Privacy Policy
Last updated: January 26, 2026
H33, Inc. ("H33," "we," "us," or "our") is committed to protecting your privacy and the privacy of your end users. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website h33.ai and use our quantum authentication and privacy-preserving computation API services (collectively, the "Services").
Our Privacy-First Commitment
- Zero-Knowledge Architecture: We never see or store raw biometric data. All sensitive data is processed using cryptographic proofs.
- No Data Sales: We never sell, rent, or trade your personal information or your users' data.
- Privacy by Design: Our services are built from the ground up to minimize data collection and maximize privacy.
- Encryption Everywhere: All data is encrypted in transit and at rest using post-quantum cryptography.
- Your Data, Your Control: You can request access, correction, or deletion of your data at any time.
1. Information We Collect
1.1 Account Information
When you register for an H33 account, we collect:
- Contact Information: Name, email address, phone number (optional)
- Organization Details: Company name, job title, company size (optional)
- Authentication Credentials: Hashed passwords or OAuth tokens
- Profile Information: Profile picture (optional), timezone preferences
1.2 Billing and Payment Information
For paid services, we collect:
- Billing Details: Billing name, address, VAT/tax ID
- Payment Information: Payment card details are processed directly by Stripe and never stored on our servers
- Transaction History: Records of purchases, credits, and usage
1.3 Usage and Technical Data
We automatically collect:
- API Usage Data: Endpoints called, request/response metadata, timestamps, latency metrics
- Device Information: IP address, browser type and version, operating system
- Log Data: Server logs, error logs, security event logs
- Analytics Data: Page views, feature usage, session duration
1.4 Data Processed Through Our APIs
When you use our Services, different types of data may be processed depending on the API endpoints used:
| Service | Data Processed | How It's Protected |
|---|---|---|
| Biometric Auth | Facial embeddings, fingerprint templates, voiceprints | FHE encryption - we never see raw biometric data |
| FHE Encryption | Encrypted ciphertext only | Data remains encrypted during all processing |
| Zero-Knowledge Proofs | Proof data, public inputs only | Private inputs never leave client device |
| Quantum Signatures | Public keys, signatures, message hashes | Private keys never transmitted |
| KYC/Identity | Document images, extracted data | Processed with ZK proofs, minimal data retention |
| Blockchain Identity | Public addresses, attestation data | On-chain data is public by design |
Critical: What We Do NOT Collect or Store
- Raw Biometric Data: Our FHE and ZK architecture ensures we never receive, see, or store actual biometric templates (facial images, fingerprints, voiceprints)
- Plaintext Passwords: We use passwordless authentication with quantum-resistant cryptography
- Private Keys: Cryptographic private keys remain on your systems and are never transmitted to us
- Unencrypted Personal Data: All sensitive data is encrypted before transmission
- FHE Decryption Keys: We cannot decrypt FHE-encrypted data you process through our services
2. How We Use Your Information
2.1 Providing and Improving Services
- Process API requests and provide cryptographic services
- Authenticate your access to our platform
- Monitor and optimize service performance
- Develop new features and improve existing ones
- Provide technical support and respond to inquiries
2.2 Billing and Account Management
- Process payments and manage subscriptions
- Track credit usage and generate invoices
- Send billing notifications and receipts
- Prevent fraud and unauthorized transactions
2.3 Communications
- Send service announcements and technical notices
- Provide security alerts and updates
- Respond to support requests and feedback
- Send marketing communications (with consent, easily unsubscribable)
2.4 Security and Compliance
- Detect and prevent security threats and abuse
- Investigate potential violations of our terms
- Comply with legal obligations and requests
- Maintain audit logs for compliance purposes
2.5 Analytics and Research
- Analyze usage patterns to improve services (aggregated, anonymized)
- Conduct research on cryptographic techniques (no personal data)
- Generate aggregate statistics and reports
3. Legal Basis for Processing
3.1 For EEA, UK, and Swiss Users (GDPR)
We process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our Services to you
- Legitimate Interests: Improving services, security, fraud prevention, and analytics (balanced against your rights)
- Legal Obligation: Compliance with applicable laws, tax requirements, and regulatory obligations
- Consent: Where you have given explicit consent (e.g., marketing communications)
3.2 Special Category Data (Biometrics)
Biometric data is classified as special category data under GDPR. Our processing is justified by:
- Technical Architecture: Our zero-knowledge and FHE systems mean we do not process raw biometric data
- Explicit Consent: Obtained by you from your end users before data is submitted to our APIs
- Substantial Public Interest: Authentication and fraud prevention purposes
4. Information Sharing and Disclosure
4.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information or your users' data to third parties for their marketing purposes.
4.2 Service Providers
We share information with trusted service providers who assist us in operating our Services:
- Cloud Infrastructure: AWS for hosting and compute (data encrypted)
- Payment Processing: Stripe for payment card transactions
- Email Services: For transactional and marketing emails
- Analytics: Anonymized usage data only
- Support Tools: For customer support ticket management
All service providers are bound by data processing agreements and confidentiality obligations.
