Privacy Policy

1. Introduction

Hyver ("Company," "we," "our," or "us") operates an AI Agent Marketplace that enables businesses and individuals to deploy, manage, and orchestrate artificial intelligence workers for purposes including, without limitation, customer support, sales automation, research, and marketing (collectively, the "Service").

This Privacy Policy ("Policy") sets forth the terms and conditions under which the Company collects, uses, discloses, and safeguards Personal Data in connection with the Service, including the Company's website, AI agents, integration tools, and all related services. This Policy is incorporated by reference into the Company's Terms of Use. Data Subjects are encouraged to read this Policy carefully and in its entirety prior to accessing or using the Service.

1.1 Definitions

For purposes of this Policy, the following terms shall have the meanings ascribed to them below:

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, account identifiers, usage data, and content submitted to the Service.
"Processing" means any operation or set of operations performed upon Personal Data, whether or not by automated means, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, or deletion.
"Data Controller" means the Company, which determines the purposes and means of Processing Personal Data in connection with the Service.
"Data Subject" means the natural person to whom Personal Data relates, including users, account holders, and individuals whose data is submitted to the Service.
"Sub-processor" means any third-party service provider engaged by the Company to Process Personal Data on the Company's behalf.

Notice: By accessing or using the Service, the Data Subject acknowledges that interactions with AI agents may be processed across multiple systems, including Sub-processors that provide artificial intelligence infrastructure and third-party integration services. The Company is committed to full transparency regarding the flow of Personal Data through the Service.

2. Information We Collect

2.1 Account Information

Upon registration, the Company collects Personal Data necessary to establish and maintain a user account, including:

Email address and account credentials, which are stored in encrypted form
Name and organisational information, where voluntarily provided
User preferences and account configuration settings
Authentication and identity verification data processed through our authentication service provider

2.2 Usage Data

The Company automatically collects certain technical and behavioural data generated through a Data Subject's interaction with the Service, including:

Pages visited, features accessed, and actions performed within the Service
Session duration and frequency of access
Device and browser characteristics, including operating system and device identifiers
Internet Protocol (IP) address and approximate geographic location
Referring uniform resource locators (URLs) and search query terms

2.3 AI Interaction Data

In the course of a Data Subject's interaction with AI agents made available through the Service, the Company collects:

Messages, queries, instructions, and prompts submitted to AI agents
Outputs, responses, and results generated by AI agents
Files, documents, and data uploaded by the Data Subject for agent Processing
Agent configuration parameters and customisation settings
Workflow execution records and output logs

2.4 Integration Data

Where a Data Subject elects to connect third-party services to the Service via available integration protocols, the Company may collect:

Access credentials for connected services, which are stored in encrypted form with per-account isolation
Data retrieved from connected services pursuant to the Data Subject's instructions (including, by way of example, project management, communication, and business platforms)
Delegated access tokens and associated refresh credentials

3. How We Use Your Information

The Company processes Personal Data for the following lawful purposes, each of which constitutes a legitimate basis for Processing under applicable data protection law:

3.1 Service Delivery

Provision, maintenance, and improvement of the Service
Processing of Data Subject requests and execution of AI agent workflows
Enabling AI agents to perform tasks on behalf of the Data Subject
Administration of user accounts and provision of customer support

3.2 Service Improvement

Analysis of usage patterns for the purpose of enhancing the user experience
Development of new features, agents, and integration capabilities
Improvement of artificial intelligence model performance using anonymised and aggregated data
Monitoring of Service performance and infrastructure reliability

3.3 Security and Compliance

Detection, prevention, and remediation of security threats and unauthorised access
Enforcement of the Company's Terms of Use and prevention of abuse
Compliance with applicable legal obligations and regulatory requirements
Maintenance of audit records for governance and compliance purposes

3.4 Communications

Transmission of service-related notifications, account alerts, and operational updates
Response to Data Subject inquiries and support requests
Distribution of product communications and announcements, where the Data Subject has provided consent

4. AI Agent Data Processing

Notice: This section describes the manner in which Personal Data is processed when a Data Subject interacts with AI agents made available through the Service. Data Subjects are advised to review this section carefully prior to using AI agent functionality.

