HANK.ai Privacy Policy
Last updated: June 9, 2026 · Effective: June 9, 2026 · Version 2026-06-09
⚠️ BETA — ACTIVE DEVELOPMENT. The Service is pre-release, beta-stage software under active development; the features described here and our data practices may change as it evolves. Material changes will be published here with a new version. Your use of the Service is governed by the Terms of Service, including its "as is," no-warranty, and use-at-your-own-risk provisions.
In short (this summary is not part of the policy and does not modify it; if it conflicts with the text below, the text controls): We collect your sign-in identity (via SSO), and we log how you use the Service to authenticate you, meter and bill usage, and protect against abuse. We do not sell or share your personal information for advertising. We do not want PHI or patient data — don't send it. We keep data only as long as we need it, host it in the United States, and honor your privacy rights.
This Privacy Policy is issued by Hank.ai, Inc., a Delaware corporation ("Hank," "we," "us," or "our"), which is the controller responsible for the personal information described here. It explains how we collect, use, disclose, and protect information in connection with your use of the Hank.ai websites, applications, APIs, MCP endpoints, and related services (the "Service"). It is incorporated by reference into our Terms of Service, and capitalized terms not defined here have the meanings given in the Terms. By using the Service, you agree to this Privacy Policy.
1. Information We Collect
Account and identity information. When you sign in, we use single sign-on ("SSO") through your identity provider (for example, Google) using the standard openid email profile scope. We receive and store your email address, your name, a stable identifier (the identity provider's subject) for your Account, and — where your provider supplies them — basic profile attributes such as your profile-image URL and locale. For organization-managed accounts we may also receive your provider's hosted-domain. We never receive or store your identity-provider password.
Usage and metering information. To operate, secure, meter, and bill the Service, we record information about each interaction, including: the service and operation invoked; timestamps; request paths (with sensitive tokens and URL credentials redacted before storage); HTTP status; processing time and the request/response size of the call; the volume, unit count, and Credits associated with the call; how the interaction reached us (direct API, web interface, or our edge gateway); the API Key or session used (stored only as a non-reversible cryptographic fingerprint — we do not store the key or session token itself); your IP address; and your browser or client user agent.
Security and administrative logs. To protect the Service and maintain an integrity trail, we keep: (a) administrative audit records of changes made to accounts and configuration, which include the actor, IP address, user-agent, the action taken, and a before/after snapshot of the affected record; and (b) security-event logs of failed or blocked authentication and suspected-abuse attempts, which include the IP address, request method and path, and a non-reversible token fingerprint. We do not store raw credentials in these logs.
Communications. If you contact us for support, we retain your messages and contact details to respond.
No Protected Health Information. The Service is not intended or authorized for PHI or patient-identifiable data, and you agree not to submit it (see Section 6 of the Terms). We do not knowingly collect PHI through the Service.
2. How We Use Information
We use the information we collect to: provide, maintain, and improve the Service; authenticate you and manage your Account, Entitlements, and Credits; meter usage and calculate and process billing; detect, investigate, and prevent abuse, fraud, scraping, automated misuse of the user interface, security incidents, and violations of our Terms, and to enforce our rights (including suspending or terminating access); respond to your requests and provide support; and comply with legal obligations.
3. Legal Bases for Processing (EEA / UK)
If you are in the European Economic Area ("EEA") or the United Kingdom, we process your personal information on the following legal bases: (a) performance of a contract — to authenticate you, provide the Service, manage your Account and Entitlements, meter usage, and calculate and process billing; (b) our legitimate interests — to secure the Service; to detect, investigate, and prevent abuse, fraud, scraping, and automated misuse; to maintain administrative audit and security logs; and to improve the Service, in each case balanced against your rights; (c) compliance with a legal obligation — to meet tax, accounting, and other legal requirements and to respond to lawful requests; and (d) your consent — where we ask for it, which you may withdraw at any time. Where we rely on legitimate interests, you may object to that processing as described in Section 9.
4. How We Share Information
We do not sell or share your personal information, and we do not engage in "sharing" for cross-context behavioral advertising, in each case as those terms are defined under the California Consumer Privacy Act as amended by the CPRA. We have not sold or shared personal information in the preceding 12 months. We share information only as follows:
- Service providers and subprocessors who process information on our behalf under written contracts that limit them to providing services to us. These currently include our cloud hosting and infrastructure provider, our SSO/identity provider, our payment processor, and our content-delivery and security providers. A current list of subprocessors is available at hank.ai/subprocessors, and we will provide reasonable advance notice (for example, by updating that page or by emailing account administrators) before adding a new subprocessor that processes personal information, and business customers may object on reasonable data-protection grounds.
- Legal and safety — where we believe in good faith that disclosure is required by law or legal process, or is necessary to protect the rights, property, or safety of Hank, our users, or others.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Privacy Policy.
5. Use of Information for AI and Model Improvement
We may use usage and metering information, and De-Identified or Aggregated Data derived from your interactions, to operate, secure, and improve the Service, including its search, ranking, and machine-learning features. We do not use the content of your individual queries to train machine-learning models that are made available to other customers except in De-Identified or Aggregated form, and we do not sell your data or use it for third-party advertising. Where we offer features powered by third-party AI providers, those providers act as our subprocessors under confidentiality and are listed on our subprocessor page.
6. Cookies and Sessions
We use a secure, HTTP-only session cookie (for example, __Secure-hank_session) to keep you signed in to the web interface and to associate your web activity with your Account for authentication and metering. We do not use the Service to serve third-party advertising or to track you across unrelated websites, and we do not use non-essential or advertising cookies.
