Privacy policy


Updated

January 31, 2025

Effective: January 31, 2025

Thank you for using Hipo.ai. We care about the privacy and security of the people and organisations that use our Services. This Privacy Policy explains what Personal Information we collect, how we use it, how we protect it, and your rights in relation to that information.

Overview

Hipo.ai (including our affiliates, “Hipo.ai”, “we”, “us”, or “our”) provides web and API-based machine learning and productivity services (collectively, the “Services”). This Privacy Policy covers Personal Information we collect when you use our website, applications, APIs, or otherwise interact with us. This policy does not govern Personal Information that we process on behalf of our business customers under a separate customer agreement (those arrangements are governed by our customer contracts and applicable Data Processing Agreements).

Contacts: For privacy inquiries: [email protected]. For data subject requests (DSARs): [email protected]. For security incidents or vulnerability reports: [email protected].

1. Personal information we collect

We collect the following categories of Personal Information:

1.1 Information you provide

  • Account information: name, email, company, role, billing & invoicing details, payment method token (we do not store full card numbers—payments are handled by PCI-DSS compliant providers), username, and password (hashed and salted).
  • User content: content you submit to the Services (text, files, code, prompts, attachments) when you use Hipo.ai features or APIs.
  • Communications: messages you send to us (support requests, feedback, and other correspondence).
  • Social and public profile information: information you choose to provide from social media or other public profiles if you link those accounts to Hipo.ai.
  • Other information you provide: responses to surveys, event registrations, or identity verification documents when required for account validation.

1.2 Information collected automatically

  • Technical & usage data: IP address, browser and device characteristics, operating system, page views, referral URLs, feature usage, language, time zone, event and performance logs, and other diagnostic data.
  • Cookies and tracking technologies: cookies, local storage, pixels, and similar technologies used for authentication, security, preferences, analytics, and marketing. See our Cookies & Tracking section for controls.
  • Location data: approximate location derived from IP address or device settings (only if enabled).

1.3 Sensitive personal data

We generally do not collect sensitive categories of personal data (e.g., race, religion, health) unless you explicitly provide it and we have a lawful basis and explicit consent to process it. If we ever need to process sensitive data for optional features, we will obtain your explicit consent first and document purpose and retention.

2. How we use Personal Information

We use Personal Information for the following purposes and to the extent permitted by law:

  • To provide, operate, maintain and improve the Services, and to perform our contractual obligations to you.
  • To authenticate and authorize access (including multi-factor authentication and single sign-on integrations).
  • To process payments and billing, and to prevent payment fraud.
  • To provide customer support and respond to your requests.
  • To run, evaluate, and improve our models and product features — with safeguards described below and subject to any region-specific controls.
  • To detect, investigate, and prevent fraud, abuse, security incidents, or illegal activity and to protect the rights, property, or safety of Hipo.ai and others.
  • To comply with legal obligations, litigation, and law enforcement requests or governmental processes.
  • To communicate product announcements, updates, and marketing when permitted — you can opt-out of marketing communications at any time.

Aggregated and de-identified data

We may aggregate or de-identify Personal Information and use or share the de-identified data for any lawful purpose (analytics, research, benchmarking). We will not attempt to re-identify data except when required by law.

3. Security measures & platform hardening

We deploy a layered security program combining technical, administrative, and physical controls. Key elements include:

  • Encryption: TLS 1.2+ for data in transit; strong encryption at rest (e.g., AES-256 or industry standard equivalent) for stored Personal Information. Keys are managed via a centralized key management service with role-based controls.
  • Access controls: role-based access control (RBAC), least privilege, separation of duties, logging and access audits. Administrative access is restricted and requires multi-factor authentication (MFA).
  • Authentication: password hashing using strong algorithms, optional MFA for accounts, support for SSO (SAML/OAuth/OpenID Connect) for enterprise customers, session timeout and rotation policies.
  • Secure development: secure SDLC practices, code review, static/dynamic analysis, dependency scanning, and automated CI/CD checks.
  • Vulnerability management: regular internal and external vulnerability scans, third-party penetration tests, and a responsible disclosure / bug bounty program (report to [email protected]).
  • Monitoring & logging: centralized logging, SIEM, anomaly detection, and retention of security logs for incident investigation in accordance with our retention policy.
  • Data segregation: production and non-production environments are segregated; customer data is logically separated.
  • Third-party risk management: vendor assessments, Data Processing Agreements (DPAs), contractual security requirements, and continuous monitoring of subprocessors.
  • Personnel security: background checks where permitted, role-based training, least-privilege onboarding/offboarding, and annual security & privacy training for relevant staff.
  • Incident response & disaster recovery: documented incident response plan, tabletop exercises, backups, and documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). We perform periodic DR tests.

Security limitations: no system is perfectly secure. We strive to apply industry best practices but cannot guarantee absolute security. If we become aware of a breach affecting your Personal Information, we will follow our incident response procedures and notify affected parties and regulators as required by applicable law (see Security incident response).

4. Disclosure of Personal Information

We may disclose Personal Information to:

  • Service providers & subprocessors: third-party vendors (cloud hosting, payment processors, analytics, email delivery, support tools) that perform services on our behalf under contract and restricted by our instructions and DPAs.
  • Affiliates and partners: where necessary to deliver Services or for internal business reasons.
  • Legal and safety: when required by law, to respond to legal process, protect rights, property, safety, or to investigate or prevent fraud or security incidents.
  • Business transactions: in the context of mergers, acquisitions, financing, or asset sales — with notice to users when required by law.
  • User choices: where you intentionally share information (for example, via shared links, public content, or integration with third-party applications), that information may be visible to others as you direct.

