Privacy Policy
This page explains what personal data Horkos collects, how it is used, and the rights you have over it. It is written in plain English, kept short, and updated when things change. If anything is unclear, write to support@horkos.eu.
1. Who we are
Data controller: Horkos, operated independently from Lisboa, Portugal. Contact: support@horkos.eu. The services covered by this policy are the website horkos.eu, the documentation site at /docs/, the pilot page at /pilot/, and the Horkos API and Python SDK.
2. What we collect
From visitors to the website
We use Vercel Web Analytics, which is privacy-friendly and does not set tracking cookies or persistent identifiers in your browser. It records aggregate page views, the page that referred you, and approximate geography (derived from the request, not from any account). We cannot identify individuals from this data.
From people who write to us or apply to the pilot
When you email support@horkos.eu, or use the pilot application form (which opens your default mail client), we receive your email address, the contents of your message, and any other detail you choose to share. We use this only to reply to you and to evaluate fit for the engagement.
From customers using the Horkos API
If you create an organisation through the API, we store your organisation name, slug, contact email, and a SHA-256 hash of your API key (we never store the key in plaintext). We also store the actions, sessions, policy evaluations, approvals and audit logs your AI agents send through the gateway. This data is what the service is for; without it we cannot govern or audit your agents.
3. What we do not collect
- We do not use tracking cookies.
- We do not run third-party advertising pixels or social-media trackers on this site.
- We do not sell, rent, or share your personal data with anyone for marketing.
4. Where the data lives
Horkos runs entirely in the European Union:
- Gateway (API): Render.com, Frankfurt region (Germany).
- Database: Supabase (managed PostgreSQL), eu-west-1 (Ireland).
- Cache and rate limiting: Upstash Redis, EU region.
- This website and the dashboard: Vercel, served from the EU edge.
- Notifications: Slack webhooks the customer configures themselves.
5. Legal basis for processing (GDPR)
- Consent — when you voluntarily contact us by email or apply to the pilot.
- Contract — when you use the API, we process the data necessary to provide the service.
- Legitimate interest — for aggregate, cookieless web analytics to understand how the site is used.
6. Your rights
You have the following rights under the GDPR:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data. Note: audit logs produced by your agents are immutable by design and are retained while the organisation is active, because they are compliance evidence you and your auditors rely on.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to specific processing, where applicable.
- Complain — to your local Data Protection Authority. In Portugal that is the CNPD (www.cnpd.pt).
To exercise any of these rights, write to support@horkos.eu. We respond within 30 days.
7. Retention
Emails are kept for as long as is reasonably useful for our correspondence. API and audit data is kept while your organisation is active; on account closure we can export or delete it on request, subject to any retention obligation you have for compliance evidence.
8. Security
API keys are stored only as SHA-256 hashes. The audit log is append-only at the application layer (no UPDATE or DELETE endpoint). All traffic is HTTPS. Hosting providers (Render, Supabase, Upstash, Vercel) provide their own platform-level protections — we do not rebuild what they already secure.
9. Children
Horkos is a B2B service. It is not directed at children, and we do not knowingly collect data from them.
10. Changes
If we change this policy materially, we update the "Last updated" date at the top and notify active customers by email. Earlier versions are kept in our private git history.