Privacy Policy
Overview
HASP ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform (the "Service"), including usehasp.com, app.usehasp.com, docs.usehasp.com, usehasp.run, and associated subdomains. By using the Service, you agree to the collection and use of information as described in this policy.
Information We Collect
Information you provide directly:
- Account information: Your name and email address when you register. Authentication is handled via third-party sign-in providers (Google, Microsoft), email-based magic link, or enterprise SSO — HASP does not collect or store passwords.
- Organization information: Your organization or company name, if provided.
- Payment information: When you add a payment method, your billing details (card number, expiry, CVV) are collected and processed directly by our payment processor, Stripe. HASP does not store raw card data — we store only a tokenized reference and the last four digits of your card for display purposes. Stripe's privacy policy governs their handling of payment data.
- AI inputs and outputs: Chat messages, prompts, uploaded documents, RAG retrieval queries, and the model responses returned to you. For customers operating under a signed BAA, these may include Protected Health Information (PHI) and are handled per our HIPAA controls — see "PHI and HIPAA" below and the Trust Center.
- Internal-app content: The static files (HTML, CSS, JavaScript, and related assets) you upload when publishing internal apps to the Service, and any structured data records your apps create via the Data API.
- Communications: Messages you send to us via email or support channels.
Information collected automatically:
- Usage data: Pages visited, features used, actions taken, and timestamps of your interactions with the Service.
- Device and browser information: IP address, browser type and version, operating system, and device identifiers.
- Log data: Server logs including access times, referring URLs, and error logs.
- Cookies and similar technologies: See the Cookies section below.
How We Use Your Information
We use the information we collect to:
- Provide, operate, maintain, and improve the Service
- Process and host the tools you publish and serve them to your authorized team members
- Process payments and manage your subscription
- Send transactional and product communications including receipts, security alerts, account notifications, onboarding reminders, trial status updates, and upgrade suggestions related to your account and service usage
- Respond to your support requests and communications
- Monitor usage patterns and analyze trends to improve the Service
- Detect, investigate, and prevent abuse, fraud, impersonation, and violations of our Terms of Service
- Comply with legal obligations and respond to lawful requests from authorities
- Enforce our Terms of Service and protect the rights and safety of HASP and its users
We do not use your content (uploaded tools, file attachments, and application data records) for any purpose other than hosting, serving, and enforcing our Terms of Service.
Data Sharing and Disclosure
We do not sell your personal information. We may share your information only in the following circumstances:
- Service providers (sub-processors): We share data with third-party sub-processors who help us operate the Service. The current list — kept in sync with the Trust Center sub-processor register — is:
  - Compliance substrate: Aptible (managed PostgreSQL, application hosting, network — HIPAA + SOC 2 substrate inheritance on dedicated AWS infrastructure)
  - AI inference (Anthropic): Anthropic, PBC (Claude inference for chat, document analysis, AI Studio, public API, and agent workflows) — direct integration under HASP Healthcare BAA. Processes de-identified prompt and completion content; PHI is redacted by HASP before content leaves our substrate. Anthropic does not train on commercial API traffic.
  - AI inference (OpenAI): OpenAI (GPT inference as alternative provider) — direct integration under HASP Enterprise BAA. PHI redacted by HASP before send. OpenAI does not train on commercial API traffic.
  - PHI handling (HASP-owned): PHI de-identification, redaction, and re-identification is performed by HASP's own pipeline — built on Microsoft Presidio with healthcare-specific custom recognizers, running on Aptible-managed infrastructure inside the HASP compliance boundary. PHI handling is not delegated to a third party.
  - RAG embeddings: Voyage AI (voyage-4 embedding model for document RAG). Receives document text after PHI redaction.
  - Document OCR: Amazon Web Services (Textract — text extraction from scanned-document uploads). Receives uploaded document images and text, which may contain PHI before redaction; operates as our subcontractor business associate under an AWS BAA addendum.
  - Web search retrieval (primary): Tavily — primary provider for the AI's web.search tool. Receives search queries only. HASP ensures no PHI is ever transmitted to this provider. Tavily Privacy Policy.
  - Web search retrieval (fallback): Serper — optional fallback provider. Same scope as Tavily — HASP ensures no PHI is ever transmitted to this provider. Serper Privacy Policy.
  - Edge delivery: Cloudflare (content delivery, DNS, custom domain routing, DDoS mitigation, R2 object storage). Request metadata only; no PHI.
  - Payments: Stripe (subscription billing, four-meter usage reporting, payment processing, Stripe Tax). Customer billing metadata only; no PHI.
  - Email: Postmark (transactional email delivery for account and system notifications)
  - SSO + SCIM: WorkOS (SAML/SSO authentication and SCIM provisioning for Business and Enterprise accounts; processes identity attributes and group memberships on our behalf)
  - OAuth providers: Google and Microsoft (when Customer enables provider sign-in). Identity attributes only.
  - Analytics: PostHog (product analytics; loaded only with explicit cookie consent)
  - Performance monitoring: Nightwatch (job queue health, slow queries, scheduled commands, server metrics)
  - Error tracking: Sentry (backend exceptions and frontend JavaScript errors)
  - Secrets management: Doppler (stores and syncs HASP's internal application secrets to Aptible environment config; does not process customer Personal Data — only HASP infrastructure credentials)
- Legal process and law enforcement: We may disclose your information — including account details, content, and access logs — in response to valid legal requests such as subpoenas, court orders, or government investigations. We may also proactively share information with law enforcement where we believe it is necessary to prevent or respond to illegal activity, fraud, abuse, or threats to safety. Where permitted by law, we will notify affected users of legal requests.
- Abuse and impersonation reports: Where a user's content or conduct is found to impersonate or harm a third party, we may disclose relevant account information and content to the affected organization or individual, or their legal representatives, as part of our abuse remediation process.
- Business transfers: If HASP is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
- With your consent: We may share information in any other circumstance where you have given us explicit consent to do so.
PHI and HIPAA
HASP is a HIPAA-ready AI platform. When a customer signs a Business Associate Agreement (BAA) with us, HASP becomes a business associate to that customer; Anthropic, OpenAI, and Voyage AI operate as our subcontractor business associates under separate BAAs we hold with each.
Concretely, this means:
- Real PHI is prohibited until your BAA is countersigned. During the Free Evaluation, the Service is restricted to non-PHI use. PHI mode unlocks per organization the moment the BAA is signed in-app.
- HASP-owned PHI handling. PHI de-identification, redaction, and re-identification is performed by HASP's own pipeline (built on Microsoft Presidio with healthcare-specific custom recognizers). Every chat turn, uploaded text, and tool definition passes through the pipeline before any prompt leaves HASP's substrate. Detection events are logged with the categories that fired, the action taken (redact / allow / block), and the user who initiated the request. Default action is configurable per organization.
- Per-org data isolation. Solo, Professional, and Business orgs share a multi-tenant Postgres cluster with row-level isolation by org. Enterprise orgs run on a dedicated per-org Postgres data plane — their own database, pgvector index, and file storage.
- Tamper-evident audit trail. Every action in the system — chat turn, document upload, RAG retrieval, API call, agent tool invocation, BAA event, PHI detection, admin action — is recorded in a hash-chained log signed with an Ed25519 key bound to your tenant. Customers can export the chain and verify it independently using the verification recipe.
- No training on customer data. HASP does not train any model on customer data, period. Our inference provider BAAs (Anthropic, OpenAI) prohibit training on commercial API traffic. Your conversations, documents, and prompts are not used to improve any model — ours or any provider's.
Full framework details, control matrix, sub-processor register, and document-request process live at the Trust Center.
Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Active accounts: Account and content data is retained for the duration of your subscription.
- Account deletion: When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law or legitimate business necessity (e.g., billing records, dispute resolution).
- Terminated accounts (for cause): Where an account is terminated due to a violation of our Terms of Service — including abuse, impersonation, or illegal activity — we may retain relevant account data, content, and logs for up to 7 years for legal, compliance, and law enforcement purposes.
- Billing records: Payment and transaction records are retained for a minimum of 7 years as required by applicable financial regulations.
- Legal holds: Data subject to a legal hold (e.g., in connection with a subpoena or ongoing investigation) will be retained until the hold is lifted.
- Audit logs: Platform activity records are maintained as an immutable audit log for security and compliance integrity. These records may reference your account identifier even after account deletion and are not subject to erasure requests, as deletion would compromise the integrity of the audit chain. Personal identifying information within audit logs is minimized, and audit logs are not used for any purpose other than security, compliance, and legal obligations.
