Privacy Policy
Effective Date: May 29, 2026
Project Mongoose, Inc., a Virginia corporation, doing business as HIO ("HIO")
This Privacy Policy explains how HIO collects, uses, shares, and protects Personal Data in connection with the HIO website at heyhio.com and the AI Assistant, Studio, Vector Store, and related services (collectively, the "Services"). Please read it carefully. By using the Services, you acknowledge that you have read this Privacy Policy. Where you use the Services as part of your work for an HIO customer (a "Customer"), that Customer is the "controller" of your Personal Data for most data-protection purposes, and HIO acts as a "processor" or "service provider" on the Customer's behalf. This Privacy Policy describes HIO's direct privacy practices.
1. Who We Are
The data controller for purposes of this Privacy Policy is Project Mongoose, Inc., a Virginia corporation, doing business as HIO, located at 1717 East Cary St., Richmond, VA 23223. You can reach us at: connect@heyhio.com
2. Scope
This Privacy Policy applies to Personal Data we collect through:
- the heyhio.com website and any HIO-operated subdomains;
- the AI Assistant and Studio (where you interact with them in HIO's capacity as data controller, e.g., when you create an HIO account or contact us directly); and
- email, SMS, and other communications with HIO.
Where you interact with an AI Assistant configured for a particular Customer (for example, asking a question of your employer's knowledge base), the Customer is the controller of your Personal Data, and the Customer's privacy notice (not this one) applies to that interaction. HIO processes that data on the Customer's behalf as a processor.
3. Categories of Personal Data We Collect
We collect the following categories of Personal Data:
3.1 Personal Data you provide directly
- Account information: name, work email, phone number, employer, role.
- Communications: messages and files you send us by email, support tickets, or web forms.
- Billing information: where applicable, billing contact details (HIO uses third-party payment processors and does not store full payment-card numbers).
3.2 Personal Data we collect automatically
- Usage data: pages visited, features used, time and duration of interactions, browser type, device information, IP address, approximate location derived from IP.
- Log data: technical logs created by your interaction with our infrastructure.
- Cookies and similar technologies: see Section 11.
3.3 Personal Data generated by your interaction with the AI Assistant
- Where HIO is acting as controller (rather than as a Customer's processor): the content of your questions to the AI Assistant and the responses generated, conversation metadata, and any feedback or ratings you provide.
3.4 Personal Data we receive from third parties
- From your employer (a Customer), where you are Authorized Personnel: information necessary to provision your account and authorize your access to the Services.
- From our service providers, such as analytics and security vendors, to the extent they collect data on our behalf.
We do not knowingly collect special categories of Personal Data (health, biometric, racial or ethnic origin, religious or philosophical beliefs, trade-union membership, genetic data, sexual orientation, or government identifiers). Please do not provide such information through the Services.
4. How We Use Personal Data and the Legal Bases (GDPR)
We use Personal Data for the purposes set out below. Where the GDPR applies, the lawful bases for our processing are also set out below.
- Provide the Services. Authenticate accounts, deliver features, respond to your inputs, and operate the AI Assistant. Lawful basis: performance of a contract with you, or our legitimate interests in operating the Services.
- Communicate with you. Respond to inquiries, provide support, send service notices and security alerts. Lawful basis: performance of a contract; legitimate interests in operating and securing the Services.
- Improve and secure the Services. Monitor performance, detect and prevent fraud and abuse, debug, and conduct analytics using Aggregated Anonymous Data. Lawful basis: legitimate interests; compliance with legal obligations.
- Marketing. Send marketing communications about HIO products. You can opt out at any time as described in Section 12. Lawful basis: consent (where required) or legitimate interests.
- Legal and compliance. Comply with legal obligations, enforce our terms, and respond to lawful requests from authorities. Lawful basis: compliance with legal obligations; legitimate interests.
We do not use Customer Data to train, fine-tune, or otherwise improve any foundation model or other machine-learning model that benefits any party other than the relevant Customer, except where the Customer has expressly authorized that use.
5. AI Systems and Automated Processing
THE AI ASSISTANT IS AN ARTIFICIAL-INTELLIGENCE SYSTEM. When you interact with it, you are communicating with an automated system, not a human.
How it works at a high level: the AI Assistant retrieves relevant content from the applicable Vector Store (which contains content provided by the relevant Customer) and applies one or more third-party large language models, hosted by our AI model Sub-Processors, to generate a response. We do not use the AI Assistant to make legal or similarly significant decisions about you. The AI Assistant's responses are informational and should be reviewed by a human in any context where the response will be used to make a decision about a person.
Your rights regarding automated processing. To the extent the GDPR Article 22 right applies, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. If you believe an automated decision has been made about you on the basis of the AI Assistant, you can request human review by contacting connect@heyhio.com.
We do not use the AI Assistant to make Consequential Decisions. To the extent any of our Customers configures the AI Assistant in a way that materially influences a Consequential Decision, the Customer is responsible for the deployer-side obligations under applicable AI laws (including providing the consumer notice required by the Colorado AI Act and its successors).
6. How We Share Personal Data
We share Personal Data only as described below. We do not sell Personal Data, and we do not share Personal Data for cross-context behavioral advertising.
6.1 Sub-Processors and Service Providers
We share Personal Data with the Sub-Processors, including AI model providers, cloud-hosting providers, analytics providers, and customer-support tooling. Each Sub-Processor is contractually obligated to use Personal Data only for the purposes for which we engaged them and to maintain appropriate security and confidentiality. Our contracts with our AI model Sub-Processors prohibit those Sub-Processors from using inputs derived from Customer Data to train their own models.
