Privacy Policy

1. What We Collect

Hive processes data you voluntarily upload (AI chat exports, resumes, LinkedIn profiles) to generate your Mirror portrait. We also collect:

• Account data: email address and authentication credentials when you register
• Profile data: display name, username, and public/private status you set
• Portrait data: AI-generated portrait stored encrypted in our database

We do not collect data without your explicit action. We do not use tracking pixels, fingerprinting, or third-party analytics.

2. How We Process Your Data

Your uploaded data is anonymized (names, emails, phone numbers removed) before being sent to Anthropic (Claude API) for portrait generation. The original data is never stored on our servers. Only the resulting AI portrait is saved.

3. Encryption & Storage

Your portrait data is stored in Supabase (PostgreSQL) hosted in the EU with TLS encryption in transit and at-rest encryption on the database level. Public profiles are accessible by anyone with the link. Private profiles are only visible to you when logged in. Row-Level Security (RLS) policies ensure each user can only access their own data.

4. Authentication & Account

We use Supabase Auth for account management. You can register with email/password or Google OAuth. Passwords are hashed with bcrypt. We do not store plain-text passwords. Google OAuth tokens are managed by Supabase and not stored on our servers.

5. Public Profiles & Sharing

When you make your profile public, the following information becomes visible to anyone with your profile URL:

• Your display name and username
• Your AI-generated portrait (strengths, skills, projects, etc.)
• Your profile may appear in Open Graph previews when shared on social media

You can make your profile private at any time. Private profiles are not accessible to anyone except you.

6. AI Processing Disclosure

Your Mirror portrait is generated by AI (Claude by Anthropic). AI observations are based on patterns in your data and may not be fully accurate. You can edit or delete any observation at any time.

7. Third-Party Services

• Anthropic (Claude API): AI processing. Anonymized data is sent to Anthropic servers (USA). We have DPA in place.
• Supabase: Database and authentication. EU-hosted PostgreSQL.
• Google OAuth: Optional sign-in method. Subject to Google's privacy policy.
• Vercel: Hosting. Edge functions in EU region.

8. Your Rights (GDPR)

Under the EU General Data Protection Regulation, you have the right to:

• Access: View all your data anytime in your dashboard
• Portability: Export your data as JSON, Markdown, or plain text
• Erasure: Delete all your data and account permanently
• Rectification: Edit any AI observation or personal data
• Restriction: Make your profile private to stop public processing
• Objection: Contact us to object to any data processing

To exercise any of these rights, contact us at [email protected] or use the controls in your dashboard.

9. Cookies

We use essential cookies onlyfor authentication sessions. No tracking cookies. No advertising cookies. No third-party analytics cookies. Your browser's localStorage is used to cache your portrait locally for faster access.

10. Data Retention

We retain your data as long as your account is active. When you delete your account, all associated data (portraits, profile, authentication records) is permanently deleted within 30 days.

11. Children's Privacy

Hive is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided data to us, please contact us.

12. Contact & Data Controller

Hive (Skorly Oy), Helsinki, Finland
Data Controller: Hive (Skorly Oy)
For privacy inquiries: [email protected]
For general inquiries: [email protected]

9. Payments & Subscriptions

Premium features (Personal Pages) are processed through Stripe, Inc.We do not store your credit card details — all payment data is handled by Stripe under their Privacy Policy.

We store your Stripe customer ID and subscription status to manage your access. Subscription data is retained for the duration of your account plus 90 days for accounting purposes.

Cancellation: You may cancel your subscription at any time through the billing portal in your dashboard. Your page remains active until the end of the current billing period.

Refunds: We offer a full refund within 7 days of your first payment. Contact [email protected].

10. Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you via email within 72 hours of becoming aware of the breach, as required by GDPR Article 33. We will also notify the relevant supervisory authority.

11. Data Retention

Active accounts: Data is retained as long as your account is active.

Account deletion: When you delete your account, all personal data is permanently removed within 30 days. Anonymized, aggregated data may be retained for analytics.

Inactive accounts: Accounts with no login activity for 24 months may be flagged for deletion. You will receive an email notification 30 days before deletion.

12. Automated Decision-Making

Your AI Mirror portrait is generated by automated processing (Claude API). This portrait is informational only and does not affect your access to services or rights. You may request human review of any AI-generated content by contacting [email protected].