Privacy Policy

Effective April 26, 2026 · Last updated April 26, 2026 · Next review April 26, 2027

1. Introduction

This Privacy Policy describes how Hynds AI LLC ("Hynds AI," "we," "us," or "our") collects, uses, shares, retains, and deletes information in connection with the Hynds AI Ops application (the "Application"), available at https://corp.hynds.ai.

The Application is an internal customer relationship management (CRM) and accounting platform used by Hynds AI personnel and authorized affiliates to operate the Hynds AI business. It is not a consumer-facing product.

We are committed to protecting the privacy and security of the information processed by the Application. This Policy is reviewed and reapproved at least annually, and is updated whenever we make a material change to how we collect, use, share, retain, or delete information.

2. Scope

This Policy applies to information processed by the Application, including:

• Information you provide directly when creating an account or using features.
• Information we collect automatically from your use of the Application.
• Information obtained from third-party services that you authorize the Application to access (such as Microsoft 365 and, where applicable, Plaid).

This Policy does not apply to:

• Public marketing content on hynds.ai.
• Third-party services accessed through the Application (each such service has its own privacy policy, which governs its independent processing of your information).

3. Information We Collect

3.1 Information You Provide

• Account information — name, email address, password (stored only as a salted bcrypt hash), and assigned role.
• CRM content — contacts, companies, deals, activities, tags, and notes you create or import.
• Financial content — chart of accounts, journal entries, invoices, bills, expenses, budgets, and supporting metadata.
• Communications — content you submit to the Application (e.g., manually entered notes, edits to AI-extracted contacts).

3.2 Information Collected Automatically

• Authentication and session events — login attempts (successful and failed), IP address, user-agent string, and session activity. These are recorded in our AuditLog for security and compliance purposes.
• Application usage logs — request paths, response statuses, error traces, and similar diagnostic data retained by our hosting provider.

3.3 Information from Third-Party Services

With your explicit authorization (via OAuth or an equivalent flow), the Application may receive:

• From Microsoft 365 (Microsoft Graph API) — your business email messages, calendar events, contacts, and basic profile metadata, scoped to the permissions you granted (Mail.Read, Mail.ReadWrite, Calendars.Read, Contacts.Read, User.Read, offline_access).
• From Plaid (planned, where you connect a bank account) — bank account metadata, transactions, balances, and, where applicable, liability details for the financial institutions and accounts you explicitly link. See Section 6 for additional Plaid-specific disclosures.

We do not collect or process payment card numbers. We do not collect biometric data, government-issued ID numbers, or precise geolocation.

3.4 Information We Do Not Collect

The Application is not directed to and does not knowingly collect information from children under 13 (or under 16 in jurisdictions where that is the applicable threshold). See Section 11.

4. How We Use Information

We use the information described in Section 3 for the following purposes:

• Operate the Application — authenticate users, render the CRM and finance modules, persist your records, and provide the integrations you enable.
• Synchronize integrated services — pull email, calendar, contact, and (where enabled) banking data on your behalf so that they are usable inside the Application.
• AI-assisted features — extract structured contact details from email signatures using a large language model (currently Abacus.AI's hosted LLM API). The email body being analyzed is sent to the LLM provider for the duration of the request only; we do not use this content to train any model, and we do not retain prompts on the LLM provider's side beyond what is required to return the response.
• Security and abuse prevention — detect and respond to suspicious authentication, enforce role-based access, and investigate incidents.
• Compliance and recordkeeping — meet U.S. tax, accounting, and other legal recordkeeping obligations.
• Improve the Application — diagnose errors, monitor performance, and roll out fixes.

We do not sell personal information. We do not use your information for advertising, profiling for advertising, or to build third-party data products. We do not rent or lease your information.

5. How We Share Information

We share information only in the limited circumstances described below.

5.1 Service Providers (Subprocessors)

We engage a small set of vetted service providers to operate the Application. Each is bound by contractual confidentiality and security obligations, and each is granted access only to the data necessary to perform its function.

A current list of subprocessors is maintained in our Information Security Policy and can be requested via the contact in Section 13.

5.2 Legal Requirements

We may disclose information if we are required to do so by law, valid legal process (such as a subpoena or court order), or to comply with regulatory obligations. We will give you notice of such disclosure unless legally prohibited.

5.3 Protection of Rights

We may disclose information when we believe in good faith that disclosure is necessary to investigate, prevent, or respond to suspected fraud, security incidents, or violations of our terms.

5.4 Business Transfers

If Hynds AI is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred to the successor entity. We will give notice and require the successor to honor the commitments in this Policy.

5.5 With Your Direction

We share information with third parties when you direct us to (for example, when you connect a Microsoft 365 account or link a bank via Plaid).

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

6. Plaid-Specific Disclosures

When you elect to link a financial institution to the Application, we use Plaid Inc. ("Plaid") to gather your data from that financial institution. By using the Application's bank-linking feature, you grant Hynds AI and Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from your relevant financial institution.

You agree to your personal and financial information being transferred, stored, and processed by Plaid in accordance with the Plaid End User Privacy Policy:

https://plaid.com/legal/#end-user-privacy-policy

Plaid's processing of your information is governed by Plaid's own privacy policy, which we encourage you to review. Plaid is independently responsible for its data practices.

