Privacy Policy

How we collect, use, and protect your personal information across our global operations.

Last updated: 16 April 2026

1. Introduction

This Privacy Policy explains how the Humind Labs AI group of companies (together, "Humind Labs AI," "we," "us," or "our") collects, uses, shares, and protects personal information when you visit humindlabsai.com (the "Website") or interact with us through the Website's contact form.

"Humind Labs AI" is a commercial brand operated by four separate legal entities, each acting as the data controller for users located in its territory:

  • Octo Technologies (U.S. — registration in process) — United States — 117 NE 1st Avenue, 9th Floor, Miami, FL 33132
  • Octo Technologies Inc. — Canada — 1030 W Georgia Street, Unit 1010, Vancouver, BC V6E 2Y3 — BC Incorporation #BC1264793; Federal Business #713145670BC0001; Vancouver Business Licence #26-120552
  • Octo Technologies SpA — Chile — Badajoz 100, Of. 1014, Piso 10, Las Condes, Santiago 7560908 — RUT: 77.862.182-7
  • Humanify AI Ltd. — United Kingdom — 71–75 Shelton Street, Covent Garden, London WC2H 9JQ — Companies House: 16264769; ICO Registration: ZB977487

2. Scope and applicability

This Policy applies to personal information we process in connection with the Website and the B2B consulting inquiries submitted through it. It does not cover services we may offer under a separate signed agreement (where the terms of that agreement will govern), or third-party websites linked from ours.

Your applicable data controller is determined by your country of residence. If you are located in a country where we do not have a dedicated entity, the contract counterparty is the Humind Labs AI entity whose country you identify in our contact form, or — absent that — Octo Technologies (U.S. — registration in process) as default controller. Country-specific rights and remedies are described in the Country Addenda at the end of this Policy. If you are resident in the United Kingdom, the United Kingdom Addendum below is the primary applicable addendum for you.

3. Personal information we collect

We collect a limited set of personal information, primarily through our contact form and through analytics tools that operate only with your consent. We do not run a newsletter and we do not place advertising cookies. The categories we process are:

  • Contact form submissions: full name, work email address, company name, country of residence, service of interest, and the message you send us. All fields except company are required.
  • Technical data automatically generated by your browser when you access our servers: IP address, approximate geographic location derived from IP, device type, operating system, browser type and version, referring URL, and timestamps. This data is processed by our hosting provider (AWS) for security and operational logs.
  • Cookie preferences: a single first-party cookie named cookie_consent stores your choice to accept or decline cookies. No tracking identifier is set or shared.
  • Correspondence: if you email us directly, we process the content of the message and any information you voluntarily include.

4. How we use your information

We use your personal information for the following purposes, and only for these purposes:

  • To respond to your inquiry, prepare a proposal, and provide the consulting services you request.
  • To send you a transactional confirmation email acknowledging receipt of your contact form submission.
  • To route your inquiry to the correct regional team (United States, Canada, Chile, or United Kingdom) based on the country you indicate.
  • To maintain the security, availability, and integrity of the Website, including preventing abuse and investigating suspected fraud.
  • To comply with legal obligations, enforce our Terms of Service, defend legal claims, and meet accounting and record-keeping requirements.
  • To aggregate, anonymise, and de-identify information for internal business analysis. Aggregated data is no longer personal information and is not subject to this Policy.

6. Cookies and similar technologies

We take a measured approach to cookies and analytics. The Website uses one strictly necessary first-party cookie and loads analytics technologies only after you provide consent through our cookie banner.

  • cookie_consent — first-party, 1-year retention — records your choice to accept or decline non-essential cookies. Stored in your browser; no identifier is transmitted to third parties. Strictly necessary under UK GDPR / PECR Reg. 6(4) and does not require prior consent.
  • Google Tag Manager (GTM) — a tag management system that loads other analytics scripts. GTM itself does not set cookies or collect personal data. It is loaded on every page but defers to your consent choice before activating analytics tags.
  • Google Analytics 4 (GA4) — consent-gated analytics service provided by Google LLC. GA4 sets cookies (e.g., _ga, _ga_*) to measure page views, traffic sources, and conversion events (such as contact form submissions). GA4 cookies are only set if you accept analytics cookies via our consent banner. Data is processed by Google in accordance with its privacy policy. We have enabled IP anonymisation and do not use GA4 for advertising or cross-site tracking.
  • Microsoft Clarity — a free analytics service provided by Microsoft Corporation that records session replays and generates heatmaps to help us understand how visitors interact with the Website. Clarity operates without setting cookies and does not require consent. Clarity does not collect personal identifiers. Data is processed by Microsoft in accordance with its privacy statement.
  • Our hosting provider (AWS CloudFront / Amplify) may set short-lived operational cookies for load balancing and security purposes. These are strictly necessary and do not identify you beyond a session.
  • We do not use Meta Pixel, LinkedIn Insight Tag, or any advertising or retargeting technology.

7. How we share your information

We do not sell personal information. We do not share personal information for cross-context behavioural advertising or for any purpose described as a "sale" or "share" under the California Consumer Privacy Act (as amended by the CPRA).

