1. Who we are
HalluciBlock (“HalluciBlock”, “we”, “us”) provides a grounded AI assistant platform that answers only from facts a customer teaches it. HalluciBlock is operated by [Company legal name], registered at [registered address]. For data-protection questions, contact privacy@halluciblock.com.
For most personal data we process about our customers’ end-users (the people who chat with a customer’s bot), the customer is the data controller and we act as a data processor on their behalf. For data about our own account holders, we are the controller.
2. Information we collect
- Account data — your work email, organisation name, and a securely hashed password (we never store passwords in plain text).
- Knowledge you teach — the facts, documents, and content you add to train your assistant. This is your data; we store it to operate the service.
- Conversations & questions — messages sent to your bot, the answers and citations returned, and the questions it couldn’t answer (“knowledge gaps”), so you can improve it.
- Usage & technical data — request counts, plan limits, timestamps, approximate region, browser/IP metadata, and error logs needed to run, secure, and meter the service.
- Billing data — your plan and subscription status. Card payments are handled entirely by Stripe; we never see or store full card numbers.
- Cookies & local storage — see Cookies below.
3. How we use your data & our legal bases
| Purpose | GDPR legal basis |
|---|---|
| Provide and operate the service (auth, training, answering, the widget) | Performance of a contract |
| Bill subscriptions and prevent payment fraud | Contract · legal obligation |
| Secure the platform, enforce limits, and debug | Legitimate interests |
| Improve features and reliability (aggregated/anonymised where possible) | Legitimate interests |
| Send service and account emails | Contract · legitimate interests |
| Optional analytics & marketing cookies | Consent (you can withdraw anytime) |
| Comply with law and respond to lawful requests | Legal obligation |
4. AI and your data
HalluciBlock is grounded by design — your assistant answers only from the facts you teach it, which are stored in your isolated tenant. To generate answers, pooled plans use vetted third-party inference providers under strict contractual terms: no training on your data and zero data retention. In extractive mode, only the relevant stored facts and the question are sent — never your whole knowledge base. Enterprise plans run on dedicated, isolated infrastructure (your own model and region, optionally in your own cloud), so your data never leaves your environment. In no case is your data used to train external models.
5. Sharing & sub-processors
We do not sell your personal data. We share it only with vetted sub-processors who help us run the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Subscription billing & card processing | EU / US |
| MongoDB Atlas | Database hosting (your tenant data) | Region of your cluster |
| Amazon Web Services | Application hosting | EU / US |
| Managed inference provider | AI answer generation (no-training, zero-retention) | EU / US |
| Vercel | Web app hosting & CDN | Global edge |
We may also disclose data where required by law, to protect rights and safety, or in connection with a merger or acquisition (with notice).
6. International transfers
Where data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK Addendum, together with additional technical measures.
7. Data retention
We keep account and knowledge data for as long as your account is active. If you delete content, or close your account, we delete or anonymise the associated personal data within a reasonable period, except where we must retain limited records to meet legal, tax, or security obligations. Deleting a tenant removes its database records.
8. Your rights
Under the GDPR and similar laws you have the right to:
- access a copy of your personal data;
- rectify inaccurate data;
- erase your data (“right to be forgotten”);
- restrict or object to certain processing;
- data portability;
- withdraw consent at any time (e.g. for optional cookies); and
- lodge a complaint with your supervisory authority (in the UK, the ICO).
To exercise any of these, email privacy@halluciblock.com. If your request concerns data processed on behalf of one of our customers, we will refer you to, or assist, that customer as the controller.
9. Cookies & local storage
We use strictly-necessary storage to keep you signed in (an auth token in your browser’s local storage) and to remember your cookie choices. Optional analytics or marketing cookies are only set after you consent via our cookie banner. You can change your choices at any time using the “Cookie preferences” link in the footer.
10. Children
The service is not directed to children under 16, and we do not knowingly collect their personal data.
11. Security
We protect data with encryption in transit, tenant isolation, hashed credentials, and access controls. See our Security overview for detail.
12. Changes to this policy
We may update this policy; we will revise the “last updated” date and, for material changes, notify you.
13. Contact
Privacy & data protection: privacy@halluciblock.com. Postal: [registered address].