Hubalot Privacy Policy

Introduction

Hubalot is built with privacy and security as foundational principles. We believe your data belongs to you—not to us, not to advertisers, and not to third parties.

This Privacy Policy explains what information we collect, how we use and protect it, how we share data with AI providers to deliver our services, and how we comply with data protection laws including GDPR, CCPA, and third-party API requirements (including Google API Services).

By using Hubalot, you acknowledge and consent to the data practices described in this policy.

1. Information We Collect

To provide, secure, and improve Hubalot's services, we collect the following categories of information:

1.1 Account Information

What we collect:

• Full name
• Email address
• Billing information (credit card details are encrypted and processed by third-party payment processors; Hubalot never stores complete payment card numbers)
• Account preferences and settings
• Subscription tier and billing history

Why we collect it: To create and manage your account, process payments, provide customer support, and deliver subscription benefits.

1.2 User Content & Enhanced Memory Data

What we collect:

• Files and documents you upload to Hubalot
• Content connected via third-party integrations (Google Drive, Gmail, Dropbox, Notion, etc.)
• AI prompts, chat messages, and conversation history
• AI-generated responses and outputs
• Memory notes, insights, and summaries created by our Enhanced Memory system
• Project data, workspace configurations, and organizational structures
• Tags, labels, and metadata you create

Why we collect it: To power the Enhanced Memory system, provide intelligent context to AI models, enable document search and retrieval, generate insights, and deliver personalized AI experiences across your workspace.

1.3 Usage & Technical Data

What we collect:

• IP address and general location (city/country level)
• Device type, operating system, and browser information
• Session data, timestamps, and feature usage patterns
• Performance metrics, error logs, and diagnostic data
• Token usage statistics and AI model selection history
• Page views, navigation paths, and interaction events

Why we collect it: To monitor system performance, detect security threats, optimize user experience, enforce fair use policies, manage token allocation and fallback systems, and improve our platform.

1.4 Third-Party Integration Data (Optional & User-Initiated)

Hubalot integrates with external services only when you explicitly authorize the connection. We collect data from these services solely to perform the specific actions you request:

Google Drive:

• Only the specific files you select via Google Drive Picker
• File metadata (name, type, modification date)
• File content for indexing in Enhanced Memory

Gmail:

• Individual emails you explicitly open for summarization
• Email metadata (sender, subject, date)
• Email content for AI processing (never bulk-ingested or stored permanently without your action)

Dropbox:

• Only files or folders you explicitly select
• File metadata and content for Enhanced Memory indexing

Notion:

• Only pages or databases you explicitly select
• Page content and structure for Enhanced Memory integration

Other Integrations:

• Data access is limited to user-selected items only
• No background syncing or bulk data collection
• All integrations use OAuth 2.0 (we never request or store your passwords)

Important: Hubalot does not crawl, sync, or access your entire cloud storage or email accounts. We only access the specific items you choose to import or process.

1.5 What We Don't Collect

Hubalot does NOT collect:

• Passwords for any service (all integrations use OAuth 2.0)
• Bulk or automated access to your cloud storage or email
• Browsing history outside of Hubalot
• Sensitive personal information (health records, financial account numbers, government IDs) unless you explicitly upload such documents
• Information from children under 13

2. How We Use Your Data

Hubalot uses your information solely to deliver, improve, and secure our services:

2.1 Service Delivery

• Provide core features: Process AI requests, generate responses, manage documents, and deliver workspace functionality
• Enhanced Memory system: Analyze, index, and retrieve relevant context from your uploaded content to provide intelligent, personalized AI interactions
• AI model routing: Select appropriate AI models based on your requests and share necessary context with third-party AI providers (OpenAI, Anthropic, Google, xAI, etc.) to generate responses
• AUTO mode functionality: Automatically determine the best AI model for each prompt and route your request with relevant Enhanced Memory context
• Token management: Track usage, implement fallback systems, and ensure fair resource allocation across membership tiers

2.2 Personalization & Intelligence

• Customize your workspace: Remember preferences, settings, and organizational structures
• Generate insights: Create summaries, extract key information, and identify patterns in your content
• Improve relevance: Use conversation history and memory data to provide contextually aware AI responses
• Optimize recommendations: Suggest relevant documents, past conversations, and AI models based on your usage patterns

2.3 Account Management & Billing

• Process payments: Manage subscriptions, process renewals, and handle billing inquiries
• Enforce plan limits: Monitor storage usage (1GB Free / 10GB Pro / 50GB Elite) and token allocations
• Communicate with you: Send account notifications, billing receipts, service updates, and support responses
• Provide customer support: Troubleshoot issues, answer questions, and resolve technical problems

2.4 Platform Improvement & Security

• Analyze usage patterns: Understand how features are used to prioritize development and improvements (using aggregated, anonymized data)
• Detect abuse: Identify unusual usage patterns that may indicate system exploitation, token abuse, or security threats
• Monitor performance: Track system health, response times, and error rates to maintain service quality
• Conduct research: Develop new features and improve AI routing algorithms (using anonymized data only)

2.5 Legal & Compliance

• Comply with laws: Meet legal obligations, respond to lawful requests, and enforce our Terms of Service
• Protect rights: Defend against legal claims and protect the security and integrity of our platform
• Prevent fraud: Detect and prevent fraudulent transactions, account abuse, and unauthorized access

We never sell your personal information or user content to third parties.

