Login Get started

Privacy Policy #

Last updated: 17 October 2025
Controller roles:

  • For Customer account/billing/admin data: Hay Labs LDA is Controller.
  • For end-user data processed on behalf of Customer (e.g., chat messages): Customer is Controller and Hay is Processor (see DPA).

1) Scope #

This Policy explains how we process: (a) Customer admin/user data, and (b) end-user personal data processed on behalf of Customer via the Service.

2) Categories of Data #

  • Customer (B2B) data: name, email, role, organization info, billing identifiers, usage metadata (login, IP, user-agent), support tickets.
  • End-user data (on behalf of Customer): chat messages and attachments, conversation metadata, customer identifiers provided by Customer (e.g., email/phone/order IDs), and documents supplied by Customer for knowledge/RAG. Content may incidentally include special-category data if end-users type it.
  • Provide and secure the Service (contract performance, Art. 6(1)(b));
  • Billing & account management (contract + legal obligation, Art. 6(1)(b)(c));
  • Fraud/security monitoring and service improvement (legitimate interests, Art. 6(1)(f)).
    For end-user data, Hay acts as Processor and processes strictly per Customer instructions (DPA).

4) Retention #

  • End-user conversations: retained until 90 days of end-user inactivity, then irreversibly anonymized (content scrubbed of PII and direct identifiers removed). This period can be Customer-configurable per contract.
  • LLM logs (traces/usage): up to 90 days.
  • Audit logs: up to 7 years (security/compliance).
  • Backups: retained by infrastructure provider per standard schedules; deleted data may persist in backups until rotation completes.
    We may keep aggregated/anonymous data for analytics.

5) Sharing & Subprocessors #

We use vetted providers to operate the Service (see Subprocessors List). Typical categories: hosting/database, LLM provider (e.g., OpenAI), email (SMTP), payment processing (Stripe), optional cache/CDN. We require appropriate data-protection terms and, where applicable, SCCs/DPF for international transfers.

6) International Transfers #

If data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses and/or Data Privacy Framework where applicable. Customers may request EU-region options where supported (e.g., Azure OpenAI).

7) Security #

Measures include TLS in transit, role-based access controls, audit logging, and least-privilege access. Customers should configure their roles/permissions and integration scopes appropriately.

8) Data Subject Rights #

For end-user data, please contact the Customer (the Controller). For Customer account data, contact us at [email protected] to request access, correction, deletion, portability, or to object/restrict. We will respond within one month.

9) Children #

The Service is not directed to children under 16, and we do not knowingly collect such data.

10) Changes #

We may update this Policy. Material changes will be notified via dashboard/email.