Privacy Policy
The plain-English version is short. The careful version is below.
Hapex AI (“Hapex,” “we,” “us”) builds and runs custom AI automations on behalf of small businesses. To do that, we necessarily handle data: account details, third-party credentials you authorize us to use, the inputs your automations consume, and the outputs they produce. This Policy explains exactly what we collect, why, who else touches it, how long we keep it, and what rights you have over it. We wrote it to be readable. If anything below is unclear, email support@hapex.ai and we will rewrite it.
01 Who We Are
Hapex AI is a sole-proprietor business based in Indianapolis, Indiana, United States. The operator and data controller of record is Shameel Khairi. The contact address for privacy and security correspondence is support@hapex.ai. There is no separate Data Protection Officer at our scale; the operator handles privacy requests directly and will identify themselves by name in any reply.
02 Scope and Application
This Policy applies to hapex.ai, the build flow at hapex.ai/build, the agent service that runs automations on your behalf, and any successor properties operated by Hapex. It covers prospects who fill out the intake form, customers who activate paid or free automations, and end users whose data flows through an automation a customer has authorized (for example, your inbox if you connected Gmail).
This Policy does not cover third-party services you connect to (Google Workspace, Slack, Notion, GitHub, Microsoft 365, Stripe, ntfy.sh, Resend, Anthropic, InsForge, or others). Those providers each have their own privacy practices, and authorizing them as part of an automation is also an acknowledgement that their policies apply to data they hold.
03 Information We Collect
Account information.
When you submit an intake request we collect your name, email address, and any business context you choose to provide. If you activate an automation we additionally store the service tier you selected and (for paid tiers) a Stripe customer identifier plus the last four digits of the payment method. Hapex never receives or stores full payment card numbers; Stripe does.
Automation specifications.
We store the natural-language description of the automation you asked for, the structured plan our planner produced, the slug, the schedule, and which capabilities the automation uses. Plans are kept indefinitely as long as the automation is active so they can be re-run or audited.
Authorized credentials.
To run automations against third parties, you authorize Hapex via OAuth (for example, “Continue with Google”) or by providing API keys. We store the resulting refresh tokens and any required keys encrypted with AES-256-GCM in our managed backend. Plaintext credentials touch agent-service memory only at the moment a step runs and are never logged. You can revoke this authorization at any time, both from inside Hapex and from the third-party provider's account settings.
Automation inputs and outputs.
When an automation runs, the runtime fetches inputs from the services you have authorized (for example, unread Gmail messages, recent calendar events, files in a Drive folder) and produces outputs (for example, a phone-friendly summary delivered via push notification). Hapex processes this content transiently to execute the automation, and we retain a bounded test-run record (see Section 11) so you can debug failures and so we can demonstrate that a self-test passed before billing.
Telemetry and operational logs.
We collect minimal operational logs necessary to keep the service running: HTTP request timestamps and response codes, error stack traces with personally identifying values redacted where feasible, scheduler events, and aggregate usage counters. We do not log full plaintext credentials, full email bodies, or full automation outputs.
Cookies and similar technologies.
The intake app uses only first-party cookies strictly necessary to keep your build session coherent across page reloads. We do not use third-party analytics cookies, advertising pixels, fingerprinting libraries, session-replay tools, or behavioral tracking. We respect Global Privacy Control (GPC) and Do Not Track signals as described in Section 9.
04 How We Use Information
We use the information described in Section 3 for these purposes and no others:
- Operate the service. Build, test, schedule, and run the automations you have authorized. This is the primary and necessary use.
- Bill you accurately. Apply your selected service tier, generate invoices through Stripe, and reconcile usage.
- Keep the service safe. Detect and prevent abuse, fraud, credential theft, prompt-injection attacks, and quota gaming.
- Respond to you. Answer support requests, deliver onboarding emails, send security notices and incident disclosures.
- Improve Hapex through internal research. See Section 5; this is a defined use with explicit limits.
- Comply with law. Respond to lawful requests from courts and regulators, defend legal claims, enforce our Terms.
05 Research Use of Customer Data
By using Hapex, you grant Hapex a worldwide, royalty-free license to use the data you submit and the data your automations process for internal product research and development. “Research and development” here means the following, and only the following:
- Improving the planner's ability to translate plain-English requests into correct automation plans.
- Evaluating and tuning the runtime that executes capabilities (Gmail, Calendar, Slack, ntfy, and successors).
- Measuring the cost, quality, and reliability of large language models we route requests through, including running offline comparisons between models and prompt strategies.
- Diagnosing failures, fixing bugs, and reproducing incidents reported by customers or detected through monitoring.
- Training, fine-tuning, or evaluating proprietary models that are operated by Hapex and not exposed to third parties as standalone products.
