Legal

Privacy Policy

Your life stays yours. This policy explains what Hibiscus collects, how we use it, and the controls you have.

Last updated: October 14, 2025
01

Overview

Hibiscus AI ("Hibiscus", "we", "us") builds a personal AI companion that helps you plan, remember, and act. This Privacy Policy explains what data we collect, how we use it, and the choices you have. We designed Hibiscus to be private by default — you own your memory, and we never sell your data or use it to train third-party models.

02

Data we collect

  • Account data — name, email, password hash, billing address, and country.
  • Order data — credits purchased, chosen currency, promo codes, and payment method used for the transaction.
  • Content you provide — messages, tasks, calendar items, documents, and other content you save into Hibiscus.
  • Usage data — feature interactions, credit consumption, error logs, and performance metrics.
  • Device data — IP address, browser type, operating system, and approximate location derived from the IP.
03

How we use your data

  • To operate and improve the Hibiscus service.
  • To process payments and manage your credit balance.
  • To provide the AI features you request — memory, chat, planning, research, and automations.
  • To secure the service, detect abuse, and enforce our Acceptable Use Policy.
  • To send transactional emails (order receipts, security alerts, and product updates you opted into).
05

AI training and model use

Your content is never used to train foundation models — ours or any third-party provider's. When Hibiscus uses an external model to generate a response, only the minimum context needed for that single request is sent, and providers are contractually required to not retain or train on it.

06

Sharing and subprocessors

We share data with a small set of vetted subprocessors that help us operate Hibiscus. Categories include cloud hosting, database and storage providers, payment processors, transactional email providers, error and analytics tooling, and inference providers for AI features. A current list is available on request from [email protected].

We do not sell personal data and do not share it with advertisers.

07

Data retention

  • Account data — while your account is active, plus up to 12 months after closure.
  • Order and invoicing data — retained for the period required by tax law (typically 6–10 years).
  • Content you save into Hibiscus — kept until you delete it or close your account.
  • Server and security logs — up to 90 days.
08

Your rights

Depending on where you live, you have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing. You can also withdraw consent at any time. To exercise these rights, email [email protected]. We respond within 30 days.

09

Security

Data is encrypted in transit using TLS and at rest using industry-standard encryption. Access to production systems is limited to authorized personnel, protected by SSO and hardware keys, and logged. No system is perfectly secure — if you believe your account has been compromised, contact [email protected].

10

Children

Hibiscus is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

11

International transfers

Hibiscus operates globally. Where personal data is transferred outside the EEA or the UK, we rely on Standard Contractual Clauses or another approved transfer mechanism.

12

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or through an in-product notice at least 14 days before they take effect.

Questions about this policy?

Email us at [email protected] and we'll get back to you within two business days.