Privacy Policy

We collect the minimum information necessary to provide and improve the HiveDesk service.

Account information: When you sign up, we collect your email address and a hashed password. If you provide a name, we store that too.

Usage data: We log actions within the platform such as agent creation, task status changes, and instance provisioning events. These logs help us debug issues and improve reliability.

Agent configurations: We store the configuration you define for each agent — name, model, role, and instructions. This is necessary to run your agents on your behalf.

What we do NOT collect: We do not store or read the content your agents process. Conversations between you and your agents pass through your isolated container and are subject to your AI provider's data policy, not ours.

Provide the service: Your account data, agent configurations, and instance state are used solely to operate HiveDesk on your behalf.

Improve the product: Aggregated, anonymised usage patterns (e.g. which features are used most) inform our roadmap. We never sell individual usage data.

Billing: If you subscribe to a paid plan, your email is shared with our payment processor (Stripe) to manage subscriptions and invoices. We never store raw payment card details.

Communications: We may send you transactional emails (account confirmation, password reset, billing receipts). We will only send product update emails if you opt in.

Security is not an afterthought at HiveDesk — it is central to the architecture.

Encryption at rest: All API keys and sensitive credentials are encrypted with AES-256-GCM before being written to our database. The encryption key itself is stored separately from the data it protects.

Isolated containers: Each user account runs its own dedicated Fly.io container. Your agent fleet has no shared runtime with any other user's fleet. There is no multi-tenancy at the compute layer.

Encrypted volumes: Container storage volumes are encrypted at the infrastructure level by Fly.io. Data at rest inside your container is protected even if physical media is compromised.

Transport security: All communication between your browser, our servers, and your container is encrypted via TLS 1.2 or higher. We enforce HTTPS everywhere.

Despite these measures, no system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@hivedesk.io.

HiveDesk follows a bring-your-own-API-key model. You connect your own Anthropic, OpenAI, or other provider keys to power your agents.

Storage: Your API keys are encrypted with AES-256-GCM immediately upon receipt and stored only in encrypted form. The plain-text key is never written to disk or logs.

Usage: Your keys are decrypted in memory only when needed to provision or configure your isolated container. They are then passed directly to your container and are not retained by our application layer.

Direct billing: Your API usage costs go directly to your provider accounts (Anthropic, OpenAI, etc.). HiveDesk does not proxy or mark up your API calls, and we do not have visibility into what you spend with your providers.

No logging: We do not log the content of any requests sent to your AI provider through your agents.

We retain your data only as long as necessary to provide the service or as required by law.

Active accounts: Account data, agent configurations, task history, and associated records are retained while your account is active.

Account deletion: When you delete your account, all personal data — including your account details, agent configurations, task history, and encrypted API keys — is permanently deleted within 30 days.

Billing records: Payment and billing records may be retained for up to 7 years to comply with financial regulations, even after account deletion. These records are held by our payment processor and contain no sensitive credential data.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: You can request a copy of the personal data we hold about you at any time.

Correction: If any data we hold is inaccurate, you can request that we correct it. Many details (such as your email) can be updated directly from the settings panel.

Deletion: You can request deletion of your account and all associated data. You can initiate this from the settings panel or by contacting us directly.

Data export: You can export your task history, agent configurations, and other account data from the settings panel in a machine-readable format.

Objection and restriction: In certain circumstances you may object to or request restriction of processing. To exercise any of these rights, contact us at privacy@hivedesk.io.

We use cookies sparingly and only where necessary.

Session cookies: We set a single session cookie to keep you authenticated while you use the platform. This cookie contains a cryptographically signed session token and expires when you log out or after an inactivity period.

No tracking cookies: We do not set any advertising, tracking, or cross-site analytics cookies.

No third-party analytics: We do not embed Google Analytics, Meta Pixel, or similar third-party tracking scripts on any page of the HiveDesk platform.

If you block all cookies in your browser, authentication will not function. All other parts of the marketing site will work normally.

If you have questions, concerns, or requests related to this Privacy Policy, please reach out to our privacy team:

We aim to respond to all privacy-related enquiries within 5 business days. For security disclosures please email security@hivedesk.io instead.