Privacy Policy

Data Controller

We are the data controller responsible for your personal data processed through the Hubrix platform. For enterprise customers with a Data Processing Agreement (DPA), the customer organization may act as controller and we act as processor.

What We Collect

We do not collect special categories of personal data (health, religion, political views, biometric data) and our platform is not designed to process such data. You should not submit special category data through the platform.

How We Use Your Data

We process your data under the following legal bases (GDPR Article 6):

• Contract performance — To provide the Hubrix service, manage your account, process payments, and respond to support requests
• Legitimate interests — Security monitoring, fraud prevention, rate limiting, and improving service reliability
• Legal obligation — To comply with Dutch and EU law, including tax and accounting obligations
• Consent — For optional features like connecting Google Drive or Microsoft account (you may withdraw consent at any time)

We do not use your data for advertising, profiling, or selling to third parties.

AI Provider Processing

The Hubrix routes queries to third-party AI providers depending on the model selected:

• Anthropic — Claude models. Zero Data Retention (ZDR) agreement in place. Prompts and responses are not used for model training. Anthropic Privacy Policy
• OpenAI — GPT-4o and Whisper STT. Enterprise ZDR agreement. Data not used for training. OpenAI Privacy Policy
• Google Gemini — Gemini Flash model. EU data processing terms apply. Google Privacy Policy
• ElevenLabs — Text-to-speech only. Audio not retained. ElevenLabs Privacy
• Serper — Web search queries only. No personal data transmitted.

SSO & Data Connectors

Single Sign-On (Google / Microsoft):

• We store your provider user ID, email, and OAuth tokens in our database
• Tokens use openid + email + profile scopes only — we do not access your Google Drive or OneDrive through SSO login
• You can disconnect your SSO account at any time via Settings → Connected Accounts
• Disconnecting revokes our access and deletes stored tokens

Data Connectors (Google Drive / OneDrive / SharePoint):

• Connector OAuth uses separate tokens from SSO login — scoped to drive.readonly or Files.Read only
• We only download files you explicitly select for import
• Downloaded file content is stored in our RAG database for AI search
• Connector tokens are stored encrypted and auto-refreshed as needed
• Disconnecting a connector deletes the associated tokens immediately

Data Storage & Location

• Primary server: 89.167.82.46 — Netherlands (EU), Hetzner datacenter
• Backup server: Grafana server — EU-based
• Database: PostgreSQL 16 on the same Netherlands server
• Cache: Redis — in-memory on Netherlands server, no persistence of personal data
• AI processing: Queries sent to AI providers may be processed on their global infrastructure, subject to their data processing agreements
• Payments: Processed by Stripe — see Stripe's privacy policy
• Email: Sent via Resend.com — EU servers — email content not retained by Resend beyond transmission

We do not transfer personal data outside the EEA without appropriate safeguards. AI providers with non-EU infrastructure operate under Standard Contractual Clauses (SCCs) or equivalent mechanisms.

Data Retention

• Account data: Retained while your account is active, plus 30 days after deletion
• Chat history: Retained while your account is active. You can delete sessions at any time.
• Uploaded documents: Retained until you delete them or your account is closed
• Token usage logs: Retained for 12 months for billing and analytics
• Rate limiting events: Deleted automatically every hour
• Semantic cache: Automatically expires after 7 days
• Stripe payment records: Retained 7 years per Dutch tax law (Belastingdienst)
• Password reset tokens: Expire after 1 hour, unused tokens deleted daily
• SSO / Connector tokens: Deleted immediately upon disconnecting, or within 30 days of account deletion

Data Sharing

We do not sell your personal data. We share data only with:

• AI providers — Query content sent to process your AI requests (see Section 4)
• Stripe — Payment processing only. Stripe acts as data processor.
• Resend — Email delivery only. Email content not retained.
• Google / Microsoft — Only when you explicitly connect their services via SSO or Data Connectors
• Legal authorities — If required by Dutch or EU law, court order, or regulatory obligation

For enterprise on-premise deployments: data remains entirely on your own infrastructure and is not shared with us.

Your GDPR Rights

Under GDPR, you have the following rights:

• Right of access (Art. 15) — Request a copy of your personal data
• Right to rectification (Art. 16) — Correct inaccurate data
• Right to erasure (Art. 17) — Delete your account and associated data
• Right to restriction (Art. 18) — Restrict processing in certain circumstances
• Right to data portability (Art. 20) — Export your data in a machine-readable format
• Right to object (Art. 21) — Object to processing based on legitimate interests
• Right to withdraw consent (Art. 7) — Disconnect SSO or Data Connectors at any time

To exercise any of these rights, contact us at privacy@hubrix.ai. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority: autoriteitpersoonsgegevens.nl

Cookies & Session Tokens

We use minimal cookies:

• Authentication cookie — HttpOnly, Secure, SameSite=Lax. Contains a JWT session token. Valid for 24 hours. Strictly necessary — no consent required.
• No tracking cookies — We do not use Google Analytics, Facebook Pixel, or any third-party tracking
• No advertising cookies — We do not serve or facilitate advertising

The Hubrix is ad-free. No advertising networks have access to your data through our platform.

Security Measures

• TLS 1.2/1.3 encryption for all data in transit (Let's Encrypt, auto-renewed)
• bcrypt password hashing — passwords never stored in plain text
• SHA256 hashing for API keys — full keys never stored
• Row-Level Security (RLS) on 13 PostgreSQL tables
• JWT HttpOnly cookies to prevent XSS token theft
• Redis-based rate limiting (30 req/min) to prevent abuse
• html_escape() on all AI responses to prevent XSS injection
• Content Security Policy (CSP) headers via Nginx
• 83/83 automated security tests — 100% passing
• Daily encrypted backups to EU-based remote server

In the event of a personal data breach, we will notify affected users and the Dutch Data Protection Authority within 72 hours as required by GDPR Article 33.

Children's Privacy

The Hubrix is an enterprise platform intended for users aged 18 and above. We do not knowingly collect personal data from children under 16. If you believe a child has created an account, please contact us at privacy@hubrix.ai and we will delete the account promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the most recent version.

Continued use of the platform after the effective date constitutes acceptance of the updated policy.

Contact & DPA Requests

Enterprise customers requiring a Data Processing Agreement (DPA) can request one at privacy@hubrix.ai or via our GDPR page.

Complaints can also be submitted to the Dutch supervisory authority: Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl.