Legal
Privacy Policy
This policy explains how HiAgent handles personal data for the website, account dashboard, AI support widget, source ingestion, lead capture, and related production systems.
Last updated: May 23, 2026
Information we collect
- Account details such as name, work email, company name, website, selected plan, authentication provider, and login/session metadata.
- Workspace configuration such as widget settings, uploaded or connected knowledge sources, source summaries, activity logs, and plan status.
- Customer website widget data such as visitor questions, optional visitor email addresses, conversation history, lead records, missed questions, confidence metadata, page URLs, and timestamps.
- Public contact form data such as name, email, company, topic, subject, message, page URL, request metadata, and timestamps.
- Technical data such as IP-derived request metadata, browser/device information, security logs, rate-limit events, and cookies needed for login, Google OAuth state, CSRF protection, and fraud prevention.
How we use information
- Provide the HiAgent dashboard, AI support widget, source-based answers, lead capture, missed-question review, and human handoff workflows.
- Authenticate users, preserve selected plan and billing intent, protect sessions, prevent abuse, diagnose production issues, and maintain service security.
- Process uploaded or connected sources so the widget can answer from the business knowledge the account owner chooses to connect.
- Improve reliability, debug failed requests, comply with legal obligations, and respond to account, support, privacy, or security requests.
AI providers and third parties
- HiAgent may send a visitor question and relevant source excerpts to a server-side AI model provider when an account enables AI answers. Model credentials stay server-side.
- Google OAuth is used only when a user chooses to continue with Google. Google may process the OAuth request under Google's own terms and privacy policy.
- Google Analytics may process page and device interaction data so HiAgent can understand website traffic and improve the public website and signup funnel.
- HiAgent uses a consent banner to store cookie choices and communicate Google Consent Mode signals to Google tags.
- Hosting, database, storage, deployment, analytics, email, support, and security providers may process data only as needed to operate the service.
- This repository does not currently load Meta Pixel or other ad-tracking scripts on public pages. If Meta Business Tools or similar ad measurement tools are enabled later, the policy and consent flow should be updated before use.
Cookies and local storage
- HiAgent uses required cookies for authenticated sessions, Google OAuth state, CSRF protection, and dashboard security.
- The browser may store local UI state needed to keep the dashboard and widget settings usable. These controls are operational, not third-party ad-tracking cookies.
- Google Analytics is loaded with Consent Mode defaults that deny analytics and advertising storage until consent is updated. Advertising cookies or additional ad pixels should be controlled through the consent flow before activation.
Retention and deletion
- Account, workspace, source, conversation, lead, and missed-question data is kept while the account remains active or while needed to provide the service.
- Security logs and backup records may be retained for a limited period to prevent abuse, investigate incidents, comply with legal obligations, and restore service integrity.
- Account owners can request deletion or export of their workspace data. Some records may remain where retention is legally required or technically necessary for backups and security.
Customer responsibilities
- Customers who install the widget on their own websites are responsible for telling their visitors that the widget may collect questions, email addresses, page URLs, and conversation content.
- Customers should avoid uploading sensitive personal data, payment card data, health data, government IDs, or regulated information unless they have a lawful basis and written approval for that use.
- Customers are responsible for reviewing AI answers, configuring sources accurately, and providing any visitor notices required by their own privacy obligations.
Your rights and choices
- Depending on your location, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data.
- You can stop using the service, remove connected sources, disable lead capture, or request account deletion.
- To make a privacy request, use the contact page from the email address associated with the account.
Cookie declaration
- Required cookies support account sessions, security controls, Google OAuth state, CSRF protection, and cookie preference storage.
- Optional analytics cookies are used only after consent to measure public website traffic and signup funnel performance.
- Optional marketing and personalization cookies are used only after consent and may be changed as the public website adds or removes campaign tools.
Contact
For privacy requests, account deletion, or questions about this policy, use the contact page.
