Privacy Policy

Effective: 11 April 2026

Last updated: 11 April 2026

This policy explains what information Hugrun collects, how we use it, who we share it with, and the rights you have over it. We've tried to write it in plain English. If anything is unclear, email [email protected].

Hugrun Cloud is sold globally. Wherever you are, your local data protection rights apply. Sections 10–13 below cover the EU, UK, US (California), and Australia specifically.

1. Who we are (data controller)

Hugrun Cloud is operated by Hugrun Pty Ltd, an Australian proprietary limited company. Hugrun Pty Ltd is the data controller for all personal information collected through Hugrun Cloud.

  • Registered office: Melbourne, Victoria, Australia
  • Privacy contact: [email protected]
  • Security incident contact: [email protected]
  • We have not appointed a Data Protection Officer (DPO). Under GDPR Art. 37 we are not required to. If we appoint one in future this section will be updated.

2. What we collect

We only collect what we need to run the service:

  • Account information — your name, email, business name, and any profile details you enter during signup or onboarding.
  • Email content — when you connect Gmail or Outlook, we access messages so our AI can draft replies and extract quote details. We store the metadata (sender, subject, received-at) and the body text so the AI can produce useful responses.
  • Quotes and customer data — information you upload or that we extract from past quotes so the AI can generate new quotes in your voice and pricing.
  • Payment information — handled entirely by Stripe Inc. We never see, touch, or store card numbers. Stripe is PCI-DSS Level 1 certified.
  • OAuth tokens — encrypted at rest using Fernet (AES-128-CBC + HMAC) so we can talk to Google and Microsoft on your behalf.
  • Usage data — application logs, error reports, page-view counts, request latency. Used to keep the service running.
  • IP address and approximate location — for fraud prevention and currency detection (see section 8 on third-party services).

3. How we use it (purposes)

  • Deliver the email automation features you signed up for.
  • Tune the AI to your writing style and pricing. This is per-tenant — your data never trains a model shared with other customers, and we do not sell or share it for any AI training purpose.
  • Send transactional emails (welcome, password reset, billing receipts). We do not send marketing emails unless you explicitly opt in.
  • Investigate bugs, improve performance, and ship new features.
  • Provide customer support when you ask for help.
  • Comply with legal obligations (tax records, fraud investigations, lawful requests from authorities).
  • Detect, prevent, and respond to security incidents.

4. Lawful basis for processing (GDPR Art. 6)

Where the EU or UK GDPR applies, we rely on the following lawful bases:

  • Performance of contract (Art. 6(1)(b)) — for everything needed to deliver Hugrun Cloud to you: account creation, AI processing, billing, support.
  • Legitimate interest (Art. 6(1)(f)) — for fraud detection, service security, basic analytics, and product improvement. We balance our interest against your privacy and stop if you object.
  • Consent (Art. 6(1)(a)) — when you connect Gmail or Outlook via OAuth, when you opt in to marketing emails, and for any optional cookies. Consent is freely given, specific, informed, and revocable at any time.
  • Legal obligation (Art. 6(1)(c)) — when we have to keep records for tax law, anti-money-laundering, or to respond to lawful requests.

We do not rely on automated decision-making with legal or similarly significant effects (GDPR Art. 22). The AI drafts replies; you approve every send.

5. Google API Limited Use disclosure

Hugrun Cloud's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. In plain English:

  • We do not transfer Gmail data to others except as necessary to provide or improve user-facing features that are prominent in Hugrun Cloud.
  • We do not use Gmail data for advertising, including retargeting, personalised, or interest-based advertising.
  • We do not allow humans to read your Gmail data, except: (a) with your explicit consent for specific messages, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where data is aggregated and used for internal operations in accordance with applicable privacy law.
  • We do not sell Gmail data, transfer it to a data broker, or use it for any purpose unrelated to providing the Hugrun Cloud service.

The same principles apply to data accessed via Microsoft Graph (Outlook).

6. Subprocessors (who we share data with)

We share data with a short list of infrastructure and AI providers so Hugrun can do its job. Each is bound by their own data processing terms and applicable privacy law.

Provider | Purpose | Region
DigitalOcean | App + database hosting | Sydney, Australia
Anthropic (Claude) | AI email drafting | United States
OpenAI (GPT) | Fallback AI drafting | United States
Google AI (Gemini) | Fallback AI drafting | United States
Google Workspace (Gmail API) | Inbox access (with your consent) | United States
Microsoft Graph (Outlook) | Inbox access (with your consent) | United States / EU
Stripe | Payments + subscription billing | United States / Australia
Cloudflare | CDN + DDoS protection | Global edge network
ipapi.co | Approximate country lookup for currency detection | United States

We never sell your personal information, and we never use it for advertising.

7. International data transfers

Some of our subprocessors are located outside Australia or the EEA, primarily in the United States. When personal data is transferred outside your home jurisdiction, we rely on:

  • EU/UK Standard Contractual Clauses (SCCs) with all US subprocessors that handle EU/UK personal data.
  • EU–US Data Privacy Framework certifications where available (e.g. Stripe, Cloudflare).
  • Australian Privacy Principle 8 reasonable steps — contractual obligations binding our subprocessors to protect transferred data to Australian standards.

