H1NTED — Privacy Policy

Effective Date: 7 October 2025

This Privacy Policy explains how H1NTED (“H1NTED”, “we”, “us”, “our”) processes personal data in connection with our AI-driven persona analysis platform, website and associated services (the “Platform”).

Provider details. ТОВАРИСТВО З ОБМЕЖЕНОЮ ВІДПОВІДАЛЬНІСТЮ «Хінтед Штучний Інтелект» (EDRPOU 46041011). English: Limited Liability Company "Hinted Artificial Intelligence". Registered address: Flat 178, 1d Universytetska Street, Irpin, Bucha District, Kyiv Oblast, 08200, Ukraine.

EU Representative (Art. 27 GDPR)

For data subjects and supervisory authorities in the EEA: our EU Representative is Oleksandr Lynnyk, 36 Chapel Close, Tankardstown, Balbriggan, Co. Dublin, K32 WV88, Ireland. E-mail: olek.lynnyk@gmail.com, tel: +353 87 935 62 84. The EU Representative acts as the point of contact for GDPR enquiries and maintains a copy of the Records of Processing under Article 30 GDPR on behalf of the Controller.

Contact: hello@h1nted.com. This Policy should be read together with our Terms of Use and Cookies Policy. Capitalised terms have the meanings given in the Terms.

1) Roles and responsibility (who is controller/processor)

User Inputs (what you upload: images, text, public profiles, links, etc.) — You act as the data controller. H1NTED acts as your data processor, processing User Inputs solely on your documented instructions to provide the Platform.

Account, billing, website, support and security logs — H1NTED is the data controller.

For Business/enterprise customers, a separate Data Processing Agreement (DPA) may apply; where it conflicts with this Policy, the signed DPA prevails.

Critical — your responsibilities: you are solely responsible for the lawfulness of User Inputs, including providing Articles 13/14 notices, having a lawful basis and, where required, obtaining informed permission/consent from each person depicted — even if the source is public. On request, you will provide evidence of your legal basis/consents.

2) Scope

This Policy covers the Platform (website, dashboard, APIs and related services) that generates AI-based persona insights from User Inputs. We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals. Any profiling in the GDPR sense occurs under your control (as controller) and results in informational Outputs, not decisions.

3) What we process

A. User Inputs (you provide): images/photographs, text, links to publicly available social media profiles, and metadata you supply.

B. Outputs (we generate): AI-generated insights and recommendations derived from User Inputs.

C. Account & Billing: business name, role, email, subscription tier, invoices, payment status, VAT details; limited payment metadata via Stripe (we do not store full card numbers).

D. Security & Operations: IP-derived coarse location, device/browser info, timestamps and event logs strictly necessary to operate, secure and rate-limit the Platform.

E. Support & Comms: messages you send to support; optional call notes.

We do not process biometric identifiers and we do not perform emotion recognition or biometric categorisation. The Platform is intended for business users 18+; we do not knowingly collect children’s data.

4) Purposes and lawful bases

Purposes, data categories and lawful bases
Purpose | Data | Lawful basis
Provide the Platform and generate Outputs | User Inputs, Outputs, account, logs | Contract necessity (Art. 6(1)(b)) with your organisation; for User Inputs we act as processor on your instructions
Account administration & billing | Account & Billing | Contract necessity; Legal obligation (tax/audit)
Security, fraud/abuse prevention, rate-limiting | Security & Operations | Legitimate interests (Art. 6(1)(f))
Support communications | Support & Comms | Contract necessity / Legitimate interests
Service notices (non-marketing) | Account | Legitimate interests
Marketing (optional) | Email, preferences | Consent (opt-in; withdraw any time)
Compliance with law/requests | Relevant records | Legal obligation / Public interest, as applicable

Special-category data & children’s data: Do not upload special-category data (e.g., health, biometrics, ethnicity) or children’s data unless you have a valid legal basis and safeguards. We may reject or delete such data where we become aware of it.

5) AI processing transparency

We use proprietary pipelines and third-party AI inference providers (e.g., Grok-2 Vision for visual analysis and Grok-4 Reasoning for textual reasoning) to generate persona insights. Processing is limited to inference; we do not train or fine-tune models on your data. Analysis relies on objects, accessories and text cues; it does not rely on facial geometry, voice, gait or other biometric templates. Any accuracy/score is illustrative, not a guarantee.