What we will not do under this clause. We will not sell, license, or otherwise make available your raw data, automation outputs, or derivative datasets to third parties. We will not use your data to train models owned by third parties; sub-processors that process your data on our behalf (for example, Anthropic) operate under their own contractual terms which prohibit use of inputs and outputs to train their general-purpose models, and we will not opt back in to such training. We will not publish customer-identifying examples in marketing material, demos, or papers without obtaining your prior written consent.
Pseudonymization and aggregation. Whenever feasible, we strip direct identifiers (names, email addresses, phone numbers, message bodies) before data enters a research pipeline, and we aggregate or sample at a level that does not permit re-identification of any individual user.
Your control. You may opt out of research use at any time by emailing support@hapex.ai with the subject line “Opt out of research use.” Opting out does not affect the operation, billing, or support of your automations. Opt-out requests will be honored within fifteen business days and persist across all future processing of your data.
06 We Do Not Sell Personal Information
Hapex does not, and will not, sell your personal information. This commitment goes beyond what California law requires of us at our current scale. We extend it to every customer regardless of where they live and to every category of information described in Section 3.
We do not engage in the following practices, ever, under any commercial pressure or acquisition scenario without first obtaining new explicit consent: (a) sale of personal information for monetary or other valuable consideration, (b) sharing of personal information for cross-context behavioral advertising, (c) renting, swapping, or trading customer lists with third-party marketers, (d) supplying customer data to data brokers, (e) using customer data to train third-party AI providers' foundation models, or (f) using identifiable customer content in marketing without prior written consent.
If Hapex is acquired or merged with another company, your data will only transfer subject to a continuation of this Policy or a privacy notice that is materially equivalent in substance, and you will be notified at least thirty days in advance with an opportunity to delete your account before the transfer takes effect.
07 Sub-processors and Sharing
We rely on a small number of vetted infrastructure providers to deliver the service. Each is a sub-processor under the GDPR framework. Hapex remains the controller of your data; sub-processors process it only on our documented instructions.
- InsForge (managed Postgres, edge functions, file storage, authentication). Stores the encrypted credential blobs, automation plans, and test-run records described in Section 3.
- Anthropic (Claude language models). Receives the planner prompt during a build and the summarization prompt at run time. Anthropic's API terms prohibit them from training their general-purpose models on our inputs and outputs; we have not opted in to any such training.
- Google LLC (Gmail, Calendar, Drive, and other Workspace APIs you authorize). Acts as the data source you point Hapex at; their privacy policy applies to data they hold about you.
- ntfy.sh (push notification delivery). Receives the message body and title for any automation that delivers via ntfy. ntfy.sh holds messages for up to twelve hours.
- Resend (transactional email delivery). Receives the email body, subject, and recipient for any automation that delivers via Resend, plus our own onboarding and incident emails to you.
- Stripe (payment processing). Holds your payment method and billing history. Hapex never sees full card numbers.
- Railway and Vercel / Netlify (compute and edge hosting). Run the agent service and the intake app. They have access to data in transit during request handling and to operational logs.
- Google Cloud (OAuth client and identity verification for the “Continue with Google” flow).
A current sub-processor list is available on request. We will give existing customers at least fifteen days' notice before adding a sub-processor that processes personal information; you may terminate during that window without penalty if you object.
We will disclose your information outside this list only when (a) you direct us to (for example, you ask us to copy your plan to a new account), (b) we are compelled by valid legal process and have reasonable basis to comply, or (c) disclosure is necessary to investigate or defend against a credible legal claim or a security incident. We will, where lawful, notify you of legal compulsions affecting your data.
08 Legal Bases for Processing (GDPR / UK GDPR)
For users protected by the European or United Kingdom General Data Protection Regulation, we process personal data on the following lawful bases:
- Performance of a contract. Processing necessary to deliver the service you signed up for, including running your automations and billing you. (Article 6(1)(b))
- Legitimate interests. Securing the service, preventing abuse, conducting the internal research described in Section 5 (where the research interest is balanced against your reasonable expectations and you may opt out at any time). (Article 6(1)(f))
- Consent. Marketing communications, optional integrations, and any processing not covered above. (Article 6(1)(a))
- Legal obligation. Tax, accounting, and lawful-request compliance. (Article 6(1)(c))
09 Your Rights
Depending on your jurisdiction you may have any or all of the following rights. We honor each of them globally because doing so is simpler than tracking residency.
- Right of access. You can request an export of the personal data we hold about you in a structured, machine-readable format.
- Right to rectification. You can correct inaccurate or incomplete information.
- Right to erasure. You can request deletion of your account and associated personal data, subject to retention required by law (for example, tax records).