3. Data Sharing & Third-Party AI Providers

3.1 Our Commitment: No Data Sales

Hubalot does not sell, rent, lease, or trade your personal information or content to any third party for marketing, advertising, or any other commercial purpose.

Your data is shared only in the limited circumstances described below, and always in service of delivering the functionality you've requested.

3.2 Sharing with AI Model Providers

To deliver AI-powered features, Hubalot must share your prompts and relevant context with third-party AI providers.

When you submit a request to an AI model (or when AUTO mode selects a model for you), we transmit:

• Your prompt or question
• Relevant context from Enhanced Memory (excerpts from your documents, previous conversations, project data, and profile information that our system determines is pertinent to your request)
• Conversation history (for multi-turn dialogues)
• Technical metadata (model preferences, temperature settings, etc.)

Third-party AI providers we work with include:

• OpenAI (GPT-4, GPT-3.5, DALL-E, Whisper)
• Anthropic (Claude Opus, Claude Sonnet, Claude Haiku)
• Google (Gemini Ultra, Gemini Pro, Gemini Flash)
• xAI (Grok)
• Perplexity (Sonar models)
• Mistral AI
• Meta (Llama models)
• Stability AI (image generation)
• ElevenLabs (voice generation)
• Suno (music generation)
• Runway, Pika, Luma (video generation)

Important safeguards:

1. Contractual protections: We maintain data processing agreements with AI providers that prohibit them from using your data to train their models or for purposes beyond processing your specific requests
2. Selective context: Hubalot shares only the context that's relevant to your prompt—not your entire document library
3. No persistent storage: Most AI providers process requests in real-time and do not retain your data after generating responses (subject to their own privacy policies and retention requirements)
4. Provider policies apply: Each AI provider has its own privacy policy and data practices. While we select providers with strong privacy commitments, we encourage you to review their policies
5. Your control: You choose which AI models to use. If you have concerns about a specific provider, you can avoid using their models

3.3 AUTO Mode & Enhanced AUTO Mode Consent

When you activate AUTO or ENHANCED AUTO mode, you explicitly authorize Hubalot to:

• Analyze your prompt to determine the most appropriate AI model
• Share your prompt and relevant Enhanced Memory context with whichever AI provider(s) we select
• Route your request across multiple providers if beneficial (e.g., using one model for research and another for synthesis)
• Make these decisions dynamically without requiring per-request approval

This automated routing is core to Hubalot's value proposition—delivering the best AI for each task while maintaining your context across models.

3.4 Service Providers & Infrastructure Partners

We share limited data with trusted service providers who help us operate Hubalot:

Hosting & Infrastructure:

• Cloud hosting providers (AWS, Google Cloud, or similar) for data storage and computing
• Content delivery networks (CDNs) for performance optimization

Payment Processing:

• Stripe or similar payment processors for billing (they receive payment information directly; we only store tokenized references)

Analytics & Monitoring:

• Error tracking and performance monitoring tools (we use anonymized or pseudonymized data where possible)
• Analytics platforms to understand feature usage (aggregated data only)

Communication:

• Email service providers for transactional emails and support communications

All service providers:

• Are bound by strict data processing agreements
• Are prohibited from using your data for their own purposes
• Must maintain security standards equivalent to or exceeding ours
• Have access only to the minimum data necessary to perform their specific function

3.5 Integration Providers (User-Initiated Only)

When you connect third-party services (Google Drive, Gmail, Dropbox, Notion, etc.), we access those services on your behalf using OAuth tokens. We only access the specific items you select—never your entire account. These integrations are optional, user-initiated, and can be disconnected at any time from your account settings.

3.6 Legal Requirements & Protection of Rights

We may disclose your information if required to do so by law or in response to:

• Valid legal process: Subpoenas, court orders, or other lawful government requests
• Legal obligations: Compliance with applicable laws and regulations
• Safety & security: Protecting the rights, property, or safety of Hubalot, our users, or the public
• Fraud prevention: Detecting, preventing, or addressing fraud, security, or technical issues
• Enforcement: Enforcing our Terms of Service and investigating violations

When legally permitted, we will notify you of such requests and provide you an opportunity to object.