We do not perform facial recognition, biometric identification/categorisation or emotion recognition. Outputs are informational only and must not be used as the sole basis for high-impact decisions (employment, credit, insurance, immigration, law-enforcement, healthcare).

6) Storage and retention (strict limits)

User Inputs & Outputs are designed to be ephemeral and are automatically deleted within 12 hours after completion of processing. They are not backed up or aggregated.

Self-service deletion: You can delete User Inputs/Outputs at any time via the in-product Delete control; this removes them from active systems. Minimal residual logs may remain only as necessary for integrity or legal obligations.

We do not use User Inputs/Outputs to train foundation models. Limited, de-identified telemetry may be used solely to improve safety/reliability where lawful and non-identifying.

Account & Billing are retained for the life of your account and thereafter up to 6 years to satisfy tax/audit obligations.

7) Sharing and sub-processors

We do not sell personal data. We share data only with service providers/sub-processors under written data-protection terms (e.g., hosting, AI inference, email/support tooling, Stripe for payments, AWS for hosting, Supabase for database), professional advisers under confidentiality, and competent authorities where required by law.

A current list of sub-processors and locations is available on our Website and will be updated with prior notice; you may object on reasonable grounds. We require sub-processors to implement appropriate security and to purge User Inputs/Outputs within our retention window (or provide equivalent guarantees). Sub-processors are contractually prohibited from using your data to train models.

8) International transfers

When personal data is transferred from the EEA/UK to countries without an adequacy decision (including transfers to Ukraine and to non-EEA sub-processors), we use the EU Standard Contractual Clauses (2021/914) and, where relevant, the UK IDTA/Addendum, together with appropriate technical and organisational measures. For transfers to certified US providers, we may rely on the EU–US Data Privacy Framework.

9) Your responsibilities (critical)

Lawful basis & permissions: Do not upload any photograph, profile or text about a person unless you have a lawful basis under applicable data-protection laws and, where required, that person’s informed permission/consent — even if the source is public.

Accuracy & relevance: Ensure User Inputs are accurate, relevant and necessary for your purpose.

Data-subject requests: As controller of User Inputs, you handle access/erasure/objection requests from individuals whose data you uploaded; we will reasonably assist as your processor.

Prohibited uses: No discrimination, unlawful surveillance, harassment, doxxing or manipulative profiling; no use as the sole basis for sensitive decisions.

10) Your rights (EU/UK)

Where H1NTED is controller (account, billing, website, support), you may exercise rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent (for marketing/cookies) by contacting hello@h1nted.com.

Where you are controller (User Inputs), please direct requests to your organisation; we will support as processor.

You may lodge a complaint with any EEA supervisory authority or, for UK individuals, with the ICO.

11) Cookies and similar technologies

We use cookies and similar technologies for functionality, security and optional analytics/marketing. Only essential cookies are enabled by default. Non-essential cookies operate on consent via our Cookies banner. See our Cookies Policy for details and controls.

12) Security

We implement appropriate technical and organisational measures, including encryption in transit, access controls, environment segregation, least-privilege access and monitoring for abuse. You must maintain reasonable security on your side (account hygiene, role-based access, secure networks) and notify us without undue delay of any suspected compromise.

Where H1NTED is controller and a personal-data breach occurs, we will assess and, where required, notify the competent supervisory authority within applicable deadlines and affected users without undue delay. Where we are processor, we will notify the controller without undue delay.

13) Age

The Platform is provided to business users aged 18 or over. We do not knowingly collect children’s data. If you believe children’s data has been uploaded, contact us immediately so we can take appropriate steps to delete it.

14) Global availability & local compliance

The Platform is operated from the EU and offered to business users across the EU and worldwide. You are responsible for ensuring your use of the Platform complies with local laws (e.g., employment, sector rules, image rights) in your country.

15) Changes to this Policy

We may update this Policy from time to time. For material changes, we will provide notice (email or in-product) at least 30 days in advance where practicable. Continued use after the effective date constitutes acceptance.

16) Contact

LLC "H1NTED" — LIMITED LIABILITY COMPANY "H1NTED Artificial Intelligence Discernment"

Registered address: Flat 178, 1d Universytetska Street, Irpin, Kyiv Oblast, 08200, Ukraine

Email: hello@h1nted.com