Privacy Policy
Last updated: February 7, 2026
1. Introduction
Marviy Pte Ltd ("we", "us", "Company") operates the hatiOS platform. This Privacy Policy describes how we collect, use, and protect information when you use our services, including hatiosai.com, app.hatiosai.com, api.hatiosai.com, and all associated SDKs, APIs, and documentation.
Effective date: February 7, 2026
2. Information We Collect
Account Information
- Name, email address, organization name
- Authentication credentials (hashed, never stored in plaintext)
- Billing information (processed by Stripe; we do not store full payment details)
Agent Data (processed through the proxy)
- LLM requests and responses passing through the hatiOS proxy
- Agent reasoning traces (thoughts, tool calls, results)
- Policy evaluation results and intervention records
- Session metadata (timestamps, durations, agent identifiers)
Usage Data
- Dashboard activity and feature usage
- API call volumes and patterns
- Performance metrics
Technical Data
- IP addresses, browser/device information
- Log data for security and debugging
3. How We Use Information
- To provide and operate the hatiOS Service
- To enforce policies and governance rules as configured by Customer
- To generate audit trails and compliance reports
- To bill for usage (metered actions)
- To improve Service performance and reliability
- To communicate about the Service (updates, security notices, billing)
- To comply with legal obligations
4. Data Processing & Storage
Agent Data is processed in transit through the hatiOS proxy and stored in the Flight Recorder as configured by Customer.
- Data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Primary infrastructure hosted on Google Cloud Platform
- Data residency available as selected by Customer for Enterprise tier
Retention by tier:
- Starter (Free): 30 days
- Pro: 90 days hot storage, 1 year cold storage
- Enterprise: 1 year hot storage, 7 years cold storage
5. Data Sharing & Third Parties
We do not sell personal data or Agent Data. We do not use Agent Data to train AI models.
Third-party processors (with Data Processing Agreement in place):
- Google Cloud Platform — infrastructure hosting
- Stripe — payment processing
- WorkOS — enterprise SSO, if enabled by Customer
- Analytics providers — anonymized usage data only
We may disclose information if required by law or to protect the rights and safety of our users and the public.
6. Customer Data Ownership
Customer retains full ownership of all data processed through the Service. This includes:
- Agent reasoning traces
- Policy configurations
- Intervention records
Customer may export their data at any time via API or dashboard. Upon account termination, Customer has 30 days to export their data before it is permanently deleted.
7. Security Measures
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- API keys hashed with bcrypt
- Role-based access control (RBAC)
- SOC2 Type II compliance (in progress)
- HIPAA BAA available for Enterprise customers
- Regular security audits and penetration testing
- SHA-256 cryptographic hashing for audit trail integrity
8. Data Subject Rights (PDPA / GDPR)
Depending on your jurisdiction, you may have the following rights:
- Right to access your personal data
- Right to correction of inaccurate data
- Right to deletion ("right to be forgotten")
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
To exercise these rights, email privacy@hatios.com. We will respond within 30 days.
9. Cookies & Tracking
- Essential cookies: Authentication and session management (always active)
- Analytics cookies: Service improvement (with consent)
- No advertising or third-party tracking cookies
Cookie preferences are manageable via dashboard settings.
10. International Data Transfers
Data may be transferred to jurisdictions outside Singapore for processing. Appropriate safeguards (Standard Contractual Clauses or equivalent) are applied for all international transfers.
Enterprise customers may specify data residency requirements.
11. Children's Privacy
The Service is not directed at individuals under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal information, please contact us and we will delete it.
12. Changes to This Policy
Updated policies will be posted on this page with a new effective date. Material changes will be communicated 30 days in advance via email. Continued use of the Service constitutes acceptance of the updated policy.
13. Contact
Data Protection Officer: privacy@hatios.com
Marviy Pte Ltd
Singapore