3.7 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you via email and/or prominent notice on our platform before your data is transferred and becomes subject to a different privacy policy.

4. Data Protection & Security

Security is paramount at Hubalot. We implement industry-leading security measures to protect your data.

4.1 Encryption

Data at rest:

• AES-256 encryption for all stored data (documents, conversations, memory data, account information)
• Encrypted database backups with secure key management
• Separate encryption keys per customer where feasible

Data in transit:

• TLS 1.3+ encryption for all data transmitted between your device and Hubalot servers
• TLS encryption for all communication with third-party AI providers and service providers
• Certificate pinning and strict transport security policies

4.2 Access Controls

Row-level security:

• Database architecture ensures users can only access their own data
• No user can view or access another user's documents, conversations, or workspace

Authentication & authorization:

• Secure password hashing using industry-standard algorithms (bcrypt/Argon2)
• Multi-factor authentication (MFA) available for all accounts
• Session management with automatic timeout and secure token handling
• Role-based access controls for administrative functions

Principle of least privilege:

• Hubalot employees have access only to the systems necessary for their role
• Customer data access is logged and monitored
• Administrative access requires additional authentication

4.3 OAuth Security

All third-party integrations use OAuth 2.0:

• We never request or store your passwords for external services
• OAuth tokens are encrypted and stored securely
• Tokens have limited scopes (minimum permissions necessary)
• You can revoke access at any time from your account settings

4.4 AI Training Protection

Your content is NOT used to train AI models: We have contractual agreements with AI providers prohibiting training on customer data. We use API endpoints that exclude data from training datasets. Your conversations and documents remain private and are not used to improve third-party models.

Exception: Aggregated, anonymized usage statistics may be used to improve Hubalot's routing algorithms—but never in a way that could identify you or reveal your content.

4.5 Infrastructure Security

• Firewalls and intrusion detection/prevention systems
• DDoS protection and rate limiting
• Regular security audits and vulnerability assessments
• Secure coding practices and code review processes
• 24/7 security monitoring and anomaly detection

No system is 100% secure. While we implement industry-leading security measures, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and notifying us immediately of any unauthorized access.

5. Google API Services Compliance

Hubalot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.1 Google Drive Integration

Scope Used: https://www.googleapis.com/auth/drive.file

Purpose: Allows Hubalot to access only the specific files a user selects via the Google Drive Picker.

How it works:

1. You click "Add from Google Drive" in your Hubalot workspace
2. The official Google Drive Picker opens (a Google-controlled interface)
3. You browse and select one or more Google Docs, Sheets, or other files
4. Hubalot receives only the file ID(s) of the items you selected
5. Hubalot calls the Drive API files.export method to convert the selected file(s) into text or appropriate format
6. The converted content is encrypted and stored in your private Hubalot workspace
7. The content is indexed by Enhanced Memory for intelligent retrieval

Important limitations:

• No broad access: Hubalot does NOT request drive.readonly or any scope that would allow access to your entire Drive
• No crawling or syncing: We do not automatically sync or monitor your Drive for changes
• No modifications: Hubalot never modifies, deletes, or writes to your Google Drive files
• User-initiated only: Access occurs only when you explicitly select files via the Picker
• Revocable: You can disconnect Google Drive integration at any time from your Hubalot account settings

5.2 Gmail Integration

Scope Used: https://www.googleapis.com/auth/gmail.readonly (Restricted Scope)

Purpose: Allows users to open individual emails for AI-powered summarization and analysis.

Important safeguards:

• No bulk ingestion: Hubalot does NOT automatically import or sync your entire Gmail inbox
• Individual access only: Each email is retrieved only when you explicitly request it
• No external sharing: Gmail content is processed by AI models under our data processing agreements and is not shared with external parties for marketing or other purposes
• Limited retention: Raw email content may be temporarily cached for processing but is not permanently stored unless you save a summary
• User control: You can disconnect Gmail integration at any time

5.3 Limited Use Disclosure

Hubalot's use of information received from Google APIs is limited to:

1. Providing and improving user-facing features that are visible and prominent in Hubalot's user interface
2. Security purposes (detecting abuse, preventing unauthorized access)
3. Compliance with applicable laws

Hubalot does NOT:

• Use Google user data for serving advertisements
• Allow humans to read Google user data unless necessary for security purposes or compliance with applicable laws
• Transfer Google user data to third parties except as necessary to provide user-facing features, for security purposes, or for compliance with applicable laws

6. Data Storage, Retention & Deletion

6.1 Storage Limits by Plan

• Free Plan: 1 GB of storage
• Pro Plan: 10 GB of storage
• Elite Plan: 50 GB of storage

6.2 Data Retention Policies

• Active accounts: Your data is retained for as long as your account is active and as necessary to provide services
• Inactive accounts: Free accounts may be deleted after 12 months of inactivity (with 30 days advance notice)
• Deleted data: Permanently removed from active systems within 30 days; backups may retain deleted data for up to 90 days

6.3 Data Deletion & Account Control

You can delete individual items or your entire account at any time through your account settings. Upon account deletion, all your data will be permanently deleted within 30 days. You can export your data before deletion.

