Privacy Policy
How we collect, use, store, share, and protect information when you use the Hone Studio platform.
1. Information We Collect
Hone Labs LLC (“Hone Labs,” “we,” “us,” or “our”) operates the Hone Studio platform (“Platform”). We built Hone Studio for organizations that handle sensitive institutional data, including higher education institutions subject to FERPA. Our data practices reflect that responsibility: we minimize what we collect, we don’t sell data, and we give institutions full control over their information.
Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account information | Email address, name (from OAuth profile) | Authentication, account management |
| Organizational content | Documents, knowledge base entries, conversation messages, research projects | Core Platform functionality |
| Feedback and support | Messages to support channels | Responding to requests, improving Platform |
Information Generated
| Category | Examples | Purpose |
|---|---|---|
| AI-generated content | Draft documents, extracted facts, research summaries | Core AI-assisted features |
| Embeddings | Vector representations of document text | Semantic search |
| Usage metadata | Feature usage, token consumption, API call logs | Operation, billing, quality monitoring |
Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Analytics | Page views, feature interactions (via Vercel Analytics) | Understanding usage, improving experience |
| Performance data | Page load times, Core Web Vitals | Maintaining performance |
| Error data | Error stack traces (PII scrubbed), performance traces | Diagnosing and fixing bugs |
| Server logs | IP addresses, request timestamps | Security monitoring, abuse prevention |
We do NOT collect: Social Security numbers, financial account numbers or payment card data, biometric data, health or medical records, precise geolocation data, or data from children under 13 (see Section 9).
2. How We Use Information
We use information only for the purposes below. We do not sell, rent, or trade your information.
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Provide the Platform | Contract performance | Account info, organizational content, AI-generated content |
| Process AI requests | Contract performance | Document text, conversation history, knowledge base content |
| Maintain security | Legitimate interest | Server logs, authentication data, error data |
| Improve the Platform | Legitimate interest | Aggregated analytics, performance data, error reports |
| Communicate with you | Contract performance | Email address (notifications, magic link auth) |
| Comply with law | Legal obligation | As required by applicable law |
3. Data Isolation and Multi-Tenancy
Each client organization operates on fully isolated infrastructure, and its data is strictly isolated:
- Separate infrastructure per client — Each client has a dedicated Supabase project (independent database, auth, and storage), a dedicated Railway backend deployment, and a dedicated Vercel frontend deployment with its own domain. There is no shared database, application server, or frontend between clients.
- Separate database schemas — Within each client’s Supabase project, data resides in dedicated, client-prefixed database tables. There is no shared data pool between clients.
- Row-Level Security (RLS) — Database-level policies enforce that queries can only return data belonging to the requesting client’s workspace.
- Separate storage — Uploaded files are stored in client-specific storage buckets.
- No cross-client data access — It is architecturally impossible for one client’s users to access another client’s data through the Platform — both at the infrastructure level (separate deployments) and the application level (prefixing, RLS, bucket isolation).
For comprehensive details, see our Security Practices page.
5. Data Retention
| Category | Retention Period |
|---|---|
| Organizational content | Contract duration + 30-day export window |
| Account data | Account lifetime + 30-day grace period |
| Usage logs | 1 year |
| Error reports | 90 days |
| Server logs | 30 days |
| Database backups | 7 days (Supabase Pro plan) |
Accidental deletion protection: Every deletion in the Platform goes through a soft-delete pipeline. If data is deleted by mistake, it can be recovered within 30 days.
Contract Termination Timeline
| Timing | Action |
|---|---|
| Days 1–30 | Data remains available for export only (no new processing) |
| Day 30 | All data soft-deleted, user access revoked |
| Day 60 | Permanent deletion of all data |
| Day 90 | All copies confirmed erased, including backup rotation (7-day retention, Supabase Pro plan) |
| Upon request | Written certification of complete deletion provided |
6. Data Security
We protect your data through multiple layers of security:
- Encryption at rest — AES-256 encryption (AWS KMS managed keys)
- Encryption in transit — TLS 1.2+ for all connections, HSTS enforced
- Authentication — JWT-based with algorithm confusion prevention; API keys with bcrypt hashing and constant-time comparison
- Access control — Email/domain allowlisting, Row-Level Security on all database tables (defense-in-depth; primary authorization via application layer), workspace-scoped permissions
- Rate limiting — Redis-backed rate limiting to prevent abuse and resource exhaustion
- Input validation — Parameterized queries (SQL injection prevention), Pydantic model validation, SSRF protection
- Security headers — Full suite including X-Frame-Options, Content-Security-Policy, X-Content-Type-Options
- Monitoring — Error monitoring with PII scrubbing, application performance monitoring
- CI/CD security — Automated linting, type checking, and testing on every code change
For comprehensive details, see our Security Practices page.