- Right to restriction. You can ask us to suspend processing of your data while a dispute is being investigated.
- Right to data portability. You can request a copy of your data in a portable format and have it sent directly to another controller where technically feasible.
- Right to object. You can object to processing based on legitimate interests, including the research use in Section 5.
- Right to withdraw consent. Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
- California rights. Under the California Consumer Privacy Act and California Privacy Rights Act, you also have the right to know the categories of personal information collected, the right to correct, the right to delete, the right to limit use of sensitive personal information, and the right to opt out of any sale or sharing for cross-context behavioral advertising. Hapex does not engage in any such sale or sharing, so the opt-out is satisfied by default.
- Right to lodge a complaint. You can complain to your local data-protection supervisory authority. We would prefer you contact us first, but you are not required to.
To exercise any right, email support@hapex.ai. We will respond within thirty days, extendable once by an additional thirty days for complex requests with notice. We will verify your identity using the email address tied to your account and may require a second factor for high-risk requests like erasure of an active automation.
10 Global Privacy Control and Do Not Track
When your browser sends a Global Privacy Control signal or a Do Not Track header, we treat it as a binding opt-out from any form of cross-context behavioral advertising and from any sharing of your personal data with third parties for marketing purposes. Because we do not engage in those practices in the first place, the practical effect is that your browser's signal will not change anything we do, but we record receipt of the signal in our compliance log on each request.
11 Data Security
We design Hapex with the following minimum security controls:
- Encryption in transit. All traffic between your browser, the intake app, the agent service, the database, and sub-processors uses TLS 1.2 or higher.
- Encryption at rest. Customer credentials are encrypted at the application layer with AES-256-GCM using a key held only on the agent service. The database additionally encrypts storage volumes at the disk level via the sub-processor.
- Least-privilege OAuth scopes. Each capability requests the minimum scopes required to function (for example, Gmail summarization uses the read-only scope, not full mail access).
- Self-test gate. Every automation must pass a successful self-test execution before activation, before any email or message is sent on behalf of the customer, and before any Stripe charge is created.
- No plaintext logging. Credentials, full automation outputs, and email bodies are never written to logs.
- Bounded retention. See Section 11.
- Incident response. If we identify a security incident affecting your data, we will notify you within seventy-two hours of confirmation, in line with GDPR Article 33 timelines, even if your jurisdiction does not require it.
No system is impervious. We will continue to harden Hapex; we will publish post-mortems for incidents that affect more than a handful of customers; and we ask that researchers reporting vulnerabilities email support@hapex.ai with subject “Security report” for a coordinated disclosure.
12 Data Retention
We keep different categories of data for different lengths of time:
- Account information. For as long as your account is active, plus thirty days after deletion to allow recovery from accidental deletion.
- Automation plans and slugs. For as long as the automation is active. Deactivated automations are soft-deleted for thirty days then purged.
- Encrypted credentials. Held only while the associated automation is active. Revoked or deleted automations cause immediate purge of the corresponding credential row.
- Test-run records. Retained for ninety days for debugging, then summarized into aggregate counters and the row is purged.
- Operational logs. Up to thirty days for application logs; up to one year for security and compliance logs.
- Billing records. Seven years (United States tax retention requirement). Held in Stripe and in our own financial records.
When you delete your account, all data outside the categories above with mandatory retention is purged within thirty days, and we will confirm in writing once the purge is complete.
13 International Data Transfers
Hapex is operated from the United States. Data submitted to the service is processed primarily in the United States. Our sub-processors may process data in other jurisdictions, including the European Economic Area, the United Kingdom, and other regions where they maintain infrastructure.
Where required by law, transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States or other third countries are made under the European Commission's Standard Contractual Clauses, the United Kingdom International Data Transfer Addendum, or other valid transfer mechanisms.
14 Children
Hapex is not designed for or directed at children under the age of sixteen. We do not knowingly collect personal information from anyone under sixteen. If you believe a minor has provided us information, contact support@hapex.ai and we will delete the information and the corresponding account promptly.
15 Changes to This Policy
We may update this Policy when our practices change, when a new sub-processor is onboarded, or when applicable law changes. The “Effective” and “Updated” dates at the top of this document always reflect the current version. For material changes (changes that adversely affect your rights, expand the categories of data collected, or change the legal basis for processing), we will notify you via email at least fifteen days before the changes take effect, and you may close your account before that date if you do not consent.
Older versions of this Policy are available on request.
16 How to Contact Us
For any privacy-related question, request, complaint, or correction, email support@hapex.ai. Mailing correspondence may be addressed to Hapex AI, Indianapolis, Indiana, United States. We will reply within thirty days; complex requests may be extended once with written notice.