Skip to main content
HEXIUM

Legal

Privacy Policy

What we collect, how we use it, and the rights you have over your data on the HEXIUM AI platform.

Last updated: June 27, 2026

We respect your privacy and are committed to handling personal data transparently. This policy explains how HEXIUM collects, uses, shares, and protects information when you use the platform.

01Information We Collect

We collect information in three ways: information you provide, information collected automatically, and information from third parties (such as OAuth providers and payment processors).

02Account Information

  • Email address, display name, and authentication identifiers.
  • Profile preferences, workspace settings, and team membership.
  • OAuth identifiers when you sign in with Google or another provider.
  • Beta acceptance timestamp confirming you accepted our beta notice.

03Payment Information

Payment information (card details, billing address, and tax data) is collected and processed by Stripe, our PCI-DSS Level 1 payment processor. HEXIUM does not store full card numbers on its own systems. We retain transaction metadata (amount, currency, plan, timestamps, and Stripe customer/subscription IDs) for billing, accounting, and fraud-prevention purposes.

04AI Input and Output Data

To run AI agents we transmit your prompts, files, and configuration ("AI Inputs") to our model providers and store the resulting "AI Outputs" against your account.

  • AI Inputs are processed solely to fulfill your request.
  • We do not sell AI Inputs or Outputs and we do not use them to train third-party foundation models, except where our model providers' terms require opt-out (which we have configured where available).
  • Aggregate, de-identified usage statistics may be used to improve product quality and safety.

05Cookies and Analytics

We use a minimal set of cookies and similar technologies:

  • Strictly necessary — authentication, session, and security.
  • Functional — UI preferences such as theme and layout.
  • Analytics — privacy-respecting usage analytics to understand feature adoption and reliability.

You can clear cookies in your browser at any time; doing so will sign you out.

06How We Use Information

  • To provide, secure, and improve the platform.
  • To run AI agents, integrations, and automations you configure.
  • To process payments, manage subscriptions, and prevent fraud.
  • To send transactional, security, and product update emails.
  • To comply with legal obligations and enforce our Terms.

07Data Sharing

We share information only with:

  • Service providers — Stripe, Supabase, Cloudflare, Lovable, and AI model providers (e.g. OpenAI, Anthropic, Google) acting as data processors under contract.
  • Team members in workspaces you join.
  • Legal authorities when required by law, subpoena, or court order.
  • Acquirers in connection with a merger, acquisition, or asset sale, subject to confidentiality.

We do not sell personal information.

08Data Retention

  • Account data: retained for the life of your account plus up to 90 days after deletion.
  • Billing records: retained for 7 years to comply with tax and accounting requirements.
  • AI Inputs and Outputs: retained while your account is active; you may delete individual items at any time.
  • Backups: encrypted backups are rotated and purged within 35 days.

09Security Practices

  • Transport encryption (TLS 1.2+) for all traffic.
  • Encryption at rest for databases and object storage.
  • Row-level security (RLS) enforces tenant isolation in our database.
  • Webhook signature verification for all incoming payment events.
  • Least-privilege access controls and audit logging for production systems.

10User Rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Object to or restrict certain processing.

To exercise any of these rights, email privacy@hexorium.io.

11GDPR/CCPA Rights

If you are in the European Economic Area, United Kingdom, or Switzerland (GDPR), or California (CCPA/CPRA), you have additional rights including the right to lodge a complaint with your local supervisory authority and the right to opt out of the "sale" or "sharing" of personal information. HEXIUM does not sell or share personal information as defined under the CCPA/CPRA.

Our legal bases for processing under GDPR are contract performance, legitimate interests, consent, and legal obligation, depending on the activity.

12International Transfers

The platform operates on globally distributed infrastructure. When we transfer personal data outside your jurisdiction, we rely on Standard Contractual Clauses or equivalent safeguards approved by the relevant regulators.

13Children's Privacy

The platform is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@hexorium.io and we will delete it.

14Contact Information

Questions about this document? Contact legal@hexorium.io or support@hexorium.io.

TermsPrivacyRefunds