4.3 Legal Requirements
We may disclose information when required by law, including:
- Court orders, subpoenas, or legal process
- Government or regulatory requests
- To protect our rights, property, or safety
- To investigate potential violations of our terms
Where permitted, we will notify you of such requests.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
4.5 With Your Consent
We may share information when you direct us to do so or provide explicit consent.
5. Data Security
5.1 Technical Security Measures
We implement industry-leading security measures:
- Post-Quantum Encryption: FIPS 203/204 compliant algorithms for data in transit
- TLS 1.3: All API communications encrypted with modern TLS
- AES-256: Encryption for data at rest
- Zero-Knowledge Architecture: Sensitive data never exposed to our systems
- FHE Processing: Computations on encrypted data without decryption
- Key Management: HSM-backed key storage with strict access controls
5.2 Organizational Security Measures
- SOC 2 Type II: Certified infrastructure and processes
- Access Controls: Role-based access with least privilege principle
- Security Training: Regular employee security awareness training
- Incident Response: Documented procedures for security incidents
- Penetration Testing: Regular third-party security assessments
- Audit Logging: Comprehensive logging of all system access
5.3 Breach Notification
In the unlikely event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.
6. Data Retention
6.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 30 days | Service provision |
| API Usage Logs | 90 days | Debugging, analytics |
| Security Logs | 1 year | Security monitoring |
| Billing Records | 7 years | Tax/legal requirements |
| Support Tickets | 3 years | Service quality |
| Marketing Consent | Until withdrawn | Compliance |
6.2 API-Processed Data
Data processed through our APIs (biometric templates, encrypted data, proofs) is processed in real-time and not retained after the API response is returned, unless you explicitly enable logging features.
6.3 Deletion Requests
Upon account closure or deletion request, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).
7. Your Privacy Rights
7.1 Rights for All Users
Regardless of your location, you have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data
- Data Portability: Receive your data in a structured, machine-readable format
- Withdraw Consent: Withdraw consent for marketing communications
- Complaint: Lodge a complaint with us or a supervisory authority
7.2 Additional Rights for EEA, UK, and Swiss Residents (GDPR)
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Automated Decision-Making: Not be subject to decisions based solely on automated processing (we do not make such decisions)
- Supervisory Authority: Lodge a complaint with your local data protection authority
7.3 Additional Rights for California Residents (CCPA/CPRA)
- Know: Request disclosure of personal information collected, used, and disclosed
- Delete: Request deletion of personal information
- Correct: Request correction of inaccurate personal information
- Opt-Out of Sale: We do not sell personal information
- Non-Discrimination: Not be discriminated against for exercising your rights
- Limit Use of Sensitive Personal Information: Request limitation of use (we minimize collection by design)
7.4 Additional Rights for Other Jurisdictions
We respect privacy rights under other applicable laws, including:
- Brazil (LGPD): Access, correction, deletion, portability, and information about sharing
- Canada (PIPEDA): Access, correction, and withdrawal of consent
- Australia (Privacy Act): Access and correction of personal information
7.5 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@h33.ai. We will respond within 30 days (or sooner as required by applicable law). We may need to verify your identity before processing your request.
8. International Data Transfers
8.1 Data Location
Our primary data processing occurs in the United States. Your information may be transferred to and processed in countries other than your country of residence.
8.2 Transfer Safeguards
For transfers from the EEA, UK, or Switzerland, we use:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms
- UK International Data Transfer Agreement: For UK transfers
- Swiss-U.S. Data Privacy Framework: Where applicable
- Supplementary Measures: Including encryption and access controls
8.3 Data Residency Options
Enterprise customers may request specific data residency options. Contact us at enterprise@h33.ai for more information.
9. Cookies and Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your preferences through our cookie consent banner or your browser settings.
10. Third-Party Services and Links
Our Services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
11. Children's Privacy
Our Services are not directed to individuals under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@h33.ai.
12. Your Responsibilities as a Customer
When using our Services to process end-user data, you act as the data controller and are responsible for:
- Obtaining appropriate consent from end users
- Providing privacy notices to end users
- Complying with applicable data protection laws
- Responding to end-user rights requests
- Implementing appropriate security measures in your applications
- Complying with biometric privacy laws (BIPA, GDPR Article 9, etc.)
13. Data Processing Agreement
For customers processing personal data through our Services, we offer a Data Processing Agreement (DPA) that includes:
- Standard Contractual Clauses for international transfers
- Security commitments and audit rights
- Sub-processor notification procedures
- Data breach notification obligations
Contact legal@h33.ai to request a DPA.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last updated" date
- Sending email notice for material changes
We encourage you to review this policy periodically. Continued use of our Services after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Data Protection Officer
H33, Inc.
Attn: Data Protection Officer
Email: privacy@h33.ai
Website: https://h33.ai
EU Representative
For GDPR-related inquiries, you may also contact our EU representative:
Email: eu-representative@h33.ai
UK Representative
For UK GDPR-related inquiries:
Email: uk-representative@h33.ai