Privacy Policy

Last updated: March 2026

1. Who We Are

HumanKey (“we”, “us”) provides AI traffic intelligence services. This policy explains how we collect, use, and protect personal data in compliance with the GDPR and ePrivacy Directive.

Data Controller: HumanKey · ChainGuard, Poland.
Contact: Contact Form (Privacy Inquiries)

2. Data We Collect

Account Data

• Email address, name (optional)
• OAuth provider identifiers (Google) — only if you use social login
• Hashed password (industry-standard algorithm) — only if using email/password authentication
• Account metadata: plan tier (Free, Pro, Business, or Enterprise), role (user/admin), registration timestamp, email verification status
• Stripe customer ID (only if you subscribe to a paid plan)

New accounts receive a 14-day Pro trial. No payment information is required during the trial period.

Traffic Analysis Data

• IP addresses: Hashed with a cryptographically rotating salt — we never store raw IP addresses
• User-Agent strings: Truncated to 200 characters for bot classification only
• Page URLs and referrer URLs (for traffic analysis)
• Visit timestamps and duration
• Bot classification results (human/bot, confidence score)
• Country-level geographic data: Derived from IP address via a geolocation database (stored as country code only — no city or precise location data)
• Session Pattern Analysis: Aggregated session patterns processed by our proprietary analysis engine. Stored in our EU database. Used exclusively for identifying coordinated bot activity — no individual profiling.
• ASN Metadata: Autonomous System Number enrichment via Cloudflare Radar public API. Only the ASN number is queried — no personally identifiable information is transmitted to Cloudflare Radar.

3. Legal Basis (GDPR Art. 6)

• Contract performance: Processing account data to provide our service
• Legitimate interest: Bot detection and traffic classification to protect website owners
• Consent: Analytics cookies (optional, via cookie consent banner)

Consent is obtained through (a) explicit checkbox during email registration, or (b) acceptance of our Terms through OAuth sign-in (Google). User consent for account data processing (Art. 6(1)(a)) is separate from the legitimate interest basis for bot detection (Art. 6(1)(f)).

Automated Processing (Art. 22 GDPR)

Our bot detection uses automated classification of web traffic requests through a proprietary multi-layered analysis methodology. All processing runs on our EU infrastructure — no visitor data is sent to external services. This automated processing does not produce legal effects or similarly significantly affect your website visitors — it classifies network requests, not individuals. Visitors whose requests are classified as non-human traffic are not individually profiled or subjected to consequential automated decisions. Additionally, a proprietary analysis pipeline is used to identify coordinated bot farm activity — this is an informational technique and does not result in automated blocking of any individual visitor.

We also use an AI language model to periodically analyze aggregated, non-personal platform metrics (detection counts, confidence distributions, bot volume trends) and generate advisory recommendations for detection system improvement. Only statistical summaries are processed — no individual visitor data is ever sent to the AI model. All recommendations require manual administrator review.

We may send you periodic email notifications about your site's bot traffic (daily reports, weekly AI-generated insights, new crawler alerts, quota warnings). You can control each notification type independently in Dashboard → Settings → Email Notifications. Weekly AI insight emails use the same aggregated metrics described above — no personal data is processed by the AI model.

AI Assistant Chatbot:HumanKey provides an AI-powered chatbot assistant on our website and dashboard. Conversations are processed by an AI language model to generate responses. Only the text of your chat messages is sent to the AI model — no personal data, IP addresses, session identifiers, or account information is transmitted. All conversations are ephemeral: they are held in server memory for a maximum of 30 minutes and are never stored in any database. Conversations cannot be recovered after the session ends. The AI assistant provides advisory information only and cannot make binding decisions. In compliance with EU AI Act Article 50, the assistant is clearly marked as AI-powered and a link to human support is always available.

In addition to automated classification, HumanKey administrators may manually verify borderline traffic classifications to improve detection accuracy. This manual review is informational only, does not constitute automated decision-making under Art. 22 GDPR, and does not produce legal or similarly significant effects on website visitors. Admin identifiers are hashed before storage.

Aggregated Trend Analysis: HumanKey periodically aggregates historical traffic patterns into anonymized daily statistics (visitor counts by category: human, bot, unknown, blocked). This aggregated data contains no personal information and cannot be used to identify individual visitors. Processing basis: legitimate interest (Art. 6(1)(f) GDPR).

4. Data Minimisation

We follow the principle of data minimisation. IP addresses are hashed before storage, User-Agent strings are truncated, and we only retain data necessary for traffic analysis.

5. Your Rights

Under the GDPR, you have the right to:

• Access: Export all your data from Dashboard → Settings → Export Data
• Erasure: Delete your account and non-financial data from Dashboard → Settings → Delete Account. When you delete your account, your email address is also scrubbed (replaced with a redacted marker) from audit log entries created by other organizations that interacted with you as a team invitee — preserving the third-party's audit-trail continuity while honouring your right to erasure under Art. 17 GDPR. Financial audit records (invoice events, payment confirmations) are retained for up to 5 years per Art. 17(3)(b) GDPR and Polish Ustawa o rachunkowości art. 74 (legal-obligation exemption), then permanently deleted.
• Portability: Download your data in JSON format
• Rectification: Update your profile information in Dashboard → Settings
• Object: Contact us to opt out of specific processing activities

6. Cookies

• Essential: Authentication tokens (httpOnly, secure) — required for login
• Optional: Analytics cookies — only set with your consent

7. Data Retention

Visit data retention depends on your plan:

• Free plan: 7 days
• Pro plan: 30 days
• Business plan: 90 days
• Enterprise plan: 365 days

Data beyond these periods is automatically and permanently deleted. Account data is retained until you delete your account. After subscription cancellation, a 7-day grace period applies during which you retain access to your previous plan's features.

8. Account Deletion & Data Portability

Deletion

You may delete your account at any time from Settings > Account > Delete Account. Upon deletion, traffic records (visit data), API keys, and non-financial account data are permanently erased within 30 days; site configuration data is deleted immediately. Financial audit log records (invoice events, payment confirmations) are retained for up to 5 years per Art. 17(3)(b) GDPR and Polish Ustawa o rachunkowości art. 74 (legal-obligation exemption), then permanently deleted by our retention cron job. Audit log entries created by other organizations that interacted with you as a team invitee have your email address scrubbed (replaced with a redacted marker) while preserving the third-party's audit-trail continuity.

Data Portability

GDPR data portability (your personal data) is available on all plans. Analytics data export (CSV/JSON) is available on Business plans and above.

9. Sub-Processors & Third-Party Services (GDPR Art. 28)

We use the following sub-processors to deliver our service. All processors are contractually bound by Data Processing Agreements (DPAs) that comply with GDPR requirements. See our full Sub-Processors list with data locations and DPA links.

Right to Object: If you object to data transfers outside the EU, contact us at contact us. Note that certain services (billing, OAuth) require US processors — opting out may limit functionality.

10. Security

We implement industry-standard encryption in transit and at rest, password hashing, token-based authentication, rate limiting, and access controls to protect your data.

Account isolation:Each dashboard session is fully isolated from other sessions in the same browser. Logging out triggers a full client-state purge (session storage, query cache, per-user settings) and a hard page reload, so no account ever inherits another account's data — consistent with GDPR Article 32 (security of processing).

Browser security headers: HumanKey enforces industry-standard browser security policies including Content Security Policy, cross-origin resource protection, and referrer policy. These headers prevent unauthorized script injection, resource theft, and data leakage across origins. Our Content Security Policy is strict by design — we do not permit dynamic code evaluation, and we never embed third-party scripts that we cannot audit. If your browser reports console warnings from installed extensions while visiting a HumanKey-enabled site, those warnings come from the extension, not from our service. See our troubleshooting guide for common browser warnings and their causes.

11. Data Protection Impact Assessment

Our systematic bot monitoring processing has been assessed under GDPR Article 35. View the full Data Protection Impact Assessment (DPIA) for details on risk assessment, safeguards, and compliance measures.

11A. Embeddable Verified Badge

Customers on Pro+ plans may opt in to embed our HumanKey Verified Badge on their websites. When a visitor loads a page containing the badge, the visitor's browser fetches an SVG image from api.humankey.io. This HTTP request includes the visitor's IP address (hashed with a daily rotating salt before any storage per GDPR Art. 32), User-Agent (truncated to 200 characters), and optionally a Referer header. The recommended embed snippet includes Referrer-Policy: no-referrer to suppress the Referer header. Legal basis: GDPR Art. 6(1)(f) legitimate interest — trust signaling for our customers and visitor transparency about AI traffic monitoring. The Legitimate Interest Assessment (LIA) is documented in our DPIA.

12. Children's Data

HumanKey is a business-to-business (B2B) service intended for website owners and operators. We do not knowingly collect data from individuals under 18 years of age. If you become aware of a minor using the Service, please contact us via our contact form.

13. Contact

For privacy-related inquiries, contact us at contact us or write to the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl