Privacy Policy

H Company
8 rue Sainte-Cécile, 75009
Paris, Île-de-France, France
Last Updated: March 26, 2026

Introduction

This Privacy Policy ("Policy") constitutes a comprehensive document that governs the collection, use, disclosure, retention, and protection of personal information by H Company ("H Company," "we," "us," or "our") in connection with the Holotab Chrome extension ("Holotab") and all associated services, backend infrastructure, and technical operations (collectively referred to as the "Services").

This Policy applies without limitation to all users worldwide who access, install, or otherwise utilize Holotab through the Chrome Web Store or any authorized distribution channels. H Company maintains an unwavering commitment to protecting user privacy through responsible data stewardship, implementing industry-leading technical and organizational measures designed to minimize data processing risks while ensuring seamless service delivery.

By installing Holotab, accessing its functionality, submitting task instructions, or otherwise engaging with the Services, you expressly acknowledge that you have carefully read, fully understood, and unconditionally accept the terms and conditions set forth in this Policy. Should you find any provision unacceptable or disagree with our data practices, you are respectfully requested to immediately cease all use of Holotab and uninstall the extension.

For any privacy-related inquiries, rights exercise requests, data subject access demands, or clarification regarding our processing activities, please contact us directly at privacy@hcompany.ai. H Company responds to all legitimate inquiries within statutory timeframes and maintains detailed records of all communications as part of our comprehensive accountability framework.

1. Data Controller Identification and Legal Framework

H Company, duly incorporated and maintaining its registered office at 8 rue Sainte-Cécile, 75009 Paris, Île-de-France, France, acts as the data controller with respect to all personal data processed through Holotab. Data Protection Officer: H Company's designated Data Protection Officer can be reached exclusively at dpo@hcompany.ai for matters pertaining specifically to GDPR compliance, data protection impact assessments, or cross-border data transfer documentation.

Users physically located within jurisdictions maintaining dedicated data protection supervisory authorities retain the right to lodge formal complaints with their competent local authority. By way of non-exhaustive example, residents of France may contact the Commission Nationale de l'Informatique et des Libertés (CNIL) at www.cnil.fr, while users in other Member States should refer to their respective national supervisory bodies as listed on the European Data Protection Board's official registry.

H Company maintains comprehensive internal records documenting all processing activities pursuant to GDPR Article 30, conducts regular data protection impact assessments for high-risk processing operations, and implements appropriate technical and organizational measures to ensure ongoing compliance with evolving regulatory requirements across all jurisdictions served by the Services.

2. Categories of Personal Data Processed and Privacy by Design Principles

H Company implements data minimization practices by processing screenshots only transiently during task execution – immediately deleting them upon completion – while retaining solely user prompts and anonymized processing traces for service improvement purposes. This architecture ensures transient handling of visual data while preserving essential operational records necessary for service optimization, error resolution, and quality assurance.

2.1 User Instructions (Task Prompts)

The sole substantive personal data actively collected comprises natural language task instructions voluntarily authored and submitted by users through Holotab's interface. These prompts typically consist of concise directives such as "summarize the visible content on this page," "populate the adjacent form fields with the following information," "extract and compile key data points from the current document," or "navigate sequentially through this multi-step workflow."

Such prompts represent the user's explicit instruction to initiate automated task execution and constitute the foundational input for all Holotab processing activities. No visual representations or environmental data accompanies these instructions during processing.

2.2 Processing Traces and Essential Technical Metadata

To ensure operational reliability, H Company systematically generates and temporarily retains limited processing traces comprising exclusively non-identifying operational metadata, including without limitation: precise UTC timestamps marking task initiation and completion; binary success/failure status codes; non-identifying browser user-agent strings; Holotab extension version identifiers; high-level performance metrics (execution latency, resource utilization); and aggregated statistical measures across user cohorts (feature adoption rates, error classifications).

These traces enable critical functions such as real-time system monitoring, root cause analysis of technical failures, capacity planning, and proactive security incident detection without compromising individual user anonymity or enabling re-identification.

3. Lawful Bases for Processing and Legitimate Interests Assessment

Each distinct processing purpose benefits from an independently assessed lawful basis, rigorously documented through H Company's internal Records of Processing Activities (ROPA) and, where required, formal Legitimate Interests Assessments (LIA) conducted pursuant to GDPR Article 6(1)(f):

Contractual Necessity (GDPR Art. 6(1)(b), equivalent provisions): Processing user-submitted task prompts constitutes the indispensable means of fulfilling H Company's contractual obligation to execute the precise automation services requested by each user upon extension installation and activation.

Legitimate Interests (GDPR Art. 6(1)(f)): Temporary retention and analysis of processing traces serves H Company's well-established legitimate interests in maintaining service availability, ensuring operational continuity, detecting and mitigating security threats, resolving technical incidents, and iteratively improving service quality through data-driven optimization – balanced against and demonstrably not overriding individual privacy rights through comprehensive safeguards including data minimization, pseudonymization, and strict access controls.

4. Specific Processing Purposes and Prohibited Activities

H Company's data processing activities remain strictly circumscribed within four exhaustive legitimate purposes, each implemented through purpose-specific technical architectures that preclude commingling or secondary usage:

1. Primary Task Execution: Real-time interpretation and fulfillment of user-submitted natural language instructions through advanced language model inference, representing the core contractual deliverable;

2. Service Integrity & Quality Assurance: Systematic analysis of processing traces to identify, diagnose, and remediate technical anomalies, optimize inference latency, prevent service degradation, and maintain contractual service level commitments;

3. Cybersecurity & Threat Intelligence: Continuous monitoring for anomalous patterns indicative of malicious activity, unauthorized access attempts, or potential service abuse, enabling proactive risk mitigation;

4. Statutory Compliance & Legal Accountability: Documentation and retention necessary to demonstrate compliance with applicable regulatory frameworks and respond appropriately to lawful authority requests.

Express Prohibitions: H Company conducts no behavioral advertising, individual profiling, automated decision-making producing legal effects, or any form of data monetization. All processing remains inextricably linked to legitimate service delivery imperatives.

5. Data Retention and Deletion Framework

To use Holotab's services, users must provide certain information such as their email address, name - which are encrypted and protected, and used for authentication, notifications, and account management. No additional profile fields are required beyond what is strictly necessary to operate the account and associated services.

From a technical standpoint, H‑tab must process visual information displayed in the user’s browser in order to perform the requested tasks. The extension captures and analyzes visual elements of the active tab (including screenshots or equivalent visual representations) solely for the time strictly necessary to interpret the context and execute the user’s instructions. These visual elements are processed in memory and are deleted immediately after the operation is completed; they are not retained, logged, or stored in any persistent form. Only user prompts and limited, non-visual processing traces are retained for service improvement, debugging, and security purposes, in accordance with the data minimization and storage limitation principles applicable to our Service.

6. Comprehensive Technical and Organizational Security Measures

H Company implements appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with GDPR Article 32 and applicable standards. These measures include:

Technical protections: Transport Layer Security (TLS) encryption for data transmissions between Holotab and our servers; access controls limiting data availability to authorized personnel only; regular software updates and patching; and basic monitoring for unusual activity.

Operational safeguards: Internal policies governing data access and usage; password protection for administrative systems; secure development practices during extension updates; and procedures for responding to potential security incidents.

Continuous improvement: H Company regularly reviews and enhances security practices based on industry developments, threat intelligence, and lessons learned from operational experience.

While no system can guarantee absolute security, H Company maintains proportionate protections given the limited scope of data processed (user prompts and anonymized traces only) and implements prompt deletion protocols to minimize exposure.

