Privacy Policy

Last updated: February 10, 2026

This Privacy Policy explains how H33.ai, Inc. ("H33," "we," "us," or "our") collects, uses, discloses, and retains information when you (i) visit our websites, marketing pages, and other online properties that link to this Privacy Policy (the "Sites") and/or (ii) access or use the H33 services, APIs, SDKs, dashboards, and related offerings (the "Services").

1. Scope and Roles

1.1 This Policy Covers

  • Visitors to the Sites
  • Business contacts (e.g., customers, prospects, partners, vendors)
  • Users who create or administer H33 accounts ("Authorized Users")

1.2 Customer Data in the Services

When Customers use the Services to authenticate End Users or process Customer Data, H33 typically acts as a processor/service provider to the Customer (who is the controller/business). In those cases, the Customer determines what data is submitted and how it is used in its application.

Your organization's contract documents (e.g., Terms, Security Exhibit, U.S. State Privacy Addendum, and any executed DPA/BAA if applicable) govern H33's processing of Customer Data.

2. Information We Collect

We collect information from (a) you directly, (b) your organization, (c) your use of the Sites/Services, and (d) service providers and third parties.

2.1 Information You Provide

  • Business and account information (e.g., name, business email, phone, company name, role, billing contact details).
  • Support and communications (e.g., support tickets, emails, chat communications, meeting notes).
  • Payment and billing information (e.g., billing address, transaction history, tax/VAT information). Payment card data is typically processed by a payment processor; we may receive limited payment-related metadata.

2.2 Information Collected Automatically

  • Device and usage information (e.g., IP address, device identifiers, browser type, pages viewed, timestamps, referring URLs).
  • Logs and security telemetry (e.g., API request metadata, authentication events, error logs, rate-limit events, audit/attestation logs, and security signals).
  • Site analytics. We use Google Analytics to understand how visitors use the Sites (for example, which pages are visited and how the Sites perform). Google Analytics may use cookies and similar technologies to collect usage information.
  • Checkout and payment metadata. If you purchase Services, our payment provider (Stripe) may collect and process payment information. We may receive limited transaction and billing metadata (e.g., billing contact, payment status, transaction identifiers), but we do not receive or store full payment card numbers. We may receive tokenized and/or truncated payment details and transaction metadata from Stripe.
  • Search indexing. Search engines (including Google and Bing) may crawl or index publicly available Site pages subject to their own policies and your settings with those providers.

2.3 Customer Data Processed Through the Services (On Behalf of Customers)

Depending on how a Customer configures and uses the Services, Customer Data may include:

  • Identifiers, templates, samples, or biometric-derived artifacts (including face/voice/fingerprint/behavioral biometrics) submitted by or on behalf of the Customer;
  • Authentication inputs and outputs generated for the Customer;
  • Configuration data, keys, and policies Customer sets within the Services;
  • Limited metadata needed to operate and secure the Services.

Architecture note: The Services may be configured to process certain sensitive inputs in encrypted form such that H33 does not require plaintext access to provide the Services. However, H33 still processes and stores information needed to operate, secure, and support the Services.

2.4 Optional Modules

If enabled by the Customer, we may also process:

  • KYC/AML Module Data (e.g., identity verification inputs, sanctions/PEP screening outcomes, and related verification metadata) as described in the applicable addendum and/or Order Form; and/or
  • Token/Blockchain Module Data (e.g., wallet addresses, on-chain identifiers, credential metadata, transaction hashes, smart contract interactions, and related logs), subject to the Token and Blockchain addenda.

3. How We Use Information

We use information to:

  • Provide, operate, maintain, and secure the Sites and Services;
  • Provision accounts, authenticate access, and administer subscriptions/credits;
  • Process payments, invoices, taxes, and account notices;
  • Monitor performance, prevent abuse, detect fraud, and enforce rate limits and security controls;
  • Provide support and respond to requests;
  • Comply with applicable laws and respond to lawful requests;
  • Improve and develop the Services (including reliability, security, and usability);
  • Market and communicate with business contacts (subject to opt-out rights where applicable).

We do not use Customer Data submitted to the Services to contact End Users for H33's marketing.

4. How We Disclose Information

We may disclose information:

4.1 Service Providers and Subprocessors

We disclose information to vendors, service providers, and subprocessors that help us operate the Sites and Services (including, as applicable, hosting, monitoring, caching, customer support, communications, authentication, and payments). These providers process information under contractual restrictions appropriate to their role. Some providers are affiliates within the H33.ai corporate group.

