Home AI Agents Workflows Use Cases Pricing Compare Blog About Process Contact Docs Status Get your Operator →
Legal

Privacy Policy.

How we handle data when you build automations with Hapex.

Effective May 9, 2026 ยท Updated June 15, 2026

Hapex AI (“Hapex,” “we,” “us”) builds and runs custom AI automations on behalf of small businesses. To do that, we necessarily handle data: account details, third-party credentials you authorize us to use, the inputs your automations consume, and the outputs they produce. This Policy explains exactly what we collect, why, who else touches it, how long we keep it, and what rights you have over it. If anything below is unclear, email support@hapex.ai and we will rewrite it.

Contents
  1. Who We Are
  2. Scope and Application
  3. Information We Collect
  4. How We Use Information
  5. Research Use of Customer Data
  6. We Do Not Sell Personal Information
  7. Sub-processors and Sharing
  8. Legal Bases for Processing (GDPR / UK GDPR)
  9. Your Rights
  10. Global Privacy Control and Do Not Track
  11. Data Security
  12. Data Retention
  13. International Data Transfers
  14. Children
  15. Changes to This Policy
  16. Persistent connections
  17. Google API Services and Limited Use
  18. How to Contact Us

1. Who We Are

Hapex AI is a sole-proprietor business based in the United States. The operator and data controller of record is Shameel Khairi. The contact address for privacy and security correspondence is support@hapex.ai.

2. Scope and Application

This Policy applies to hapex.ai, the build flow at build.hapex.ai, the agent service that runs automations on your behalf, and any successor properties operated by Hapex. It covers prospects, customers who activate automations, and end users whose data flows through an authorized automation (for example, your inbox if you connected Gmail).

This Policy does not cover third-party services you connect to (Google Workspace, Slack, Notion, GitHub, Microsoft 365, Stripe, ntfy.sh, Resend, Anthropic, InsForge, or others). Those providers each have their own privacy practices.

3. Information We Collect

Account information.

Name, email, and any business context you provide. For paid tiers, a Stripe customer identifier and the last four digits of the payment method. Hapex never receives or stores full payment card numbers; Stripe does.

Automation specifications.

The natural-language description of the automation you asked for, the structured plan our planner produced, the slug, the schedule, and which capabilities the automation uses.

Authorized credentials.

Refresh tokens and any required keys, encrypted with AES-256-GCM in our managed backend. Plaintext credentials touch agent-service memory only at the moment a step runs and are never logged. You can revoke this authorization at any time from Hapex and from the third-party provider's account settings.

Automation inputs and outputs.

When an automation runs, the runtime fetches inputs from the services you have authorized and produces outputs delivered through the channel its plan specifies. Hapex processes this content transiently to execute the automation, and we retain a bounded test-run record so you can debug failures and so we can demonstrate that a self-test passed before billing.

Telemetry and operational logs.

Minimal operational logs necessary to keep the service running. We do not log full plaintext credentials, full email bodies, or full automation outputs.

Cookies and similar technologies.

Only first-party cookies strictly necessary to keep your build session coherent. No third-party analytics, advertising pixels, fingerprinting libraries, session-replay tools, or behavioral tracking.

4. How We Use Information

  • Operate the service. Build, test, schedule, and run the automations you have authorized.
  • Bill you accurately. Apply your selected service tier through Stripe.
  • Keep the service safe. Detect and prevent abuse, fraud, prompt-injection attacks, and quota gaming.
  • Respond to you. Support, onboarding, security notices.
  • Improve Hapex through internal research. See Section 5; this is a defined use with explicit limits.
  • Comply with law. Lawful requests, defending legal claims, enforcing our Terms.

5. Research Use of Customer Data

By using Hapex, you grant Hapex a worldwide, royalty-free license to use the data you submit and the data your automations process for internal product research and development. “Research and development” here means the following, and only the following:

  • Improving the planner's ability to translate plain-English requests into correct automation plans.
  • Evaluating and tuning the runtime that executes capabilities.
  • Measuring the cost, quality, and reliability of large language models we route through.
  • Diagnosing failures, fixing bugs, reproducing incidents.
  • Training, fine-tuning, or evaluating proprietary models that are operated by Hapex and not exposed to third parties as standalone products.