Data Storage and Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Your published tools are stored securely and are only accessible to members of your team through authenticated access. Authorized HASP personnel may access your account session for support, debugging, or investigation purposes. All such access is recorded in an immutable audit log. For organizations that handle PHI, our operational tooling renders PHI as redacted placeholders by default; viewing unredacted PHI is a separate path that requires per-instance approval from one of your organization's administrators and is time-bounded. A break-glass exception exists for active security incidents, with immediate notification to your organization and a mandatory post-incident review. However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you without undue delay and within the timeframes required by applicable law. Where feasible, we will provide notification within 72 hours of becoming aware of the breach. Notification will describe the nature of the breach, the data affected, likely consequences, and the measures we are taking to address it.
Cookies
We use the following categories of cookies:
- Essential cookies: Required for the Service to function, including session authentication and security tokens. These cannot be disabled.
- Preference cookies: Store your settings such as theme preference (light/dark mode).
- Analytics cookies: PostHog is used to understand how the Service is used. PostHog may collect event data, session information, and device details. You can review PostHog's privacy policy at posthog.com/privacy. Analytics are collected on the HASP platform (usehasp.com, app.usehasp.com). Analytics data is routed through a HASP-operated proxy (e.usehasp.com) before reaching PostHog's servers. The developer documentation portal (docs.usehasp.com) collects anonymous page view events using memory-only storage — no cookies or persistent identifiers are used. The runtime domain (usehasp.run) where hosted apps are served does not load third-party analytics on behalf of app end-users. We honor the Do Not Track (DNT) browser signal. When DNT is enabled, analytics tracking is disabled.
You can control non-essential cookie settings through your browser preferences. Disabling essential cookies will prevent the Service from functioning correctly.
Children's Privacy
The Service is not intended for use by children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 16, please contact us at [email protected].
Your Rights
Subject to applicable law, you have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your account and associated personal data, subject to retention obligations described above.
- Export: Export your personal data at any time through your account settings. Organization administrators on Business and Enterprise plans may additionally export full organization data — including members, apps, schemas, and records.
- Objection: Object to processing of your personal data for certain purposes.
- Opt-out of communications: Unsubscribe from non-essential marketing communications at any time. Transactional and security communications cannot be opted out of while your account is active.
Please note that certain data — specifically immutable audit log records maintained for security and compliance integrity — cannot be erased even upon request. See the Data Retention section for details.
GDPR — European Users
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional rights and protections apply under the General Data Protection Regulation (GDPR) and equivalent legislation:
- Legal basis: We process your data on the following legal bases: performance of a contract (to provide the Service), legitimate interests (security, fraud prevention, service improvement), legal obligation (compliance with law), and consent (where explicitly obtained).
- Data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Restriction: You may request that we restrict processing of your data in certain circumstances.
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority.
Data transfers outside the EEA are subject to appropriate safeguards including Standard Contractual Clauses where required.
CCPA — California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following additional rights:
- Know: The right to know what personal information we collect, use, disclose, and sell.
- Delete: The right to request deletion of your personal information, subject to certain exceptions.
- Opt-out of sale: We do not sell personal information. There is nothing to opt out of.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your California privacy rights, contact us at [email protected]. We will respond within 45 days as required by law.
PIPEDA / CPPA — Canadian Residents
If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how we handle your personal information. We satisfy all ten of PIPEDA's fair-information principles through the same controls that underpin our GDPR compliance. Our control set is also designed to satisfy Canada's forthcoming Consumer Privacy Protection Act (CPPA, Bill C-27) when it comes into force.
- Access: You have the right to request access to the personal information we hold about you and to know how it has been used or disclosed.
- Correction: You have the right to challenge the accuracy and completeness of your personal information and request corrections.
- Withdrawal of consent: Where we rely on consent as the basis for processing, you may withdraw it at any time, subject to legal or contractual restrictions.
- Complaint: You have the right to challenge our compliance with PIPEDA by contacting us, and to escalate to the Office of the Privacy Commissioner of Canada if you are not satisfied with our response.
Your personal information may be transferred to and processed in the United States. HASP remains accountable for the protection of personal information transferred to third-party service providers and requires each provider to maintain equivalent protections by contract, as required under PIPEDA Schedule 1 §4.1.3.
To exercise your PIPEDA rights or submit a complaint, contact us at [email protected]. We will respond within 30 days.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and where practicable, by email or in-app notification. Continued use of the Service after changes constitutes acceptance of the revised policy.
Contact Us
For questions or requests regarding this Privacy Policy or your personal data, contact us at [email protected].
To report a privacy violation, data breach concern, or abuse, contact us at [email protected].