7. Your Rights and Choices
Data Export
You may request a complete export of your organization’s data at any time. Exports include all uploaded documents (original files), generated documents, knowledge base content, conversation history, research projects, and workspace structure. Exports are delivered in JSON format (structured data) and original format (uploaded files) within 15 business days. For exports exceeding 100GB, we will provide a delivery timeline within 3 business days of the request.
Data Deletion
You may request deletion of specific data or all data at any time:
- Send a written request to privacy@honelabs.dev
- We confirm the scope within 2 business days
- Soft deletion within 5 business days (data becomes invisible in the Platform)
- 30-day grace period (cancellable — in case of accidental deletion)
- Permanent deletion after grace period
- Written certification of deletion provided upon request
Account Closure
Contact your organization’s administrator to request account deprovisioning, or contact us directly at privacy@honelabs.dev.
Communication Preferences
The Platform sends only transactional communications (magic link authentication emails, account notifications). We do not send marketing emails.
8. FERPA Compliance
For higher education clients that designate Hone Labs as a “school official” under FERPA (20 U.S.C. § 1232g):
- Legitimate educational interest — We access education records only to provide the contracted Platform services
- Direct control — The institution controls which users have access and what data is uploaded
- No re-disclosure — We do not disclose education records to any third party except our sub-processors, who are bound by the same restrictions
- No use beyond purpose — Education records are used solely for the contracted service — never for marketing, profiling, or product development
- AI provider protections — No AI provider uses education records for training. Zero-retention agreements are confirmed with Google and Perplexity, and requested from Anthropic and Cohere
- Data return and deletion — Upon contract termination, education records are returned (via data export) and deleted per the timeline in Section 5
- Breach notification — In the event of unauthorized disclosure of education records, we notify the institution within 24 hours per our Incident Response Plan
We do not condition the provision of services on a student or parent waiving FERPA rights.
9. Children's Privacy
Hone Studio is designed for institutional use by authorized adult users. We do not knowingly collect personal information directly from children under the age of 13. The Platform is not directed at children.
If education records pertaining to students under 13 are included in content uploaded by an institution, that data is processed solely under the institution’s authority as part of the contracted service, subject to the same protections described in Section 8.
If we become aware that we have collected personal information directly from a child under 13 without appropriate consent, we will delete that information promptly. If you believe we have collected such information, please contact us at privacy@honelabs.dev.
10. State Privacy Law Compliance
New York Education Law 2-d
For New York education institution clients: Hone Labs maintains practices designed to meet NY Education Law § 2-d requirements for third-party contractors handling student data. We maintain data security and privacy standards consistent with NIST Cybersecurity Framework guidelines, limit data use to the contracted educational purpose, and will not sell or release student data or teacher/principal data for commercial purposes.
California (SOPIPA)
Hone Labs does not use student information to target advertising, create profiles for non-educational purposes, sell student information, or disclose student information except as permitted under SOPIPA (SB 1177). The Platform is designed solely for the institutional purposes contracted by the client.
Rhode Island
For Rhode Island institution clients: We comply with Rhode Island’s Identity Theft Protection Act (R.I. Gen. Laws § 11-49.3) regarding breach notification requirements. In the event of a security breach involving personal information of Rhode Island residents, we will notify affected individuals and the Rhode Island Attorney General as required by law.
12. International Data
All Platform data is processed and stored in the United States. If you are accessing the Platform from outside the United States, your information will be transferred to and processed in the United States.
For clients requiring specific data residency arrangements, please contact us at privacy@honelabs.dev to discuss options.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this policy. For changes that affect how we handle client data, we will provide at least 30 days’ advance notice via email to client administrators. For changes required by law, we will implement them as required and notify clients as soon as practicable.
14. Contact Us
For privacy questions, data requests, or concerns:
- Email: privacy@honelabs.dev
- AI Ethics: ai@honelabs.dev
- Security: security@honelabs.dev
Mailing Address:
Hone Labs LLC
Berkshires, MA