Hodor – Privacy Policy

Last update · 12/06/2026

This privacy policy (“Privacy Policy”) has been drafted by the simplified joint-stock company (société par actions simplifiée) Colibri, incorporated under the laws of France, registered with the Nanterre Trade and Companies Register under the number 988 928 891, with its head office located at 17 rue Saint-James, Neuilly-sur-Seine (92200), France (“Hodor”).

Hodor provides a Solution that enables Clients to create, manage and monitor AI agents.

The purpose of the Privacy Policy is to describe the processing of personal data carried out by Hodor in fulfilment of its information obligations. The Privacy Policy is published and accessible at any time on the following website: https://www.hodor.ai

This Privacy Policy is established in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, as well as Law No. 78-17 of 6 January 1978 (Loi relative à l’informatique, aux fichiers et aux libertés) in its latest version (the “Personal Data Regulation”).

Hodor has designated a data protection officer who may be contacted at dpo@hodor.ai for questions related to this Privacy Policy.

01 Definitions

The following definitions are applicable to the entire Privacy Policy:

  • “Account”: refers to the personal account allowing any User to access the Solution.
  • “Client”: refers to any legal entity that has entered into a contract with Hodor in order to benefit from the Solution.
  • “Contract”: refers to any contract concluded between Hodor and a Client in order to provide the Solution.
  • “Data Subject”: refers to a Visitor, User, or any other individual whose personal data is processed by Hodor.
  • “Data Processor”: refers to any company whose services Hodor uses to implement the various personal data processing operations described below.
  • “Solution”: refers to the digital platform developed by Hodor called Hodor and available at app.hodor.ai.
  • “User”: refers to any natural person who uses the Solution as an employee or as a service provider of the Client.
  • “Visitor”: refers to any person consulting or browsing the Website.
  • “Website”: refers to Hodor’s marketing website available at https://www.Hodor.ai/.

Unless the context requires otherwise, definitions in the singular include the plural and vice versa.

02 Personal data collected and processed

2.1 Hodor acting as a data controller

Hodor is the data controller, within the meaning of the Personal Data Regulation, of the following data:

Personal data collected in the context of the Website and/or Hodor’s activities:

  • Contact data (name, email address, job title, company name, appointment details);
  • Navigation data on the Website (IP address, browsing data, unique identifier associated with a cookie, language preferences).

Personal data collected in the context of the Solution:

  • Users’ general information (name, email address, company name);
  • Users’ login information (login ID, password, session start and end time, IP address, location, session history, browsing data);
  • Personal data of Users provided in the context of support requests (issues encountered by Users, session recordings or logs);
  • Information relating to the User’s device (device type, operating system, browser type and version).

2.2 Hodor acting as a data processor

Hodor acts as the data processor, within the meaning of the Personal Data Regulation, of the following data:

  • Activity of the User within the Solution (including prompts, AI agents created, and any other personal data contained in the content uploaded or processed by a User through the Solution …);
  • Activity / audit logs (activities): method, path, status, duration plus the full request_payload and response_payload of every agent API call. These payloads can contain personal data pulled from connected tools (Gmail, Drive, Notion, Slack…). Access to them is controlled by a payload_visibility flag (owner_only/workspace_visible) with an admin approval workflow, and they are encrypted at rest (Fernet);
  • Third-party credentials stored on the Client’s behalf (integrations): OAuth access/refresh tokens and API keys to Google/Microsoft/Notion/etc., encrypted at rest (Fernet).

The terms and conditions under which the Client has instructed Hodor to process personal data are set out in the Contract entered into between Hodor and the Client, in accordance with the Personal Data Regulation.

Consequently, any Data Subject contacting Hodor in relation to processing activities carried out by Hodor in its capacity as data processor will be redirected to the relevant data controller.