Examples include (as applicable):

  • Amazon Web Services (AWS) (hosting and infrastructure);
  • Stripe (payment processing);
  • Twilio (SMS delivery and related communications, where enabled);
  • Google Analytics (site analytics);
  • Chat101 (support chat and communications tooling provided by H33.ai, Inc. or an affiliate within the H33.ai corporate group);
  • Cachee (caching and performance optimization services provided by H33.ai, Inc. or an affiliate within the H33.ai corporate group, where enabled);
  • Auth1.ai (authentication-related services provided by H33.ai, Inc. or an affiliate within the H33.ai corporate group, where enabled); and
  • Helius (Solana RPC / infrastructure services used to facilitate certain blockchain interactions, where blockchain features are enabled).

We may update our service providers over time. Where required by law or contract, we will provide additional information about subprocessors upon request.

4.2 Customers and Authorized Users

Customer account administrators may access and manage information within the Customer's account, including logs and outputs generated for that Customer.

4.3 Legal, Safety, and Compliance

To comply with law, legal process, or governmental requests; to protect rights, safety, and security; to investigate fraud or misuse; or to enforce our agreements.

4.4 Business Transfers

In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets (subject to customary confidentiality protections).

4.5 Blockchain/On-Chain Disclosures (If Enabled)

If a Customer enables blockchain or token features, certain information (such as transaction hashes, wallet addresses, on-chain identifiers, credential metadata, attestations, and related logs) may be submitted to or reflected on third-party blockchain networks, including Solana. Blockchain networks (such as Solana) are decentralized third-party networks not operated by H33 and are not H33 "subprocessors."

Blockchain records may be public and/or persistent and may not be editable or deletable. H33 does not control the Solana network or third-party infrastructure providers used to access it (such as RPC providers). Customers are responsible for configuring their use cases to avoid placing sensitive information on-chain and for ensuring their use complies with applicable law.

5. Data Retention

We retain information as needed to provide the Sites and Services and for legitimate business purposes such as security, dispute resolution, and legal compliance, subject to our contractual terms, legal obligations, and technical constraints.

  • Business/contact data: Retained for relationship management and compliance, subject to reasonable deletion requests where applicable.
  • Customer Data in H33-controlled systems: Retained per the Customer's configuration and requests where feasible and consistent with our contractual terms, legal obligations, and technical constraints.
  • Logs and security records: Retained for security, abuse prevention, and auditability; retention periods may vary by tier and configuration.
  • On-chain data (if applicable): May be persistent and not practically deletable.

6. Security

We maintain reasonable administrative, technical, and organizational measures designed to protect information. No system is perfectly secure; we cannot guarantee absolute security. Certain Services may use modern cryptographic schemes (including post-quantum signature algorithms) as part of the security design; these are technical methods, not third-party recipients of information.

7. Cookies, Analytics, and Similar Technologies

We use cookies and similar technologies on the Sites for:

  • Essential site functionality,
  • Analytics/performance measurement (including Google Analytics),
  • Security and fraud prevention, and
  • (If enabled in the future) limited marketing.

Google Analytics

Google Analytics uses cookies and similar technologies to help us understand Site usage and improve performance. You can limit analytics collection by: (i) adjusting your browser cookie settings; (ii) using browser tools that limit tracking; and/or (iii) using Google's opt-out mechanisms made available for Google Analytics.

No Session Replay / Keystroke Logging

We do not currently use session-replay, keystroke logging, or similar "behavioral recording" tools on the Sites. If we introduce such tools, we will update this Privacy Policy and, where required, provide additional notice and choice.

Embedded Tools

Certain embedded functionality (for example, checkout flows or support widgets) may be delivered by service providers and may set cookies or similar technologies subject to their own policies and your browser settings.

Sites

We may take steps to help the Sites appear in search results (including via Bing and other search engines). We do not use Bing's analytics products for Site analytics at this time.

If we maintain a separate Cookie Notice or cookie banner, it will provide additional choices and details.

8. International Data Transfers and Restricted Regions

H33 is U.S.-based, and information may be processed in the United States and other locations where we or our providers operate.

To the extent we offer Services involving Restricted Regions data, such access is typically handled under an Enterprise arrangement and applicable data protection terms (e.g., an executed DPA, where applicable).

9. Marketing Communications

Business contacts may opt out of marketing emails by using the unsubscribe link in the message or by contacting us at privacy@h33.ai. Transactional and service communications (e.g., invoices, security notices) are not marketing and may still be sent.