7. Data Security and Breach Notification
We use administrative, technical, and organizational measures designed to protect information against unauthorized access, disclosure, alteration, and destruction, including encryption in transit, access controls, and a private internal network between Service components. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If we become aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to your personal information, we will notify affected users and, where required, the relevant supervisory authority or regulator without undue delay and consistent with applicable law (including, for EEA/UK personal data, the GDPR/UK GDPR 72-hour authority-notification standard where the breach is likely to result in a risk to individuals). Our notice will describe, to the extent known, the nature of the incident, the categories of data involved, and the steps we are taking in response.
8. Data Retention
We retain personal information only as long as needed for the purposes described in this policy:
- Account and identity information — for the life of your Account and up to 90 days after Account deletion, except where a longer period is required by law.
- Usage and metering records — for up to 24 months to support billing, dispute resolution, and capacity planning, after which they are deleted or de-identified.
- Administrative audit records — for up to 24 months as an integrity and compliance trail.
- Security-event logs — for up to 12 months for abuse and fraud investigation.
We may retain information longer where required to meet a legal, tax, accounting, or regulatory obligation, to resolve an active dispute, or to enforce our agreements, and we may keep aggregated or de-identified information, which no longer identifies you, indefinitely.
9. Your Rights and Choices
Depending on your location, you may have rights to access, correct, delete, or port your personal information, or to object to or restrict certain processing. To exercise any of these rights, email [email protected] or contact us at the address in Section 16. We will verify your request using the account information we hold (for example, control of the email address on the Account) before acting, and you may use an authorized agent acting on your behalf with proof of authorization. We will respond within the time required by applicable law — generally within 45 days under the CCPA (extendable by a further 45 days with notice) and within one month under the GDPR/UK GDPR (extendable by two further months for complex requests). We will not discriminate or retaliate against you for exercising these rights, and we do not offer financial incentives in exchange for your personal information. If we decline a request, we will explain why, and you may appeal by replying to our decision. You also have the right to lodge a complaint with your local data-protection supervisory authority (EEA/UK) or with the California Privacy Protection Agency or California Attorney General.
10. California Privacy Notice (CCPA / CPRA)
This section supplements the policy for California residents. In the past 12 months we have collected the following statutory categories of personal information:
| Category | Examples | Sources | Business purpose | Recipients |
|---|---|---|---|---|
| Identifiers | Name, email, IdP subject identifier, IP address, token fingerprint | You; your identity provider; automatically | Authentication, account management, security | Service providers |
| Internet/network activity | Service and operation invoked, request paths, status, timing, volume, user agent, security/audit logs | Automatically as you use the Service | Metering, security, abuse prevention | Service providers |
| Commercial information | Plan, Credits, billing-related records | You; automatically | Billing and account management | Service providers, payment processor |
We do not collect sensitive personal information for the purpose of inferring characteristics, we do not knowingly collect the personal information of minors, we do not sell or share personal information, and we do not use or disclose sensitive personal information beyond the purposes permitted by the CPRA (so the right to limit its use does not apply, and we do not offer a "Do Not Sell or Share" opt-out because we do neither). California residents have the rights to know, access, correct, and delete, and to be free from discrimination for exercising these rights. Exercise them as described in Section 9; we will verify and respond within the CCPA timelines.
11. Automated Decision-Making and Profiling
We use automated processes to meter usage, enforce rate and credit limits, and detect abuse, fraud, and automated misuse, which can result in throttling, a credit block, or suspension of access. We do not use these processes to make decisions that produce legal or similarly significant effects about you without a means for human review: if your access is suspended or terminated by an automated control and you believe it was in error, you may contact us at [email protected] for human review. We do not engage in profiling for marketing or advertising purposes.
12. Data Processing Addendum for Business Customers
If you use the Service on behalf of an organization and, in doing so, route personal information of your own end users or staff through the Service, you act as the controller (or business) for that information and Hank acts as your processor (or service provider) with respect to it, limited to providing the Service to you. On request, and as a condition of any such processing, we will make available our standard Data Processing Addendum, which incorporates the Standard Contractual Clauses where applicable and sets out our processing instructions, security commitments, subprocessor terms, and assistance with data-subject requests and breach notification. Nothing in this policy authorizes you to submit PHI or other patient-identifiable data, which remains prohibited under Section 6 of the Terms of Service unless and until a separate Business Associate Agreement is executed.
13. International Data Transfers
The Service is operated from, and information is processed in, the United States. Where we transfer personal information of individuals in the EEA, the United Kingdom, or Switzerland to the United States or other countries that have not received an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and, for the United Kingdom, the UK International Data Transfer Addendum (or the IDTA). You may request a copy of the relevant transfer mechanism by contacting [email protected]. By accessing the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those of your jurisdiction.
14. Children's Privacy
The Service is a professional tool intended only for use by individuals 18 years of age or older acting in a business or professional capacity. It is not directed to children, and we do not knowingly collect personal information from anyone under 18, and in particular not from any child under 13 within the meaning of the U.S. Children's Online Privacy Protection Act. If we learn we have collected such information, or if you believe a child has provided us information, contact us at [email protected] and we will delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make a material change, we will publish the updated policy with a new version identifier and effective date and, where required, ask you to review and accept it before continuing to use the Service.
16. Contact
This Privacy Policy is issued by Hank.ai, Inc., a Delaware corporation, the controller responsible for the personal information described here. For any privacy question or to exercise your rights, contact our privacy team at [email protected] or by mail at the postal address published on the Hank website. If you are in the EEA or the UK and we are required to appoint a representative or data protection officer, their contact details will be published here.
Revision History
| Version | Effective date | Summary of changes |
|---|---|---|
| 2026-06-09 | June 9, 2026 | Initial publication. |
Prior versions are available on request at [email protected]. Material changes will be published here with a new version identifier and, where required, will ask you to review and accept the updated document before continued use.