GDPR Compliance

Last updated: March 12, 2026

This page compiles H33's data protection practices from our existing legal documents into a single GDPR reference. All text below is drawn verbatim from our Privacy Policy, Data Processing Agreement, and Cookie Policy. For the full text of each document, follow the links above.

1. Data Controller & Contact

From our Privacy Policy, Sections 1 & 14

This Privacy Policy explains how H33.ai, Inc. ("H33," "we," "us," or "our") collects, uses, discloses, and retains information when you (i) visit our websites, marketing pages, and other online properties that link to this Privacy Policy (the "Sites") and/or (ii) access or use the H33 services, APIs, SDKs, dashboards, and related offerings (the "Services").

Important

The Services are intended for business use. If you are an individual interacting with a Customer's application that uses H33, H33 generally processes information on behalf of that Customer. In most cases, privacy requests related to that Customer's application should be directed to the Customer (see Section 4 below).

Scope

  • Visitors to the Sites
  • Business contacts (e.g., customers, prospects, partners, vendors)
  • Users who create or administer H33 accounts ("Authorized Users")

When Customers use the Services to authenticate End Users or process Customer Data, H33 typically acts as a processor/service provider to the Customer (who is the controller/business). In those cases, the Customer determines what data is submitted and how it is used in its application.

Contact

H33.ai, Inc.
Attn: Privacy
Email: privacy@h33.ai
Security: security@h33.ai
Legal: legal@appuix.xyz

2. Lawful Basis for Processing

From our Privacy Policy, Sections 2 & 3

We collect information from (a) you directly, (b) your organization, (c) your use of the Sites/Services, and (d) service providers and third parties.

We use information to:

  • Provide, operate, maintain, and secure the Sites and Services;
  • Provision accounts, authenticate access, and administer subscriptions/credits;
  • Process payments, invoices, taxes, and account notices;
  • Monitor performance, prevent abuse, detect fraud, and enforce rate limits and security controls;
  • Provide support and respond to requests;
  • Comply with applicable laws and respond to lawful requests;
  • Improve and develop the Services (including reliability, security, and usability);
  • Market and communicate with business contacts (subject to opt-out rights where applicable).

We do not use Customer Data submitted to the Services to contact End Users for H33's marketing.

3. Data Categories & Retention

From our Privacy Policy, Sections 2 & 5

Information You Provide

  • Business and account information (e.g., name, business email, phone, company name, role, billing contact details).
  • Support and communications (e.g., support tickets, emails, chat communications, meeting notes).
  • Payment and billing information (e.g., billing address, transaction history, tax/VAT information). Payment card data is typically processed by a payment processor; we may receive limited payment-related metadata.

Information Collected Automatically

  • Device and usage information (e.g., IP address, device identifiers, browser type, pages viewed, timestamps, referring URLs).
  • Logs and security telemetry (e.g., API request metadata, authentication events, error logs, rate-limit events, audit/attestation logs, and security signals).
  • Site analytics. We use Google Analytics to understand how visitors use the Sites (for example, which pages are visited and how the Sites perform). Google Analytics may use cookies and similar technologies to collect usage information.
  • Checkout and payment metadata. If you purchase Services, our payment provider (Stripe) may collect and process payment information. We may receive limited transaction and billing metadata (e.g., billing contact, payment status, transaction identifiers), but we do not receive or store full payment card numbers.

Customer Data Processed Through the Services

Depending on how a Customer configures and uses the Services, Customer Data may include:

  • Identifiers, templates, samples, or biometric-derived artifacts (including face/voice/fingerprint/behavioral biometrics) submitted by or on behalf of the Customer;
  • Authentication inputs and outputs generated for the Customer;
  • Configuration data, keys, and policies Customer sets within the Services;
  • Limited metadata needed to operate and secure the Services.

Architecture note: The Services may be configured to process certain sensitive inputs in encrypted form such that H33 does not require plaintext access to provide the Services.

Retention

We retain information as needed to provide the Sites and Services and for legitimate business purposes such as security, dispute resolution, and legal compliance, subject to our contractual terms, legal obligations, and technical constraints.

  • Business/contact data: Retained for relationship management and compliance, subject to reasonable deletion requests where applicable.
  • Customer Data in H33-controlled systems: Retained per the Customer's configuration and requests where feasible and consistent with our contractual terms, legal obligations, and technical constraints.
  • Logs and security records: Retained for security, abuse prevention, and auditability; retention periods may vary by tier and configuration.
  • On-chain data (if applicable): May be persistent and not practically deletable.

