Privacy Policy

Effective June 20, 2026

This Privacy Policy explains how Hydrus.ai, Inc. ("Hydrus," "we," "us," or "our") collects, uses, shares, and protects personal data in connection with our websites, applications, and services. We are committed to handling your data responsibly and transparently.

Who we are & scope

Hydrus.ai, Inc. is a U.S. corporation with a registered and mailing address at 30 N Gould St, Ste R, Sheridan, WY 82801, USA. We provide a software-as-a-service (SaaS) platform for AI governance and sustainability reporting, along with related consulting and partnership services.

Our AI governance product helps organizations maintain an inventory of AI systems, classify risk, and demonstrate compliance against frameworks including the EU AI Act, NIST AI RMF, ISO/IEC 42001, and AIUC-1, including fundamental-rights impact assessments, control mapping, and audit-ready evidence. Our sustainability product supports measurement and reporting of Scope 1, 2, and 3 emissions using a library of more than 800,000 emission factors, and reporting against frameworks such as CSRD, ISSB, the GHG Protocol, GRI, TCFD, and CDP.

This policy applies to our marketing site at hydrus.ai, our application at next.hydrus.ai, and our communications and business operations. When we provide our platform to a customer, that customer is typically the controller of the personal data it processes through the service, and Hydrus acts as a processor on the customer's behalf. In that role, our processing is governed by our agreement with the customer, and this policy describes our practices generally.

Information we collect

We collect information in three broad categories: account data you provide, usage and technical data we generate automatically, and customer content you submit to the platform.

  • Account data: your name, work email address, company or organization name, and job role or title, along with information needed to administer your account and authenticate you.
  • Usage, telemetry, and log data: information about how you interact with our services, including pages and features used, device and browser type, IP address, timestamps, diagnostic and performance logs, and information collected through cookies and similar technologies.
  • Customer content: the data you and your organization upload to or generate within the platform, including AI-system metadata, emissions and ESG data, uploaded documents and invoices, data ingested via email forwarding, data received through API integrations, and information extracted through optical character recognition (OCR).

How we use information

We use personal data to provide, operate, maintain, and improve our services; to create and administer accounts; to authenticate users and secure the platform; to process customer content so that you can manage AI governance and sustainability reporting workflows; and to provide customer support.

We also use information to communicate with you about your account, service updates, and security notices; to respond to inquiries submitted through our contact page or scheduling tools; to monitor and improve performance and reliability; to detect, prevent, and investigate fraud, abuse, and security incidents; and to comply with legal obligations and enforce our agreements.

  • Delivering and operating the platform and its features.
  • Authenticating users and safeguarding accounts and data.
  • Providing support and responding to requests.
  • Improving and developing our products and services.
  • Sending administrative, transactional, and security communications.
  • Meeting legal, regulatory, and contractual obligations.

Legal bases for processing (GDPR)

Where the European Union General Data Protection Regulation (GDPR) or the UK GDPR applies, we process personal data only when we have a valid legal basis to do so. The basis depends on the specific context in which we collect and use the data.

When Hydrus acts as a processor on behalf of a customer, the customer is responsible for establishing the legal basis for the processing of the personal data it submits to the platform.

  • Performance of a contract: to provide the services you or your organization have requested and to administer your account.
  • Legitimate interests: to secure, operate, and improve our services, to communicate with users, and to prevent fraud and abuse, where such interests are not overridden by your rights.
  • Consent: where required, for certain communications and for non-essential cookies, which you may withdraw at any time.
  • Legal obligation: to comply with applicable laws, regulations, and lawful requests.

How we share information & sub-processors

We do not sell personal data. We share personal data only as needed to operate our business and provide our services, and we require the parties we engage to protect personal data and use it only for the purposes we specify.

We engage trusted service providers (sub-processors) to support the delivery of our services. These currently include cloud hosting and infrastructure (Amazon Web Services), our scheduling provider (Calendly), our contact-form provider (Formspree), and large language model and AI providers used to power certain platform features. A current list of sub-processors is available on request.

We may also disclose information to comply with applicable law, regulation, legal process, or enforceable governmental request; to enforce our terms and protect the rights, property, or safety of Hydrus, our customers, or others; and in connection with a merger, acquisition, financing, or sale of assets, in which case we will continue to protect personal data consistent with this policy.

