Privacy Policy

1. Introduction

H33.ai, Inc. (“we,” “us,” or “our”) operates NoSheet, accessible at nosheet.ai. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our service. By accessing or using NoSheet, you agree to the practices described in this policy.

2. Information We Collect

We collect information necessary to provide, maintain, and improve NoSheet. The categories of information we collect include the following:

Account Information

When you create an account, we collect your email address, name, and phone number (for SMS verification via our authentication provider, Auth1). This information is required to provide the service and authenticate your identity.

User-Uploaded Data

You may upload CSV files, spreadsheet data, and other tabular data to NoSheet for cleaning, transformation, and processing. We process this data solely on your behalf and in accordance with your instructions.

Usage Data

We automatically collect information about how you interact with NoSheet, including pages visited, features used, cleaning operations performed, and session duration. This data helps us understand how the service is used and identify areas for improvement.

Device & Technical Data

We collect technical information such as your IP address, browser type and version, operating system, and device identifiers. This information is used for security, troubleshooting, and analytics purposes.

Payment Information

Payments are processed by Stripe, Inc. We do not store, process, or have access to your full credit card numbers. Stripe’s handling of your payment information is governed by their Privacy Policy. We receive only limited transaction details (such as the last four digits of your card, billing address, and transaction amounts) necessary for account management and record-keeping.

Cookies

We use cookies and similar technologies to manage authentication sessions and, with your consent, to collect anonymized analytics data. See Section 10 for details on our cookie practices.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and maintain the service — including account creation, data processing, and feature delivery.
• Process and clean your uploaded data — performing the cleaning, transformation, and analysis operations you request.
• Authenticate your identity — via Auth1 to verify you are who you say you are and protect your account.
• Process payments — manage subscriptions, billing, and payment processing through Stripe.
• Send service notifications — account confirmations, billing receipts, security alerts, and important service updates.
• Improve the service — using aggregated, anonymized usage analytics to identify bugs, optimize performance, and develop new features.
• Comply with legal obligations — satisfy applicable laws, regulations, legal processes, or government requests.
• Detect and prevent fraud and abuse — protect the security and integrity of NoSheet and our users.

4. How We Handle Your Uploaded Data

We take the privacy of your uploaded data seriously. The following principles govern how we handle the data you upload to NoSheet:

• ✓Your data is YOUR data. We do not claim any ownership rights over data you upload to NoSheet.
• ✓Purpose-limited processing. We process your uploaded data ONLY to perform the cleaning, transformation, and analysis operations you request.
• ×No AI/ML training. We do NOT use your uploaded data to train artificial intelligence or machine learning models.
• ×No selling or monetization. We do NOT sell, share, license, or otherwise monetize your uploaded data.
• ×No unauthorized access. We do NOT access your data except as necessary to provide the service, respond to your support requests, or comply with legal obligations.
• •Encrypted at all times. Your data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
• •US-based storage. Uploaded data is stored in AWS US-East-1 (Northern Virginia).

5. Data Retention

We retain your information only as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

6. Data Sharing

We do NOT sell your personal data. Period.

We may share limited information with the following categories of recipients, solely as necessary to provide and operate the service:

Service Providers (Sub-Processors)

We engage trusted third-party service providers who process data on our behalf under strict contractual obligations:

• Amazon Web Services (AWS) — cloud hosting and data storage
• Stripe, Inc. — payment processing
• Auth1 / H33.ai — authentication and identity verification
• Twilio, Inc. — SMS delivery for campaigns (only when initiated by you)

Legal Requirements

We may disclose your information if we believe in good faith that disclosure is necessary to comply with applicable law, regulation, legal process, or enforceable government request; enforce our Terms of Service; detect, prevent, or address fraud, security, or technical issues; or protect against harm to the rights, property, or safety of H33.ai, Inc., our users, or the public.

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

7. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

• Right of Access — You may request a copy of the personal data we hold about you.
• Right to Correction — You may request that we correct inaccurate or incomplete personal data.
• Right to Deletion — You may request that we delete your account and associated personal data, subject to legal retention requirements.
• Right to Portability — You may request an export of your data in standard, machine-readable formats such as CSV or JSON.
• Right to Object — You may object to certain types of processing, including processing based on legitimate interests.
• Right to Restriction — You may request that we limit the processing of your personal data in certain circumstances.

To exercise any of these rights, contact us at privacy@h33.ai. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

8. GDPR Compliance (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply to our processing of your personal data. This section provides additional information specific to your rights and our obligations under those regulations.

Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract performance — processing necessary to provide the NoSheet service you have signed up for (Article 6(1)(b)).
• Legitimate interests — processing necessary for security, fraud prevention, and service improvement, where our interests do not override your fundamental rights (Article 6(1)(f)).
• Consent — where you have given explicit consent, such as for marketing communications or optional analytics cookies (Article 6(1)(a)). You may withdraw consent at any time.
• Legal obligation — processing necessary to comply with applicable laws, including tax and accounting requirements (Article 6(1)(c)).

International Data Transfers

Your data is stored and processed in the United States. We rely on the EU-US Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for data transferred outside the EEA/UK.

Data Protection Officer

You may contact our Data Protection Officer at privacy@h33.ai.

Right to Lodge a Complaint

If you believe our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

9. CCPA Compliance (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendments under the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information. This section supplements the information in this Privacy Policy.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers (name, email address, phone number, IP address)
• Commercial information (transaction records, subscription details)
• Internet or electronic network activity (usage data, browser type, pages visited)
• Geolocation data (approximate location derived from IP address)

Sale of Personal Information

We do NOT sell your personal information. We have not sold personal information in the preceding 12 months, and we have no plans to sell personal information in the future.

Your California Privacy Rights

• Right to Know — You may request the categories and specific pieces of personal information we have collected about you.
• Right to Delete — You may request that we delete the personal information we have collected from you, subject to certain exceptions.
• Right to Correct — You may request that we correct inaccurate personal information.
• Right to Opt-Out of Sale — We do not sell personal information; however, you may contact us at privacy@h33.ai with any concerns.
• Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.

“Do Not Sell My Personal Information”

We do not sell personal information as defined by the CCPA. If you have questions or concerns about our data practices, please contact us at privacy@h33.ai.

10. Cookies

NoSheet uses cookies and similar technologies to provide core functionality and, with your consent, to collect anonymized analytics. We categorize our cookies as follows:

You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may prevent you from using certain features of NoSheet.

11. Security

We implement industry-standard technical and organizational measures to protect your personal information and uploaded data against unauthorized access, alteration, disclosure, or destruction.

• Encryption in transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest — Stored data is encrypted using AES-256.
• Authentication — Powered by Auth1 with BotShield cryptographic bot protection to prevent unauthorized access and automated attacks.
• Access controls — Role-based access control (RBAC) and tenant isolation ensure that your data is accessible only to authorized personnel and only when necessary.
• Security assessments — We conduct regular security reviews and vulnerability assessments.
• Incident response — We maintain documented incident response procedures. In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.
• Compliance — SOC 2 compliance program is in progress.

While we strive to protect your personal information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining and continuously improving our security posture.

12. Children’s Privacy

NoSheet is not directed at children under the age of 13 (as defined by the Children’s Online Privacy Protection Act, or COPPA) or under the age of 16 (as defined by the GDPR). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child, please contact us at privacy@h33.ai.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will provide at least 30 days’ notice before the changes take effect. Notice will be provided via email to the address associated with your account and/or through a prominent in-app notification.

Your continued use of NoSheet after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this page periodically for the latest information on our privacy practices.

14. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us: