Privacy Policy
Last updated 13-04-2026.
H Company
8 rue Sainte-Cécile, 75009
Paris, Île-de-France, France
Introduction
This Privacy Policy ("Policy") constitutes a comprehensive document that governs the collection, use, disclosure, retention, and protection of personal information by H Company ("H Company," "we," "us," or "our") in connection with the Holotab Chrome extension ("Holotab"), the Inference API (“Inference”) and all associated services, backend infrastructure, and technical operations (collectively referred to as the "Services").
This Policy applies without limitation to all users worldwide who access, install, or otherwise utilize the Services, including Holotab through the Chrome Web Store or any authorized distribution channels. H Company maintains an unwavering commitment to protecting user privacy through responsible data stewardship, implementing industry-leading technical and organizational measures designed to minimize data processing risks while ensuring seamless service delivery.
By installing Holotab or the Inference API, accessing its functionality, submitting task instructions, or otherwise engaging with the Services, you expressly acknowledge that you have carefully read, fully understood, and unconditionally accept the terms and conditions set forth in this Policy. Should you find any provision unacceptable or disagree with our data practices, you are respectfully requested to immediately cease all use of the Services and uninstall them.
For any privacy-related inquiries, rights exercise requests, data subject access demands, or clarification regarding our processing activities, please contact us directly at privacy@hcompany.ai. H Company responds to all legitimate inquiries within statutory timeframes and maintains detailed records of all communications as part of our comprehensive accountability framework.
1. Data Controller Identification and Legal Framework
H Company, duly incorporated and maintaining its registered office at 8 rue Sainte-Cécile, 75009 Paris, Île-de-France, France, acts as the data controller with respect to all personal data processed through the Services. Data Protection Officer: H Company's designated Data Protection Officer can be reached at privacy@hcompany.ai for matters pertaining specifically to GDPR compliance, data protection impact assessments, or cross-border data transfer documentation.
Users physically located within jurisdictions maintaining dedicated data protection supervisory authorities retain the right to lodge formal complaints with their competent local authority. By way of non-exhaustive example, residents of France may contact the Commission Nationale de l'Informatique et des Libertés (CNIL) at www.cnil.fr, while users in other Member States should refer to their respective national supervisory bodies as listed on the European Data Protection Board's official registry.
H Company maintains comprehensive internal records documenting all processing activities pursuant to GDPR Article 30, conducts regular data protection impact assessments for high-risk processing operations, and implements appropriate technical and organizational measures to ensure ongoing compliance with evolving regulatory requirements across all jurisdictions served by the Services.
For the sake of clarity, this Privacy Policy applies to the user’s personal data that H Company processes in its capacity as data controller (within the meaning of applicable regulations, including the GDPR), for the purposes listed below, excluding processing carried out by H Company on personal data included in content uploaded by the User who uses the Service for professional purposes. In the latter case, H Company processes the personal data contained in the content uploaded or processed by the User via the Service in accordance with the addendum on the protection of personal data.
2. Categories of Personal Data Processed and Privacy by Design Principles
H Company implements data minimization practices by processing screenshots only transiently during task execution – immediately deleting them upon completion – while retaining solely user prompts and anonymized processing traces for Services improvement purposes. This architecture ensures transient handling of visual data while preserving essential operational records necessary for service optimization, error resolution, and quality assurance.
2.1 User and account information
H Company processes the User's registration data (email address, credentials, logs, and additionally in case of paid Service: first name, last name, billing information, enterprise) for the purpose of enabling account creation and use of the Service, based on the contract, as well as for billing purposes if applicable.
When the User is using our website, H Company may also process (i) personal data provided by the User who sends a request to H Company via contact form, for the sole purpose of responding to that request, and (ii) browsing data for audience measurement and technically necessary cookies.
2.2 User Instructions (Task Prompts)
In connection with the use of the Services, the sole substantive personal data actively collected by H Company comprises natural language task instructions voluntarily authored and submitted by users through the Services’ interface. These prompts typically consist of concise directives such as "summarize the visible content on this page," "populate the adjacent form fields with the following information," "extract and compile key data points from the current document," or "navigate sequentially through this multi-step workflow."
Such prompts represent the user's explicit instruction to initiate automated task execution and constitute the foundational input for all Services processing activities. No visual representations or environmental data accompany these instructions during processing.
2.3 Processing Traces and Essential Technical Metadata
To ensure operational reliability, H Company systematically generates and temporarily retains limited processing traces comprising exclusively non-identifying operational metadata, including without limitation: precise UTC timestamps marking task initiation and completion; binary success/failure status codes; non-identifying browser user-agent strings; Holotab extension version identifiers; high-level performance metrics (execution latency, resource utilization, geolocation if activated in Chrome browser); and aggregated statistical measures across user cohorts (feature adoption rates, error classifications).
