Legal

Privacy Policy

How we collect, use, and protect your personal information across our global operations.

Last updated: 15 April 2026

1. Introduction

This Privacy Policy explains how the Humind Labs AI group of companies (together, "Humind Labs AI," "we," "us," or "our") collects, uses, shares, and protects personal information when you visit humindlabsai.com (the "Website") or interact with us through the Website's contact form.

"Humind Labs AI" is a commercial brand operated by four separate legal entities, each acting as the data controller for users located in its territory:

Octo Technologies (U.S. — registration in process) — United States — 117 NE 1st Avenue, 9th Floor, Miami, FL 33132
Octo Technologies Inc. — Canada — 1030 W Georgia Street, Unit 1010, Vancouver, BC V6E 2Y3 — BC Incorporation #BC1264793; Federal Business #713145670BC0001; Vancouver Business Licence #26-120552
Octo Technologies SpA — Chile — Badajoz 100, Of. 1014, Piso 10, Las Condes, Santiago 7560908 — RUT: 77.862.182-7
Humanify AI Ltd. — United Kingdom — 71–75 Shelton Street, Covent Garden, London WC2H 9JQ — Companies House: 16264769; ICO Registration: ZB977487

2. Scope and applicability

This Policy applies to personal information we process in connection with the Website and the B2B consulting inquiries submitted through it. It does not cover services we may offer under a separate signed agreement (where the terms of that agreement will govern), or third-party websites linked from ours.

Your applicable data controller is determined by your country of residence. If you are located in a country where we do not have a dedicated entity, the contract counterparty is the Humind Labs AI entity whose country you identify in our contact form, or — absent that — Octo Technologies (U.S. — registration in process) as default controller. Country-specific rights and remedies are described in the Country Addenda at the end of this Policy.

3. Personal information we collect

We collect a limited set of personal information, primarily through our contact form. We do not run a newsletter, we do not use behavioural analytics, and we do not place advertising cookies. The categories we process are:

Contact form submissions: full name, work email address, company name, country of residence, service of interest, and the message you send us. All fields except company are required.
Technical data automatically generated by your browser when you access our servers: IP address, approximate geographic location derived from IP, device type, operating system, browser type and version, referring URL, and timestamps. This data is processed by our hosting provider (AWS) for security and operational logs.
Cookie preferences: a single first-party cookie named cookie_consent stores your choice to accept or decline cookies. No tracking identifier is set or shared.
Correspondence: if you email us directly, we process the content of the message and any information you voluntarily include.

4. How we use your information

We use your personal information for the following purposes, and only for these purposes:

To respond to your inquiry, prepare a proposal, and provide the consulting services you request.
To send you a transactional confirmation email acknowledging receipt of your contact form submission.
To route your inquiry to the correct regional team (United States, Canada, Chile, or United Kingdom) based on the country you indicate.
To maintain the security, availability, and integrity of the Website, including preventing abuse and investigating suspected fraud.
To comply with legal obligations, enforce our Terms of Service, defend legal claims, and meet accounting and record-keeping requirements.
To aggregate, anonymize, and de-identify information for internal business analysis. Aggregated data is no longer personal information and is not subject to this Policy.

5. Legal bases for processing (UK/EU/Chile)

Where UK GDPR, EU GDPR (in retained form), or Chile's Law 21.719 applies, we rely on the following legal bases under Article 6 of the applicable regulation:

Performance of a contract, or steps prior to entering a contract at your request — when you submit a contact form to inquire about our services (Art. 6(1)(b) UK/EU GDPR; Art. 13(1)(b) Chile Law 21.719).
Legitimate interests — to secure the Website, prevent fraud, and pursue limited direct marketing to existing business contacts (Art. 6(1)(f)). You have the right to object to processing based on legitimate interests at any time (see Section 10).
Consent — for any optional processing where we explicitly request it, such as future marketing communications. Consent can be withdrawn at any time without affecting prior lawful processing (Art. 6(1)(a); Art. 7).
Legal obligation — to comply with tax, accounting, record-keeping, or regulatory requirements applicable to each operating entity (Art. 6(1)(c)).