Subprocessors & transparency: we maintain a current list of subprocessors and will provide notice of new subprocessors where required by contract or law. Subprocessors are contractually required to maintain appropriate safeguards.

5. Cookies, tracking & advertising

We use cookies and similar technologies for security, authentication, analytics, and product improvements. We do not “sell” Personal Information for cross-context behavioral advertising. For EU/UK users and where required by law, we obtain consent for non-essential cookies.

  • Essential cookies: required for login, authentication, and security.
  • Performance & analytics cookies: measure usage and improve the Services.
  • Marketing cookies: for promotional communications, subject to your choices and local law.

You can manage cookie preferences through our cookie banner or by adjusting your browser settings. Note that blocking certain cookies may affect functionality.

6. Retention & deletion

We retain Personal Information only as long as necessary for the purposes described in this Policy or as required by law. Typical retention periods include:

| Category | Typical retention period |
|---|---|
| Account information and profile | For the duration of your account plus up to 2 years after account termination, unless a longer retention is required by law or for legitimate business needs. |
| User content (active use) | While your account or subscription is active, and thereafter as requested to be deleted or as required by law. Content can be exported prior to deletion (see Data access & portability). |
| Logs & security events | Retained for up to 12–24 months for security monitoring and incident investigation, subject to applicable law. |
| Backups | Rotated and retained for up to 90–180 days depending on backup type and legal obligations. |
| Transactional & billing records | Typically retained for 7 years to satisfy financial/tax obligations. |
| Aggregated/de-identified data | Indefinitely, since it cannot be used to identify you. |

When you request deletion, we will remove Personal Information from active systems within a reasonable timeframe and where technically practicable. Residual copies may remain in backups for a limited period but will be inaccessible for normal processing.

7. International transfers & legal basis

Hipo.ai is headquartered in the United States and processes data in jurisdictions where our servers and subprocessors operate. Where Personal Information is transferred across borders, we use appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms required by applicable law.

Legal bases (EEA/UK): where applicable, we rely on legal bases such as performance of contract, legitimate interests, consent, or compliance with legal obligations. For data subject rights and regional details, see Data access & portability.

8. Data subject rights — access, portability, correction, deletion

You can exercise applicable rights depending on your country (for example, under GDPR, UK GDPR, CPRA/CCPA, or other local privacy laws). These rights may include:

  • Access to the Personal Information we hold about you;
  • Correction or update of inaccurate information;
  • Deletion or restriction of processing (subject to legal exceptions);
  • Data portability (export of your Personal Information in a machine-readable format such as JSON or CSV);
  • Objecting to processing for direct marketing or profiling; and
  • Withdrawing consent where consent is the legal basis for processing.

How to submit a request

  1. Sign in to your Hipo.ai account and use the privacy controls in your account settings where available.
  2. If you cannot access the account, email [email protected] with the subject line “DSAR — [Your name]”. Include (a) the email associated with your account, (b) the request type (access, deletion, portability, etc.), and (c) any supporting details that help us locate your account.
  3. We may request additional information to verify your identity before fulfilling the request. This is to protect your Personal Information from unauthorized disclosures.

We will respond to verifiable requests within the timeframes required by applicable law. If we deny a request, we will explain the reason and any available appeals process.

9. Children

Our Services are not intended for children under 13 (or higher minimum age where required by applicable law). We do not knowingly collect Personal Information from children under 13. If you believe we have collected Personal Information of a child under the applicable age, please contact [email protected] so we can investigate and remove the information as appropriate.

10. Automated decision-making & profiling

Some features may use automated processing including model-generated suggestions, scoring, or other outputs. We do not use automated decision-making in a manner that produces legal or similarly significant effects about you without providing appropriate safeguards and information where required by law. If you have concerns about profiling or automated decisions, contact [email protected].

11. Security incident response & breach notification

We maintain an incident response program. In the event of a security incident that affects Personal Information, we will:

  • Take immediate steps to contain and remediate the incident;
  • Assess the scope and impact;
  • Notify affected individuals and regulators as required by law (for GDPR-regulated incidents we will notify the supervisory authority within 72 hours when required); and
  • Provide information about the incident and recommended mitigation steps for affected users (e.g., password reset).

If you believe your account has been compromised, contact [email protected] immediately.

12. Third-party services & links

Our Services may contain links to third-party websites or services not operated by Hipo.ai. We are not responsible for their privacy practices. Before sharing Personal Information on third-party sites, please review their privacy policies and settings.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post an updated version and, where appropriate, notify you by email or in-product notification. The “Effective” date at the top will be updated to show when changes take effect.

14. How to contact us

If you have questions, concerns, or requests about this Privacy Policy or our privacy practices, please contact us:

Please include as much detail as you can in your message so we can route your request quickly and accurately. We may need to verify your identity before fulfilling certain requests.

Disclaimer: This Privacy Policy describes current practices and does not create a contract or alter any existing contracts you have with Hipo.ai. Nothing in this policy is legal advice. For legal questions about your rights or obligations consult an attorney.

Last updated: January 31, 2025.