H1NTED — Privacy Policy
Effective Date: 1 September 2025
This Privacy Policy explains how H1NTED (“H1NTED”, “we”, “us”, “our”) processes personal data in connection with our AI-driven persona analysis platform, website and associated services (the “Platform”).
Provider details. H1NTED (pre-incorporation), Ireland (correspondence: [Address]).
Contact: olek.lynnyk@gmail.com.
This Policy should be read together with our Terms of Use and Cookies Policy. Capitalised terms have the meanings given in the Terms.
1) Roles and responsibility (who is controller/processor)
User Inputs (what you upload: images, text, public profiles, links, etc.) — You act as the data controller. H1NTED acts as your data processor, processing User Inputs solely on your documented instructions to provide the Platform.
Account, billing, website, support and security logs — H1NTED is the data controller.
For Business/enterprise customers, a separate Data Processing Agreement (DPA) may apply; where it conflicts with this Policy, the signed DPA prevails.
Your obligations as controller: You are solely responsible for the lawfulness of User Inputs, including providing data-subject notices, having a lawful basis, and, where required, obtaining informed permission/consent from each person whose photograph or data you upload.
2) Scope
This Policy covers the Platform (website, dashboard, APIs and related services) that generates AI-based persona insights from User Inputs. We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals. Any profiling in the GDPR sense occurs under your control (as controller) and results in informational Outputs, not decisions.
3) What we process
A. User Inputs (you provide): images/photographs, text, links to publicly available social media profiles, and metadata you supply.
B. Outputs (we generate): AI-generated insights and recommendations derived from User Inputs.
C. Account & Billing: business name, role, email, subscription tier, invoices, payment status, VAT details; limited payment metadata via Stripe (we do not store full card numbers).
D. Security & Operations: IP-derived coarse location, device/browser info, timestamps and event logs strictly necessary to operate, secure and rate-limit the Platform.
E. Support & Comms: messages you send to support; optional call notes.
We do not process biometric identifiers and we do not perform emotion recognition or biometric categorisation. The Platform is intended for business users 18+; we do not knowingly collect children’s data.
4) Purposes and lawful bases
Purpose | Data | Lawful basis |
---|---|---|
Provide the Platform and generate Outputs | User Inputs, Outputs, account, logs | Contract necessity (Art. 6(1)(b)) with your organisation; for User Inputs we act as processor on your instructions |
Account administration & billing | Account & Billing | Contract necessity; Legal obligation (tax/audit) |
Security, fraud/abuse prevention, rate-limiting | Security & Operations | Legitimate interests (Art. 6(1)(f)) |
Support communications | Support & Comms | Contract necessity / Legitimate interests |
Service notices (non-marketing) | Account | Legitimate interests |
Marketing (optional) | Email, preferences | Consent (opt-in; withdraw any time) |
Compliance with law/requests | Relevant records | Legal obligation / Public interest, as applicable |
Special-category data & children’s data: Do not upload special-category data (e.g., health, biometrics, ethnicity) or children’s data unless you have a valid legal basis and safeguards. We may reject or delete such data where we become aware of it.
5) AI processing transparency
We use proprietary AI models (e.g., Grok2Vision) to generate persona insights. Analysis relies on objects, accessories and text cues; it does not rely on facial geometry, voice, gait or other biometric templates. Any accuracy/score (e.g., “~80%”) is illustrative, not a guarantee. Users are clearly informed they interact with AI-powered features. No biometric data is captured, inferred or processed. You may request human review of support cases and opt out of optional analytics. Outputs are informational only and must not be used as the sole basis for high-impact decisions (employment, credit, insurance, immigration, law-enforcement, healthcare).
6) Storage and retention (strict limits)
User Inputs & Outputs are designed to be ephemeral. We do not retain them beyond 12 hours and 30 minutes from completion of processing, after which they are automatically purged from active systems and transient caches.
Self-service deletion: You can delete User Inputs/Outputs at any time via the in-product Delete control; this triggers immediate removal from active systems and purge from transient caches no later than 12 hours 30 minutes.
We do not create routine backups of User Inputs/Outputs and do not use them to train foundation models. Limited, de-identified telemetry may be used to improve safety/reliability where lawful and non-identifying.
Account & Billing are retained for the life of your account and thereafter up to 6 years to satisfy tax/audit obligations.
Security logs are retained only as necessary for security/integrity, then minimised or anonymised. Legal holds or regulatory requests may temporarily override the above to the extent required by law.
7) Sharing and sub-processors
We do not sell personal data. We share data only with:
Service providers/sub-processors under written data-protection terms (e.g., hosting, AI inference, email/support tooling, Stripe for payments, AWS for hosting, Supabase for database).
Professional advisers (legal/accounting) under confidentiality.
Authorities where required by law.
A current list of sub-processors and locations is available on request or via our website. We require sub-processors to implement appropriate security and to purge User Inputs/Outputs within our retention window (or provide equivalent guarantees).
8) International transfers
We primarily process data in the EU/EEA. If personal data is transferred outside the EEA/UK, we use appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) (and the UK IDTA/Addendum where relevant), plus additional technical and organisational measures.
9) Your responsibilities (critical)
Lawful basis & permissions: Do not upload any photograph, profile or text about a person unless you have a lawful basis under applicable data-protection laws and, where required, that person’s informed permission/consent.
Accuracy & relevance: Ensure User Inputs are accurate, relevant and necessary for your purpose.
Data-subject requests: As controller of User Inputs, you handle access/erasure/objection requests from individuals whose data you uploaded; we will reasonably assist as your processor.
Prohibited uses: No discrimination, unlawful surveillance, harassment, doxxing or manipulative profiling; no use as the sole basis for sensitive decisions. If you breach the above, you agree to indemnify and hold H1NTED harmless for resulting claims, penalties or fines, as set out in the Terms of Use.
10) Your rights (EU/UK)
Where H1NTED is controller (account, billing, website, support), you may exercise rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent (for marketing/cookies) by contacting olek.lynnyk@gmail.com.
Where you are controller (User Inputs), please direct requests to your organisation; we will support as processor.
You may lodge a complaint with a supervisory authority. Our lead authority is the Data Protection Commission (Ireland). You may also complain to your local EU authority or, for UK individuals, to the ICO.
11) Cookies and similar technologies
We use cookies and similar technologies for functionality, security and optional analytics/marketing. Only essential cookies are enabled by default. Non-essential cookies operate on consent via our Cookies banner. See our Cookies Policy for details and controls.
12) Security
We implement appropriate technical and organisational measures, including encryption in transit, access controls, environment segregation, least-privilege access and monitoring for abuse. You must maintain reasonable security on your side (account hygiene, role-based access, secure networks) and notify us without undue delay of any suspected compromise.
Where H1NTED is controller and a personal-data breach occurs, we will assess and, where required, notify the DPC within 72 hours and affected users without undue delay. Where we are processor, we will notify the controller without undue delay.
13) Age
The Platform is provided to business users aged 18 or over. We do not knowingly collect children’s data. If you believe children’s data has been uploaded, contact us immediately so we can take appropriate steps to delete it.
14) Global availability & local compliance
The Platform is operated from Ireland and offered to business users across the EU and worldwide. You are responsible for ensuring your use of the Platform complies with local laws (e.g., employment, sector rules, image rights) in your country.
15) Changes to this Policy
We may update this Policy from time to time. For material changes, we will provide notice (email or in-product) at least 30 days in advance where practicable. Continued use after the effective date constitutes acceptance.