Privacy Policy
Last updated: April 15, 2026 · Version 2.0.0
1. Who we are
This Privacy Policy explains how Hilor LLC, a New York limited liability company, d/b/a House of AI (“House of AI,” “we,” “our”) collects, uses, shares, and protects personal information when you use our website at hofai.io and related services (the “Services”). Our mailing address is New York, USA.
2. What we collect
2.1 You give us directly
- Account registration: email, password (hashed), name, Google OAuth ID if you sign in with Google.
- Profile: display name, avatar, locale, timezone, age confirmation, optional profession / learning goals.
- Payment: billing name, billing address, payment-method token (full card numbers never touch our servers — handled by Stripe).
- Learning activity: quiz answers, assignment submissions, chat prompts, progress, streaks, XP, certificates earned.
- Optional integrations: Telegram user ID and username if you link Telegram.
- Support: any content of messages you send us.
2.2 Collected automatically
- Device & connection: IP address, user-agent, browser type, operating system, referring URL.
- Approximate location: country and city derived from your IP address (via Vercel edge headers).
- Usage events: pages viewed, features used, clicks, session timing.
- Cookies and similar technologies — see our Cookie Policy.
2.3 From third parties
- Identity providers (Google) when you sign in with Google OAuth.
- Payment-processor verification signals from Stripe (e.g. fraud risk score).
3. How we use it
- Provide the Services (accounts, lessons, AI features, certificates).
- Process payments and manage subscriptions.
- Send transactional emails (receipts, renewal reminders, cancellation confirmations, password resets).
- Send marketing emails only if you opted in; you can unsubscribe anytime.
- Personalize your learning path based on your profession and goals.
- Detect abuse, enforce our Terms, and maintain security.
- Improve the Services and develop new features.
- Comply with legal obligations and respond to lawful requests.
4. AI features — important disclosure
When you use AI features, the content you enter (your prompts, assignment text, chat messages) is sent to third-party large-language-model providers via OpenRouter or equivalent intermediaries. Those providers process your prompt to generate a response, and may retain logs per their own policies. Do not submit sensitive personal data, health information, government IDs, or payment-card numbers into AI features. AI output can be inaccurate and is not a substitute for professional advice.
5. How we share your data — sub-processors
We share personal information only with the vendors below, each under a contract that limits use of your data to the purpose stated:
| Processor | Purpose | Location | Legal |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing, invoicing | USA (EU via Stripe Payments Europe Ltd.) | Privacy · DPA |
| Vercel Inc. | Application hosting, edge delivery, deployment | USA (global edge network) | Privacy · DPA |
| Neon, Inc. | Primary PostgreSQL database hosting | AWS eu-central-1 (Germany) | Privacy · DPA |
| Better Auth | Authentication (session tokens, OAuth flows) | Self-hosted within our Vercel + Neon stack | Privacy |
| Google LLC (OAuth + Analytics) | Google Sign-In authentication; anonymized traffic analytics via Google Analytics 4 | USA, global | Privacy · DPA |
| PostHog Inc. | Product analytics (event tracking, funnels, session context) | EU (eu.i.posthog.com) | Privacy · DPA |
| Resend Inc. | Transactional + lifecycle email delivery | USA | Privacy · DPA |
| OpenRouter / Large Language Model providers | AI tutoring, quiz grading, assistant replies. Prompts are forwarded to third-party LLM APIs (e.g. OpenAI, Anthropic) via OpenRouter. | USA (with downstream model providers in USA / EU) | Privacy |
| Telegram FZ-LLC | Optional community group, Pro group invite delivery, bot notifications | Global (Telegram-controlled infrastructure) | Privacy |
We also disclose information when required by law, subpoena, or court order, or to protect rights, safety, or property.
6. We do not sell your personal information
We do not sell personal information for money. We also do not “share” personal information for cross-context behavioral advertising as defined by the California Privacy Rights Act. If this changes, we will update this Policy and honor all opt-out requests. You may submit a “Do Not Sell or Share” request at any time by emailing privacy@hofai.io with the subject line “Privacy Request”.
7. Your rights
7.1 California (CCPA / CPRA)
California residents have the right to:
- Know what personal information we have collected, used, disclosed, and sold/shared.
- Request deletion of your personal information.
- Correct inaccurate personal information.
- Opt out of sale or sharing (we do not sell or share).
- Limit use and disclosure of sensitive personal information.
- Non-discrimination for exercising any of the above.
Submit requests by emailing privacy@hofai.io with the subject line “Privacy Request” and your full name, email, and state of residence. We will respond within 45 days.
7.2 Virginia, Colorado, Connecticut, Texas, Utah, and similar states
Residents of these states have rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, sale, and certain automated profiling. Submit requests to privacy@hofai.io.
7.3 European Economic Area & United Kingdom (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, you have rights to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. Our lawful bases are:
- Performance of a contract (Art. 6(1)(b)) — providing the Services you paid for.
- Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, analytics, service improvement.
- Consent (Art. 6(1)(a)) — marketing emails, non-essential cookies.
- Legal obligation (Art. 6(1)(c)) — tax, accounting, and legal requests.
International transfers from the EEA/UK to the USA rely on the European Commission’s Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework where applicable. To exercise GDPR rights, email privacy@hofai.io. You may also lodge a complaint with your local supervisory authority.
8. How long we keep your data
- Active account data: as long as your account is active.
- Closed account data: up to 90 days in backups for disaster recovery, then purged.
- Billing records: 7 years, as required by US tax and financial-reporting law.
- Security logs: up to 12 months.
- Legal-hold data: as long as legally required.
9. How we protect your data (N.Y. SHIELD Act)
Consistent with the New York SHIELD Act (N.Y. Gen. Bus. Law § 899-bb), we maintain reasonable administrative, technical, and physical safeguards designed to protect personal information, including: encrypted transport (TLS), encryption at rest for database storage, least-privilege access control, regular security reviews, vendor due-diligence, and an incident-response plan. No system is 100% secure; if a breach occurs we will notify affected residents and the relevant authorities as required by law.
10. Children
The Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If we discover we have, we will delete the account. Parents or guardians who believe their child under 13 gave us personal information may contact privacy@hofai.io.
11. Cookies
See our Cookie Policy for a list of cookies and how to manage them.
12. Changes to this Policy
We may update this Policy. Material changes will be announced by email or in-app notice at least 30 days before they take effect.
13. Contact
- Privacy requests: privacy@hofai.io
- General legal: legal@hofai.io
- Mailing address: New York, USA