Privacy Policy

Last Updated: March 14, 2026

This Privacy Policy describes how H33.ai, Inc., doing business as Cachee ("Company," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with the Cachee platform and related services (the "Service"). This Privacy Policy applies to information we collect from customers, their authorized users, website visitors, and other individuals who interact with us or the Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service. This Privacy Policy is incorporated into and forms part of our Terms of Service.

We collect and retain only the personal information necessary to provide the Service and fulfill our legal obligations (data minimization). We do not sell your personal information.

1. U.S.-Only Availability and Cross-Border Transfers

The Service is currently available only within the United States. All data collected through the Service is stored and processed in the United States. We do not knowingly collect or process information from individuals located outside the United States. If you are located outside the United States, please do not access or use the Service.

Some of our service providers (such as Stripe for payment processing) operate globally. To the extent personal information is transferred internationally by a subprocessor, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms as required by applicable law.

2. Scope and Roles

When our customers ("Customers") use the Service to process information about their own end users, the Customer acts as the data controller (or equivalent role under applicable law), and we act as a data processor (or service provider). In such cases, our processing of end-user data is governed by our Data Processing Agreement (DPA), and end users should refer to the Customer's privacy policy.

When we collect information directly from website visitors, prospective customers, or individuals who contact us, we act as the data controller. This Privacy Policy describes our practices in that capacity.

3. Information We Collect

A. Account and Registration Information

When you create an account or register for the Service, we collect information such as your name, email address, company name, phone number, and billing address. We also collect your subscription plan tier, API key identifiers, namespace identifiers, and CDN configuration slug.

B. Authentication and Verification Information

When you create an account or log in, we use the following authentication methods:

Email verification links (magic links) sent via Amazon Simple Email Service (SES);
One-time passwords (OTP) via SMS, sent via Twilio or Amazon Simple Notification Service (SNS) as a fallback;
Identity verification orchestrated by Auth1 (z101.ai), our authentication service provider.

These services receive your email address and phone number solely for the purpose of authentication. OTP codes are ephemeral and automatically expire within 10 minutes.

C. Infrastructure Configuration Data

When you configure integrations, we collect your deployment preferences including cache backend type, endpoint URL, deployment region, and optionally VPC ID, security group, IAM role ARN, TLS settings, and sidecar configuration. This data is stored encrypted in your account settings.

D. Customer Data

Customers and their authorized users may upload, submit, or transmit data through the Service, including biometric templates, encrypted identity payloads, and related metadata ("Customer Data"). We process Customer Data solely to provide the Service in accordance with our agreement with the Customer. Customers are the data controllers for Customer Data.

E. Usage and Log Data

We automatically collect information about how you access and use the Service, including:

IP address, browser type and version, operating system, and device identifiers;
Pages viewed, features used, actions taken, and time spent on the Service;
API call logs, request and response metadata, error logs, and performance metrics;
Authentication events (login attempts, session creation, OTP verification);
Date and time of access, session duration, and frequency of use.

We do not currently use third-party analytics platforms such as Google Analytics or Mixpanel. Usage data is analyzed internally.

F. Payment Data

Payment card information is processed exclusively by Stripe using Stripe.js client-side encryption. Cachee infrastructure never receives, stores, or has access to credit card numbers, expiration dates, or CVC codes. We receive only your email address and billing address from Stripe for invoicing purposes. Stripe retains payment data in accordance with its own privacy policy and PCI-DSS standards.

G. Cookies and Tracking Technologies

We use the following cookies and storage mechanisms:

cachee_at and cachee_rt: httpOnly session cookies containing encrypted authentication tokens. These are inaccessible to JavaScript for security.
cachee_cookie_consent: A localStorage flag that remembers your cookie consent preferences.

Our support chat widget (Chat101) is loaded only after you grant analytics cookie consent via our cookie banner. For more information, see our Cookie Notice.

H. Communications

When you contact us via email, support chat, or other channels, we collect the content of your communications, including any attachments, along with your name, email address, and any other information you choose to provide.

4. Legal Basis for Processing

We process your personal information on the following legal bases:

Legal Basis	Data Categories	Purpose
Contract Performance (GDPR Art. 6(1)(b))	Account information, authentication data, infrastructure config, payment data	Necessary to create your account, authenticate you, provision infrastructure, and process payments
Legitimate Interest (GDPR Art. 6(1)(f))	Usage logs, authentication events, security data, performance metrics	Improve service quality, prevent fraud, maintain security, diagnose issues
Legal Obligation (GDPR Art. 6(1)(c))	Billing records, audit logs, tax information	Comply with tax, accounting, and regulatory requirements
Consent (GDPR Art. 6(1)(a))	Analytics cookies (Chat101 widget), promotional communications	Load support chat widget, send marketing emails. You may withdraw consent at any time.

5. How We Use Information

We use the information we collect for the following purposes:

Providing the Service: To operate, maintain, and deliver the features and functionality of the Service, including processing authentication requests, verifying identities, and provisioning cache infrastructure.
Account Management: To create and manage your account, process payments, and communicate with you about your account and subscription.
Improving the Service: To analyze usage patterns, diagnose technical issues, develop new features, and improve the performance, security, and reliability of the Service.
Security and Fraud Prevention: To detect, investigate, and prevent security incidents, fraud, abuse, and violations of our Terms of Service and Acceptable Use Policy.
Communications: To send you transactional communications (such as magic link emails, OTP codes, billing notifications, and security alerts), and, with your consent, promotional communications.
Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
Aggregated Analytics: To generate aggregated, de-identified data for benchmarking, reporting, and analytical purposes that do not identify any individual or Customer.