03 Processings, purposes, legal basis

3.1 Hodor acting as a data controller

| No. | Processing | Purpose | Legal Basis |
|---|---|---|---|
| 1 | Account creation and management | Create and manage Accounts in order to enable Clients and Users to access and use the Solution. | Performance of the Contract |
| 2 | Connection and identification of Users | Identify Users when they use their Account and allow them to retrieve information related to their Account. | Performance of the Contract |
| 3 | Processing assistance requests | Respond to User assistance requests and enable them to benefit from the services as contractually agreed with the Client. | Performance of the Contract |
| 4 | Audience measurement | Identify and analyse Visitors to the Website for audience measurement purposes (number of visits, pages viewed, browsing activity…) | Consent |
| 5 | Prospecting | Conduct commercial prospecting activities to identify potential clients, contact prospects and promote the Solution. | Legitimate interest |
| 6 | Newsletter | Inform Clients about the development of Hodor's Solution and service offering. | Legitimate interest |
| 7 | Management of Clients | Manage the contractual and commercial relationship with the Client. | Legitimate interest |
| 8 | Contact Visitors | Contact Visitors who have provided their contact details to learn more about Hodor and/or to schedule an appointment with Hodor. | Consent |
| 9 | Litigation | Allow Hodor to organize its defense in the event of any litigation or pre-litigation. | Legitimate interest |
| 10 | Payment | Process payments due by the Client. | Performance of the Contract |
| 11 | Invoicing and accounting | Enable Hodor to comply with its legal obligations with respect to accounting and tax and, where applicable, provide the relevant tax and accounting documents to the competent authorities. | Legal obligations |
| 12 | Fraud | Protect Hodor, Clients and Users from fraud. | Legitimate interest |

3.2 Hodor acting as a data processor

Hodor processes personal data as a data processor to provide the Solution and any associated services in accordance with the Contract entered into between Hodor and the Client, acting as data controller. In particular, personal data is processed to enable the Client to create, deploy and manage AI agent identities and permissions within the Solution.

04 Recipients of personal data

The personal data collected and processed are necessary for the pursuit of all of the aforementioned purposes and are intended for the internal management services of Hodor as well as, if necessary, for its Data Processors.

The categories of Data Processors to whom personal data may be transferred are the following:

  • Daily operations: Data Processors which provide digital solutions for Hodor's day-to-day activities such as data hosting, detection of Solution errors or bugs, monitoring of the use of the Solution, updates and proper functioning of the Solution.
  • Maintenance services: Data Processors which have access to Hodor technology to perform maintenance or troubleshoot technical problems in connection with Hodor products and/or services in case of emergency.
  • Marketing and communication operations: Data Processors which provide online communication solutions and social media services, enabling data analysis for marketing purposes.
  • Management and advisory operations: Data Processors which assist Hodor with management and compliance (whether accounting, legal, financial, or audit-related).
  • Financial services: Data Processors which provide specialized financial services solutions such as payment services.

It is hereby clarified that neither Hodor nor its Data Processors sell personal data of Data Subjects.

05 Retention of personal data

The data of Data Subjects is not retained beyond the period strictly necessary for the purposes outlined in this Privacy Policy. In particular:

  • Personal data collected during visits to the Website through cookies is retained for a period of 12 months from the collection of personal data.
  • Personal data collected when a Data Subject fills in a form on the Website is retained for a period of 3 years from the last interaction with the Data Subject or, in the absence of such interaction, from the date on which the form was submitted.
  • Personal data associated with Accounts is retained for the duration of the Contract with the Client.
  • Data processed in connection with assistance requests is retained for the time required to address the request.

The retention period applicable to personal data processed by Hodor in its capacity as data processor may be governed by specific terms agreed between Hodor and the Client, in its capacity as data controller.

Hodor undertakes to anonymize, archive or delete personal data of Data Subjects as soon as the purpose and retention period expire, subject to the time necessary to comply with its legal obligations, particularly in consideration of civil and commercial statutes of limitations.

