Hashline — Privacy Policy
Effective Date: April 21, 2026 Last Updated: April 21, 2026
1. Introduction
Hashline ("Hashline", "we", "us", "our") is committed to protecting the privacy of individuals who visit our website (hashline.dev), use our Service, or otherwise interact with us. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding your personal data.
This Privacy Policy applies to personal data we collect as a data controller — that is, data relating to visitors, prospective customers, and Account holders. It does not govern the processing of personal data that our customers submit to the Service as part of their Client Data (such as event payloads containing information about their own end users). For that processing, Hashline acts as a data processor on behalf of the customer, and the terms of our Data Processing Addendum (DPA) at https://hashline.dev/legal/dpa apply.
If you have questions about this Privacy Policy, contact us at privacy@hashline.dev.
2. Who We Are
Hashline is a hosted audit log platform for AI agent workloads.
Contact details:
- Email: privacy@hashline.dev
- Address: Hashline · hello@hashline.dev
3. Personal Data We Collect
3.1 Data You Provide Directly
When you create an Account, subscribe to a Plan, or contact us, we may collect:
- Account information: name, email address, company name, job title
- Billing information: billing address, VAT/tax identification number. Payment card details are collected and processed by our Merchant of Record, Paddle.com (see Section 5), and are not stored by Hashline.
- Communications: the content of emails, support requests, and feedback you send us
- Early access requests: name, email, company name, and any information you voluntarily provide in your request
3.2 Data Collected Automatically
When you visit our website or use the Service, we may automatically collect:
- Usage data: API call volumes, endpoints accessed, error rates, feature usage, and other Service interaction data
- Log data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of access
- Device data: device type, screen resolution, language settings
3.3 Data from Third Parties
We may receive limited data from:
- Paddle.com: transaction confirmations, subscription status, and billing country (Paddle is the Merchant of Record; see Section 5)
- Authentication providers: if we implement third-party authentication (e.g., GitHub OAuth), we receive the profile information you authorise the provider to share
3.4 Data We Do Not Collect
Hashline does not intentionally collect:
- Payment card numbers, CVVs, or bank account details (these are handled exclusively by Paddle)
- Special categories of personal data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation) unless voluntarily provided by you
- Data from children under 18
4. How We Use Your Data
We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and maintaining the Service, including Account creation and API key management | Performance of contract (Art. 6(1)(b)) |
| Processing subscriptions and coordinating billing with Paddle | Performance of contract (Art. 6(1)(b)) |
| Sending transactional communications (Account confirmations, security alerts, service notifications) | Performance of contract (Art. 6(1)(b)) |
| Responding to support requests and communications | Performance of contract / Legitimate interest (Art. 6(1)(b)/(f)) |
| Monitoring and improving the Service (performance, reliability, security) | Legitimate interest (Art. 6(1)(f)) |
| Detecting and preventing fraud, abuse, and security incidents | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (tax records, regulatory requests) | Legal obligation (Art. 6(1)(c)) |
| Sending product updates and relevant communications about the Service | Legitimate interest (Art. 6(1)(f)) — you can opt out at any time |
| Enforcing our Terms and Conditions | Legitimate interest (Art. 6(1)(f)) |
| Aggregated analytics and reporting (non-identifiable) | Legitimate interest (Art. 6(1)(f)) |
We do not use your personal data for automated decision-making or profiling that produces legal effects.
We do not sell your personal data. We do not use Client Data to train machine learning or AI models.
5. Payments and Paddle
Our order process is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle provides all customer service inquiries related to billing and handles returns.
When you purchase a subscription, your payment information is collected and processed directly by Paddle in accordance with Paddle's Privacy Policy (https://www.paddle.com/legal/privacy) and Paddle's Checkout Buyer Terms (https://www.paddle.com/legal/checkout-buyer-terms). Hashline does not receive, store, or have access to your payment card details.
Paddle may share the following information with us: your name, email address, billing country, transaction identifiers, subscription status, and invoice records. We use this information to manage your Account and subscription.