6.2 Customers
Where you use the Services as Authorized Personnel of a Customer, we share with that Customer the Personal Data necessary for the Customer to administer its use of the Services and to oversee its AI Assistant.
6.3 Legal and Safety
We may disclose Personal Data where we reasonably believe it is necessary to (a) comply with law, legal process, or government requests; (b) enforce our agreements; (c) protect HIO, our Customers, our users, or others from harm; or (d) detect, prevent, or investigate fraud or security incidents.
6.4 Business Transfers
In connection with a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, we may transfer Personal Data to the relevant counterparty, subject to commitments to protect that Personal Data consistent with this Privacy Policy.
7. Aggregated Anonymous Data
We compile and use de-identified, aggregated metadata about how the Services are used (for example, the categories of questions asked, response latencies, error rates, and usage volumes) for purposes of operating, securing, benchmarking, and improving the Services and developing new products and services. "De-identified" means the metadata cannot reasonably be re-identified to any individual or Customer by any technical means reasonably likely to be used. We do not re-identify, or attempt to re-identify, Aggregated Anonymous Data, and we do not disclose Aggregated Anonymous Data in a manner that identifies any individual or Customer.
8. International Data Transfers
HIO is based in the United States and processes Personal Data on infrastructure located in the United States and in other jurisdictions where our Sub-Processors operate. Where we transfer Personal Data out of the European Economic Area, the United Kingdom, or Switzerland, we use appropriate safeguards required by applicable law, including the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as appropriate), the UK International Data Transfer Addendum, and supplementary technical and organizational measures where required. Copies of the safeguards are available on request to connect@heyhio.com.
9. Retention
We retain Personal Data for as long as necessary for the purposes described in this Privacy Policy and as required by law. Our retention principles include:
- Account information: for the duration of your account, plus a reasonable period (typically 30 days) to handle deletion requests and disputes.
- Customer Data (where HIO is processor): for the duration of the applicable Customer's subscription, plus the deletion window set out in the Customer's Order Form or, by default, 30 days.
- Vector Embeddings derived from Customer Data: deleted within 30 days of the end of the Customer's subscription or earlier on Customer instruction.
- Conversation logs (where HIO is controller): up to 90 days unless you instruct otherwise.
- Aggregated Anonymous Data: retained indefinitely.
- Records required for legal, accounting, or audit purposes: retained for the periods required by applicable law.
10. Your Rights
Depending on where you reside, you have some or all of the rights described below. To exercise any right, contact us at connect@heyhio.com. We will respond within the timeframe required by applicable law (typically 30 days, with a one-time 60-day extension where reasonably needed).
10.1 Rights under U.S. State Privacy Laws
Depending on your state of residence, you may have rights including the right to (a) know what categories of Personal Data we collect and the purposes of processing; (b) access a copy of your Personal Data; (c) correct inaccurate Personal Data; (d) delete Personal Data, subject to exceptions; (e) opt out of the "sale" or "sharing" of Personal Data and of targeted advertising (HIO does not sell Personal Data or share for cross-context behavioral advertising); (f) limit the use of sensitive Personal Information (we do not knowingly collect sensitive Personal Information); and (g) opt out of profiling that produces legal or similarly significant effects (HIO does not engage in such profiling). These rights apply to residents of California (CCPA/CPRA), Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), and other states with comparable laws.
You may also designate an authorized agent to submit a request on your behalf. We will verify your identity and authority before responding.
10.2 Appeal Right
If we deny your request, you may appeal by responding to our denial within 60 days. Where required by state law, you may also contact the relevant state attorney general.
11. Cookies and Similar Technologies
We use cookies and similar technologies on the heyhio.com website. These include strictly necessary cookies (required to operate the website), functional cookies (to remember your preferences), and analytics cookies (to understand how the website is used). Where required by law, we obtain your consent before placing non-essential cookies. You can manage your cookie preferences at any time through our cookie banner or browser settings.
12. Marketing and Communications
You can opt out of marketing emails by clicking "unsubscribe" in any marketing email or by emailing connect@heyhio.com. You can opt out of marketing text messages by replying STOP. Even after opting out of marketing, we will continue to send transactional and service-related messages necessary to operate the Services.
13. Security
We maintain administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. Our measures include encryption in transit (TLS 1.2 or later) and at rest (AES-256), role-based access controls and least-privilege provisioning, audit logging, regular vulnerability testing, multi-tenant isolation in the Vector Store, and an incident-response program. We will notify affected Customers and, where applicable, individuals and regulators in accordance with applicable law in the event of a Personal Data Breach.
No system is perfectly secure. We encourage you to use strong, unique passwords and to notify us promptly at connect@heyhio.com of any suspected unauthorized access to your account.
14. Children's Privacy
The Services are not directed to children. We do not knowingly collect Personal Data from anyone under 13 (or under 16 in jurisdictions where the GDPR-K minimum applies). If you believe we have collected Personal Data from a child, please contact connect@heyhio.com and we will take appropriate steps to delete it.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated Privacy Policy with a new Effective Date.
16. Contact
To exercise your rights, ask a question, or submit a complaint, contact:
Project Mongoose, Inc. d/b/a HIO
Attn: Privacy
1717 East Cary St., Richmond, VA 23223
Email: connect@heyhio.com