What we will not do under this clause. We will not sell, license, or otherwise make available your raw data, automation outputs, or derivative datasets to third parties. We will not use your data to train models owned by third parties; sub-processors that process your data on our behalf operate under their own contractual terms which prohibit use of inputs and outputs to train their general-purpose models, and we will not opt back in to such training. We will not publish customer-identifying examples in marketing material, demos, or papers without obtaining your prior written consent.

Pseudonymization and aggregation. Whenever feasible, we strip direct identifiers before data enters a research pipeline, and we aggregate at a level that does not permit re-identification.

Your control. You may opt out of research use at any time by emailing support@hapex.ai with the subject line “Opt out of research use.” Opting out does not affect the operation, billing, or support of your automations. Opt-out requests will be honored within fifteen business days.

6. We Do Not Sell Personal Information

Hapex does not, and will not, sell your personal information. This commitment goes beyond what California law requires of us. We extend it to every customer regardless of where they live and to every category of information described in Section 3.

We do not engage in the following practices, ever, under any commercial pressure or acquisition scenario without first obtaining new explicit consent: (a) sale of personal information for monetary or other valuable consideration, (b) sharing of personal information for cross-context behavioral advertising, (c) renting, swapping, or trading customer lists with third-party marketers, (d) supplying customer data to data brokers, (e) using customer data to train third-party AI providers' foundation models, or (f) using identifiable customer content in marketing without prior written consent.

If Hapex is acquired or merged, your data will only transfer subject to a continuation of this Policy or a privacy notice that is materially equivalent in substance, with at least thirty days' notice and an opportunity to delete your account before the transfer takes effect.

7. Sub-processors and Sharing

We rely on a small number of vetted infrastructure providers. Each is a sub-processor under GDPR. Hapex remains the controller; sub-processors process data only on our documented instructions.

  • InsForge (managed Postgres, edge functions, file storage, authentication).
  • Anthropic (Claude language models). API terms prohibit training Anthropic's general-purpose models on our inputs and outputs; we have not opted in.
  • Google LLC (Gmail, Calendar, Drive, and other Workspace APIs you authorize).
  • ntfy.sh (push notification delivery).
  • Resend (transactional email delivery).
  • Stripe (payment processing).
  • Railway, Vercel, Netlify (compute and edge hosting).

A current sub-processor list is available on request. We will give existing customers at least fifteen days' notice before adding a sub-processor that processes personal information.

  • Performance of a contract. Article 6(1)(b).
  • Legitimate interests. Article 6(1)(f). You may opt out at any time.
  • Consent. Article 6(1)(a). You may withdraw at any time.
  • Legal obligation. Article 6(1)(c). Tax, accounting, lawful-request compliance.

9. Your Rights

Depending on your jurisdiction you may have any or all of the following rights. We honor each globally because doing so is simpler than tracking residency.

  • Access, rectification, erasure, restriction, portability, objection, withdrawal of consent.
  • California (CCPA / CPRA): right to know, correct, delete, limit use of sensitive personal information, and opt out of sale or sharing for cross-context behavioral advertising. Hapex does not engage in such sale or sharing, so the opt-out is satisfied by default.
  • Right to lodge a complaint with your local data-protection authority.

Email support@hapex.ai to exercise any right. We respond within thirty days, extendable once for complex requests with notice.

10. Global Privacy Control and Do Not Track

When your browser sends a Global Privacy Control signal or a Do Not Track header, we treat it as a binding opt-out from any form of cross-context behavioral advertising and from any sharing with third parties for marketing purposes. Because we do not engage in those practices, the practical effect is that your browser's signal will not change anything we do, but we record receipt of the signal in our compliance log on each request.

11. Data Security

  • Encryption in transit: TLS 1.2 or higher.
  • Encryption at rest: AES-256-GCM application-layer for credentials; disk-level at sub-processor.
  • Least-privilege OAuth scopes.
  • Self-test gate before activation, before any external message, and before any Stripe charge.
  • Bounded retention. See Section 12.
  • Incident response: notification within seventy-two hours of confirmation, in line with GDPR Article 33.