These traces enable critical functions such as real-time system monitoring, root cause analysis of technical failures, capacity planning, and proactive security incident detection without compromising individual user anonymity or enabling re-identification.
2.4 Processing personal data included in Inputs and/or screenshots
To use the Services, the user may apply them to content or inputs that themselves may contain personal data (including images, audio or video files) belonging to third parties. In such cases, the user is responsible for ensuring that they are legally permitted to use the Services on such personal data. This data is not stored by H Company; it is processed only transiently during task execution and deleted immediately upon completion. It is the user’s responsibility to ensure that the content does not contain any sensitive data as defined by applicable regulations, such as health data, or any data related to areas in which the use of the Services is prohibited under the Terms of Use.
3. Lawful Bases for Processing and Legitimate Interests Assessment
Each distinct processing purpose benefits from an independently assessed lawful basis, rigorously documented through H Company's internal Records of Processing Activities (ROPA) and, where required, formal Legitimate Interests Assessments (LIA) conducted pursuant to GDPR Article 6(1)(f):
Contractual Necessity (GDPR Art. 6(1)(b), equivalent provisions): Processing user-submitted task prompts constitutes the indispensable means of (i) creating user accounts and allowing their access and authentication to use the Services, managing accounts, and performing the agreement including invoicing by H Company as the case may be, and (ii) fulfilling H Company's contractual obligation to execute the precise automation services requested by each user upon extension installation and activation.
Legitimate Interests (GDPR Art. 6(1)(f)): Temporary retention and analysis of processing traces serves H Company's well-established legitimate interests in maintaining service availability, ensuring operational continuity, detecting and mitigating security threats, resolving technical incidents, suspending the Services in case of emergency or non-contractual use, and iteratively improving service quality through data-driven optimization – balanced against and demonstrably not overriding individual privacy rights through comprehensive safeguards including data minimization, pseudonymization, and strict access controls.
4. Specific Processing Purposes and Prohibited Activities
H Company's data processing activities remain strictly circumscribed within four exhaustive legitimate purposes, each implemented through purpose-specific technical architectures that preclude commingling or secondary usage:
Primary Task Execution: Real-time interpretation and fulfillment of user-submitted natural language instructions (prompts) through advanced language model inference, representing the core contractual deliverable;
Service Integrity & Quality Assurance: Systematic analysis of processing traces to identify, diagnose, and remediate technical anomalies, optimize inference latency, prevent service degradation, and maintain contractual service level commitments;
Cybersecurity & Threat Intelligence: Continuous monitoring for anomalous patterns indicative of malicious activity, unauthorized access attempts, or potential service abuse, enabling proactive risk mitigation;
Statutory Compliance & Legal Accountability: Documentation and retention necessary to demonstrate compliance with applicable regulatory frameworks (including H Company's accounting and tax obligations and the AI agents’ oversight and monitoring obligations), anti-fraud efforts, evidence of the user’s contractual obligations and actions (and to defend H Company’s interests in the event of a dispute), and respond appropriately to lawful authority requests.
Express Prohibitions: H Company conducts no behavioral advertising, individual profiling, automated decision-making producing legal effects, or any form of data monetization. All processing remains inextricably linked to legitimate service delivery imperatives.
5. Data Retention and Deletion Framework
To use the Services, users must provide certain information such as their email address and name, which are encrypted and protected, and used for authentication, notifications, and account management. No additional profile fields are required beyond what is strictly necessary to operate the account and associated services. Such personal data is retained only for the duration of the user’s use of the Services until the user’s account is deleted, plus (i) in the case of a paid Service, for the duration of H Company’s accounting and tax obligations, (ii) any periods lawfully required by the statute of limitations regarding the proof of obligations, and, in the event of a dispute, for the duration of the dispute.
From a technical standpoint, H Company must process visual information displayed in the user’s browser in order to perform the requested tasks. The extension captures and analyzes visual elements of the active tab (including screenshots or equivalent visual representations) solely for the time strictly necessary to interpret the context and execute the user’s instructions. These visual elements are processed in memory and are deleted immediately after the operation is completed (one hour maximum after capture); they are not retained, logged, or stored in any persistent form.
For non-European Economic Area users, only user prompts and limited, non-visual processing traces are retained for a maximal duration of 30 days for service improvement, debugging, and security purposes, in accordance with the data minimization and storage limitation principles applicable to our Service. For European Economic Area users, such data are not retained for those purposes.