Within the Application, we use the Plaid-provided data only for the purposes described in Section 4, including: displaying your bank balances and transactions, supporting reconciliation against journal entries, and (where you choose to use it) auto-categorizing transactions to the chart of accounts.

You can disconnect a linked institution at any time from Settings → Integrations. When you disconnect, we revoke our access token at Plaid, stop pulling new data, and delete or anonymize the related Plaid data we hold per Section 7 below.

7. Data Retention and Deletion Policy

We maintain a defined and enforced data retention and deletion policy that is reviewed at least annually. Our retention practices are set in accordance with applicable U.S. federal and state recordkeeping and privacy laws, including the CCPA/CPRA, and are summarized below.

7.1 Retention Periods

7.2 Deletion on Request

Subject to applicable legal-retention obligations, you may request deletion of your account and associated personal information by contacting us at the address in Section 13. We will:

1. Acknowledge your request within 10 business days.
2. Verify the request to ensure it comes from the authorized account holder.
3. Delete or anonymize the requested data within 30 days of verification, except for:
   • Records we are required to retain by law (e.g., the seven-year financial-records line above);
   • Records subject to an active legal hold; and
   • De-identified or aggregated data that can no longer be reasonably linked to you.
4. Notify you when deletion is complete.

7.3 Automatic Deletion

The Application performs the following automatic deletions in code:

• Disconnecting Outlook (/api/integrations/outlook/disconnect) deletes the encrypted OutlookConnection row, including stored tokens and delta state. Synced email and calendar records associated with that connection are deleted at the same time.
• Disconnecting a Plaid item (when the integration is enabled) will revoke the access token at Plaid and delete the associated PlaidItem, PlaidAccount, and raw PlaidTransaction rows. Posted journal entries derived from those transactions are retained under the financial-records retention period.
• Account deactivation by a Super Admin removes the user's ability to authenticate and revokes any OAuth tokens scoped to that user.

7.4 Periodic Review

The Security Officer reviews this retention and deletion policy at least annually and updates it to reflect changes in applicable law, integrated services, or business operations. The most recent review date is shown at the top of this document.

8. Your Rights

Depending on where you reside, you may have the following rights regarding your personal information.

8.1 Rights Under U.S. State Privacy Laws (e.g., California, Virginia, Colorado, Connecticut, Utah)

• Right to know / access — request a description of, or a copy of, the personal information we hold about you.
• Right to delete — request deletion of personal information we hold about you, subject to the legal-retention exceptions described in Section 7.
• Right to correct — request correction of inaccurate personal information.
• Right to portability — request a copy of your personal information in a portable, machine-readable format.
• Right to opt out of “sale” or “sharing” — we do not sell or share personal information for cross-context behavioral advertising; there is nothing to opt out of.
• Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond those reasonably necessary to deliver the Application.
• Right against discrimination — we will not retaliate against you for exercising any of these rights.

8.2 How to Exercise These Rights

Submit a request to the contact in Section 13 from the email address associated with your account. We will verify your identity and respond within the timeframe required by applicable law (generally 45 days, with one optional 45-day extension). There is no charge for a reasonable request.

8.3 Authorized Agents

You may designate an authorized agent to make a request on your behalf. We will require written authorization and may need to verify your identity directly.

8.4 Appeals

If we decline a request, you may appeal by replying to our response. We will reconsider and provide a written explanation within 60 days.

9. Security

We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, alteration, disclosure, and destruction. These include:

• Role-based access control (RBAC) with four roles and least-privilege defaults.
• Strong password requirements and account lockout after repeated failed attempts.
• Bcrypt password hashing; passwords are never stored in plaintext.
• TLS 1.2+ for all data in transit.
• Encryption at rest at the storage layer, plus application-layer AES-256 encryption for OAuth and Plaid access tokens.
• An immutable audit log of privileged actions.
• Quarterly access reviews and monthly audit-log reviews.
• Least-privilege OAuth scopes for all third-party integrations.
• A documented Incident Response Plan with a 72-hour breach-notification target for incidents involving personal data.

These controls are described in detail in our Information Security Policy, which is reviewed annually. No system is perfectly secure; we cannot guarantee the security of information transmitted to or stored by the Application, but we will respond promptly and in good faith to any incident affecting your data.

10. International Data Transfers

The Application and its primary subprocessors are located in the United States. If you access the Application from outside the United States, your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Application, you consent to this transfer.

11. Children's Privacy

The Application is intended exclusively for adult business users. We do not knowingly collect personal information from anyone under the age of 16. If we learn that we have collected such information, we will delete it promptly. Contact us at the address in Section 13 if you believe we have collected information from a minor.

12. Changes to This Policy

We may update this Policy from time to time. When we make a material change, we will:

1. Update the Last Updated date at the top of the document.
2. Provide notice through the Application or by email to active account holders at least 14 days before the change takes effect, unless an immediate change is required to comply with law or to address a security risk.
3. Maintain prior versions on request.

Continued use of the Application after the effective date of an update constitutes acceptance of the updated Policy.

13. Contact Us

For questions, requests, or complaints regarding this Policy or our handling of your information:

We acknowledge requests within 10 business days and respond within the timeframe required by applicable law.

© 2026 Hynds AI LLC · Version 1.0 · Effective April 26, 2026