Overview
Hibiscus AI ("Hibiscus", "we", "us") builds a personal AI companion that helps you plan, remember, and act. This Privacy Policy explains what data we collect, how we use it, and the choices you have. We designed Hibiscus to be private by default — you own your memory, and we never sell your data or use it to train third-party models.
Data we collect
- Account data — name, email, password hash, billing address, and country.
- Order data — credits purchased, chosen currency, promo codes, and payment method used for the transaction.
- Content you provide — messages, tasks, calendar items, documents, and other content you save into Hibiscus.
- Usage data — feature interactions, credit consumption, error logs, and performance metrics.
- Device data — IP address, browser type, operating system, and approximate location derived from the IP.
How we use your data
- To operate and improve the Hibiscus service.
- To process payments and manage your credit balance.
- To provide the AI features you request — memory, chat, planning, research, and automations.
- To secure the service, detect abuse, and enforce our Acceptable Use Policy.
- To send transactional emails (order receipts, security alerts, and product updates you opted into).
Legal basis (GDPR)
For customers in the European Economic Area and the United Kingdom, we process personal data on the following bases: contract (to deliver the service you purchased), legitimate interests (to secure and improve the service), legal obligation (tax, accounting, fraud prevention), and consent (marketing communications and non-essential cookies).
AI training and model use
Your content is never used to train foundation models — ours or any third-party provider's. When Hibiscus uses an external model to generate a response, only the minimum context needed for that single request is sent, and providers are contractually required to not retain or train on it.
Data retention
- Account data — while your account is active, plus up to 12 months after closure.
- Order and invoicing data — retained for the period required by tax law (typically 6–10 years).
- Content you save into Hibiscus — kept until you delete it or close your account.
- Server and security logs — up to 90 days.
Your rights
Depending on where you live, you have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing. You can also withdraw consent at any time. To exercise these rights, email [email protected]. We respond within 30 days.
Security
Data is encrypted in transit using TLS and at rest using industry-standard encryption. Access to production systems is limited to authorized personnel, protected by SSO and hardware keys, and logged. No system is perfectly secure — if you believe your account has been compromised, contact [email protected].
Children
Hibiscus is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
International transfers
Hibiscus operates globally. Where personal data is transferred outside the EEA or the UK, we rely on Standard Contractual Clauses or another approved transfer mechanism.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by email or through an in-product notice at least 14 days before they take effect.
Email us at [email protected] and we'll get back to you within two business days.