4.1 Data Flow in AI Agent Processing

When a Data Subject submits a request to an AI agent, Personal Data may be processed across the following layers of the Service infrastructure:

Orchestration Layer: The Company's proprietary routing system, which directs requests to the appropriate agents, tools, and downstream services
AI Infrastructure: Our AI infrastructure providers, which host and operate the third-party artificial intelligence models used to generate agent responses
Integration Connectors: External services and platforms connected to the Service via application programming interfaces and integration protocols, as configured by the Data Subject (including, by way of example, project management, version control, communication, and business productivity platforms)

4.2 Conversation History

The Company retains conversation histories for the purpose of enabling session continuity and improving the quality of the Service. Data Subjects may delete their conversation history at any time through the account settings interface. Upon such request, deletion shall be effectuated in accordance with the retention schedule set forth in Section 7 of this Policy.

4.3 Agent Memory and Contextual Data

Certain AI agents maintain contextual memory to enable personalised responses over successive interactions. Such data is stored securely and associated exclusively with the Data Subject's account. Data Subjects may reset agent memory at any time through the agent configuration interface.

4.4 Data Minimisation

The Company applies the principle of data minimisation in all AI agent Processing operations. Only the minimum Personal Data necessary to fulfil a specific request is transmitted to AI infrastructure providers and integration services. Account information and data unrelated to the specific request shall not be shared with such providers.

5. Third-Party Services

The Service relies upon a number of Sub-processors and third-party service providers in order to deliver its functionality. The categories of such providers are described below.

5.1 AI Infrastructure Providers

AI Model Providers: The Company engages AI infrastructure providers that host and operate multiple third-party artificial intelligence foundation models used to generate agent responses and process Data Subject requests
Agent Orchestration Infrastructure: Runtime infrastructure services engaged by the Company for AI agent orchestration, execution, and memory management

5.2 Cloud Infrastructure Providers

The Company engages cloud infrastructure service providers for the following operational functions:

Serverless compute services for backend application programming interfaces
Managed database services for storage of agent configurations, session data, and related records
Object storage services for knowledge base content and processing artefacts
Identity and authentication services for user account management
Content delivery network services for Service availability and performance
Cryptographic key management services for encryption of stored credentials

5.3 Third-Party Integration Services

Where a Data Subject elects to connect external services to the Service via available application programming interfaces and integration protocols, Personal Data may be shared with those external services in accordance with the Data Subject's instructions. Categories of available integrations include:

Productivity and Collaboration: Project management, document collaboration, and workspace productivity platforms
Software Development: Version control and model repository platforms
Business Operations: Payment processing, customer relationship management, and marketing platforms
Design and Creative: Design and visual content creation platforms
Search and Data: Web search and geographic data services

Each third-party service provider operates pursuant to its own privacy policy and data processing terms, which govern that provider's use of Personal Data. Data Subjects are encouraged to review those policies prior to enabling integrations. Access credentials for connected services are encrypted using industry-standard key management and stored with per-account isolation.

6. Data Security & Compliance

6.1 Security Measures

The Company implements and maintains a comprehensive set of technical and organisational security measures designed to protect Personal Data against unauthorised access, disclosure, alteration, or destruction, including:

Encryption of Personal Data in transit and at rest using industry-standard encryption protocols
Secure authentication services with multi-factor authentication support
Regular security audits and independent penetration testing
Role-based access controls and application of the principle of least privilege
Continuous security monitoring and incident response procedures

6.2 Compliance Standards

The Service is designed and operated to meet applicable enterprise compliance requirements:

SOC 2 Type II: The Company maintains SOC 2 Type II certified security controls
GDPR: The Company processes Personal Data in compliance with the General Data Protection Regulation and applicable European data protection law
HIPAA: Healthcare data handling capabilities are available to Data Subjects on Enterprise plans, subject to execution of a Business Associate Agreement
Audit Logs: Comprehensive activity logs are maintained for governance and regulatory compliance purposes

6.3 Data Location

Personal Data is primarily stored and processed in European Union data centers. Enterprise customers may request specific data residency arrangements, subject to applicable contractual terms and technical feasibility.

