Privacy Policy

Last updated: 2026-02-16

Privacy At a Glance

HexaIndex is designed to keep the basic trust boundaries simple: private by default, optional analytics only by consent, and direct deletion controls when available.

  • Your inputs are private to your account by default.
  • Non-essential analytics stays off until you opt in.
  • We do not sell personal data.
  • Payment details are handled by Stripe, not stored directly by us.
  • You can request account deletion from this page at any time.

1. Data Controller and Scope

Data controller/operator: KEYNEST VENTURE L.L.C.

This policy explains how HexaIndex collects, uses, stores, and shares personal data when you use the service, website, and related APIs.

2. Categories of Personal Data

Category | Examples | Source | Retention
Account and Authentication Data | Email address, authentication session metadata | Provided by user or generated during login | 24 months after last account activity (unless longer required by law)
Input and Session Data | Form inputs required for generated outputs, session continuity, and operational event context | Provided by user in product flows | 30 days
Browser-Local Feature Data | Monthly Signal Memo history and related browser-local memo context | Stored in your browser by beta product features | Until cleared by the browser or overwritten by the feature
Waitlist and Prefill Data | Waitlist email, lead identifier, prefill mapping | Provided by user on waitlist forms | 12 months
Consent and Preference Data | Terms/Privacy consent versions, cookie analytics preference | Captured when user makes consent choices | 6 years for consent audit records

3. Purposes and Legal Bases

  • Contract/performance: authentication, session continuity, core feature delivery.
  • Legitimate interests: security monitoring, abuse prevention, reliability improvements, operational event logging, purchase event handling, and user-submitted product feedback.
  • Consent: non-essential analytics and optional tracking preferences.
  • Legal obligation: where retention/disclosure is required by applicable law.

4. Cookies and Tracking Technologies

Strictly necessary cookies are always enabled. Non-essential analytics are disabled by default and enabled only when you opt in through cookie settings.

When analytics is enabled, analytics providers may process page views, referrer, browser/device metadata, and performance telemetry. You can withdraw consent at any time from the persistent cookie settings control.

Separate from opt-in web analytics, we may also process limited server-side operational telemetry such as product events, purchase events, security events, and user-submitted feedback to run the service, prevent abuse, and improve reliability.

Cookie / Technology | Category | Purpose | Retention
hc_reading_access | Strictly Necessary | Session access control for reading flow | Session TTL
hc_waitlist_prefill | Strictly Necessary | Waitlist-to-auth prefill mapping token | Up to 30 days
hc_auth_session_policy | Strictly Necessary | Session policy mode (default/remember) | 30 or 90 days
hc_cookie_consent | Strictly Necessary | Stores cookie preference decision and policy version | 180 days
Vercel Analytics / Speed Insights | Non-Essential | Traffic and performance analytics | Provider-defined

5. Data Retention

We retain personal data only for as long as necessary to fulfill operational, security, and legal requirements. Retention windows may differ by data category and environment.

  • Auth/account metadata: 24 months after last account activity.
  • Waitlist records: 12 months.
  • Session data: 30 days.
  • Consent logs: 6 years.

Some beta features may also store feature data locally in your browser. For example, Monthly Signal Memo history currently lives in browser-local storage and may persist until you clear that browser storage or the feature overwrites it.

6. Data Sharing and Processors

We may share data with infrastructure and service providers acting as processors (for example hosting, authentication, storage, and analytics providers) under contractual safeguards.

  • Supabase: authentication/session management and related data storage.
  • Vercel: hosting infrastructure, performance analytics, and traffic analytics (only if analytics consent is enabled).
  • Stripe: payment processing, checkout, and transaction-related billing operations for paid features.
  • Google Gemini / Google AI services: processing prompts and generated outputs for AI-backed product features.

7. AI Processing and Generated Output

Some HexaIndex features use third-party AI services to process prompts and generate outputs. This may include the inputs you provide in product flows together with structured context needed to return a result.

  • We send only the prompt and supporting context needed to generate the requested feature output.
  • We do not sell personal data.
  • Payment card details are not sent through AI providers.
  • If you want data deleted, you can use the account deletion controls on this page or contact us.

8. International Data Transfers

Where data is transferred across borders, appropriate safeguards are applied as required by applicable data protection law (for example contractual transfer mechanisms).

9. Your Data Protection Rights

Depending on jurisdiction, you may have rights to:

  • Access, correct, or delete personal data.
  • Restrict or object to certain processing.
  • Withdraw consent for non-essential processing.
  • Lodge a complaint with a supervisory authority.

To submit a data subject rights request (DSAR), contact privacy@hexaindex.com.

We aim to respond within 30 days of receiving a valid request, unless a longer period is permitted by applicable law.

We may request reasonable identity verification before fulfilling requests to protect account and personal data security.

10. Account Controls and Deletion

You can request permanent account deletion directly below. This action removes account access and triggers deletion or deactivation of account-linked app data in line with system design, processor behavior, and any applicable retention requirements.

11. Security Measures

We apply technical and organizational safeguards appropriate to risk, including access control, signed tokens, and environment-based security controls.

  • Account access is handled through signed authentication sessions and account-level access controls so signed-in users can access only their own saved data under normal product permissions.
  • Non-essential analytics and tracking remain off until you explicitly opt in.
  • We do not sell personal data.
  • Payment card details are processed by Stripe rather than stored directly in our product database.
  • We may request identity verification before fulfilling deletion or data access requests.

12. Children

The Service is not directed to children below the minimum age required by applicable law, and we do not knowingly collect personal data from children in violation of legal requirements.

13. Changes to This Policy

We may update this policy periodically. Material changes are reflected by an updated effective date and, as needed, additional notice or consent refresh.

14. Privacy FAQ

Do you sell my data?

No. We do not sell personal data.

Can other users see my readings?

No. Signed-in users can access only their own saved profile and reading data under normal product permissions.

Is analytics on by default?

No. Non-essential analytics stays off until you explicitly opt in through cookie settings.

Can I delete my data?

Yes. You can request permanent account deletion from this page, and we also accept privacy requests at privacy@hexaindex.com.

15. Contact and Complaints

Privacy contact email: privacy@hexaindex.com

Registered business address is available upon verified legal request.

If Article 27 GDPR requires appointment of an EU representative for our processing activities, we will designate one and publish the contact details in this policy.

Supervisory authority contact process: if you are in the EU/EEA/UK, you may lodge a complaint with your local data protection authority; in Washington State, you may also contact the Washington State Attorney General's Office where applicable.