Privacy Policy

Learn how we collect, use, and protect your data in compliance with GDPR and global privacy standards.

Last updated: January 9, 2026

TL;DR

✓ We collect only essential data to provide cybersecurity services

✓ Your data is never sold to third parties

✓ Full GDPR compliance with all data subject rights supported

✓ Data encrypted in transit (TLS 1.3) and at rest (AES-256)

✓ You can export or delete your data at any time

✓ Contact: [email protected]

1. Introduction

Hunto AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cybersecurity services and platform.

By using our services, you agree to the collection and use of information in accordance with this policy. We treat the General Data Protection Regulation (GDPR) as our baseline for data protection globally, ensuring the highest standards for all our customers regardless of location.

2. Information We Collect

Information You Provide Directly

We collect information that you provide when creating an account and using our services:

  • Account Information: Name, email address, company name, job title, phone number
  • Security Assets: Domains, IP addresses, email addresses, and other digital assets you want monitored
  • Authentication Data: Passwords (hashed and salted), MFA settings, API keys
  • Communication Data: Support requests, feedback, survey responses
  • Payment Information: Billing details processed securely through Stripe (we don't store credit card numbers)

Information Collected Automatically

When you use our platform, we automatically collect certain information:

  • Usage Data: Pages visited, features used, time spent, click patterns
  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP addresses, access times, API requests, error logs
  • Security Monitoring Data: Threat detections, vulnerability findings, risk scores
  • Cookies: Essential cookies for authentication and preferences (see Cookie Policy)

Data Minimization Principle

We practice data minimization - collecting only what's necessary to deliver our services effectively. We don't collect sensitive personal data (health, religion, political views) unless explicitly required for specific security features you enable.

3. How We Use Your Information

We use the information we collect for the following purposes, based on legitimate legal grounds:

Service Delivery (Contract Performance)

  • Provide, maintain, and improve our cybersecurity monitoring services
  • Monitor your digital assets for security threats, vulnerabilities, and data breaches
  • Generate security reports, alerts, and threat intelligence
  • Process payments and manage your subscription

Communication (Legitimate Interest)

  • Send critical security alerts and incident notifications
  • Provide customer support and respond to inquiries
  • Share product updates, new features, and service improvements
  • Send marketing communications (with your consent, opt-out anytime)

Security & Compliance (Legal Obligation & Legitimate Interest)

  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations and regulatory requirements
  • Maintain audit logs and records for compliance purposes
  • Enforce our Terms of Service and protect our rights

Product Improvement (Legitimate Interest)

  • Analyze usage patterns to enhance service quality
  • Develop new features and security capabilities
  • Train and improve our AI/ML models for threat detection
  • Conduct research and analytics (using aggregated, anonymized data)

4. Data Sharing and Disclosure

We do not sell your personal information to anyone. We may share your information only in the following limited circumstances:

Service Providers (Data Processors)

We share data with vetted third-party service providers who assist in our operations under strict data processing agreements:

  • Cloud infrastructure providers (Scaleway, Oracle Cloud, Hostinger)
  • Email delivery service (Amazon SES)
  • Payment processor (Stripe - PCI DSS compliant)

See our Compliance page for the complete sub-processor list.

Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights, prevent fraud, or ensure safety. We will notify you of such requests unless legally prohibited.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We'll notify you and ensure the acquiring party honors this Privacy Policy.

With Your Consent

We may share information with third parties when you explicitly consent, such as integrating with your existing security tools or SIEM platforms.

5. Data Security

We implement comprehensive security measures to protect your data from unauthorized access, alteration, disclosure, or destruction. Our security controls include:

Encryption

  • TLS 1.3 for data in transit
  • AES-256 for data at rest
  • Field-level encryption for sensitive data

Access Controls

  • Mandatory MFA for all accounts
  • Role-based access control (RBAC)
  • Principle of least privilege

Monitoring

  • 24/7 security monitoring (SIEM)
  • Intrusion detection systems
  • Regular vulnerability assessments

Compliance

  • ISO 27001:2022 certified
  • Annual security audits
  • Penetration testing quarterly

While we implement industry-leading security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents per our incident response procedures.

6. Data Retention

We retain your information only as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements:

| Data Type | Retention Period |
| --- | --- |
| Account & profile data | Until account deletion + 30 days |
| Security monitoring data | 90 days (customizable: 30-365 days) |
| Incident & alert data | 1 year (customizable: 90 days - 7 years) |
| Audit logs | 2 years (for compliance) |
| Billing records | 7 years (legal requirement) |
| Backups | 30 days rolling |

After the retention period, data is securely deleted from our systems. You can request earlier deletion by contacting [email protected].

7. Your Privacy Rights

Depending on your location, you have various rights regarding your personal data. We honor these rights globally to ensure consistent data protection:

✓ Right to Access

Request a copy of your personal data we hold

✓ Right to Rectification

Correct inaccurate or incomplete data

✓ Right to Erasure

Request deletion of your data (right to be forgotten)

✓ Right to Data Portability

Export your data in machine-readable format (JSON/CSV)

✓ Right to Restrict Processing

Limit how we process your data in certain situations

✓ Right to Object

Object to processing based on legitimate interests or direct marketing

✓ Right to Withdraw Consent

Withdraw consent for processing (where consent is the legal basis)

✓ Right to Lodge a Complaint

File a complaint with your data protection authority

How to Exercise Your Rights:

Self-Service: Access your account dashboard to update information, export data, or delete your account

Email Request: Contact [email protected] with your request. We respond within 30 days (60 days for complex requests).

Identity Verification: For security, we may ask you to verify your identity before processing certain requests.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for all international data transfers:

For EU/EEA Customers:

  • EU Data Residency Option: All data stored and processed exclusively in the EU (France - Scaleway)
  • Standard Contractual Clauses (SCCs): EU-approved SCCs (2021 version) for any transfers outside EEA
  • Adequacy Decisions: We comply with EU Commission adequacy decisions for approved countries

For India Customers (DPDP Act Compliance):

We comply with India's Digital Personal Data Protection Act, 2023. Indian customer data can be stored within India (OCI Mumbai / Hostinger India) or transferred with appropriate safeguards.

For US Customers:

We comply with applicable US data protection laws including state privacy laws (CCPA, CPRA, VCDPA, etc.). US customer data is primarily stored in US data centers (OCI Ashburn).

9. Compliance with Privacy Laws

Our privacy practices comply with major data protection regulations worldwide:

🇪🇺 GDPR (EU/EEA)

Full compliance with EU General Data Protection Regulation. See our GDPR compliance details.

🇮🇳 DPDP Act (India)

Compliant with Digital Personal Data Protection Act, 2023 including data localization requirements.

🇺🇸 US State Laws

CCPA, CPRA (California), VCDPA (Virginia), CPA (Colorado), and other state privacy laws.

🔒 ISO 27001

Certified ISO 27001:2022 for information security management.

10. Children's Privacy

Our services are designed for businesses and are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe we have collected information from a child under 18, please contact us immediately at [email protected], and we will promptly delete such information from our systems.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to provide, protect, and improve our services. Cookies are small text files stored on your device that help us understand how you use our platform.

Essential Cookies (Always Active)

Required for authentication, security, and basic functionality. Cannot be disabled.

Analytics Cookies (Optional)

Help us understand usage patterns to improve our services. Can be disabled in settings.

Preference Cookies (Optional)

Remember your settings and preferences. Can be disabled in settings.

You can control cookie preferences through your browser settings. Note that disabling certain cookies may limit functionality. We do not use advertising or tracking cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email (to your registered email address)
  • Display a prominent notice on our platform for 30 days
  • For material changes affecting your rights, obtain consent where required by law

Your continued use of our services after changes become effective constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

For questions about this Privacy Policy or to exercise your data rights, contact us at:

[email protected]