10. Privacy Rights and Requests

10.1 End Users of a Customer Application

If you interact with an application provided by one of our Customers, and you want to exercise privacy rights relating to that Customer's data practices (access, deletion, correction, etc.), please contact the Customer directly. H33 generally processes such data on the Customer's behalf and will assist the Customer as required by applicable terms.

10.2 Site Visitors and Business Contacts

Depending on your location and applicable law, you may have rights regarding your personal information (e.g., access, deletion, correction, portability, or opt-out of certain processing). You can submit requests by emailing privacy@h33.ai.

We may need to verify your identity and/or authority to submit a request. If you are submitting a request on behalf of an organization, we may require proof of authorization.

11. U.S. State Privacy Disclosure (Including California)

This Section provides additional disclosures for residents of certain U.S. states with comprehensive privacy laws (including California). This Section applies to personal information we collect as described in this Privacy Policy in connection with the Sites and our business relationship activities. For Customer Data processed through the Services on behalf of a Customer, see Section 1.2 and Section 10.1.

11.1 Categories of Personal Information We Collect

Depending on how you interact with us, we may collect the following categories of personal information:

  • Identifiers (e.g., name, business email address, phone number, IP address, account identifiers).
  • Commercial information (e.g., subscription tier, credits purchased, transaction status, invoices).
  • Internet or network activity information (e.g., Site usage data, pages viewed, timestamps, device and browser information, and similar analytics data).
  • Professional or employment-related information (e.g., company name, role/title, business contact details).
  • Customer support and communications (e.g., messages sent to support, feedback, and related metadata).
  • Security and operational logs (e.g., authentication events, API request metadata, error logs, rate-limit events, and security signals).

We do not collect or use "sensitive personal information" for the purpose of inferring characteristics about individuals. To the extent sensitive information is submitted to the Services by a Customer (including biometric-related data), H33 generally processes it on behalf of the Customer under the applicable contract documents.

11.2 Sources of Personal Information

We collect personal information from:

  • You and your organization (e.g., account creation, purchases, communications);
  • Your use of the Sites and Services (e.g., logs and analytics); and
  • Service providers that support our operations (e.g., payments and analytics).

11.3 Purposes of Collection and Use

We use personal information for the purposes described in Section 3, including to operate and secure the Sites and Services, process transactions, provide support, communicate with business contacts, enforce our agreements, and comply with law.

11.4 Disclosures of Personal Information

We disclose personal information as described in Section 4, including to service providers that help us operate our Sites and Services (such as payment processing and site analytics), and for legal, security, and compliance purposes.

11.5 No Sale or Sharing; Targeted Advertising

H33 does not "sell" personal information and does not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA ("CCPA/CPRA"). We do not use personal information collected on the Sites to serve targeted ads across third-party websites. Use of analytics providers for measurement and site performance does not constitute "sharing" for cross-context behavioral advertising.

11.6 Your Privacy Rights

Depending on your state of residence and applicable law, you may have the right to:

  • Request access to and/or a copy of certain personal information we maintain about you;
  • Request correction of inaccurate personal information;
  • Request deletion of certain personal information;
  • Obtain information about disclosures of personal information to service providers;
  • In certain states, opt out of certain processing (such as targeted advertising, sale, or profiling in furtherance of decisions producing legal or similarly significant effects), noting that H33 does not sell or share personal information for cross-context behavioral advertising as described above.

You may exercise applicable rights by emailing privacy@h33.ai.

11.7 Verification and Authorized Agents

To protect privacy and security, we may verify your identity and/or your authority before responding to a request. If you use an authorized agent, we may require proof of authorization and may also require you to verify your identity directly with us.

11.8 Appeals (Certain States)

If we decline to take action on a request, you may appeal our decision by replying to our response or emailing privacy@h33.ai with the subject line "Privacy Appeal." We will respond in accordance with applicable law.

11.9 California "Shine the Light"

California residents may request certain information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes in a manner that would require a "Shine the Light" disclosure.

11.10 Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

12. Children

The Sites and Services are not directed to children, and we do not knowingly collect personal information from children under 13 (or under the applicable age of digital consent where required).

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated policy and update the "Last Updated" date. Where required, we will provide additional notice.

14. Contact Us

H33.ai, Inc.
Attn: Privacy
Email: privacy@h33.ai
Security: security@h33.ai
Legal: legal@appuix.xyz