Hauly

Privacy Policy

Effective: 2026-05-25 · Last updated: 2026-05-25 · Version: 1.0
Placeholders remain — Before publishing, replace {{COMPANY_NAME}}, {{ORG_NR}}, {{COMPANY_ADDRESS}}, {{DPO_EMAIL}}, and {{SUPERVISORY_AUTHORITY}} throughout this document.

Contents

  1. Who we are
  2. What we collect
  3. Why & legal basis
  4. How long we keep it
  5. Subprocessors
  6. International transfers
  7. Your GDPR rights
  8. Security
  9. Children
  10. Changes
  11. Contact

Who we are

Hauly is operated by {{COMPANY_NAME}} (org.nr {{ORG_NR}}), a company registered in Sweden with its address at {{COMPANY_ADDRESS}}. We act as the data controller for the personal data described in this policy. For data processed on behalf of our business customers (workspace data), see our Data Processing Agreement.

This policy explains what personal data we collect when you visit www.hauly.ai, sign in to your Hauly workspace, or use our AI features. It complies with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (2018:218).

What we collect

Account data

When you sign in, we store the email address you use to authenticate. We do not collect a password — authentication is handled by our identity provider (see Subprocessors).

Conversation data

When you use the Ask AI feature on our marketing site or in your workspace, the messages you type are transmitted to our AI processor (Anthropic) to generate a reply. We do not retain the contents of your conversations in our own logs; only metadata (request ID, latency, model name, token counts) is logged.

Technical data

Our hosting and security infrastructure automatically logs:

  • Your IP address (for security, rate-limiting, and abuse prevention)
  • Browser User-Agent string
  • Request path, status code, and response time
  • A short-lived request identifier

Preference data

We store your theme preference (light, dark, or system) in your browser's localStorage under the key hauly:theme. This is local to your device and not transmitted to our servers.

Cookies & similar technologies

See our Cookie Policy for a full list of cookies and local storage items, their purpose, and their retention.

Why we process your data & the legal basis

Purpose | Data | Legal basis (GDPR)
Authenticate you and provide the service | Email, session token | Art. 6(1)(b) Contract
Generate AI responses you request | Your chat messages | Art. 6(1)(b) Contract
Prevent abuse, rate-limit, security monitoring | IP address, request metadata | Art. 6(1)(f) Legitimate interest
Comply with legal obligations (e.g. accounting, court orders) | As required | Art. 6(1)(c) Legal obligation
Save your theme preference | localStorage item | Strictly necessary — no consent required (ePrivacy Art. 5(3) exception)

We do not use your data for profiling, automated decision-making with legal effects, or advertising.

How long we keep your data

  • Account data — for as long as your account exists, plus 30 days after deletion (to honour reactivation requests).
  • Conversation metadata (request logs, token counts) — 30 days, then deleted.
  • Rate-limit counters — IP-keyed counters with TTLs of 60 seconds (per-minute) and 24 hours (per-day).
  • Security & access logs — up to 30 days from our hosting provider.
  • Theme preference — stored locally on your device until you clear your browser data.

Subprocessors

We use the following processors to deliver Hauly. Each is bound by a Data Processing Agreement and EU Standard Contractual Clauses where applicable.

Processor | Purpose | Location | Safeguard
Vercel Inc. | Hosting, edge network, access logs | EU (Frankfurt) + US | SCC, DPA
Supabase Inc. | Authentication, database | EU (Frankfurt) | SCC, DPA
Anthropic PBC | AI model inference (chat responses) | US | SCC, DPA — no model training on API data
Upstash Inc. | Redis-based rate-limit counters (IP, TTL ≤ 24h) | EU (Frankfurt) | SCC, DPA

An up-to-date list of subprocessors is maintained at this address. You can subscribe to changes by emailing {{DPO_EMAIL}}.

International transfers

Some of our subprocessors (notably Anthropic and parts of Vercel's edge network) operate in the United States. Where data leaves the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational safeguards including encryption in transit (TLS 1.3) and at rest.

For Anthropic specifically, your prompts are processed under their Commercial Terms, which prohibit training their models on API customer inputs.

Your GDPR rights

Under the GDPR you have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten") — request deletion of your data.
  • Restriction — limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, withdraw at any time without affecting the lawfulness of past processing.

To exercise any of these rights, email {{DPO_EMAIL}}. We respond within 30 days.

Right to lodge a complaint

If you believe our processing infringes the GDPR, you have the right to lodge a complaint with the Swedish supervisory authority, {{SUPERVISORY_AUTHORITY}} (Integritetsskyddsmyndigheten — IMY), at imy.se.

Security

We protect your data with industry-standard measures:

  • TLS 1.3 for all traffic between your browser, our servers, and our subprocessors.
  • Strict Content Security Policy, HSTS, and frame-ancestors restrictions.
  • Row Level Security (RLS) on all customer-facing database tables.
  • Per-IP rate limiting and origin validation on API endpoints.
  • Audit logging with no message-content retention.
  • Principle of least privilege for internal access.

If you discover a security issue, please report it confidentially to {{DPO_EMAIL}}.

Children

Hauly is a B2B product not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.

Changes to this policy

We will update this policy as our processing evolves. Material changes will be communicated by email (for signed-in users) or via a banner on our site at least 14 days before they take effect. The effective date at the top reflects the current version.

Contact

Data Protection Contact

{{COMPANY_NAME}}
{{COMPANY_ADDRESS}}
Email: {{DPO_EMAIL}}