6. Automated and AI-Assisted Features

The Service uses automated processing, including machine learning and artificial intelligence, to perform identity verification, biometric matching, and authentication. These automated processes compare submitted biometric data against enrolled templates to produce match/no-match results.

When Customer implementations use automated decisions that have legal or similarly significant effects on individuals, Customers are responsible for implementing appropriate human review and override mechanisms as required by applicable law (e.g., GDPR Article 22). Cachee provides the technical infrastructure; Customers control the decision-making context.

7. How We Disclose Information

We do not sell your personal information. We may disclose information in the following circumstances:

A. Service Providers and Subprocessors

We share information with the following third-party service providers and subprocessors who assist us in operating the Service:

Amazon Web Services (AWS): Database (RDS PostgreSQL), caching (ElastiCache), storage (S3), and content delivery (CloudFront) — US-East-1
Netlify: Website hosting and serverless functions — US
Auth1 (z101.ai): Identity verification and authentication flow orchestration — US-East-1
Twilio: SMS-based one-time password delivery — US
Amazon SES: Transactional email delivery (magic links, notifications) — US-East-1
Amazon SNS: Fallback SMS delivery — US-East-1
Stripe: Payment processing (card data handled by Stripe directly, never touches Cachee) — US
Chat101 (z101.ai): Customer support chat widget (loaded only after cookie consent) — US-East-1

Each subprocessor is contractually required to maintain data security and use information only for services we request. For the full list with data flow details, see our Subprocessors page. We notify customers at least 30 days in advance of any subprocessor changes.

B. Legal Requirements

We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service, Acceptable Use Policy, or other agreements; (c) protect the rights, property, or safety of Company, our customers, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.

C. Business Transfers

If Company is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your information.

D. With Consent

We may disclose information with your consent or at your direction.

8. Data Retention

We retain information for as long as reasonably necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Specific retention periods:

Data Category	Retention Period	Disposal Method
Account information	Duration of account + 30 days after deletion request	Permanent deletion from database
Customer Data	Per customer agreement; deleted or returned on termination	Secure deletion per DPA
Authentication events	12 months (security audit trail)	Automated purge
Active sessions / API tokens	Destroyed on logout or expiration	Immediate deletion
One-time passwords (OTP)	10 minutes (verification window only)	Automatic expiration + purge
API keys and credentials	Until revoked by you or account deletion	Permanent deletion
Usage and log data	Up to 24 months	Aggregation or deletion
Billing records	7 years (tax/legal requirement)	Secure deletion after period
Communications	Duration needed to address inquiry + 12 months	Deletion
Cookie consent records	Duration of consent + 3 years (audit trail)	Deletion

When information is no longer needed, we securely delete or de-identify it. Automated retention enforcement runs periodically to purge expired data.

9. Security

We implement and maintain administrative, technical, and physical security measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

Fully homomorphic encryption (FHE) to enable processing of encrypted data without decryption;
Post-quantum cryptographic (PQC) algorithms to protect against both current and future computational threats;
Zero-knowledge proofs (ZKP) to enable verification without revealing underlying data;
Encryption of data in transit (TLS 1.3) and at rest (AES-256);
httpOnly cookies for authentication tokens (inaccessible to JavaScript);
Access controls and multi-factor authentication;
Regular security assessments and monitoring;
Employee training on data protection and security practices.

While we strive to protect your information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information.

Breach Notification: In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, describing the nature of the breach, likely consequences, and measures taken to address it (GDPR Article 34). We will also notify the relevant supervisory authority within 72 hours where required (GDPR Article 33).

10. Your Rights

Depending on your location and applicable law, you have the following rights regarding your personal information:

Access (Art. 15): The right to request access to the personal information we hold about you. You can export your data at any time from Settings > Account & Privacy > Export My Data in the dashboard.
Correction / Rectification (Art. 16): The right to request correction of inaccurate or incomplete personal information. You can update your profile from Settings > Profile Information.
Deletion / Erasure (Art. 17): The right to request deletion of your personal information, subject to legal retention requirements. You can delete your account from Settings > Account & Privacy > Delete My Account.
Portability (Art. 20): The right to receive your personal information in a structured, commonly used, machine-readable JSON format.
Restrict Processing (Art. 18): The right to request that we restrict processing of your personal information in certain circumstances (e.g., while we verify accuracy of contested data).
Object (Art. 21): The right to object to our processing of your personal information on legitimate interest grounds. We will cease processing unless we demonstrate compelling legitimate grounds.
Withdraw Consent: Where processing is based on your consent (e.g., analytics cookies, promotional emails), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. You can withdraw cookie consent by clearing your browser data; email consent via the "unsubscribe" link.
Complain to a Supervisory Authority (Art. 77): You have the right to lodge a complaint with your local data protection authority regarding our handling of your personal information.
Opt-Out of Sale: We do not sell personal information. If this changes, we will provide an opt-out mechanism.

To exercise any of these rights, use the self-service tools in your dashboard or contact us at privacy@h33.ai. We will respond within 30 days (or as required by applicable law). We may ask you to verify your identity before processing your request.

When we rectify, erase, or restrict processing of your personal data, we will notify each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort (GDPR Article 19). We will inform you about those recipients if you request it.

If we process your personal information on behalf of a Customer (as a data processor), please direct your request to the applicable Customer.

11. Children's Privacy

The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@h33.ai.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this Privacy Policy and, where required by law, by providing additional notice (such as an email notification or an in-Service announcement). We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer / Privacy inquiries: privacy@h33.ai
General support: support@h33.ai
Legal inquiries: legal@h33.ai
Mailing address: H33.ai, Inc., Attn: Privacy Team