8. Data retention

  • Account data — retained while your account is active and for 30 days after deletion to handle billing reconciliation, then deleted.
  • Email content + AI drafts — retained while your account is active, deleted within 7 days of account deletion.
  • OAuth tokens — deleted immediately when you disconnect a provider or delete your account.
  • Billing records — retained for 7 years to comply with Australian tax law.
  • Logs — application logs are retained for 30 days; security audit logs for 12 months.

9. How we protect your data

  • HTTPS-only with HSTS preload — browsers refuse insecure connections.
  • OAuth tokens encrypted at rest with Fernet.
  • Bcrypt password hashing (cost factor 12). Passwords are never recoverable even by us.
  • JWT access tokens with short expiry, audience + issuer validation, and a Redis-backed revocation denylist for instant logout enforcement.
  • Per-tenant database scoping — every query is filtered by your tenant ID.
  • Rate limiting on login, signup, password reset, and AI chat endpoints.
  • Account lockout after repeated failed login attempts.
  • Stripe webhook signatures verified on every event.
  • SQL injection prevented via parameterised queries throughout.
  • Continuous dependency vulnerability scanning (pip-audit + npm audit).
  • See our Security & Trust page for the full technical detail.

10. Your rights — Europe (GDPR) and United Kingdom (UK GDPR)

If you are in the EU, EEA, or UK, you have these rights and we will honour them within 30 days of a verified request:

  • Right of access (Art. 15) — get a copy of all personal data we hold about you. Download via GET /api/auth/me/export while logged in.
  • Right to rectification (Art. 16) — correct anything inaccurate. Edit it in your settings page or email [email protected].
  • Right to erasure (Art. 17 — “right to be forgotten”) — delete your account and all associated data. Available immediately via DELETE /api/auth/me or through your settings page.
  • Right to restrict processing (Art. 18) — pause our use of your data while a dispute is resolved.
  • Right to data portability (Art. 20) — export your data in machine-readable JSON via the same export endpoint above.
  • Right to object (Art. 21) — object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent — disconnect any OAuth integration in your settings page; consent is withdrawn instantly.
  • Right to lodge a complaint with your local supervisory authority. EU residents can find theirs at edpb.europa.eu. UK residents complain to the ICO.

We will respond to verified data subject requests within 30 days, free of charge, unless requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse, as permitted under Art. 12(5)).

11. Your rights — California residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know — what categories of personal information we collect, the sources, the business purposes, and who we share it with. This entire policy answers that question.
  • Right to delete — have us delete your personal information (subject to legal retention requirements). Use the same DELETE /api/auth/me endpoint or email [email protected].
  • Right to correct — fix inaccurate personal information.
  • Right to opt out of sale or sharing — Hugrun Cloud does not sell personal information and does not share it for cross-context behavioural advertising. There is nothing to opt out of, but we honour Global Privacy Control (GPC) signals nonetheless.
  • Right to limit use of sensitive personal information — Hugrun Cloud does not collect or use sensitive personal information for inferring characteristics.
  • Right to non-discrimination — we will not penalise you for exercising any of these rights.

12. Your rights — Australia (Privacy Act 1988 + APPs)

Hugrun is an Australian company subject to the Australian Privacy Principles. Australian residents have the right to:

  • Access the personal information we hold about you (APP 12).
  • Have inaccurate information corrected (APP 13).
  • Make a privacy complaint to us first; if unresolved, escalate to the Office of the Australian Information Commissioner (OAIC).
  • Be notified of eligible data breaches under the Notifiable Data Breaches scheme — within 72 hours where practicable.

13. Your rights — everywhere else

If you live somewhere not covered above, we still treat your data with the same baseline care: no sale, no advertising, encryption, deletion on request, and the right to ask any question. Email [email protected] and a human will reply.

14. Cookies and similar technologies

  • Strictly necessary cookies — authentication, session management, CSRF protection. These are required for the service to work and do not require consent.
  • No advertising cookies. We do not run third-party advertising trackers.
  • No third-party analytics on the marketing site by default. If we add product analytics inside the dashboard later, we will update this policy and provide a granular consent choice.
  • Cloudflare sets a security cookie (__cf_bm) for bot management. This is essential to protect the site from malicious traffic.
  • ipapi.co on the pricing page receives your IP to return your country code. Disclosed in section 6 above.

15. Data breaches

If we discover a data breach that affects you, we will notify you and the relevant supervisory authority (OAIC for Australia, EDPB for EU, ICO for UK) within 72 hours of becoming aware, where required by law. The notification will explain what happened, what data was affected, what we're doing about it, and what you should do.

16. Children's privacy

Hugrun Cloud is a business tool. It is not intended for anyone under 18, and we do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, email [email protected] and we will delete it.

17. Changes to this policy

We may update this policy from time to time. Material changes (anything that affects your rights, the data we collect, or who we share it with) will be notified by email to active account holders at least 30 days before they take effect. Minor edits (typo fixes, clarifications) may be made without notice. The “Last updated” date at the top of this page always reflects the most recent version.

18. Contact us

Questions, complaints, or data subject requests? Email [email protected]. We respond to every inquiry within 5 business days, and to formal data subject requests within 30 days.