06 Rights of Data Subjects

6.1 Description of Data Subjects’ rights

In accordance with the Personal Data Regulation, Data Subjects benefit from various rights over their personal data, such as:

  • Right of access: any Data Subject can find out what personal data Hodor has about him or her and obtain a copy of this data.
  • Right to rectification and to erasure: Data Subjects can ask for the correction of inaccurate or outdated personal data about them, as well as their deletion.
  • Right to object and to restriction of processing: Data Subjects can object to how Hodor processes their personal data or request that the processing concerning them be restricted, to the extent possible and subject to compelling legitimate grounds that Hodor may have for continuing processing, such as legal obligations.
  • Right to withdraw consent: any Data Subject who has consented to a processing has the right to withdraw his or her consent, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to data portability: Data Subjects can request Hodor to send their personal data in a structured, commonly used and machine-readable format for transmission to another data controller, provided that this is possible.
  • Right to set directives regarding the fate of personal data after death: any individual may provide Hodor with directives concerning the handling of their data in the event of death, including whether or not to disclose their data to third parties.
  • Right to lodge a complaint with a supervisory authority: any Data Subject may contact the CNIL or any competent data protection authority, if he or she believes that Hodor has not complied with certain rules set out in the Personal Data Regulation (information on how to lodge a complaint with the CNIL is provided on its site).

6.2 Exercise of rights

For any question relating to the processing of their personal data or to exercise their rights under the Personal Data Regulation, Data Subjects may contact Hodor at the following addresses:

  • Via email: dpo@hodor.ai and/or
  • Via letter: Colibri SAS, 17 rue Saint-James, 92200, Neuilly-sur-Seine, France.

The exercise of the rights offered by the Personal Data Regulation is not unlimited (Hodor is entitled to refuse to act on manifestly unfounded or excessive requests), and each right is subject to conditions imposed by the Personal Data Regulation. As such, the following elements are specified:

  • Identity: any Data Subject must prove his or her identity and indicate the address at which he or she wishes to be contacted.
  • Response time: the requests are processed by Hodor within a reasonable time taking into account the complexity, the number of requests formulated and the Personal Data Regulation.
  • Free of charge: the exercise of rights is in principle free of charge. In cases where a request would imply significant costs, the Data Subject could be required to pay a fee.

These requirements must be respected, otherwise requests may not be processed.

07 Data transfers

The personal data processed by Hodor is hosted by Scaleway, whose servers are located in France.

08 Cookies and other trackers

Hodor uses cookies and trackers, which are small computer files stored on your devices, to collect data about your browsing habits, record your visits to specific pages, and provide additional services such as enhancing your browsing comfort.

In accordance with article 82 of the French Law No. 78-17 of 6 January 1978, Loi relative à l’informatique, aux fichiers et aux libertés, any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he or she has been informed beforehand, by the data controller or its representative of (i) the purpose of any action aimed at accessing, by electronic transmission, information already stored in his or her electronic communications terminal equipment or at entering information in this equipment and (ii) the means available to him or her to object to it. Such access or writing may only take place on the condition that the subscriber or user, after receiving such information, has expressed his or her consent. Data Subjects may withdraw their consent to the use of these cookies by clicking here: www.hodor.ai/cookies

It is also provided that these rules are not applicable if the access to information stored in the user's terminal equipment or the registration of information in the user's terminal equipment (i) either has the exclusive purpose of enabling or facilitating communication by electronic means, or (ii) is strictly necessary for the provision of an online communication service at the express request of the user.

Within the framework of this exception, Hodor uses the following cookies:

  • cookies for audience measurement in order to measure the activity and the traffic of the Website.
  • cookies for fraud prevention in order to detect and prevent fraudulent activity on the Website or the Solution.
  • cookies for personalization of the interface in order to record the language preferences expressed by the Visitor.

09 Security measures

Hodor takes all physical, logistic and organizational security measures to guarantee a high level of security for the protection of personal data and in particular to prevent the latter from being distorted, damaged or communicated to unauthorized persons. The security measures include in particular:

  • Regular security audits performed by third-party service providers
  • Pen-tests on the data infrastructure performed every 6 months

10 Changes to the privacy policy

Hodor may change this Privacy Policy from time to time as the manner in which personal data is handled may change due to the development of the Website, the Solution, or applicable rules.

In such a situation, Data Subjects will be notified of updates, either by sending an email or through a notice on the Website, at least fifteen days prior to a material change to the Privacy Policy.