  • Cloud hosting and infrastructure: Amazon Web Services (AWS).
  • Scheduling: Calendly.
  • Contact forms: Formspree.
  • AI features: large language model and AI providers used to power platform functionality.

AI & your data

We do not use customer content to train foundation models, and we do not permit our AI sub-processors to use your customer content to train their models. Customer content is processed only to provide the requested functionality of the platform.

Certain features are powered by large language model and AI providers. Customers may choose to bring their own LLM key, allowing AI processing to occur through the customer's own provider account and under the customer's own arrangements with that provider.

We do not sell personal data and do not use customer content for advertising or for building or improving foundation models.

International data transfers

Hydrus is based in the United States and operates infrastructure in both the United States and the European Union. As a result, personal data may be transferred to, stored in, or processed in countries other than the one in which it was collected, including countries that may have different data protection laws.

Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs), where applicable. For eligible customers, we offer regional data residency options so that data can be hosted in a chosen region.

Data retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy, including to provide our services, maintain your account, comply with our legal and contractual obligations, resolve disputes, and enforce our agreements.

When Hydrus acts as a processor, customer content is retained in accordance with our agreement with the customer and the customer's configuration of the service. Upon termination, and subject to legal requirements, we delete or return customer content as provided in that agreement. When personal data is no longer required, we delete it or anonymize it using commercially reasonable measures.

Security

We maintain a comprehensive information security program designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Our practices are independently validated through SOC 2 (Type II) and ISO 27001, and we apply administrative, technical, and physical safeguards appropriate to the sensitivity of the data we handle.

Data is encrypted in transit using TLS 1.3 and at rest using AES-256. Our services are hosted on Amazon Web Services in U.S. and EU regions. We support single sign-on (SSO) and multi-factor authentication (MFA), and we offer optional virtual private cloud (VPC) or self-hosted deployment and regional data residency for eligible customers. No method of transmission or storage is completely secure, but we work continuously to protect your data and to improve our safeguards.

Your privacy rights

Depending on where you live and the applicable law, you may have rights regarding your personal data. Under the GDPR and similar laws, these include the rights to access, correct, delete, and port your personal data, as well as to restrict or object to certain processing and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local data protection authority.

Under the California Consumer Privacy Act (CCPA), as amended, California residents have the right to know what personal information we collect and how it is used and shared, the right to request access to and deletion of personal information, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information, and the right not to be discriminated against for exercising these rights. Hydrus does not sell personal data and does not share personal data for cross-context behavioral advertising, so there is no sale or sharing to opt out of; however, you may still exercise your other rights.

Where Hydrus processes personal data as a processor on behalf of a customer, we will direct requests we receive to the relevant customer (controller) and assist them in responding as required. To exercise your rights or to make a request, contact us using the details in the "How to contact us" section below. We may need to verify your identity before acting on a request, and you may use an authorized agent where permitted by law.

Cookies & tracking

We and our service providers use cookies and similar technologies on our marketing site and application to enable core functionality, remember your preferences, authenticate sessions, maintain security, and understand how our services are used so we can improve them.

You can control cookies through your browser settings, including by blocking or deleting cookies, though disabling certain cookies may affect the functionality of our services. Where required by law, we obtain consent before setting non-essential cookies.

Children's privacy

Our services are intended for use by organizations and business professionals and are not directed to children. We do not knowingly collect personal data from children under the age of 16.

If we learn that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that information. If you believe a child has provided us with personal data, please contact us using the details below.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will revise the effective date at the top of this policy and, where appropriate, provide additional notice.

We encourage you to review this policy periodically. Your continued use of our services after an updated policy becomes effective constitutes your acknowledgment of the changes to the extent permitted by applicable law.

How to contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of personal data, please reach out to us. You can email our privacy team at privacy@hydrus.ai or get in touch through the contact page at hydrus.ai/contact.

You can also reach us by mail at: Hydrus.ai, Inc., 30 N Gould St, Ste R, Sheridan, WY 82801, USA. We will respond to your inquiry within a reasonable timeframe and in accordance with applicable law.
