HAHA VENDING Website FAQ
Disclaimer: If there is any inconsistency between this FAQ and the applicable Privacy Policy, Cookie Policy, Terms of Service, User Agreement, or other official policy, the applicable official policy shall prevail.
Part 1: Consumer Purchase and Vending Machine Use
What is the payment process on the vending machine? Is my money and card information secure?
When you swipe, tap, or insert a card to start shopping and pay, payment processors and transaction fulfillment providers that partner with us may collect certain personal information. These partners include Adyen, Stripe, PayPal, Shift4, PAX, Nayax, WizarPos, and Universal PROCESSING.
These payment providers act as independent data controllers with respect to the personal information they process. We do not and cannot control their independent data processing activities. We encourage you to carefully review their respective privacy policies.
For the relevant transaction, these payment providers may provide us with certain personal information, including the truncated bank card number, bank card expiration date, and other transaction-related information, so that we can process your order.
How can I obtain an electronic receipt after purchase?
If you want to receive a receipt after your purchase, you need to scan the QR code on the POS machine and provide your email address to our payment processors and transaction fulfillment providers.
We will then obtain your email address from these payment providers to email you the receipt.
How can I request a refund or contact customer support?
If you want to request a refund, you need to scan the QR code on the POS machine and enter the shopping card number to select the after-sales order.
For the bank card number entered in connection with a refund, we have implemented corresponding technical measures to collect only the truncated bank card number.
If you contact our customer care team, we may collect the information you provide during the interaction, including your contact email, the problem you encountered, and any pictures or videos you provide. If you choose not to provide relevant information, we may be unable to effectively respond to your inquiry or process your request.
Will the cameras on the vending machine affect my privacy? How are captured images handled?
When you open the Vending Machine and take the products you wish to purchase, cameras on the Vending Machine may capture video images that include you.
We have implemented appropriate technical measures to minimize the capture of personal images and have applied desensitization measures to blur and anonymize any personal images inadvertently captured.
To ensure the normal operation of HAHA Vending Machine, we may share the personal information we collect, including truncated bank card numbers and anonymized video images, with our vending machine clients, distributors, and agents, who are also responsible for the daily operation of the vending machine.
Part 2: Merchant Account and Payout Compliance
What core functions does the AI VENDING platform provide for registered merchants?
The main functions of AI VENDING include device activation, device operation and replenishment, inventory management, order management, customer support and complaint handling, device monitoring, and device configuration services.
These functions may change along with product upgrades, and the functions displayed on the product interface shall prevail.
What information do merchants need to provide when registering or completing their account information?
When you register for AI VENDING, you need to provide your country, time zone, device language, company name, email address, password, and phone number to create an account. We will record the email address and password you set and verify them when you log in again to ensure account security.
If you choose to complete your account information, you will need to provide your contact person’s name, contact address, and administrator’s name.
Why do merchants in the United States need to provide sensitive information such as SSN or federal tax ID when applying for a payout account?
For users located in America applying for a payout account, certain information is required for the purpose of processing withdrawals. This may include location information, owner information, company information, and ACH authorization information.
Location information includes address and phone number. Owner information includes name, home address, cellphone number, email address, social security number (SSN), and date of birth. Company information includes legal name, ownership type, corporate address, federal tax ID, and date of business commencement. ACH authorization information includes account type, routing number, account number, name on account, void check, driver license photo, and electronic signature.
We may share this information with PAX for the purpose of processing withdrawals. Before disclosing information, we will require authorized partners to take relevant confidentiality and security measures. We will not share your personal information with third parties for their own marketing or commercial purposes.
What mobile system permissions will the AI VENDING App request? What happens if I deny them?
Certain functions of AI VENDING require your prior consent for us to access relevant system permissions. You can check the opening status of specific permissions and decide whether to turn them on or off through AI Vending App > ME > Settings > Privacy Settings > Permission Settings.
If you close these system permissions, you withdraw your authorization. We will no longer collect and use the corresponding personal information, but we may also be unable to provide the functions corresponding to those permissions.
The App may request camera permission for scanning codes for device activation, restocking, and product identification; photos permission to take product photos and use image recognition; and microphone permission to receive sound input.
What data does the Tencent Cloud Terminal Performance Monitoring Pro SDK collect in the App?
The SDK is integrated into the App to enhance system security and traceability and to determine whether certain sensitive operations are performed by the same person.
The SDK will automatically collect the unique vendor identifier, or vendorId, of the user’s device and report the data to Tencent Cloud. Tencent Cloud will process the relevant data as a personal data controller for the security purposes described above.
Part 3: Website Interaction and Cookie Policies
What information is collected if I fill in website forms or leave my contact details during exhibitions?
If you send an inquiry, contact us, request a quote, leave a message, or request to purchase equipment through the website, you may need to submit information such as your name or full name, phone number, email address, WhatsApp, country, purpose, message, whether you have prior knowledge of vending, and whether you have a location.
If you wish to stay in touch with us during exhibitions or market promotion activities, we may collect your name, phone number, email address, WhatsApp, company name, and job title through an electronic form.