6. Technical and Organizational Security Measures
H Company implements appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with GDPR Article 32 and applicable standards. These measures include:
Technical protections: Transport Layer Security (TLS) encryption for data transmissions between the Services and our servers; access controls limiting data availability to authorized personnel only; regular software updates and patching; and basic monitoring for unusual activity.
Operational safeguards: Internal policies governing data access and usage; password protection for administrative systems; secure development practices during extension updates; and procedures for responding to potential security incidents.
Continuous improvement: H Company regularly reviews and enhances security practices based on industry developments, threat intelligence, and lessons learned from operational experience.
While no system can guarantee absolute security, H Company maintains proportionate protections given the limited scope of data processed (user prompts and anonymized traces only) and implements prompt deletion protocols to minimize exposure.
7. Subprocessors, Third-Party Disclosures, and Accountability Chain
For all users, screenshots are deleted immediately after processing (1h maximum) while user prompts and processing traces are retained for a maximum of thirty (30) days to support service improvement, troubleshooting, and security monitoring. Data transmissions to our U.S.-based infrastructure are protected by end-to-end encryption both in transit (TLS) and at rest. Our cloud service providers maintain standard security commitments through their commercial terms of service, including data protection warranties and confidentiality obligations.
H Company makes no disclosures for marketing, advertising, or commercial partnerships. Data is never sold, licensed, or shared with third parties except as contractually required by our service providers or compelled by lawful authority. In enterprise deployments, customers receive only non-personal, aggregated service metrics.
8. International Data Transfers and Equivalence Guarantees
For all users, data is transmitted to secure infrastructure protected by industry-standard encryption protocols both in transit and at rest. H Company deletes screenshots at the end of the processing session, and in any event no later than one (1) hour after capture, while the remaining data are retained in Europe for a maximum period of thirty (30) days. H Company continues to monitor evolving transfer requirements and stands ready to implement additional measures as regulatory guidance develops.
9. Individual Data Subject Rights
Pursuant to applicable data protection legislation conferring such rights upon data subjects, users of the Services may exercise the following prerogatives through written request directed to privacy@hcompany.ai:
a) Right of access to personal data processed concerning them and, where applicable, related processing details, including transmission of a copy of Data Subject’s personal data;
b) Right to rectification of inaccurate, outdated or incomplete personal data;
c) Right to erasure of personal data under the conditions and limitations established by law;
d) Right to restriction of processing in the circumstances contemplated by regulation;
e) Right to data portability in a structured, commonly used, and machine-readable format, where technically feasible, if the processing is based on your consent or the execution of the agreement and is automated;
f) Right to object to processing based on legitimate interests, subject to the controller's compelling grounds, without affecting the lawfulness of prior processing;
g) Right to withdraw consent where processing relies on such legal basis, without affecting the lawfulness of prior processing.
H Company shall provide a substantive response within one (1) calendar month of receipt of a complete request, extendible by two (2) months for manifestly complex or numerous demands upon prior notification to the data subject. Verification of requester identity may be required to prevent unauthorized disclosures.
If you have any unresolved issues, you may lodge a complaint with the competent supervisory authority, which in France is the National Data Protection Authority (CNIL).
10. Protection of Minors’ Data
The Services constitute professional-grade automation software intended exclusively for users having attained the age of majority or legal adulthood as determined by their jurisdiction of residence. H Company does not knowingly solicit, collect, or process personal data from minors under sixteen (16) years of age.
In the event a parent, legal guardian, or authorized representative becomes aware of inadvertent minor data processing, such party may immediately request comprehensive deletion by contacting privacy@hcompany.ai. H Company shall effectuate permanent erasure within statutory timeframes and furnish confirmation of compliance.
11. Policy Amendment Procedures
Material Modifications: Amendments affecting processing purposes, categories, recipients, or retention necessitate a minimum of thirty (30) days' advance notice delivered through persistent in-extension notifications, email (where contact information is registered), and Chrome Web Store updates. Continued service utilization post-notification constitutes complete and unconditional acceptance.
Administrative Updates: Clarifications, formatting improvements, or contact details are published immediately without individual prior notice.
12. Governing Law and Jurisdiction
This Policy constitutes an integral component of H Company's contractual terms, governed exclusively by French law with all disputes subject to the mandatory, non-exclusive jurisdiction of the Paris Commercial Court (Tribunal de Commerce de Paris), without prejudice to data subjects' rights to pursue remedies through competent supervisory authorities or mandatory consumer forums.
13. Contact
H Company
8 rue Sainte-Cécile, 75009
Paris, Île-de-France, France
privacy@hcompany.ai