For questions about payment processing or to request a refund, please contact Paddle directly or refer to our Refund Policy at https://hashline.dev/refund.
6. Who We Share Your Data With
We share personal data only as necessary and with the following categories of recipients:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Cloudflare, Inc. | Infrastructure hosting (the Service runs on Cloudflare's network) | All data transmitted through the Service |
| Paddle.com | Payment processing, billing, tax compliance (Merchant of Record) | Name, email, billing address, transaction data |
| Email service provider [TBD] | Transactional and account-related emails | Email address, name |
| Professional advisors | Legal, accounting, and compliance advice | As necessary, under confidentiality obligations |
We do not share, sell, rent, or trade personal data with third parties for their marketing purposes.
We may disclose personal data if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
A current list of subprocessors is maintained at https://hashline.dev/legal/subprocessors.
7. International Data Transfers
Hashline's Service runs on Cloudflare's global network, and our payment processor Paddle operates internationally. Your personal data may be transferred to and processed in countries outside your country of residence, including the United States.
Where personal data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland to a country not recognised as providing an adequate level of data protection, we rely on:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission; and/or
- UK International Data Transfer Addendum to the EU SCCs, as applicable
Details of transfer mechanisms are set out in our DPA at https://hashline.dev/legal/dpa.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy:
| Data Category | Retention Period |
|---|---|
| Account information | Duration of the Account plus 30 days after deletion |
| Billing and transaction records | As required by applicable tax and financial record-keeping laws (typically 7 years) |
| Support communications | 2 years from last communication, or longer if related to an ongoing dispute |
| Usage and log data | 90 days (automatically rotated) |
| Marketing consent records | Duration of consent plus 3 years after withdrawal |
Client Data submitted to the Service is retained according to the customer's Plan retention period and the terms of our Terms and Conditions (Section 12).
9. Data Security
We implement commercially reasonable technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent, provided by our infrastructure provider)
- API key authentication with one-way hashing (raw keys are never stored)
- Tenant isolation enforced at multiple layers of the architecture
- Access controls limiting employee access to personal data on a need-to-know basis
- Regular review of security practices
No method of transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
10.1 Rights Under GDPR (EEA, UK, Switzerland)
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate personal data
- Erasure: request deletion of your personal data (subject to legal retention obligations)
- Restriction: request that we restrict processing of your personal data
- Data portability: receive your personal data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests, including direct marketing
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise these rights, contact us at privacy@hashline.dev. We will respond within 30 days (or within the time required by applicable law).
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
10.2 Rights Under CCPA / CPRA (California Residents)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information (subject to exceptions)
- Opt out of sale or sharing — we do not sell or share (as defined by the CCPA) your personal information
- Non-discrimination — we will not discriminate against you for exercising your rights
To exercise these rights, contact us at privacy@hashline.dev.
10.3 Rights Under Other Jurisdictions
If you are located in another jurisdiction with applicable data protection laws (such as Brazil's LGPD, Canada's PIPEDA, or Australia's Privacy Act), you may have similar rights. Contact us at privacy@hashline.dev and we will endeavour to accommodate your request in accordance with applicable law.
11. Cookies and Tracking
11.1 Essential Cookies
We use strictly necessary cookies to operate the Service, such as session cookies for authentication. These cannot be disabled.
11.2 Analytics
We may use privacy-respecting analytics to understand how our website is used. We do not use third-party advertising trackers, and we do not serve ads.
11.3 Your Choices
You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service.
12. Third-Party Links
Our website or Documentation may contain links to third-party websites (such as GitHub, npm, or Paddle). We are not responsible for the privacy practices of those websites. We encourage you to review their privacy policies.
13. Children
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@hashline.dev and we will delete it promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.
15. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
- Email: privacy@hashline.dev
- General enquiries: hello@hashline.dev
- Address: Hashline · hello@hashline.dev
This Privacy Policy is provided as a template and should be reviewed by qualified legal counsel before publication. It does not constitute legal advice.