6. Cookies and similar technologies

We take a minimalist approach to cookies. The Website uses one strictly necessary first-party cookie and no third-party marketing, analytics, or advertising cookies.

cookie_consent — first-party, 1-year retention — records your choice to accept or decline non-essential cookies. Stored in your browser's local storage; no identifier is transmitted to third parties. Strictly necessary under UK GDPR / PECR Reg. 6(4) and does not require prior consent.
We do not use Google Analytics, Plausible, Mixpanel, Meta Pixel, LinkedIn Insight Tag, Hotjar, or any similar analytics or tracking technology.
Your hosting provider (AWS CloudFront / Amplify) may set short-lived operational cookies for load balancing and security purposes. These are strictly necessary and do not identify you beyond a session.

8. International data transfers

Because we operate across four countries, personal information may be transferred across borders. The specific flows you should be aware of are:

European Economic Area / United Kingdom / Switzerland → United States: when contact data is stored in Brevo (EU) and forwarded to our United States operations, or when AWS server logs originate from an EU/UK IP and are stored in us-east-2. We rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) or UK Addendum.
Chile → European Union / United States: contact data transferred to Brevo (EU) and AWS (US). Chile's Law 21.719 requires safeguards equivalent to the Chilean framework; we rely on contractual clauses to ensure this.
Canada → United States: data transferred to AWS (US) hosting is covered by written agreements requiring protection consistent with PIPEDA and, where applicable, Quebec Law 25.
Upon request, we will provide a copy of the safeguards applicable to any specific cross-border transfer of your personal information.

9. Data retention

We retain personal information only for as long as necessary for the purposes described in this Policy, or as required by applicable law.

Contact form submissions and CRM records: up to 24 months from your last interaction with us, after which records are deleted or anonymized, unless a longer period is required for legal, tax, or accounting reasons.
Server logs (IP address, access logs): 90 days.
Cookie preference (cookie_consent): up to 1 year or until you clear your browser storage.
Email correspondence: up to 7 years where retention is required by tax or commercial law in the relevant jurisdiction; otherwise, 24 months.
Backups: encrypted operational backups are rotated and fully overwritten within 35 days.

10. Your rights

Subject to the laws of your country of residence, you have the following rights in relation to your personal information. We will respond to verifiable requests within the statutory timeframe (generally 30 days; extensions may apply where permitted by law).

Right of access — request confirmation of whether we process your personal information and receive a copy of that information.
Right to rectification — request correction of inaccurate or incomplete information.
Right to erasure ("right to be forgotten") — request deletion of your information where one of the legal grounds for deletion applies.
Right to restriction of processing — request that we limit how we use your information in specified circumstances.
Right to data portability — receive your information in a structured, commonly used, machine-readable format, and request its transfer to another controller where technically feasible.
Right to object — object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
Right to withdraw consent — where processing is based on consent, withdraw consent at any time without affecting prior lawful processing.
Right not to be subject to solely automated decision-making — where such decisions produce legal or similarly significant effects (we do not engage in such decision-making; see Section 11).
Right to lodge a complaint with your supervisory authority — without prejudice to any other administrative or judicial remedy (see Section 17 and the Country Addenda).

11. Automated decision-making and AI

We do not subject you to decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you (within the meaning of Article 22 UK/EU GDPR and equivalent provisions of Chile Law 21.719).

Although Humind Labs AI specializes in AI consulting, the Website itself does not use artificial intelligence to make or substantially influence decisions about you. All meaningful decisions about your inquiries are reviewed by a human team member before any commercial response is issued.

12. Security of your information

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, without limitation:

Encryption in transit (TLS 1.2 or higher) for all communications with the Website and between our sub-processors.
Encryption at rest for data stored by Brevo, AWS, and Sanity.
Least-privilege access controls; multi-factor authentication for all personnel with access to personal information; quarterly access review.
Written data processing agreements with all sub-processors requiring equivalent security standards.
Incident response procedures aligned with 72-hour regulator notification timelines where applicable.
Security training for all personnel handling personal information.
Note: no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work continuously to protect your information.