7. Your Privacy Rights

Hubalot respects your privacy rights under applicable laws, including GDPR (European Union), CCPA/CPRA (California), and other global privacy regulations.

7.1 Rights for All Users

• Access: Request a copy of the personal information we hold about you
• Correction: Update or correct inaccurate or incomplete information
• Deletion: Request deletion of your personal information
• Portability: Export your data in a machine-readable format
• Objection: Object to certain processing activities
• Revoke consent: Withdraw consent for data processing

To exercise your rights: Email privacy@hubalot.com or use your account settings. We will respond within 30 days.

8. Security Monitoring & Incident Response

• Real-time anomaly detection and automated threat monitoring
• Comprehensive audit logs of system access and data operations
• Regular penetration testing by independent security firms
• 24/7 incident response team
• User notification within 72 hours of any data breach

9. Children's Privacy

Hubalot is not intended for use by children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 13 without parental consent, we will delete that information immediately.

10. International Data Transfers

Hubalot operates globally and may transfer data across borders. For transfers outside your country, we use Standard Contractual Clauses (SCCs) and other approved mechanisms to ensure adequate protection. By using Hubalot, you consent to the transfer of your information to countries outside your country of residence.

11. Cookies & Tracking Technologies

Hubalot uses cookies and similar technologies to:

• Essential cookies: Maintain your login session and platform security (cannot be disabled)
• Analytics cookies: Understand usage patterns and improve features (can be opted out)

We do NOT use: Third-party advertising cookies or cross-site tracking for marketing purposes.

12. Marketing Communications

You will receive transactional emails (account notifications, billing receipts, security alerts) which cannot be opted out. Marketing emails (product updates, tips, promotions) can be unsubscribed at any time via the link in the email or in your account settings.

13. Third-Party Links & Services

Hubalot may contain links to third-party websites and services. We are not responsible for the privacy practices of third-party sites. Third-party integrations (Google Drive, Gmail, etc.) are governed by their own privacy policies in addition to this policy.

14. Business Transfers & Corporate Changes

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email before your data is transferred and becomes subject to a different privacy policy.

15. Updates to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email and in-app notification. Continued use of Hubalot after changes take effect constitutes your acceptance of the updated Privacy Policy.

16. Contact Us & Data Protection Officer

Privacy Team: privacy@hubalot.com

Security Team: security@hubalot.com

Support: support@hubalot.com

Legal: legal@hubalot.com

Mailing Address: Hubalot, Inc., 30 N Gould St Ste N, Sheridan, WY 82801

17. Acknowledgment & Consent

By creating an account and using Hubalot, you acknowledge that:

1. You have read and understood this Privacy Policy in its entirety
2. You consent to the collection, use, and sharing of your information as described herein
3. You understand that your data will be shared with third-party AI providers to deliver services
4. You consent to the Enhanced Memory system processing your uploaded content
5. You authorize AUTO mode to route your requests to AI providers we select
6. You understand your privacy rights and how to exercise them

If you do not agree to these practices, do not use Hubalot.

18. Specific Disclosures for Regulatory Compliance

18.1 GDPR (EU/EEA Users)

Data Controller: Hubalot, Inc. is the data controller for personal information collected through our services. You have the right to lodge a complaint with your local data protection authority.

18.2 CCPA/CPRA (California Users)

Hubalot does NOT sell personal information. California residents can exercise their rights by contacting privacy@hubalot.com. We will respond within 30 days.

19. Transparency Report

Hubalot is committed to transparency about government and legal requests for user data. We publish an annual Transparency Report detailing the number and types of requests we receive.

20. Final Notes

This Privacy Policy is effective as of the date listed at the top and supersedes all prior versions.

Key principles that guide our privacy practices:

• ✓ Your data is yours — You own and control your content
• ✓ We don't sell your data — Never have, never will
• ✓ Transparency — Clear explanations of what we collect and why
• ✓ Security first — Industry-leading protection for your information
• ✓ Minimal collection — We collect only what's necessary
• ✓ User control — Easy tools to access, export, and delete your data
• ✓ Compliance — Adherence to global privacy regulations
• ✓ Continuous improvement — Regular updates to enhance privacy protections