Privacy policy
How we collect, use, and protect personal data when you use Hebno.
Last updated 30 May 2026
Draft for review; not legal advice. Counsel should confirm entity details, retention periods, cookie practices, and subprocessors before launch.
1. Who we are and scope
Hebno("Hebno", "we", "us") provides an AI control platform for growing teams: one place to access major AI models, see spend by team and client, set hard budgets, and keep platform data in the European Union.
This privacy policy explains how we handle personal data when you:
- Visit our marketing website.
- Contact us for sales or support.
- Use the Hebno product as a customer administrator or authorised user.
When your organisation uses Hebno to process personal data about its staff or clients, we usually act as a processoron your organisation's instructions - see our data processing agreement. This policy covers where we act as controller (for example your account with us and this website).
2. What we collect
Website and contact
- Information you submit in forms (name, email, company, message content).
- Technical data such as IP address, browser type, and pages viewed.
- Cookies and similar technologies described in Section 11.
Product use
- Account and profile - name, work email, organisation, role, authentication identifiers.
- Organisation and usage - team and client project assignments, enabled models, token counts, and cost records (integer cents).
- Chat content - prompts and responses when you use integrated models, stored to provide history, support, and audit.
- API credentials - if you connect your own provider keys, we store them encrypted to call providers on your behalf; we do not use them for any other purpose.
- Billing - seat counts, plan tier, invoices, and payment references (payment cards are handled by our payment processor, not stored in full on Hebno).
- Support - tickets, emails, and call notes.
- Security and audit logs - sign-in events, administrative actions, and security signals.
3. How we use personal data
We use personal data to:
- Provide, operate, secure, and improve the Service.
- Transmit prompts directly to AI model providers you enable and return responses.
- Enforce role-based access, budgets, and organisation policies.
- Bill per active seat and report model usage at cost (see terms).
- Respond to enquiries, demos, and support requests.
- Comply with law and defend legal claims.
We do not use your inputs or outputs to train any AI model. Providers process inference under their own terms; you control which models are enabled.
We do not sell personal data. We do not use automated decision-making that produces legal or similarly significant effects about individuals without human involvement.
4. Legal bases (EEA and UK)
Where GDPR or UK GDPR applies, we rely on:
- Contract - to provide the platform, billing, and support you request.
- Legitimate interests - to secure systems, prevent abuse, improve the product, and market to business contacts in a measured way (you may object where applicable).
- Consent - for optional cookies or marketing where required.
- Legal obligation - where we must retain or disclose data.
5. Retention
We retain personal data only as long as necessary:
- Account data - for the subscription term and up to 90 days after closure for billing disputes and support, unless law requires longer.
- Chat and usage records - according to your organisation's settings where available, or default periods we disclose in the product, typically up to 24 months for operational analytics unless you delete earlier.
- Audit and security logs - typically up to 12 months.
- Marketing contacts - until you unsubscribe or we no longer have a lawful basis.
Counsel may adjust these periods before launch.
6. Sharing and subprocessors
We share data with service providers under contracts requiring appropriate safeguards. AI model providers receive prompts and responses only for models your organisation enables, via direct API connection to that provider.
Business customers receive at least 30 days' notice of new subprocessors that materially affect processing, as described in the DPA.
Platform infrastructure
These providers host and operate the Hebno application. They do not receive your prompts unless necessary for delivery of the platform itself (for example encrypted storage or logs).
AI model providers (direct connection)
When you enable a model, inference requests are sent directly to that provider's API. Each enabled provider is a separate subprocessor and only receives data for the models you have turned on.
7. International transfers
Hebno platform hosting and primary storage are in the European Union. When you enable a model provider outside the EEA, personal data in prompts may be processed in that provider's regions.
We use appropriate safeguards for transfers, including standard contractual clauses approved by the European Commission where required. You can restrict which providers are enabled to control transfer risk.
8. Security
Measures include:
- EU data residency for platform hosting and storage.
- No training on customer data.
- AES-256 encryption at rest; TLS 1.2 or higher in transit.
- Role-based access control and audit logs.
- Encryption of customer-supplied API keys at rest.
Report security concerns to privacy@hebno.com.
9. Your rights
Depending on location, you may have rights to access, correct, delete, restrict, port, or object to processing, and to withdraw consent. You may complain to your supervisory authority.
Contact privacy@hebno.com. If you use Hebno through your employer, many requests should go to your organisation as controller first.
10. Children
The Service is not directed at children under 16. We do not knowingly collect their data. Contact us if you believe we have.
11. Cookies and similar technologies
Our website may use essential cookies for security and session management. We minimise non-essential tracking. Where analytics or marketing cookies are used, we will describe them in a cookie notice and obtain consent where required by law.
You can control cookies through browser settings; blocking essential cookies may affect site function.
12. Contact and changes
Privacy questions: privacy@hebno.com.
We may update this policy on this page with a new "Last updated" date. Material changes for contracted customers follow the terms of service or your order.