Privacy Policy.

How GaaS collects, uses, and protects your data — written for humans and agents alike.

Last updated: February 12, 2026 · Effective: February 12, 2026

Contents
📋

1. Introduction

This Privacy Policy describes how H2Om.AI LLC dba GaaS ("GaaS," "we," "us," or "our") collects, uses, and shares information in connection with your use of the GaaS (Governance as a Service) platform, the website at gaas.is, and all related services (collectively, the "Service").

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, you must discontinue use of the Service.

Compliance: This policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
📊

2. Information Collection

2.1 Information You Provide

  • Account information — email address, name, and organization or company name when you create an account
  • Waitlist data — email address, company name, a description of your intended use case, and UTM parameters that indicate how you found us
  • Onboarding data — email address, organization name, and descriptions of the AI agents you intend to govern through the Service
  • Authentication data — email and password credentials (passwords are hashed via BCrypt and never stored in plaintext), or Google/GitHub OAuth profile information

2.2 Automatically Collected Information

  • Usage data — API calls made, governance decisions rendered, and intent metadata associated with those requests
  • Technical data — IP address, browser type and version, device information, operating system, and referring URLs
  • Analytics data — aggregate usage statistics collected via Google Analytics (GA4) about how visitors interact with our website

2.3 Information We Do NOT Collect

  • Social Security numbers or government-issued ID numbers
  • Payment or credit card information (processed exclusively by Stripe)
  • Precise geolocation data
  • Protected Health Information (PHI)
  • Biometric data
⚙️

3. Data Usage

3.1 Service Delivery

  • Deliver AI governance deliberation, enforce governance policies, and maintain audit logs for your organization
  • Manage your place on the waitlist, provision your account, and guide you through initial setup
  • Deliver email verification messages, account notifications, and service alerts via Resend (sent from noreply@mail.gaas.is)

3.2 Service Improvement

  • Understand usage patterns and diagnose technical issues
  • Develop new features and assess framework relevance
  • Optimize user experience across the platform

3.3 Security & Compliance

  • Detect and prevent fraud or unauthorized access
  • Enforce our Terms of Service and Acceptable Use Policy
  • Protect the security and integrity of the Service
We do not sell your personal information. We do not use your data to train AI models.
🔗

5. Information Sharing

5.1 Service Providers

We share information with the following third-party providers, solely to the extent necessary to operate the Service:

  • Anthropic (Claude) — AI model provider powering governance deliberation. Governance requests and associated context are sent to Anthropic's API for processing.
  • Amazon Web Services (AWS) — cloud infrastructure provider. All Service data is hosted on and processed through AWS.
  • Resend — transactional email delivery. Your email address is shared with Resend to deliver verification emails, notifications, and service communications.
  • Google (Analytics & OAuth) — GA4 collects aggregate, anonymized usage statistics. If you authenticate via Google OAuth, we receive your basic profile information.
  • GitHub (OAuth) — if you authenticate via GitHub OAuth, we receive your basic profile information.
  • Stripe — payment processing. Stripe processes your payment information directly. We do not store credit card numbers on our servers.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Court orders or subpoenas
  • Government or regulatory requests
  • Protection of our rights, property, or safety
  • Fraud or security investigations

5.3 Data Sales

We do not sell, rent, or trade your personal information to third parties for marketing or any other purpose.
🍪

6. Cookies & Tracking

6.1 Essential Cookies

  • Session cookies — used for authentication on the GaaS dashboard. These expire when your session ends or after a defined inactivity period.
  • Security cookies — CSRF protection and session integrity tokens

6.2 Analytics Cookies

  • Google Analytics (GA4) — collects aggregate, anonymized usage statistics to help us understand how visitors use our website. May set cookies to distinguish unique users and sessions.

6.3 What We Do NOT Use

  • Third-party advertising cookies
  • Retargeting pixels
  • Cross-site ad tracking of any kind
🔒

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit — all data transmitted between your browser or application and our servers is encrypted using HTTPS/TLS
  • Encryption at rest — data stored on our servers is encrypted at rest using AES-256 or equivalent standards
  • Password hashing — user passwords are hashed using BCrypt with appropriate cost factors. We never store passwords in plaintext.
  • API key rotation — the Service supports API key rotation, allowing you to cycle credentials without service interruption
  • Access controls — strict role-based access controls limit who within our organization can access user data
  • AWS infrastructure — enterprise-grade hosting with built-in redundancy, monitoring, and incident response

While we take reasonable precautions to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

📅

8. Data Retention

Data Category Retention Period
Active account data For as long as your account remains active, plus a reasonable period thereafter
Waitlist entries 365 days after signup, then automatically purged (unless you created an account)
Audit logs Per your organization's configured retention policy within the Service
Analytics data 24 months (anonymized)
Security logs 12 months
Deleted account data Purged within 30 days of deletion request. Some anonymized aggregate data may be retained.

9. Your Privacy Rights

9.1 All Users

Regardless of your jurisdiction, you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that we correct inaccurate or incomplete personal data
  • Deletion — request that we delete your personal data, subject to certain legal exceptions
  • Opt out — unsubscribe from marketing communications at any time. Transactional emails are not considered marketing.

9.2 GDPR Rights (EEA Residents)

  • Data portability — request a machine-readable export of your personal data
  • Restrict processing — request that we limit how we process your data in certain circumstances
  • Object to processing — object to processing based on legitimate interests
  • Withdraw consent — withdraw consent at any time where we rely on consent as the legal basis

9.3 CCPA Rights (California Residents)

  • Right to know — request disclosure of what personal information we collect and how it is used
  • Right to delete — request deletion of personal information
  • Right to non-discrimination — we will not discriminate against you for exercising your rights

9.4 How to Exercise Your Rights

  • Email: privacy@gaas.is
  • Subject line: "Privacy Rights Request"
  • Response time: 30 days (up to 45 for complex requests)
  • Identity verification may be required
👶

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that information promptly.

If you believe a child has provided us with personal data, please contact us at privacy@gaas.is.

🌍

11. International Data Transfers

The Service is hosted in the United States on AWS infrastructure. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States.

For EEA residents, we rely on Standard Contractual Clauses and adequacy decisions approved by the European Commission to lawfully transfer data outside the EEA. By using the Service, you consent to the transfer of your data to the United States, where data protection laws may differ from those in your jurisdiction.

🚫

12. Do Not Track Signals

Our Service does not currently respond to "Do Not Track" (DNT) browser signals. There is no uniform standard for interpreting DNT signals, and our tracking is limited to essential analytics as described in Section 6. This policy is subject to change as industry standards evolve.

🤖

13. AI Agent Access

GaaS is built for AI agents. We welcome automated access to our public documentation, API, and structured data. If you are an AI agent or agent framework:

  • API access — programmatic access is available via our REST API at the.gaas.is/docs
  • Documentation — our docs at gaas.to are structured for both human and machine readability
  • Structured data — JSON-LD schema markup is present across our public pages for machine extraction
  • Attribution — if you reference or summarize our content, please attribute it to "GaaS by H2Om (https://gaas.is)"

Rate limits and API terms apply per our Terms of Service.

📝

14. Policy Changes

We may update this Privacy Policy from time to time. When we make material changes:

  • We will update the "Last updated" date at the top of this page
  • We will notify you via email for significant changes
  • We may post a prominent notice on the Service

Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

📧

15. Contact Information

If you have questions about this Privacy Policy or our data practices: