1.1. This Privacy Policy explains how HUEE ("we", "us", "our", or "Controller") collects, uses, stores, and protects your personal data when you use our website and software-as-a-service platform for creating and managing AI agents ("Service").

1.2. We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679), the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), the German Telemedia Act (Telemediengesetz - TMG), and other applicable data protection laws.

1.3. The data controller responsible for the processing of your personal data is:

1.4. We advise you that data transmission over the Internet (e.g., email communication) may be subject to security vulnerabilities. Complete protection of data against third-party access is not possible.

2.1. We collect personal data in the following ways:

• Data you provide directly: Information you provide when registering, using our Service, or contacting us
• Data collected automatically: Technical information collected when you access our website or Service
• Data from third parties: Information received from authentication providers (e.g., Google OAuth) if you choose to use them

2.2. Categories of personal data we process:

• Identity data: Name, email address, username
• Account data: Login credentials, account settings, preferences
• Payment data: Billing address, payment method details (processed by our payment providers)
• Technical data: IP address, browser type and version, device information, operating system, time zone, referral source
• Usage data: Information about how you use our website and Service, features accessed, session duration
• Communication data: Messages sent through our support channels, feedback, and correspondence
• Content data: Data you create, upload, or process through our Service, including AI agent configurations and prompts

2.3. We do not intentionally collect any special categories of personal data (sensitive data) as defined in Article 9 GDPR, such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation. If you submit such data through the Service, you do so under your own responsibility.

3.1. We process your personal data based on the following legal grounds pursuant to Article 6(1) GDPR:

3.2. Contractual Performance (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes:

• Creating and managing your user account
• Providing access to and delivering our Service
• Processing payments and managing subscriptions
• Communicating about service-related matters
• Providing customer support

3.3. Consent (Art. 6(1)(a) GDPR): Where you have given consent to the processing of your personal data for one or more specific purposes. This includes:

• Receiving marketing communications and newsletters
• Use of non-essential cookies for analytics and marketing purposes
• Processing data for purposes beyond the original scope (where applicable)

You have the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

3.4. Legitimate Interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by your interests or fundamental rights. Our legitimate interests include:

• Ensuring the security and integrity of our Service
• Preventing fraud and abuse
• Improving and developing our Service
• Analyzing usage patterns to enhance user experience
• Maintaining business records and administration
• Enforcing our terms of service and legal rights

3.5. Legal Obligations (Art. 6(1)(c) GDPR): Processing is necessary for compliance with legal obligations to which we are subject, such as:

• Tax and accounting requirements
• Responding to lawful requests from public authorities
• Compliance with court orders

4.1. We process your personal data for the following purposes:

• Service Provision: To provide, maintain, and improve our AI agent platform and related services
• Account Management: To create and manage your user account, authenticate your identity, and maintain account security
• Payment Processing: To process payments, manage billing, and handle refunds
• Communication: To respond to inquiries, send service notifications, and provide customer support
• Personalization: To customize your experience and provide relevant features and content
• Security: To detect, prevent, and investigate security incidents, fraud, and abuse
• Analytics: To analyze usage patterns, measure Service performance, and generate aggregated statistics
• Legal Compliance: To comply with applicable laws, regulations, and legal processes
• Business Operations: To operate, protect, and optimize our business

4.2. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

5.1. When you register for an account, we collect the following data:

• Email address (required)
• Password (stored in encrypted/hashed form)
• Name (if provided)
• Organization name (for business accounts)

5.2. If you register using a third-party authentication service (such as Google OAuth), we receive the following data from the authentication provider:

• Email address
• Name
• Profile picture URL (if available)
• Unique identifier from the provider

5.3. This data is processed on the basis of Article 6(1)(b) GDPR for the purpose of contract performance and providing our Service.

5.4. Your account data is stored for the duration of your account's existence and for a reasonable period thereafter as required for legal and business purposes.

6.1. Server Log Files: When you access our website or Service, our servers automatically collect and store information in log files, including:

• IP address
• Date and time of access
• Requested URL and referrer URL
• Browser type and version
• Operating system
• HTTP status codes

This data is processed on the basis of Article 6(1)(f) GDPR (legitimate interests) for security purposes, troubleshooting, and service optimization. Log files are typically retained for 30 days.

6.2. AI Agent and Service Data: When you use our Service, we process data related to your AI agents and configurations:

• Agent configurations and settings
• Prompts and instructions you create
• Connection configurations (database connections, API integrations)
• Usage metrics and analytics

This data is processed on the basis of Article 6(1)(b) GDPR for the purpose of providing our Service.

6.3. Third-Party Integrations: If you connect our Service to third-party applications (such as Google Workspace, Slack, or databases), we process connection credentials and data necessary to facilitate these integrations. You remain responsible for the data accessed through these integrations and must ensure compliance with applicable data protection laws.

7.1. Our website and Service use cookies and similar tracking technologies. Cookies are small text files that are stored on your device when you visit our website.

7.2. Types of cookies we use:

Essential Cookies (Strictly Necessary): These cookies are necessary for the website to function and cannot be switched off. They include:

• Session cookies for authentication and maintaining your login state
• Security cookies for fraud prevention
• Cookie consent preferences

Legal basis: Article 6(1)(f) GDPR (legitimate interests) - these cookies are essential for website operation.

Analytics Cookies: These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously:

• Page views and navigation patterns
• Time spent on pages
• Error messages encountered

Legal basis: Article 6(1)(a) GDPR (consent) - these cookies are only placed with your consent.

7.3. Managing Cookies: You can manage your cookie preferences through:

• Our cookie consent banner when you first visit our website
• Your browser settings (you can configure your browser to reject cookies or alert you when cookies are being sent)

7.4. Please note that disabling certain cookies may affect the functionality of our website and Service.

8.1. We may share your personal data with the following categories of third parties:

8.2. Service Providers: We engage third-party service providers to perform functions on our behalf, including:

• Cloud Infrastructure: Hosting and storage providers for operating our Service
• Payment Processors: For processing payments and managing subscriptions (e.g., Stripe, PayPal)
• Email Service Providers: For sending transactional and marketing emails
• Analytics Providers: For analyzing website usage and Service performance
• Customer Support Tools: For managing support inquiries

These service providers process personal data on our behalf and are bound by data processing agreements in accordance with Article 28 GDPR.

8.3. AI Model Providers: When you use our AI agent features, your prompts and queries may be processed by third-party AI model providers (such as OpenAI, Anthropic, or similar providers). These providers process data as independent controllers or processors depending on their terms of service. We encourage you to review the privacy policies of these providers.

8.4. Legal Requirements: We may disclose your personal data if required by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing
• Protect the personal safety of users or the public

8.5. Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your data.

8.6. We do not sell your personal data to third parties.

9.1. Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our service providers are located.

9.2. When transferring personal data outside the EEA, we ensure an adequate level of data protection through one or more of the following safeguards:

• Adequacy Decisions: Transfers to countries that the European Commission has determined provide an adequate level of data protection
• Standard Contractual Clauses: Transfers based on EU Standard Contractual Clauses (SCCs) adopted by the European Commission, ensuring that appropriate safeguards are in place
• Binding Corporate Rules: Where applicable, transfers within corporate groups based on approved binding corporate rules
• Certification Mechanisms: Transfers to US companies certified under the EU-U.S. Data Privacy Framework

9.3. You may request a copy of the safeguards in place for international data transfers by contacting us using the details provided in Section 15.

10.1. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

10.2. Retention periods:

• Account data: Retained for the duration of your account and for up to 3 years after account deletion for legal and administrative purposes
• Transaction data: Retained for 10 years in accordance with German commercial law (HGB) and tax regulations (AO)
• Communication records: Retained for 3 years after the last communication
• Server log files: Retained for up to 30 days
• Service usage data: Deleted or anonymized within 90 days of account termination
• Consent records: Retained for as long as required to demonstrate compliance with legal obligations

10.3. When your personal data is no longer required, we will securely delete or anonymize it. Anonymized data, which cannot be used to identify you, may be retained indefinitely for statistical and analytical purposes.

11.1. We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR.

11.2. Our security measures include:

• Encryption of data in transit using TLS/SSL
• Encryption of sensitive data at rest
• Secure password hashing using industry-standard algorithms
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Employee training on data protection and security
• Incident response procedures
• Regular backups and disaster recovery planning

11.3. While we take all reasonable measures to protect your data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of your data.

11.4. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, inform affected individuals without undue delay in accordance with Articles 33 and 34 GDPR.

12.1. Under the GDPR, you have the following rights regarding your personal data:

12.2. Right of Access (Art. 15 GDPR): You have the right to request confirmation as to whether we process your personal data and, if so, to request access to that data along with information about how it is processed.

12.3. Right to Rectification (Art. 16 GDPR): You have the right to request that we correct any inaccurate personal data concerning you and complete any incomplete personal data.

12.4. Right to Erasure / Right to be Forgotten (Art. 17 GDPR): You have the right to request the deletion of your personal data where one of the following applies:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw your consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• The data must be erased to comply with a legal obligation

12.5. Right to Restriction of Processing (Art. 18 GDPR): You have the right to request restriction of processing where:

• You contest the accuracy of your personal data (for the period allowing us to verify accuracy)
• Processing is unlawful and you oppose erasure
• We no longer need the data but you require it for legal claims
• You have objected to processing pending verification of legitimate grounds

12.6. Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means.

12.7. Right to Object (Art. 21 GDPR): You have the right to object at any time to processing of your personal data based on legitimate interests (Art. 6(1)(f) GDPR) or for direct marketing purposes. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

12.8. Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless such processing is necessary for a contract, authorized by law, or based on your explicit consent.

12.9. Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing before the withdrawal.

12.10. Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. In Germany, the competent supervisory authorities are the data protection authorities of the federal states (Landesdatenschutzbeauftragte).

12.11. Exercising Your Rights: To exercise any of these rights, please contact us using the details provided in Section 15. We will respond to your request within one month. This period may be extended by two further months where necessary, considering the complexity and number of requests.

12.12. We may request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

13.1. Our Service is intended for users who are at least 18 years old and is designed for business use. We do not knowingly collect personal data from children under the age of 16.

13.2. If we become aware that we have collected personal data from a child under the age of 16 without verification of parental consent, we will take steps to delete that information as quickly as possible.

13.3. If you believe that we may have collected information from a child under 16, please contact us immediately using the details provided in Section 15.

14.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

14.2. When we make material changes to this Privacy Policy, we will notify you by:

• Posting a prominent notice on our website
• Sending you an email notification (if you have an account)
• Updating the "Last updated" date at the top of this page

14.3. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

14.4. Your continued use of our Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

15.1. For questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us at:

15.2. We will respond to your inquiries as soon as possible and in accordance with applicable legal requirements.

15.3. If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority.