Privacy Policy
Effective February 25, 2026 · HAIO Labs, Inc.
HAIO Labs, Inc. (“HUMΛN,” “we,” “our,” or “us”) respects your privacy. This policy explains what information we collect, how we use it, and your rights. It applies to builtwithhuman.com, haio.run, the HUMΛN platform, API, SDKs, and mobile and desktop applications (collectively, the “Services”).
1. Information we collect
Information you provide directly:
- Name, email address, and organization when you register or contact us
- Passport display name you choose during Passport creation
- Messages, feedback, or support requests you send us
- Payment information processed by our payment provider (Stripe); we do not store card numbers
Passport and identity data:
Your HUMΛN Passport uses WebAuthn/passkey technology. Your biometric data (fingerprint, Face ID) never leaves your device and is never transmitted to or stored by HUMΛN. We store only your decentralized identifier (DID), your WebAuthn public key, and your chosen display name.
Usage and technical data:
- Pages visited, features used, and general usage patterns
- Browser type, operating system, and IP address
- Error logs and performance data via Sentry
- API request metadata (endpoint, response time, error codes) — not request body content
CCPA categories of personal information collected:
- Identifiers: name, email address, DID, IP address, device identifiers
- Internet or network activity: pages visited, features used, API calls
- Geolocation: country/region derived from IP address (not precise location)
- Inferences: product preferences drawn from usage patterns
- Professional information: organization or role if provided
2. How we use your information
- Provide, maintain, and improve our Services
- Authenticate you when you sign in with your Passport
- Process transactions and send related notices
- Respond to inquiries and support requests
- Send product updates and announcements (you can opt out at any time)
- Understand how our Services are used to guide development
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not sell your personal information to third parties. We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human review.
3. Information sharing
We share your information only in these limited circumstances:
- Service providers: Trusted vendors who help us operate our Services under confidentiality agreements, including: Cloudflare (hosting, CDN), Railway (infrastructure), Sentry (error monitoring), Stripe (payments), SendGrid (email), and Anthropic / OpenAI (AI features where applicable)
- Legal requirements: When required by applicable law, court order, or to protect the rights, property, or safety of HUMΛN, our users, or others
- Business transfers: In connection with a merger, acquisition, or sale of assets, we will provide notice and your rights under this policy will continue to apply
- With your consent: In any other circumstances where you have given explicit consent
4. Data retention
We retain your information for as long as your account is active or as needed to provide Services. You may request deletion of your account and associated data at any time by contacting privacy@builtwithhuman.com.
Passport DIDs and public keys associated with registered Passports may be retained in our public identity registry for integrity purposes, even after account deletion, consistent with the decentralized nature of the identity system.
Anonymized or aggregated data that cannot reasonably be used to identify you may be retained indefinitely for analytics and product improvement.
5. Security
We use industry-standard measures to protect your information, including TLS encryption in transit, encryption at rest, and regular security reviews. Passport credentials use hardware-backed cryptography (Secure Enclave, TPM) where available. For a detailed overview of our security practices, see our Security page.
No method of transmission or storage is 100% secure. If you discover a security issue, please report it responsibly to security@builtwithhuman.com.
7. International data transfers
HUMΛN is headquartered in the United States. If you access our Services from the European Economic Area (EEA), United Kingdom, or Switzerland, your information may be transferred to and processed in the United States.
We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) as the legal mechanism for such transfers, where required. We also implement supplementary technical and organizational measures to protect transferred data.
8. Your rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Request deletion of your information (“right to be forgotten”)
- Object to or restrict certain processing
- Receive your data in a portable format
- Withdraw consent at any time (where processing is based on consent)
To exercise these rights, contact privacy@builtwithhuman.com. We will respond within 30 days. We may ask you to verify your identity before acting on a request.
9. Children
Our Services are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us at privacy@builtwithhuman.com and we will delete it promptly.
10. Changes to this policy
We may update this policy periodically. We will notify you of material changes by email or prominent notice on our website at least 30 days before they take effect. The “Effective” date at the top indicates the most recent revision. Continued use of our Services after changes constitutes acceptance of the updated policy.
European users — GDPR
Applies to users in the European Economic Area (EEA), United Kingdom, and Switzerland.
Data controller
HAIO Labs, Inc., 828 Canonbury St, Henderson, NV 89011, USA is the data controller for personal information processed through our Services. Contact: privacy@builtwithhuman.com.
Legal bases for processing
We process your personal information on the following legal bases under Article 6 GDPR:
- Contract performance (Art. 6(1)(b)): To provide, maintain, and support the Services you have signed up for
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, product analytics, and improving our Services — where these interests are not overridden by your rights
- Consent (Art. 6(1)(a)): Marketing communications and optional analytics cookies — you may withdraw consent at any time
- Legal obligation (Art. 6(1)(c)): Where processing is required by applicable law
Your GDPR rights
Under GDPR, you have the right to:
- Access — obtain a copy of your personal data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request deletion in certain circumstances (Art. 17)
- Restriction — limit how we process your data (Art. 18)
- Portability — receive your data in a machine-readable format (Art. 20)
- Object — to processing based on legitimate interests (Art. 21)
- Withdraw consent — at any time, without affecting prior lawful processing
To exercise these rights, contact privacy@builtwithhuman.com. We will respond within 30 days (extendable by two months for complex requests with notice).
Right to lodge a complaint
You have the right to lodge a complaint with your local data protection authority (DPA). In the EU, find your national DPA at edpb.europa.eu. In the UK, contact the Information Commissioner's Office (ICO).
California residents — CCPA / CPRA
Additional rights for residents of California under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Your California rights
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose, and the categories of third parties with whom we share it
- Right to delete: Request deletion of your personal information, subject to certain exceptions
- Right to correct: Request correction of inaccurate personal information
- Right to opt out of sale or sharing: HUMΛN does not sell or share personal information for cross-context behavioral advertising. No opt-out mechanism is required, but you may contact us to confirm
- Right to limit sensitive personal information: We do not use sensitive personal information (as defined by CPRA) for purposes beyond providing our Services
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights
How to exercise California rights
Submit a verifiable consumer request by:
- Email: privacy@builtwithhuman.com with subject line “California Privacy Request”
- Mail: HAIO Labs, Inc., 828 Canonbury St, Henderson, NV 89011 — Attn: Privacy
We will respond to verifiable requests within 45 days (extendable by 45 days with notice). We may need to verify your identity before fulfilling a request.
You may designate an authorized agent to make a request on your behalf. The agent must provide written authorization signed by you, and we may still verify your identity directly.
Metrics (preceding 12 months)
As a company in early operation, we will publish annual metrics on CCPA requests received, fulfilled, and denied beginning in 2027 in accordance with CPRA requirements.
Contact us
Questions about this policy? We're happy to help.
- Email: privacy@builtwithhuman.com
- Mail: HAIO Labs, Inc., 828 Canonbury St, Henderson, NV 89011