13. Children's privacy

The Website is directed to businesses and business professionals and is not directed to children. We do not knowingly collect personal information from children under the age of digital consent in the relevant jurisdiction: 13 years (United States / United Kingdom / Canada outside Quebec), 14 years (Chile under Law 21.719; Quebec for social-media-like services under Law 25), or 16 years where a higher age applies by local law. If you believe we have inadvertently collected personal information from a child, please contact us and we will delete it promptly.

14. Data breach notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with UK GDPR Article 33, Quebec Law 25, and equivalent obligations in our other jurisdictions. Where the breach is likely to result in a high risk to you, we will also notify you directly, without undue delay, in clear and plain language, describing the nature of the breach, the likely consequences, and the measures taken or proposed.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our operations, applicable law, or industry practice. When we make material changes, we will update the "Last updated" date at the top of this Policy, and where legally required, we will provide prominent notice on the Website or contact you directly before the changes take effect. We encourage you to review this Policy periodically.

16. Contact us and Data Protection Officer

For any question about this Privacy Policy, to exercise your rights, or to contact our Data Protection Officer, you can reach us at:

Email (primary): privacy@humindlabsai.com — monitored by Felipe Medel, our Data Protection Officer.
General inquiries: hello@humindlabsai.com
Postal address: use the address of the entity applicable to you (see Section 1 and the Country Addenda below).
When contacting us about a rights request, please include sufficient information for us to verify your identity and locate your records. We will not share personal information with anyone who cannot reasonably prove they are the subject of that information.

17. How to lodge a complaint

You have the right to lodge a complaint with the supervisory authority in your country of residence. Country-specific complaint paths are described in the Country Addenda below. Lodging a complaint with a supervisory authority is without prejudice to any other administrative or judicial remedy available to you, and it does not require you to contact us first — though we would welcome the opportunity to address your concern directly.

Country-specific addenda

This addendum applies to residents of the United States and is provided by Octo Technologies (U.S. — registration in process), located at 117 NE 1st Avenue, 9th Floor, Miami, FL 33132. It supplements — and where there is a direct conflict, overrides — the main Privacy Policy for US residents to the extent required by applicable US federal and state law.

We do not sell or share personal information for cross-context behavioural advertising, as those terms are defined by the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), or by the consumer privacy statutes of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), or any other US state with a comparable privacy framework. Consequently, no opt-out is required, but you may nonetheless submit a Do Not Sell / Do Not Share request, which we will honour automatically.

If you are a California resident, you also have rights under California Civil Code § 1798.83 (the "Shine the Light" law) to request information about our disclosures of personal information to third parties for their direct marketing purposes. We do not make such disclosures, so any Shine the Light request will confirm a nil response.

We do not collect or process "sensitive personal information" as defined under CPRA § 1798.140(ae), including racial or ethnic origin, religious beliefs, precise geolocation, health, biometric identifiers, or genetic data. If we ever begin to do so, we will update this Policy and provide you with a right to limit use.

Children: we comply with the Children's Online Privacy Protection Act (COPPA) and CCPA protections for minors under 16. Because we do not sell or share personal information, the CCPA opt-in-consent requirements for minors' data do not apply.

To exercise your rights under CCPA/CPRA or any other applicable state law, email privacy@humindlabsai.com. We will acknowledge your request within 10 business days and substantively respond within 45 calendar days (extendable by an additional 45 days with notice, where permitted). You may designate an authorized agent to submit a request on your behalf; we will require written authorization and verification of your identity.

Right to know what personal information we collect, use, disclose, and sell (we do not sell).
Right to delete personal information we have collected from you, subject to statutory exceptions.
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of personal information (we do not engage in either).
Right to limit the use and disclosure of sensitive personal information (we do not collect any).
Right to data portability — receive a copy in a portable, readily usable format.
Right to non-discrimination for exercising any of these rights.

This addendum applies to residents of Canada and is provided by Octo Technologies Inc., located at 1030 W Georgia Street, Unit 1010, Vancouver, BC V6E 2Y3. It supplements the main Privacy Policy for Canadian residents and is the primary framework governing our handling of your personal information in Canada.