We do share personal information with a limited set of sub-processors who provide services strictly necessary to operate the Website and respond to your inquiries. Each sub-processor is bound by a written data processing agreement that requires GDPR/UK-GDPR-equivalent safeguards.

  • Brevo (Sendinblue SA, France) — email delivery and CRM storage of contact form submissions, including consent preferences and country routing. Data is hosted in the European Union.
  • Sanity Labs (Sanity.io AS, Norway) — headless content management system used exclusively to publish the blog. Sanity does not process personal information collected through the contact form.
  • Amazon Web Services, Inc. (AWS Amplify + CloudFront) — Website hosting and content delivery. Hosting region: us-east-2 (Ohio, United States). Server logs include IP addresses and are retained for 90 days.
  • Google LLC (Google Workspace) — email infrastructure for the hello@humindlabsai.com and privacy@humindlabsai.com mailboxes. Applies only when you correspond with us by email.
  • Google LLC (Google Analytics 4 + Google Tag Manager) — consent-gated web analytics to measure traffic, page views, and conversion events. Data may be transferred to the United States under Google's Standard Contractual Clauses. Only activated when you accept analytics cookies.
  • Microsoft Corporation (Microsoft Clarity) — cookieless session replay and heatmap analytics to understand user interaction patterns. No personal identifiers are collected. Data is processed in accordance with Microsoft's privacy statement.
  • Professional advisors — accountants, auditors, and lawyers — bound by professional confidentiality, engaged only where necessary to operate our business.
  • Public authorities, courts, and law enforcement — where we are legally compelled to disclose information in response to a valid legal request, or where disclosure is necessary to establish, exercise, or defend legal claims.

8. International data transfers

Because we operate across four countries, personal information may be transferred across borders. The specific flows you should be aware of are:

  • European Economic Area / United Kingdom / Switzerland → United States: when contact data is stored in Brevo (EU) and forwarded to our United States operations, or when AWS server logs originate from an EU/UK IP and are stored in us-east-2. We rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) or UK Addendum.
  • Chile → European Union / United States: contact data transferred to Brevo (EU) and AWS (US). Chile's Law 21.719 requires safeguards equivalent to the Chilean framework; we rely on contractual clauses to ensure this.
  • Canada → United States: data transferred to AWS (US) hosting is covered by written agreements requiring protection consistent with PIPEDA and, where applicable, Quebec Law 25.
  • Upon request, we will provide a copy of the safeguards applicable to any specific cross-border transfer of your personal information.

9. Data retention

We retain personal information only for as long as necessary for the purposes described in this Policy, or as required by applicable law.

  • Contact form submissions and CRM records: up to 24 months from your last interaction with us, after which records are deleted or anonymised, unless a longer period is required for legal, tax, or accounting reasons.
  • Server logs (IP address, access logs): 90 days.
  • Cookie preference (cookie_consent): up to 1 year or until you clear your browser storage.
  • Email correspondence: up to 7 years where retention is required by tax or commercial law in the relevant jurisdiction; otherwise, 24 months.
  • Backups: encrypted operational backups are rotated and fully overwritten within 35 days.

10. Your rights

Subject to the laws of your country of residence, you have the following rights in relation to your personal information. We will respond to verifiable requests within the statutory timeframe (generally 30 days; extensions may apply where permitted by law).

  • Right of access — request confirmation of whether we process your personal information and receive a copy of that information.
  • Right to rectification — request correction of inaccurate or incomplete information.
  • Right to erasure ("right to be forgotten") — request deletion of your information where one of the legal grounds for deletion applies.
  • Right to restriction of processing — request that we limit how we use your information in specified circumstances.
  • Right to data portability — receive your information in a structured, commonly used, machine-readable format, and request its transfer to another controller where technically feasible.
  • Right to object — object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
  • Right to withdraw consent — where processing is based on consent, withdraw consent at any time without affecting prior lawful processing.
  • Right not to be subject to solely automated decision-making — where such decisions produce legal or similarly significant effects (we do not engage in such decision-making; see Section 11).
  • Right to lodge a complaint with your supervisory authority — without prejudice to any other administrative or judicial remedy (see Section 17 and the Country Addenda).

11. Automated decision-making and AI

We do not subject you to decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you (within the meaning of Article 22 UK/EU GDPR and equivalent provisions of Chile Law 21.719).

Although Humind Labs AI specialises in AI consulting, the Website itself does not use artificial intelligence to make or substantially influence decisions about you. All meaningful decisions about your inquiries are reviewed by a human team member before any commercial response is issued.

12. Security of your information

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. These measures include, without limitation:

  • Encryption in transit (TLS 1.2 or higher) for all communications with the Website and between our sub-processors.
  • Encryption at rest for data stored by Brevo, AWS, and Sanity.
  • Least-privilege access controls; multi-factor authentication for all personnel with access to personal information; quarterly access review.
  • Written data processing agreements with all sub-processors requiring equivalent security standards.
  • Incident response procedures aligned with 72-hour regulator notification timelines where applicable.
  • Security training for all personnel handling personal information.
  • Note: no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work continuously to protect your information.

