Privacy Policy
Effective date: March 28, 2026
Last updated: March 28, 2026
1. Introduction
This Privacy Policy describes how Humanik Technologies Inc. ("HumanikOS," "we," "us," or "our") collects, uses, stores, and protects your information when you use the HumanikOS platform, website, APIs, and all related services (the "Service"). It applies to all users of the Service, regardless of location.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
We are committed to transparency about our data practices and to protecting the information you entrust to us.
2. Data We Collect
Account Data
Information you provide when you create an account or manage your profile:
| Data | Purpose |
|---|---|
| Email address | Account creation, authentication, service communications |
| Full name | Account profile, display within workspaces |
| Organization name | Multi-tenant workspace setup |
| Password or OAuth tokens | Authentication via Firebase Auth |
| Billing information | Payment processing via Stripe |
Workspace Data
Content you create, upload, or store through the platform in the course of using the Service:
| Data | Purpose |
|---|---|
| Database records and tables | Core service delivery — your data plane |
| Files and objects | Core service delivery — your storage |
| Code and deployment artifacts | Core service delivery — agent workspaces |
| Agent configurations and prompts | Core service delivery — AI agent setup |
| Task history and logs | Service delivery, debugging, audit trail |
| Integration credentials (encrypted) | Connecting to third-party services you authorize |
AI Interaction Data
Data generated through your use of AI features on the platform:
| Data | Purpose |
|---|---|
| Prompts sent to AI agents | Core service delivery |
| Agent responses and tool calls | Core service delivery |
| Voice interaction audio (if enabled) | Voice synthesis and recognition via ElevenLabs |
| Token usage metrics | Billing and usage tracking |
Automatically Collected Data
Information collected automatically when you interact with the Service:
| Data | Purpose |
|---|---|
| IP address | Security, rate limiting, fraud prevention |
| Browser type, operating system, device info | Service optimization and debugging |
| Pages visited and feature usage | Product improvement (aggregated) |
| Error logs and crash reports | Service reliability |
3. How We Use Your Data
We use the data we collect for the following purposes:
- Service delivery — operating the platform, processing AI requests, managing workspaces, executing agent tasks
- Billing — processing payments, tracking usage, generating invoices, managing credit balances
- Security — fraud detection, abuse prevention, access logging, threat monitoring
- Communication — account notifications, security alerts, service updates, and transactional emails
- Improvement — aggregated and anonymized analytics to improve the product and user experience
- Legal — compliance with legal obligations, responding to lawful requests, enforcing our terms
4. AI & Model Training
We do not use your data to train AI models.
Your workspace data, prompts, AI interactions, agent responses, and all other customer content are never used to train, fine-tune, or improve AI models — by us or by any third party on our behalf. Your data is used solely for delivering the Service to you.
AI features on the platform are powered by Anthropic's Claude models via their API. Anthropic's API data use policy applies to interactions routed through their service. As of this writing, Anthropic does not use API inputs or outputs to train their models. We encourage you to review Anthropic's terms for the most current information.
System prompts — including agent personality, skills, and workspace context — are constructed by our platform to enable service delivery. These prompts do not contain other customers' data.
5. Data Sharing & Third Parties
Service Providers
We share data with third-party service providers solely as necessary to operate the Service. These providers process data on our behalf under contractual obligations to protect your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic | AI model inference (Claude) | Prompts and context via API |
| Firebase (Google) | Authentication | Auth tokens, user profiles |
| Supabase | Database infrastructure | Workspace structured data |
| Fly.io | Compute infrastructure | Office runtime data, code, files |
| Cloudflare (R2) | Object storage | Files, snapshots, uploaded objects |
| Stripe | Payment processing | Billing data, payment methods |
| ElevenLabs | Voice synthesis (if enabled) | Voice text input, audio output |
A complete list of our subprocessors is available at humanik.io/legal/subprocessors. We will provide at least 14 days' advance notice before adding new subprocessors.
What We Do Not Do
- We do not sell your personal data
- We do not share your data with advertisers
- We do not provide your data to data brokers
- We do not use your data for purposes unrelated to delivering the Service
Legal & Safety Disclosures
We may disclose your data when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, or valid legal process
- Protect the safety of any person or the public
- Protect against fraud, abuse, or security threats
- Protect our rights, property, or the integrity of the Service
In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
6. Data Storage & Security
We implement technical and organizational measures designed to protect your data:
- Encryption at rest — AES-256-GCM for credentials and secrets; standard encryption for other stored data
- Encryption in transit — TLS 1.2 or higher for all connections
- Credential isolation — BYOK API keys are encrypted in per-office vaults, never logged, and injected via a localhost proxy at runtime
- Tenant isolation — each office runs in a dedicated VM with IAM-enforced access boundaries
- Access controls — role-based access with scoped policies; 34 granular permissions across 13 roles
- Inter-service authentication — HMAC-based verification between internal services
No method of storage or transmission is completely secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to info@humanik.io.
7. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account profile data | While your account is active, plus 90 days after deletion |
| Workspace data (databases, files, code) | While your workspace is active, plus 30 days after deletion |
| AI interaction logs (prompts, responses) | 90 days rolling, then purged |
| Voice interaction audio | Not stored — processed in real time and not persisted by HumanikOS |
| Billing records and invoices | 7 years, as required by tax and legal obligations |
| Access and audit logs | 1 year |
| Server and application logs | 30 days |
| BYOK API keys | While active; securely wiped immediately upon removal or office deletion |
| Backup snapshots | 30 days rolling |
When you delete your account or workspace, we initiate deletion of your data across all systems. Some data may persist in encrypted backups for the retention periods listed above before being permanently removed.
8. Your Rights
All Users
Regardless of your location, you may:
- Request access to the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Export your workspace data in machine-readable format (JSON, CSV, SQL)
European Economic Area & United Kingdom (GDPR)
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation, including:
- Right to restrict processing of your data
- Right to data portability
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time for consent-based processing
- Right to lodge a complaint with your local supervisory authority
Our lawful bases for processing your data under GDPR are: contract performance (account and service delivery), legitimate interest (security, product improvement), and consent (voice features, marketing).
California (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale or sharing of personal information — we do not sell or share your personal information as defined by the CCPA
- Non-discrimination for exercising your privacy rights
Exercising Your Rights
To exercise any of these rights, contact us at info@humanik.io. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your own, including the United States and Canada, where our infrastructure providers operate.
For transfers of personal data from the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. We ensure that all subprocessors handling EEA/UK personal data are bound by equivalent protections.
If you have questions about how your data is transferred, contact us at info@humanik.io.
10. Cookies
We use a minimal set of cookies to operate the Service:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session | Strictly necessary | Authentication state | Session |
| CSRF token | Strictly necessary | Prevent cross-site request forgery | Session |
| Cookie preferences | Strictly necessary | Remember your cookie choices | 1 year |
We do not use advertising or marketing cookies. We do not use third-party tracking cookies. If we introduce analytics cookies in the future, we will update this policy and obtain your consent where required.
11. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at info@humanik.io.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes at least 30 days in advance via email or a notice within the platform.
Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes. We encourage you to review this policy periodically. Prior versions are available upon request.
13. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
Humanik Technologies Inc.
Email: info@humanik.io
Website: humanik.io