Our processing is governed primarily by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use, and disclosure of personal information in the course of commercial activities across Canada. PIPEDA is the cornerstone of our Canadian privacy programme and reflects the 10 fair information principles that shape how we operate: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.

Provincial private-sector privacy statutes that have been declared substantially similar to PIPEDA also apply where you reside in those provinces. In particular: the British Columbia Personal Information Protection Act (PIPA-BC) applies to our organization's activities with respect to BC residents, given that Octo Technologies Inc. is headquartered in Vancouver; the Alberta Personal Information Protection Act (PIPA-AB) applies to Alberta residents. We comply fully with PIPEDA, PIPA-BC, and PIPA-AB in their respective spheres of application.

Under PIPEDA and the applicable provincial statutes, you have the following rights: (i) the right to know what personal information we hold about you and how it is used and disclosed; (ii) the right to access your personal information and receive a copy; (iii) the right to request correction of inaccuracies; (iv) the right to withdraw consent, subject to legal or contractual restrictions; (v) the right to be informed of any breach of security safeguards involving a real risk of significant harm (PIPEDA s. 10.1); and (vi) the right to challenge our compliance and file a complaint with the Office of the Privacy Commissioner of Canada or the applicable provincial commissioner.

Under the federal Canadian Anti-Spam Legislation (CASL), we will not send you commercial electronic messages without your express or implied consent, and every message will include a functioning unsubscribe mechanism honoured within 10 business days.

For residents of Quebec specifically, additional rights apply under An Act respecting the protection of personal information in the private sector, as amended by Quebec Law 25 (CQLR c. P-39.1). Quebec residents should primarily read the fr-CA version of this Policy, which addresses Quebec-specific obligations in French as required by the Charter of the French Language. Under Law 25, Quebec residents have — among other rights — the right to data portability, the right to de-indexing where dissemination causes serious prejudice, and the right to be notified of any confidentiality incident presenting a risk of serious injury. Law 25 penalties can reach CAD $25,000,000 or 4% of worldwide turnover for the most serious violations.

To exercise your rights, contact our Privacy Officer, Felipe Medel, at privacy@humindlabsai.com. You may also file a complaint with: (a) the Office of the Privacy Commissioner of Canada (priv.gc.ca) for federal PIPEDA matters; (b) the Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca) for PIPA-BC matters; (c) the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca) for PIPA-AB matters; (d) the Commission d'accès à l'information du Québec (cai.gouv.qc.ca) for Quebec matters applicable to Quebec residents.

Right to access your personal information (PIPEDA Principle 9).
Right to correct inaccuracies (PIPEDA Principle 9; PIPA-BC s. 24; PIPA-AB s. 25).
Right to withdraw consent, subject to legal or contractual restrictions (PIPEDA Principle 3).
Right to be informed of breaches of security safeguards involving a real risk of significant harm (PIPEDA s. 10.1).
Right to file a complaint with the Office of the Privacy Commissioner of Canada, the BC OIPC, or the Alberta OIPC.
Additional rights for Quebec residents under Law 25 (data portability, de-indexing, incident notification) — see the fr-CA Policy.

Este anexo se aplica a los residentes de la República de Chile y es proporcionado por Octo Technologies SpA, ubicada en Badajoz 100, Oficina 1014, Piso 10, Las Condes, Santiago 7560908. Complementa la Política de Privacidad principal para residentes chilenos.

Operamos bajo la Ley N° 19.628 sobre Protección de la Vida Privada, actualmente en vigor, y estamos adaptando nuestras prácticas para cumplir plenamente con la Ley N° 21.719, publicada el 13 de diciembre de 2024 y cuya plena vigencia comenzará el 13 de diciembre de 2026. Nuestras prácticas ya están diseñadas para cumplir con los principios que introduce la Ley 21.719: licitud, finalidad, proporcionalidad, calidad, responsabilidad, seguridad, transparencia y confidencialidad.

Bajo la Ley 21.719, ampliamos las bases legales para el tratamiento más allá del consentimiento, incluyendo: ejecución de un contrato, interés legítimo, obligación legal, interés vital y interés público. Toda vez que tratemos datos personales en el marco de su solicitud de servicios, la base legal principal será la ejecución de un contrato o las medidas precontractuales a su solicitud.

