Privacy Policy

Your privacy matters to us. This policy explains how we collect, use, and protect your information.

Last updated · May 18, 2026

Introduction

Halyard Labs Pty Ltd ("Halyard," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform, which connects AI agents to human experts via integrations like Slack and MCP (Model Context Protocol).

By using Halyard, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our services.

Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Organization name and details
  • Payment information, which is collected and processed directly by Stripe — we do not store full card numbers on our systems
  • Profile information you choose to provide

Integration Data

When you connect third-party services, we collect:

  • Slack workspace information, user profiles, and channel data necessary for routing questions to experts
  • OAuth identity information from Google or Microsoft if you choose to sign in via those providers (name, email, profile picture, and the provider's stable user ID)
  • OAuth tokens and credentials required to maintain integrations, stored encrypted at rest
  • MCP connection metadata and tool-call payloads exchanged between connected AI agents and our server
  • Session logs uploaded by the Halyard CLI when you opt in to session capture (stored as JSONL transcripts in object storage)

Conversation Data

To provide our service, we collect and process:

  • Questions submitted by AI agents
  • Responses provided by human experts
  • Conversation metadata (timestamps, participants, response times)
  • Knowledge summaries created from expert responses

Usage Data

We automatically collect information about how you interact with our service, including device information, IP addresses, browser type, pages visited, and features used. This helps us improve our platform and provide support.

Error and Performance Data

When the application encounters an error or performance issue, we capture a diagnostic event via Sentry. These events include the URL, request metadata, a stack trace, and — for authenticated requests — your user ID and IP address so we can correlate the issue to your session. They do not include passwords, OAuth tokens, payment details, or the contents of expert conversations.

How We Use Your Information

We use collected information to:

  • Provide our services: Route questions to appropriate experts, deliver responses to AI agents, and build your organization's knowledge base
  • Improve the platform: Analyze usage patterns, identify issues, and develop new features
  • Communicate with you: Send service updates, security alerts, and support messages
  • Process payments: Handle billing and invoicing for paid plans
  • Ensure security: Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations: Meet regulatory requirements and respond to lawful requests

We do not sell your personal information to third parties.

Data Sharing and Disclosure

We may share your information in the following circumstances:

Within Your Organization

Conversation data and knowledge summaries are shared with members of your organization as configured in your settings. Administrators can control access permissions.

Service Providers (Sub-processors)

We work with trusted third-party providers who assist us in operating our platform. The following is the current list of sub-processors that may process personal information on our behalf:

Sub-processor | Purpose | Location
Anthropic | LLM inference for question routing, summarization, and response generation | United States
OpenAI | Embedding generation for semantic search over the knowledge base | United States
Vercel (incl. Vercel AI Gateway and Vercel Analytics) | Web and marketing application hosting, model gateway routing AI requests to Anthropic and OpenAI, and aggregate web analytics | United States
Fly.io | API and MCP server hosting and compute infrastructure | United States
Supabase | Managed PostgreSQL database hosting | United States
Cloudflare R2 | Object storage for session logs uploaded via the Halyard CLI | Global (Cloudflare network)
Trigger.dev | Background job processing for session ingestion, embedding generation, and knowledge-base maintenance | United States
Slack | Messaging platform integration for routing questions to and receiving responses from experts | United States
Stripe | Subscription billing and payment processing | United States
Resend | Transactional email delivery (sign-in codes, invitations, account notifications) | United States
Sentry | Application error monitoring and performance tracing | United States
Google | OAuth identity provider for users who choose “Sign in with Google” | United States
Microsoft | OAuth identity provider for users who choose “Sign in with Microsoft” | United States

Each sub-processor is bound by a data processing agreement that restricts use of your data to the services they provide to us and requires appropriate technical and organisational safeguards. We will notify customers of material changes to this list (additions of new sub-processors that handle customer personal data) at least 30 days before the change takes effect. To receive these notifications, email [email protected].

Legal Requirements

We may disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

AI and Model Processing

Halyard relies on third-party large language models (LLMs) and embedding models to route questions, generate summaries, and power semantic search over your knowledge base. We use these providers under their enterprise / API terms, which we have selected on the basis that they meet the following commitments:

  • No training on your data: Content submitted to our LLM and embedding providers via the API is not used to train, fine-tune, or improve those providers' models.
  • Limited provider-side retention: Providers retain prompt and response data only for the period needed to operate the API and to investigate abuse (typically 30 days), after which it is deleted.
  • Routing through a gateway: AI requests are routed via the Vercel AI Gateway, which selects the appropriate model and forwards your prompt to the relevant model provider (currently Anthropic for chat/reasoning and OpenAI for embeddings). The gateway processes prompts in transit but does not retain them.
  • No human review by Halyard for training: Halyard staff do not read your conversations, prompts, or expert responses to train models. We may access content only to investigate a support request, a reported abuse incident, or a security issue.
  • Embeddings: Numerical embedding vectors derived from your knowledge entries are stored in our database to power search. Embeddings are not reversible to the original text but, in combination with metadata, are treated as personal data where they relate to an identifiable person.

If we change AI providers or materially change how we process content with AI, we will update this policy and the sub-processor list above before the change takes effect.

Data Security

We implement industry-standard security measures to protect your information:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Access controls and authentication requirements
  • Monitoring and logging of system access
  • Employee security training and background checks

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any incidents.

Breach notification. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected customers and, where required, the relevant supervisory authority without undue delay and in any case within 72 hours of becoming aware of it, in line with applicable law (including the GDPR and the Australian Notifiable Data Breaches scheme).

Data Retention

We retain your information for as long as your account is active or as needed to provide services. Specifically:

  • Account data: Retained until account deletion, then removed within 30 days
  • Conversation data: Retained according to your organization's configured retention policy
  • Knowledge summaries: Retained until explicitly deleted by your organization
  • Usage logs: Retained for up to 12 months for security and analysis purposes
  • Billing records: Retained as required by law (typically 7 years)

You may request deletion of your data at any time, subject to legal retention requirements.

Your Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data
  • Portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing based on legitimate interests
  • Withdrawal: Withdraw consent where processing is based on consent

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

Cookies and Tracking

We use the following cookies and similar technologies:

  • Essential cookies: Enable core functionality like authentication, session management, and CSRF protection
  • Analytics: We use Vercel Analytics on our marketing and web applications to understand aggregate traffic patterns. Vercel Analytics is designed to be cookie-less and does not track individual users across sites or sessions
  • Preference cookies: Remember your settings and preferences

You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality.

International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by relevant authorities, to protect your data during international transfers.

Children's Privacy

Halyard is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification. Your continued use of Halyard after changes become effective constitutes acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: