purposes of marketing. We treat anyone under 16 years old (or equivalent minimum age in relevant jurisdiction) as a child. We do not knowingly collect any information about or market to children, minors or anyone under the age of 16. If you are less than 16 years old, we request that you do not submit information to us. If we become aware that a child, minor or anyone under the age of 16 has provided us with personal information, we will take steps to delete relevant personal information immediately.
Generally, data from users is stored in a third-party cloud storage located in United States. For the purpose of necessary maintenance of the Services, your personal data may be accessed by our personnel in China. We will implement corresponding protective measures in accordance with the requirements of applicable data protection laws to ensure data security. By agreeing to this Privacy Policy and using our products, you consent to our processing of such international data transfers.
Where personal data is generated within the European Economic Area (“EEA”) is transferred to countries outside the EEA, we will ensure that appropriate protective measures are taken to comply with General Data Protection Regulation (“GDPR”).
If you have any question regarding your personal data’s security and/or our international transfer manners or would like to withdraw your consent to the international transfer, please contact us via: service@hahavending.com.
We reserve the right to update or modify this Policy from time to time. For significant changes to our Privacy Policy, we will push the updated Privacy Policy to you.
In case of any inconsistency between this Policy and other privacy policies on personal information management related to the Services, the latest policy content shall prevail.
If you have any concerns or doubts about our Privacy Policy, please contact us via:
Phone:+1(323)767-7987
Email: service@hahavending.com
If you are residents of the United States and where we meet the relevant threshold tests, the following additional terms apply. If any conflict arises between the main Privacy Policy, the following terms shall prevail:
1) De-identified information.Where we maintain or use de-identified data, we will continue to maintain and use the de-identified data only in a de-identified fashion and will not attempt to re-identify the data.
2) Your Rights.You are able to exercise your privacy rights described in the “ 6.Your Rights” of the Privacy Policy in accordance with the applicable law as well as subject to certain limitations at law. These rights are not absolute and are subject to certain exceptions.
We do not sell personal information and do not use personal information for the purpose of targeted advertising and profiling, and therefore we do not process requests for opt-out of sale, targeted advertising and profiling.
We will not unlawfully discriminate against you for exercising your rights.
If we refuse to take action on your request, you may appeal this refusal within a reasonable period after you have received notice of the refusal. You may file an appeal by sending emails to service@hahavending.com.
Once we receive your request, we may verify it by requesting information sufficient to confirm your identity. If you would like to use an authorized agent to exercise your rights, we may request evidence that you have provided such agent with power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf. Not all kinds of requests can be made by authorized agents in all states.
If you are a consumer resident in California and where we meet the relevant threshold tests, the following provisions shall apply.
1) Notice at Collection, Use, and Disclosure of Personal InformationAs described above, we have disclosed the information about our collection, use and disclosures of your personal information in “ 1. How We Collect and Use Your Personal Data ”, “4.How We Entrust, Share, Transfer and Publicly Disclose Your Personal Information” of the Policy.
As required by certain state laws, we use extra tables below to explain the personal information we collected and disclosed in the preceding 12 months.
Category of Personal Information (Corresponding to the categories listed in CCPA § 1798.140 (v)(1)) | Collected | Data source | Business or commercial purpose for collecting and using | Disclosed | To whom we disclose and the purposes of disclosures |
|---|---|---|---|---|---|
| A. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. | contact email |
|
| √ |
|
| B. Personal information as defined in the related California customer records law, such as name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | the truncated bank card number, bank card expiration date |
|
| √ |
|
| C. Characteristics of protected classifications under California or federal law. | N/A | N/A | N/A | N/A | N/A |
| D. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | transaction-related information | Provided by the payment providers (Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, Universal PROCESSING) | process your order | √ |
|
| E. Biometric information. | N/A | N/A | N/A | N/A | N/A |
| F. Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. | N/A | N/A | N/A | N/A | N/A |
| G. Geolocation data. | N/A | N/A | N/A | N/A | N/A |
| H. Audio, electronic, visual, thermal, olfactory, or similar information. | N/A | N/A | N/A | N/A | N/A |
| I. Professional or employment-related information. | N/A | N/A | N/A | N/A | N/A |
| J. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). | N/A | N/A | N/A | N/A | N/A |
| K. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | N/A | N/A | N/A | N/A | N/A |
| L. Sensitive personal information | N/A | N/A | N/A | N/A | N/A |
We do not knowingly collect the personal information of consumers under 13 years of age thus we do not sell personal information of consumers under 13 years of age or share personal information of consumers under 13 years of age for cross-context behavior advertising.
In the preceding 12 months, we have not sold personal information (including sensitive personal information) or shared personal information (including sensitive personal information) for cross-context behavior advertising.
We do not use or disclose sensitive personal information for purposes not permitted by applicable laws.
As described above in more detail in “ 4. How We Entrust, Share, Transfer and Publicly Disclose Your Personal Information”, we may also disclose your personal information as part of, or during negotiations of, any merger, sale, divestiture, or transfer of all or a portion of the company assets, financing or acquisition or in any other situation where personal information may be transferred as one of our business assets. We may also disclose personal information as required by law, regulations or court order; to respond to governmental and/or law enforcement requests.
As described above in more detail in “3. How We Store Your Personal Information” of the Policy, we retain personal information only as long as necessary to provide you with the Services, our legitimate interests or our business purposes. For the criteria used to determine the period of time your personal information will be retained, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements. And we may continue to retain certain data to the maximum extent permitted by applicable laws.
2)Your Rights
You have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Acts (“CCPA”), and you may exercise your following extra privacy rights by sending your requests through the contact information described in Section 6 of this Policy. Please note that if you submit a request to exercise the following rights, you will be asked to verify your identity in accordance with the law.
(i)The right to know: You have the right to request that we disclose to you the following information covering the 12 months preceding your request:
the categories of personal information we collected about you and the categories of sources from which we collected such personal information;
(ii) The right to correct. You have the right to request the correction of your personal information if it is inaccurate.
(iii) The right to delete: You have the right to request that we delete your personal information that we collected from you, subject to certain exceptions. Subject to certain exceptions, we will notify service providers or contractors, where applicable, to delete your personal information from their records.
(iv)The right to non-discrimination for the exercise of your privacy rights. You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.
3) Authorized AgentIf you would like to use an authorized agent to exercise your rights, we may request evidence that you have provided such agent with power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf.
We do not sell personal information or share personal information for cross-context behavior advertising and do not use personal information for the purpose of targeted advertising and profiling, and therefore we do not process requests for opt-out of sale, sharing for cross-context behavior advertising, targeted advertising and profiling.
We only use or disclose (if applicable) sensitive personal information for purposes set forth in applicable laws thus do not process requests to limit use and disclosure of sensitive personal information.
We do not provide any financial incentives tied to the collection, sale, or deletion of your personal information.
In addition, under California law, operators of online services are required to disclose how they respond to “do not track” signals or other similar mechanisms that provide consumers the ability to exercise choice regarding the collection of personal information of a consumer over time and across third party online services, to the extent the operator engages in that collection. Currently, we do not track individuals’ personal information over time and across third-party online services. This law also requires operators of online services to disclose whether third parties may collect personal information about their users’ online activities over time and across different online services when the users use the operator’s service. We do not knowingly permit third parties to collect personal information about an individual’s online activities over time and across different online services.
4) California “Shine the Light” LawFor consumers located in California, we do not share your personal information with third parties for those third parties’ direct marketing purposes.