4. Your Rights (Articles 15-22)

From our Privacy Policy, Section 10 & DPA, Section 5

H33 will assist the Controller in responding to data subject requests including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to data portability (Article 20 GDPR)

End Users of a Customer Application

If you interact with an application provided by one of our Customers, and you want to exercise privacy rights relating to that Customer's data practices (access, deletion, correction, etc.), please contact the Customer directly. H33 generally processes such data on the Customer's behalf and will assist the Customer as required by applicable terms.

Site Visitors and Business Contacts

Depending on your location and applicable law, you may have rights regarding your personal information (e.g., access, deletion, correction, portability, or opt-out of certain processing). You can submit requests by emailing privacy@h33.ai.

We may need to verify your identity and/or authority to submit a request. If you are submitting a request on behalf of an organization, we may require proof of authorization.

5. Cookies & Consent

From our Cookie Policy

We use cookies and similar technologies on the Sites for:

  • Essential site functionality,
  • Analytics/performance measurement (including Google Analytics),
  • Security and fraud prevention, and
  • (If enabled in the future) limited marketing.

Cookie Categories

Category            Examples                                   Duration
Strictly Necessary  h33_session, h33_cookie_consent, h33_csrf  Session – 1 year
Analytics           _ga, _gid, _gat (Google Analytics)         1 min – 2 years
Preference          h33_theme, h33_lang                        1 year
Marketing           None currently used

When you first visit our Website, you will see a cookie consent banner that allows you to accept all cookies, accept necessary only, or manage preferences. You can change your cookie preferences at any time.

For full details, see our Cookie Policy.

6. International Transfers & SCCs

From our Privacy Policy, Section 8 & DPA, Section 7

H33 is U.S.-based, and information may be processed in the United States and other locations where we or our providers operate.

To the extent we offer Services involving Restricted Regions data, such access is typically handled under an Enterprise arrangement and applicable data protection terms (e.g., an executed DPA, where applicable).

H33 processes data in the United States (AWS us-east-1). For EU/EEA customers, transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission.

7. Sub-processors

From our DPA, Section 4 & Privacy Policy, Section 4

H33 uses the following sub-processors:

Sub-processor              Purpose                                              Jurisdiction
Amazon Web Services (AWS)  Infrastructure hosting                               United States (us-east-1)
Auth1 (Z101 Inc.)          Authentication orchestration and session management  United States (us-east-1)
Stripe                     Payment processing (no biometric data shared)        United States / European Economic Area

The Controller will be notified of any changes to sub-processors with 30 days' advance notice.

Additional service providers referenced in our Privacy Policy (used for Sites and business operations, not necessarily sub-processors under the DPA):

  • Twilio — SMS delivery and related communications, where enabled
  • Google Analytics — Site analytics
  • Chat101 — Support chat (H33.ai, Inc. affiliate)
  • Cachee — Caching and performance optimization (H33.ai, Inc. affiliate)
  • Helius — Solana RPC / infrastructure services, where blockchain features are enabled

8. Data Protection Measures

From our DPA, Section 3

H33 implements the following technical measures to protect Personal Data:

  • Encryption at rest: All biometric templates are stored as FHE ciphertexts — the server never accesses plaintext biometric data
  • Encryption in transit: TLS 1.3 with post-quantum key exchange (Kyber-768)
  • Zero-knowledge verification: Authentication proofs reveal no personal information beyond the yes/no result
  • Post-quantum security: All cryptographic operations use NIST-standardized post-quantum algorithms (ML-KEM, ML-DSA)
  • Data minimization: Only encrypted template hashes are stored; raw biometric data is never retained

We maintain reasonable administrative, technical, and organizational measures designed to protect information. No system is perfectly secure; we cannot guarantee absolute security. Certain Services may use modern cryptographic schemes (including post-quantum signature algorithms) as part of the security design; these are technical methods, not third-party recipients of information.

9. Breach Notification

From our DPA, Section 8

H33 will notify the Controller of any Personal Data breach without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, and remediation measures taken.

10. Data Deletion & Portability

From our DPA, Section 6 & Privacy Policy, Section 10

Personal Data is retained only for the duration of the service agreement. Upon termination, all Personal Data (including encrypted templates) is deleted within 30 days. Deletion certificates are available upon request.

Depending on your location and applicable law, you may have rights regarding your personal information (e.g., access, deletion, correction, portability, or opt-out of certain processing). You can submit requests by emailing privacy@h33.ai.

Data Protection Inquiries

For any questions about GDPR compliance, data subject requests, or our data protection practices, contact us at privacy@h33.ai.

See also: Privacy Policy · Data Processing Agreement · Cookie Policy · Terms of Service