Usted tiene los derechos conocidos como "ARCOPOL" bajo la legislación chilena de protección de datos: acceso, rectificación, cancelación (supresión), oposición, portabilidad, bloqueo y, en el caso de tratamientos automatizados con efectos jurídicos, los derechos contemplados en la nueva ley. Puede ejercer estos derechos contactándonos en privacy@humindlabsai.com; responderemos en los plazos establecidos por la ley aplicable.

Conforme a la Ley 21.719, los datos sensibles (tales como origen étnico, creencias, salud, vida u orientación sexual, datos biométricos y genéticos) requieren consentimiento expreso, específico e informado. No recopilamos datos sensibles a través del Sitio Web.

La autoridad de control competente es la Agencia de Protección de Datos Personales, cuya entrada en funciones está prevista para diciembre de 2026. Hasta entonces, la supervisión y los procedimientos administrativos continúan siendo los establecidos por la Ley 19.628 y las acciones de habeas data ante los tribunales competentes.

Las transferencias internacionales de datos fuera de Chile se realizan con salvaguardias contractuales equivalentes a las previstas por la Ley 21.719, incluyendo cláusulas contractuales tipo o mecanismos equivalentes reconocidos por la Agencia de Protección de Datos Personales cuando esté en funciones.

Derecho de acceso a sus datos personales.
Derecho de rectificación de datos inexactos o incompletos.
Derecho de cancelación o supresión de datos.
Derecho de oposición al tratamiento.
Derecho de portabilidad (bajo Ley 21.719).
Derecho de bloqueo temporal del tratamiento.
Derecho a interponer acción de habeas data ante el tribunal competente.

This addendum applies to residents of the United Kingdom and is provided by Humanify AI Ltd., located at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ. Our ICO Data Protection Registration number is ZB977487 (registered 2 September 2025, renewed annually).

We process your personal information in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018"), the Privacy and Electronic Communications Regulations 2003 ("PECR"), and the Data (Use and Access) Act 2025 ("DUA Act 2025"), as interpreted by guidance from the Information Commissioner's Office ("ICO").

We rely on the six lawful bases in Article 6 of the UK GDPR and, where applicable, the seventh "recognised legitimate interest" basis introduced by the DUA Act 2025 and effective from 5 February 2026. We do not process special category data (Article 9) or criminal offence data (Article 10) through the Website.

You have all the rights of a UK data subject: access, rectification, erasure, restriction of processing, data portability, objection, rights relating to automated decision-making and profiling (we do not engage in solely automated decisions with legal or similarly significant effects), and the right to withdraw consent where consent is the legal basis.

Cookies and similar technologies set by our Website are used only where strictly necessary within the meaning of PECR Regulation 6(4), or with your prior consent where any non-essential cookie is ever introduced. Currently, only the cookie_consent cookie is used, and it is strictly necessary to record your consent choice.

International transfers from the UK to third countries rely on the International Data Transfer Agreement ("IDTA") or the UK Addendum to the European Commission's Standard Contractual Clauses, unless an adequacy regulation made under section 17A of the DPA 2018 applies. The ICO's guidance is reflected in our supplier due diligence process.

For notifiable personal data breaches, we will notify the ICO within 72 hours of becoming aware and, where there is a high risk to you, notify you directly without undue delay, in compliance with UK GDPR Articles 33 and 34.

Your right to complain to a supervisory authority is the right to complain to the ICO. You can contact the ICO at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF — ico.org.uk — 0303 123 1113. Lodging a complaint with the ICO is without prejudice to your right to a judicial remedy and does not require you to contact us first.

Right to be informed about collection and use of your personal data.
Right of access (subject access request).
Right to rectification.
Right to erasure ("right to be forgotten").
Right to restrict processing.
Right to data portability.
Right to object, including to direct marketing at any time.
Rights in relation to automated decision-making and profiling (Art. 22).
Right to withdraw consent where consent is the basis for processing.
Right to lodge a complaint with the Information Commissioner's Office.