Researchers reporting vulnerabilities should email support@hapex.ai with subject “Security report.”

12. Data Retention

  • Account information: while active, plus thirty days after deletion for recovery.
  • Automation plans and slugs: while the automation is active. Deactivated automations are soft-deleted for thirty days then purged.
  • Encrypted credentials: while the associated automation is active; revoked or deleted automations cause immediate purge.
  • Test-run records: ninety days, then aggregated counters and the row is purged.
  • Operational logs: up to thirty days for application logs; up to one year for security logs.
  • Billing records: seven years (United States tax retention).

13. International Data Transfers

Hapex is operated from the United States. Sub-processors may process data in other jurisdictions. Where required, transfers from the EEA, the United Kingdom, or Switzerland are made under the European Commission's Standard Contractual Clauses, the United Kingdom International Data Transfer Addendum, or other valid transfer mechanisms.

14. Children

Hapex is not designed for or directed at children under the age of sixteen. We do not knowingly collect personal information from anyone under sixteen.

15. Changes to This Policy

We may update this Policy when our practices change, when a new sub-processor is onboarded, or when applicable law changes. For material changes, we will notify you by email at least fifteen days before the changes take effect, and you may close your account before that date if you do not consent.

16. Persistent connections

When you connect an external provider (for example, Google or Slack) during the agent build flow, Hapex stores an encrypted refresh token in the user_connections table. This token is scoped to your client_id and is used solely to execute the automations you have authorized.

Specifically:

  • The refresh token is encrypted at rest with AES-256-GCM before being written to the database. The plaintext token is never stored in logs or any other persistent location.
  • The token is scoped to your account. It cannot be accessed by other Hapex customers.
  • You can disconnect any provider at any time from /dashboard/connections. Disconnecting deletes the user_connections row for that provider immediately. No backup copy is retained.
  • If you delete your account entirely, all user_connections rows for your account are purged as part of the cascade delete.

You can also revoke Hapex’s access directly from the provider (for example, from myaccount.google.com/permissions for Google). Doing so invalidates the refresh token. The next time the automation runs, it will fail with a reauthorization error, and you will be prompted to reconnect from the dashboard.

17. Google API Services and Limited Use

Hapex’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain terms, when you connect a Google service:

  • What we access. Only the data covered by the scopes you approve on Google’s consent screen: Gmail messages (read and send), calendar events (read and write), Google Chat messages in your spaces, Drive files (read, upload, and organize), and the ability to create and edit Google Docs, Sheets, and Slides, depending on which services you connect. Each Google service is its own grant; connecting Gmail does not give Hapex access to Drive.
  • What we use it for. Solely to operate the features you asked for: scanning your mail for context (for example, the First Shift scan for unanswered quotes), preparing and sending email, organizing labels, sending and reading Chat messages in your spaces, creating and organizing Drive files, creating and editing Docs, Sheets, and Slides on request, managing calendar events, and running the automations you configured. Nothing else.
  • Who else sees it. Message text is processed by our model provider (Anthropic) acting as a service provider, strictly to generate the outputs you requested. Google user data is never shared with third parties for advertising or marketing, never sold, and never used to train machine-learning models.
  • What we keep. Raw email contents are never stored in our database. We retain only high-level operational summaries, findings, and logs (including vector embeddings of those summaries) so your Operator has memory of its own work.
  • Humans stay in control. The Operator can send email and Chat messages directly on your behalf for workflows you have configured. Actions that are irreversible, like sending to an external recipient for the first time, require explicit user confirmation before the Operator proceeds.
  • Revocation. Disconnect any Google service from /dashboard/connections (the stored token is deleted immediately) or revoke access from myaccount.google.com/permissions.

18. How to Contact Us

For any privacy-related question, request, complaint, or correction, email support@hapex.ai. Mailing correspondence may be addressed to Hapex AI, United States.

Terms of Service · Security · Refund Policy · support@hapex.ai