humanovo
Vol. I · No. 01 · Privacy

Your work,
kept private.

What we collect, what we don’t, and what you can ask us to delete. Effective 7 May 2026.

Our four commitments

The bulk of this policy is the legal detail required by GDPR, CCPA, and the relationships our institutional customers have with their own auditors. The four commitments below are the load-bearing ones; everything else is how we operationalise them.

  1. We do not train on your data.

    Your hypotheses, notebooks, uploads, and queries are never used to train any model — neither ours, nor any third-party model we route inference through. This is contractually enforced with every LLM vendor we use; the contracts are reviewable on request under NDA.

  2. We do not share your data with third parties.

    Other than the inference vendors named below — used in a zero-retention mode — your data does not leave our infrastructure. We do not sell data, ever, under any circumstance. We do not place advertising. We do not have data partners.

  3. You can delete everything in 24 hours.

    One-click delete in your account settings removes your workspace, hypotheses, audit logs, and uploaded files within 24h, with cryptographic erasure of backup encryption keys within 30d. We will email confirmation when deletion completes.

  4. We tell you when something happens.

    Material policy changes are emailed to every active account at least 30 days before they take effect. Security incidents that could affect your data are disclosed within 72h of discovery, by direct email, with a public post-mortem to follow.

What we collect

Account data
Email, name, organisation, role. Provided by you when you sign up. Used to authenticate, bill, and contact you. Retained while your account is active.
Workspace content
The corpus you upload, the hypotheses you generate, the audit logs they produce. Encrypted at rest with AES-256-GCM, in transit with TLS 1.3. Held in our primary database (Postgres) and object storage (S3 with object-lock for audit logs).
Usage telemetry
Which pages you visit, which buttons you click, which pipelines you run, how long they take. Used to operate and improve the service. We do not enrich this with third-party identity data. We do not run third-party analytics scripts (no Google Analytics, no Mixpanel-style fingerprinting).
Inference traces
The intermediate prompts, model responses, and tool calls each pipeline stage produces. Retained for 30 days for debugging and audit-replay; after 30 days, deleted unless you have flagged a specific hypothesis for retention.
Billing data
Last four digits of card, billing address, invoices. Card numbers are tokenised by Stripe; we never see them. Retained per tax-law requirements (typically 7 years).

What we don’t collect

Cross-site tracking
We do not place tracking cookies, fingerprint your browser, or load third-party tags that do.
Sensitive personal data without consent
Race, religion, sexual orientation, biometrics — never collected on the consumer site. Institutional customers handling PHI/PII do so under a BAA with explicit consent flows configured per-deployment.
Children’s data
humanovo is not directed at children under 16. We do not knowingly collect data from anyone under 16; if we discover such data, we delete it.

Inference vendors

Adversarial pipelines run on a small set of frontier-model providers. Each is contractually held to zero-retention, no-training-on-customer-data terms. The current roster:

Anthropic
Default provider for the generation, mechanism-extraction, and revision stages. Contracted under the Anthropic Zero-Retention Addendum. No customer data used for training.
OpenAI (Azure)
Used for the contradiction-search and counter-argument stages. Contracted via Azure’s zero-retention API. Data is not retained beyond the inference call and is not used for training.
Self-hosted open weights
Llama-family and Mistral-family models we host ourselves on dedicated GPU infrastructure for the embedding and re-ranking stages. No data leaves our network.

We will email every active account 30 days before adding, removing, or changing the role of any inference vendor.

Security

Encryption at rest
AES-256-GCM. Database and object storage. Per-tenant data-encryption keys on the Institution tier.
Encryption in transit
TLS 1.3 only. HSTS preloaded. Certificate transparency monitored.
Access control
Principle-of-least-privilege internally. SSO + hardware-key 2FA mandatory for all employees. All production access logged and reviewed weekly.
Backups
Encrypted, immutable, in a separate cloud account, in a separate region. Restore tested monthly.
Penetration testing
Annual third-party penetration test. Most recent: scheduled Q3 2026. Reports available to Institution-tier customers under NDA.
SOC 2 / ISO 27001
SOC 2 Type II audit in progress, ETA Q4 2026. ISO 27001 on the 2027 roadmap.
HIPAA
BAAs available for Institution-tier customers handling PHI. Technical safeguards (encryption, access logs, breach notification) are in place site-wide; the BAA is the contractual layer that obligates us to them in writing.
GDPR / UK GDPR
We are the data controller for site-account data and the data processor for workspace content uploaded by EU/UK customers. SCCs in place with all sub-processors. Data subject access requests fulfilled within 30 days.

Your rights

Under GDPR, UK GDPR, CCPA, and equivalent regimes, you have the rights below. We honour them globally, regardless of jurisdiction, because doing so is the right policy and the engineering cost of regional carve-outs exceeds the value.

Access
Export everything we hold about you, in a portable format (JSON + the underlying files). Available in account settings; arrives by email within 24h.
Correction
Edit account data inline. Workspace content is yours to correct directly; we do not edit it.
Deletion
One-click in account settings. Completes within 24h; backup keys destroyed within 30d.
Portability
The export above is in a documented schema designed to be re-imported into any system you choose. We will not lock you in.
Objection
You can object to any specific use of your data; email privacy@humanovo.net and we’ll respond within 30 days.
Withdrawal of consent
If we relied on consent for any processing, you can withdraw it at any time without penalty.

Where data lives

Primary infrastructure is in us-east-1 (Virginia). EU customer data, by request, can be pinned to eu-west-1 (Ireland) on the Institution tier, with no transatlantic transfers other than for support engineering when expressly authorised by the customer.

Cookies

We use a small set of strictly-necessary cookies (session authentication, CSRF token, theme preference). We do not use advertising or analytics cookies. There is therefore no cookie consent banner — none of our cookies require consent under ePrivacy or GDPR.

Contact

Privacy questions: privacy@humanovo.net. We reply within five business days.

EU representative (Article 27 GDPR): named in the imprint once a customer in the EU formally requires it; not yet appointed because we have no qualifying EU-resident data subjects under the threshold. We will appoint and publish before crossing it.

Data Protection Officer: dpo@humanovo.net.

Changelog

7 May 2026
Initial version.