7. Data Retention

The Company retains Personal Data only for so long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Account Data: Retained for the duration of the active account relationship and deleted within thirty (30) days following account closure
Conversation History: Retained for a default period of ninety (90) days; Data Subjects may adjust this period or request earlier deletion through account settings
Usage Analytics: Aggregated and anonymised no later than twelve (12) months following collection
Audit Logs: Retained for a period of seven (7) years pursuant to applicable legal and compliance obligations

Data Subjects may request earlier deletion of their Personal Data by contacting the Company at the address set forth in Section 11 of this Policy, subject to any overriding legal obligations that may require the Company to retain certain records.

8. Your Rights

Subject to applicable law and any restrictions imposed by overriding legal obligations, Data Subjects may be entitled to exercise the following rights with respect to their Personal Data:

Right of Access: The right to obtain confirmation of whether Personal Data relating to the Data Subject is being processed, and to receive a copy thereof
Right to Rectification: The right to require correction of inaccurate or incomplete Personal Data without undue delay
Right to Erasure: The right to require deletion of Personal Data in circumstances prescribed by applicable law
Right to Data Portability: The right to receive Personal Data in a structured, commonly used, and machine-readable format, and to transmit such data to another controller
Right to Restriction of Processing: The right to request restriction of Processing in circumstances prescribed by applicable law
Right to Object: The right to object to Processing of Personal Data carried out on the basis of the Company's legitimate interests
Right to Withdraw Consent: Where Processing is based upon the Data Subject's consent, the right to withdraw such consent at any time without prejudice to the lawfulness of Processing carried out prior to withdrawal

To exercise any of the foregoing rights, Data Subjects shall submit a written request to the Company at privacy@hyver.ai. The Company shall respond to all verified requests within the timeframe prescribed by applicable law.

9. Cookies & Tracking

9.1 Categories of Cookies Used

Strictly Necessary Cookies: Cookies required for authentication, session management, and the basic operational functionality of the Service; these cookies cannot be disabled without materially impairing the Service
Preference Cookies: Cookies that retain Data Subject settings and preferences, including display theme and language selection, across sessions
Analytics Cookies: Cookies used to collect aggregated information regarding Service usage patterns for the purpose of improving functionality; these cookies may be disabled through account or browser settings

9.2 Cookie Management

Data Subjects may manage cookie preferences through their browser settings or through the Service's account settings interface. Disabling strictly necessary cookies may impair or prevent access to certain features of the Service.

9.3 Do Not Track

The Company honours Do Not Track (DNT) signals transmitted by a Data Subject's browser. Where a DNT signal is detected, the Company shall refrain from cross-site behavioural tracking of the Data Subject.

10. Changes to This Policy

The Company reserves the right to amend this Policy at any time. In the event of a material change to the manner in which Personal Data is collected, used, or disclosed, the Company shall provide notice to affected Data Subjects by:

Publishing the revised Policy on this page with an updated effective date
Updating the "Last Updated" date appearing at the top of this Policy
Transmitting email notification to registered Data Subjects in the case of material changes affecting their rights or obligations

A Data Subject's continued use of the Service following the effective date of any amendment shall constitute acceptance of the revised Policy. Data Subjects who do not agree to the amended terms are required to discontinue use of the Service.

11. Contact Us

Data Protection Inquiries

Questions, concerns, or requests relating to this Policy or the Company's data protection practices should be directed to the Company in writing at the contact addresses set forth below. The Company shall acknowledge receipt of all requests and endeavour to respond within the period prescribed by applicable law.

General Inquiries: privacy@hyver.ai
Data Protection Officer: dpo@hyver.ai

Data Subjects who are residents of the European Union and whose GDPR rights have not been adequately addressed by the Company retain the right to lodge a complaint with the competent supervisory authority in the Member State of their habitual residence, place of work, or place of the alleged infringement.