7. Subprocessors, Third-Party Disclosures, and Accountability Chain

For European Economic Area users, Holotab processes data transiently during agent sessions (30-40 minutes maximum) with immediate deletion thereafter, eliminating the need for subprocessors or persistent storage within Europe.

For users outside the EEA, screenshots are deleted immediately after processing while user prompts and processing traces are retained for a maximum of ninety (90) days to support service improvement, troubleshooting, and security monitoring. Data transmissions to our U.S.-based infrastructure are protected by end-to-end encryption both in transit (TLS) and at rest. Our cloud service providers maintain standard security commitments through their commercial terms of service, including data protection warranties and confidentiality obligations.

H Company makes no disclosures for marketing, advertising, or commercial partnerships. Data is never sold, licensed, or shared with third parties except as contractually required by our service providers or compelled by lawful authority. In enterprise deployments, customers receive only non-personal, aggregated service metrics.

8. International Data Transfers and Equivalence Guarantees

Holotab processing for European Economic Area users occurs transiently during agent sessions with immediate data deletion thereafter, eliminating cross-border transfer requirements. For users outside the EEA, data is transmitted to U.S.-based infrastructure protected by industry-standard encryption protocols both in transit and at rest. While H Company has not executed specific Standard Contractual Clauses with service providers, applicable commercial terms of service incorporate confidentiality and security commitments, supplemented by technical safeguards including time-limited retention (90 days maximum for prompts and traces) and immediate screenshot deletion post-processing. H Company continues to monitor evolving transfer requirements and stands ready to implement additional measures as regulatory guidance develops.

9. Individual Data Subject Rights

Pursuant to applicable data protection legislation conferring such rights upon data subjects, users of Holotab may exercise the following prerogatives through written request directed to privacy@hcompany.ai:

a) Right of access to personal data processed concerning them and, where applicable, related processing details;

b) Right to rectification of inaccurate or incomplete personal data;

c) Right to erasure of personal data under the conditions established by law;

d) Right to restriction of processing in the circumstances contemplated by regulation;

e) Right to data portability in a structured, commonly used, and machine-readable format, where technically feasible;

f) Right to object to processing based on legitimate interests, subject to the controller's compelling grounds;

g) Right to withdraw consent where processing relies on such legal basis, without affecting the lawfulness of prior processing.

H Company shall provide substantive response within one (1) calendar month of receipt of complete request, extendible by two (2) months for manifestly complex or numerous demands upon prior notification to the data subject. Verification of requester identity may be required to prevent unauthorized disclosures.

10. Protection of Minors’ data

Holotab constitutes professional-grade automation software intended exclusively for users having attained the age of majority or legal adulthood as determined by their jurisdiction of residence. H Company does not knowingly solicit, collect, or process personal data from minors under sixteen (16) years of age.

In the event a parent, legal guardian, or authorized representative becomes aware of inadvertent minor data processing, such party may immediately request comprehensive deletion by contacting privacy@hcompany.ai. H Company shall effectuate permanent erasure within statutory timeframes and furnish confirmation of compliance.

11. Policy Amendment Procedures

Material Modifications: Amendments affecting processing purposes, categories, recipients, or retention necessitate minimum thirty (30) days advance notice delivered through persistent in-extension notifications, email (where contact information registered), and Chrome Web Store updates. Continued service utilization post-notification constitutes unqualified acceptance.

Administrative Updates: Clarifications, formatting improvements, or contact details published immediately without individual prior notice.

12. Governing Law and Jurisdiction

This Policy constitutes an integral component of H Company's contractual terms, governed exclusively by French law with all disputes subject to the mandatory, non-exclusive jurisdiction of the Paris Commercial Court (Tribunal de Commerce de Paris), without prejudice to data subjects' rights to pursue remedies through competent supervisory authorities or mandatory consumer forums.

13. Comprehensive Contact Framework

H Company
8 rue Sainte-Cécile, 75009
Paris, Île-de-France, France