Skip to content
Hexaa
What we automateIndustriesCase studiesAbout
Book a call
AutomateIndustriesCasesAbout
Hexaa

Document automation, built around your operations. Vendor-agnostic, and yours to own.

What we automate

  • The pipeline
  • Classification
  • Extraction
  • Validation
  • Routing and integration

Industries

  • Logistics and freight
  • Construction
  • Banking and financial services
  • Healthcare
  • All ten industries

Company

  • About
  • Case studies
  • Book a call

Legal

  • Privacy
  • Terms
  • Cookies
  • DPA
  • Accessibility
© Hexaa 2026. Austin · Brantford · Lahore.
hello@hexaa.aiLinkedIn

Legal

Privacy Policy

Last updated: 2026-05-16

How Hexaa collects, uses, retains, and protects personal data on this marketing site and the readiness assessment tool, and the rights you have under GDPR, the UK Data Protection Act 2018 plus PECR, and the California Consumer Privacy Act.

This Privacy Policy describes how Hexaa, Inc. collects, uses, retains, and shares personal data on the Hexaa marketing site, the readiness assessment tool at /readiness, and the booking flow at /book-a-call. Material legal interpretation should be sought from counsel.

Who we are

Hexaa, Inc. is the controller for marketing-site, lead-generation, booking, and readiness-assessment personal data. Email privacy@hexaa.ai for access, correction, objection, portability, restriction, or erasure requests.

What data we collect and why

We collect contact details, company details, readiness-assessment answers, booking details, technical request metadata, consent state, analytics identifiers, and AI observability traces. The categories correspond to docs/legal/data-flow-inventory.md. We write first-party cookies hexaa-consent, hexaa.utm, and hexaa.client_id, and vendor cookies _ga, _ga_*, _clck, _clsk, and cf_turnstile_* as described in Cookie Policy.

Lawful basis

  • Legitimate Interest: B2B lead-generation data, UTM attribution, security diagnostics, rate limiting, and abuse prevention.
  • Consent: analytics cookies, marketing cookies, Google Analytics 4, Microsoft Clarity, and Google Consent Mode v2 updates.
  • Contract: readiness assessment report generation, booking confirmation, report PDF delivery, and transactional email.
  • Legal Obligation: anti-fraud, anti-abuse, and security records where applicable.

Sub-processors

The following sub-processors are recipients under GDPR Article 13(1)(e).

VendorPurposeRegionTransfer mechanism
Vercel, Inc.Hosting, edge functions, deployment, and Speed InsightsUS multi-region
SCC + DPA
Supabase, Inc.Postgres database, storage, authentication, and operational audit dataUS project regionSCC + DPA
Sanity, Inc.CMS content lake for marketing and legal pagesEU dataset regionSCC + DPA
Google LLC (Google Tag Manager)Consent-aware analytics tag deliveryUSSCC + DPA
Microsoft Corporation (Clarity)Consent-aware product analytics and session diagnosticsUSSCC + DPA
Cloudflare, Inc.Turnstile bot-protection challenge verificationUSSCC + DPA
Resend, Inc.Transactional email delivery for booking and report workflowsUSSCC + DPA
Cal.com, Inc.Booking availability and meeting schedulingUSSCC + DPA
Langfuse GmbHAI observability for traces with PII redaction before transitEU or US cloud regionSCC + DPA

International data transfers

Where personal data transfers outside the EEA or United Kingdom, Hexaa relies on the European Commission Standard Contractual Clauses under Implementing Decision 2021/914 and the UK IDTA or UK Addendum where required.

Retention

  • Assessment sessions and report download links: 7 days.
  • Leads and engineer review requests: until erasure request, or 24 months from last activity.
  • Consent cookie hexaa-consent: 13 months.
  • UTM cookie hexaa.utm: 30 days.
  • Hexaa analytics fallback cookie hexaa.client_id: 13 months.
  • GA4 cookies _ga and _ga_*: 24 months.
  • Clarity cookies _clck and _clsk: 12 months for _clck and session for _clsk.
  • Turnstile cookies cf_turnstile_*: session.
  • Langfuse trace events: 90 days after PII redaction.
  • Erasure requests are completed within 30 days where no legal exception applies.

Your rights

You have the right to access, right to rectification, right to erasure, right to restriction, right to data portability, right to object, right to withdraw consent, right not to be subject to solely automated decision-making with legal or similarly significant effects, and right to lodge a complaint with a supervisory authority.

California residents (CCPA / CPRA)

California residents have the right to know, right to delete, right to correct, right to opt-out of sale or share, right to limit use of sensitive personal information, and right to non-discrimination. Hexaa does not sell or share personal information as those terms are defined by the CCPA / CPRA.

UK PECR (cookies)

Our use of cookies for UK visitors is governed by PECR Regulation 6. See Cookie Policy for the per-cookie inventory.

Automated decision-making

The readiness assessment uses Anthropic Claude and Google Gemini model providers to generate recommendations. The report is informational and does not produce legal effects or similarly significant effects by itself.

Contact

Email privacy@hexaa.ai for privacy requests. Security-disclosure contact is published at security.txt.

Note on legal review

This policy is maintained for procurement readiness and should be reviewed by counsel before material legal reliance.

Questions? Email privacy@hexaa.ai.