Privacy Policy

How Humane AI handles data.

GDPR, CCPA, and HIPAA-aligned. Programmatic export and erasure. Plain-language commitments on what we collect, why, how long, and who sees it.

Last Updated: April 20, 2026
Effective: April 20, 2026
Jurisdiction: India

§ 01

Scope of this policy

This Privacy Policy covers the Humane AI platform: our API, SDKs (Python, TypeScript, REST), the web dashboard, the MemPalace memory store, engines (Policy, Safety, Proactive Triggers, A/B Experiments), and our marketing website at humaneai.vaarak.com.

In this policy, “you” is the person or company with a Humane AI account. “End users” or “patients” are the people your application serves — whose conversations and behavioral signals you send to us on their behalf. For their data, you are the Controller and we are the Processor — see our Data Processing Addendum.

§ 02

What we collect

From you (the account holder)

  • Identity: name, email address, organization name, role.
  • Authentication: bcrypt-hashed password, OAuth provider identifiers (Google).
  • Billing: Stripe customer ID, invoice history, plan tier.
  • Usage: request timestamps, endpoints hit, rate-limit metrics, error codes.
  • Support correspondence you send us by email or in-app chat (retained for 2 years unless you ask us to delete it sooner).

From end users (on your behalf)

  • Messages you explicitly send to our API as part of a conversation — stored as ConversationMessage rows.
  • Behavioral signals derived from those messages — mood, energy, trust, familiarity, sentiment. These are derived numeric state, not raw transcripts.
  • Optional semantic memories written to MemPalace when you opt in to relational memory on a tier that supports it.
  • End-user profiles: external_id, optional display_name, status, interaction counts.
  • Proactive-trigger state, A/B experiment assignments, audit events.

We do not collect raw browsing history, device fingerprints, biometric data, or precise geolocation from end users unless you send it to us explicitly.

§ 03

How we use your data

We use the data we collect to:

  • Provide the API and dashboard features on your active plan.
  • Compute behavioral state — mood / energy / trust / familiarity / sentiment — so your LLM calls can be context-aware.
  • Enforce safety gates, policy rules, and rate limits across your tenant.
  • Keep audit logs for security, incident investigation, and compliance reporting (retained for 2 years by default).
  • Operate transactional email (verification, password reset, billing receipts, quota warnings, weekly digest — opt-outable).
  • Detect, investigate, and prevent abuse, fraud, and violations of these Terms or our Acceptable Use Policy.
  • Improve our service — only using aggregated, de-identified metrics.

We do not sell your data. We do not train our own foundation models on your Customer Data. We do not share Customer Data with third-party LLM providers beyond what is needed to fulfil a request you made.

§ 04

Retention windows

Retention is enforced automatically every hour by a scheduled job — not by manual cleanup — and is capped per plan:

Plan       | Included interactions | Default retention | BAA
Community  | 1,000 / month         | 30 days           | Not available
Starter    | 10,000 / month        | 90 days           | On request (Clinic upgrade)
Growth     | 100,000 / month       | 180 days          | On request
Scale      | Unlimited             | 365 days          | Included
Enterprise | Contractual           | Configurable      | Included with MSA

Conversation messages and MemPalace memories older than the cap are hard-deleted. Audit logs and billing history are kept for 2 years for regulatory reasons, regardless of plan.

When you cancel, we retain a 30-day grace window before final deletion to let you reverse the cancellation or export data. After 30 days, we delete Customer Data unless a signed MSA or active legal hold requires otherwise.

§ 05

When we share data

We share data with the following categories of third parties, all bound by written data-protection agreements:

  • Infrastructure: Contabo (Mumbai region — primary hosting, EU-owned operator), Cloudflare (DNS + DDoS protection, no TLS-terminated content).
  • LLM providers you route traffic to — OpenAI, Anthropic, Google Gemini, AWS Bedrock, Mistral, Groq, xAI, and others selected via the provider string on each request. Only the prompt and the response transit.
  • Payments: Stripe (PCI-DSS Level 1). We never store full card numbers; Stripe holds the payment method.
  • Email: Resend (transactional email delivery). Opt-outable per category.
  • Observability: Sentry (application errors, sampled & scrubbed), optional OpenTelemetry exporters you configure.

A current, versioned sub-processor list lives at /dpa#subprocessors. We publish at least 30 days' notice before adding a new sub-processor that processes Customer Data.

§ 06

Your rights (GDPR, CCPA, HIPAA)

You have the following rights for your account and — where you are the Controller — for your end users' data you process through Humane AI.

Access (GDPR Art. 15 · HIPAA §164.524)

Retrieve everything we hold on an end user — profile, events, messages, proactive triggers, experiment assignments, MemPalace memories — via GET /api/privacy/export/{external_id}. Exports are audit-logged.

Erasure (GDPR Art. 17 · HIPAA §164.528)

Permanently delete an end user and all derived signals via DELETE /api/privacy/erase/{external_id}. The call cascades into events, messages, triggers, assignments, and MemPalace; the erase event is audit-logged before the rows disappear.

Portability (GDPR Art. 20)

Exported data returns structured JSON matching our documented schema — portable by design.

Rectification, Objection, Restriction

Edit profile fields from the dashboard. To restrict further processing of a specific end user, call POST /api/privacy/restrict/{external_id} or mark the end user's status as paused.

CCPA: Do Not Sell

We do not sell personal information as defined by the CCPA. California residents may still request access and deletion through the endpoints above.

§ 07

Children's data

Humane AI is not directed at children. Do not use the Service to process personal data of a child under 13 (or 16 in the EU) unless you have obtained verifiable parental consent. If we learn we've received data concerning a child without proper consent, we will delete it.

§ 08

Cookies & local storage

We use a minimal set of cookies, all strictly necessary for the Service to function:

  • humane_session — HttpOnly, Secure, SameSite=Lax. Authenticates your dashboard session. Cleared on sign-out.
  • humane_csrf — short-lived CSRF token for forms.
  • humane_theme — saves dashboard light/dark preference (no PII).

We do not use advertising or cross-site tracking cookies. We do not use Google Analytics; aggregate traffic is measured with a privacy-preserving tool (Plausible or Umami, first-party subdomain, no cookies).

§ 09

International transfers

Our primary infrastructure is in Mumbai, India (Contabo data centre). When you call an LLM provider routed through us, your prompt may travel to that provider's servers — typically in the United States or the EU. EU Standard Contractual Clauses (2021/914/EU) and, where relevant, UK IDTA are incorporated by reference into our sub-processor agreements. See /dpa#transfers.

§ 10

Security

Technical and organizational measures are documented in detail at /security. Highlights: TLS 1.3 everywhere, bcrypt password hashing, HttpOnly session cookies, HMAC-SHA256 webhook signatures, tenant-scoped queries, and hourly integrity checks on the Alembic schema.

§ 11

Changes to this policy

We review this policy at least annually and whenever we add or remove a sub-processor. Material changes are announced by email and in the dashboard at least 30 days before they take effect.

§ 12

Contact our DPO

Privacy questions, data-subject requests, or regulator correspondence go to our Data Protection Officer at privacy@humaneai.vaarak.com. EU residents may also contact their national supervisory authority directly.