13. Children's privacy

The Website is directed to businesses and business professionals and is not directed to children. We do not knowingly collect personal information from children under the age of digital consent in the relevant jurisdiction: 13 years (United States / United Kingdom / Canada outside Quebec), 14 years (Chile under Law 21.719; Quebec for social-media-like services under Law 25), or 16 years where a higher age applies by local law. If you believe we have inadvertently collected personal information from a child, please contact us and we will delete it promptly.

14. Data breach notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with UK GDPR Article 33, Quebec Law 25, and equivalent obligations in our other jurisdictions. Where the breach is likely to result in a high risk to you, we will also notify you directly, without undue delay, in clear and plain language, describing the nature of the breach, the likely consequences, and the measures taken or proposed.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our operations, applicable law, or industry practice. When we make material changes, we will update the "Last updated" date at the top of this Policy, and where legally required, we will provide prominent notice on the Website or contact you directly before the changes take effect. We encourage you to review this Policy periodically.

16. Contact us and Data Protection Officer

For any question about this Privacy Policy, to exercise your rights, or to contact our Data Protection Officer, you can reach us at:

  • Email (primary): privacy@humindlabsai.com — monitored by Felipe Medel, our Data Protection Officer.
  • General inquiries: hello@humindlabsai.com
  • Postal address: use the address of the entity applicable to you (see Section 1 and the Country Addenda below).
  • When contacting us about a rights request, please include sufficient information for us to verify your identity and locate your records. We will not share personal information with anyone who cannot reasonably prove they are the subject of that information.

17. How to lodge a complaint

You have the right to lodge a complaint with the supervisory authority in your country of residence. Country-specific complaint paths are described in the Country Addenda below. If you are resident in the United Kingdom, your supervisory authority is the Information Commissioner's Office (ICO). Lodging a complaint with a supervisory authority is without prejudice to any other administrative or judicial remedy available to you, and it does not require you to contact us first — though we would welcome the opportunity to address your concern directly.

Country-specific addenda

This is the primary applicable addendum for users resident in the United Kingdom. It is provided by Humanify AI Ltd., located at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, and — for UK residents — it supplements and, where there is a direct conflict, overrides the main Privacy Policy. Our Information Commissioner's Office (ICO) Data Protection Registration number will be displayed here once issued: ZB977487.

We process your personal information in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018"), the Privacy and Electronic Communications Regulations 2003 ("PECR"), and the Data (Use and Access) Act 2025 ("DUA Act 2025"), as interpreted by guidance from the Information Commissioner's Office ("ICO"). These instruments — UK GDPR, DPA 2018, PECR and the DUA Act 2025 — are the principal legal framework governing our processing of your personal data.

We rely on the six lawful bases in Article 6 of the UK GDPR and, where applicable, the seventh "recognised legitimate interest" basis introduced by the DUA Act 2025 and effective from 5 February 2026. We do not process special category data (Article 9) or criminal offence data (Article 10) through the Website.

You have all the rights of a UK data subject under the UK GDPR and the DPA 2018: access, rectification, erasure, restriction of processing, data portability, objection, rights relating to automated decision-making and profiling (we do not engage in solely automated decisions with legal or similarly significant effects), and the right to withdraw consent where consent is the legal basis.

Cookies and similar technologies set by our Website are used only where strictly necessary within the meaning of PECR Regulation 6(4), or with your prior consent where any non-essential cookie is ever introduced. Currently, only the cookie_consent cookie is used, and it is strictly necessary to record your consent choice. Our cookie practices are designed to satisfy PECR and the ICO's published guidance on cookies and similar technologies.

International transfers from the UK to third countries rely on the International Data Transfer Agreement ("IDTA") or the UK Addendum to the European Commission's Standard Contractual Clauses, unless an adequacy regulation made under section 17A of the DPA 2018 applies. The ICO's guidance on international transfers is reflected in our supplier due diligence process.

For notifiable personal data breaches, we will notify the ICO within 72 hours of becoming aware and, where there is a high risk to you, notify you directly without undue delay, in compliance with UK GDPR Articles 33 and 34.

Your right to complain to a supervisory authority is the right to complain to the ICO. You can contact the ICO at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF — ico.org.uk — 0303 123 1113. Lodging a complaint with the ICO is without prejudice to your right to a judicial remedy and does not require you to contact us first.

  • Primary legal framework: UK GDPR, DPA 2018, PECR, and the Data (Use and Access) Act 2025.
  • Right to be informed about collection and use of your personal data.
  • Right of access (subject access request).
  • Right to rectification.
  • Right to erasure ("right to be forgotten").
  • Right to restrict processing.
  • Right to data portability.
  • Right to object, including to direct marketing at any time.
  • Rights in relation to automated decision-making and profiling (Art. 22).
  • Right to withdraw consent where consent is the basis for processing.
  • Right to lodge a complaint with the Information Commissioner's Office (ICO).