We may use the personal information you provide to further communicate with you about our products and services, and for profiling, targeted advertising, and sending marketing text messages or emails. You can refuse to receive such messages or opt out of targeted advertising and profiling by contacting us at service@hahavending.com.
Which strictly necessary cookies does the official website use?
We use necessary cookies to provide a properly functioning website and enable users to use the services we offer. If these cookies are blocked, you may not be able to use the website properly.
PHPSESSID is a first-party, session-based cookie used to maintain user session and login status and ensure basic website access functionality. It collects user session status and login information data, which will not be disclosed to any third party and is only used to maintain website session and access control.
cf_clearance and __cf_bm are third-party, session-based cookies used to provide Cloudflare anti-bot verification and security protection to ensure normal website access. They collect user access behavior, device, and network environment data and disclose such data to Cloudflare for implementing security protection, anti-attack measures, and stable service operation.
Which non-necessary cookies and similar technologies may be used on the website?
Based on your consent, the website may use non-necessary cookies and similar technologies for analytics, marketing attribution, online customer service, and website performance optimization.
The Language Setting cookie remembers your language preferences and is not disclosed to any third party. The ga, ga*, and _gcl_au cookies collect website visit data and user behavior and may disclose or share such data with Google LLC for website traffic statistics and analysis.
The pys_* and last_pys_* series collect website visit data and conversion data from social media advertising channels and may disclose or share interaction data with Meta Platforms, Inc. for advertising attribution and audience optimization. The sbjs_* series tracks traffic sources and access paths for internal marketing attribution analysis and is not disclosed to any third party.
TawkConnectionTime, twk_idm_key, and twk_uuid_* collect user session, device, and online behavior data and disclose such data to Tawk.to Ltd. to provide online customer service and maintain customer service sessions. lscache_vary is used for website cache optimization and is not disclosed to any third party.
_uetsid, _uetvid, MUID, _clck, clsk, CLID, and MR track advertising conversion from Microsoft search engine and analyze real-time interaction behavior. The relevant data may be disclosed or shared with Microsoft Corporation for advertising effectiveness evaluation, user experience optimization, and security maintenance.
If I withdraw my cookie consent, will the website automatically delete existing cookies?
When you withdraw your consent, we will stop placing new non-necessary cookies, and existing cookies stored in your browser will be deactivated and will no longer collect your personal information.
However, withdrawing consent will not automatically delete cookies previously stored on your device. You must manually delete these cookies through your browser settings, such as Google Chrome, Firefox, Safari, or Microsoft Edge.
Part 4: Global Data Storage, Security, and Compliance
Can minors use the vending machines or register on AI VENDING?
Our services are mainly adult-oriented, and we do not offer services directly to children or use children’s personal information for marketing purposes. A child should not create a user account.
To be eligible to register to use AI VENDING, you must be the age of majority in your jurisdiction.
We treat anyone under 16 years old, or the equivalent minimum age in the relevant jurisdiction, as a child. If we become aware that a child or anyone under the age of 16 has registered with us and provided personal information, we will take steps to terminate that person’s registration and delete the relevant personal information immediately.
Where is personal information stored? Who can access or obtain it?
The personal information we collect and generate in our operations is stored in third-party cloud storage located in the United States of America.
Tencent Cloud serves as our selected cloud service provider for the vending machine system and AI VENDING system. Hostinger provides cloud storage services for the website.
For necessary maintenance of the services and daily operations, personal data may be accessed by our personnel in China. We will implement corresponding protective measures in accordance with applicable data protection laws to ensure data security.
What technical measures are used to protect databases and data transmission?
For data transmission security, we adopt cryptographic technologies such as transport layer security protocols and deploy HTTPS to help prevent transmission links from being eavesdropped on or intercepted, and to help ensure the confidentiality and integrity of data.
For data access and use, we implement strict data authorization control mechanisms. The core production database is restricted to internal network access and does not open public network ports.
The production and testing environments are isolated by network segments. Manual execution of SQL statements is conducted through the auditing function built into the data management tool. The database operates in a primary-backup mode to support high availability and system reliability.
How will users be notified if a cybersecurity incident or data breach occurs?
When an incident endangering cybersecurity occurs, we will activate the cybersecurity incident emergency response plan, take corresponding remedial measures, and report to the relevant competent authorities in accordance with applicable requirements.
If a personal information security incident is likely to result in a high risk to the rights and freedoms of personal information subjects, we will inform affected users by email, letter, telephone, push notice, or other means as required by applicable laws and regulations. Where it is difficult to inform data subjects one by one, we will publish an announcement in a reasonable and effective way.
What privacy rights do users have, and how long does it take to receive a response?
Depending on the laws of your jurisdiction, you may have rights such as the right to be informed, access, correction, deletion, restriction of processing, data portability, refusal, withdrawal of consent, and refusal of automated decision-making and profiling.
To verify your identity and protect data security, we may require you to provide sufficient proof of identification before processing your request. Generally, we will reply within one month after receiving your request. If necessary, such as when the request is complex or there are many requests, we may extend the response period by an additional forty-five days as permitted by law and inform you of the reason for the extension within the initial thirty-day period.