Privacy Policy — Humarains

The short version: We collect only what we need to run the service. We never sell your data. Email account credentials (IMAP/SMTP) are stored encrypted and used only to read enquiries and send replies you approve. You can delete your account and all associated data at any time by emailing hello@humarains.com.

1. Who We Are

Humarains is an AI-powered lead conversion platform for small service businesses, operated by Ekambaram Saraswathi as a sole proprietor based in Singapore ("we", "us", or "our"). We are the data controller responsible for your personal data under applicable law, including Singapore's Personal Data Protection Act (PDPA), the EU General Data Protection Regulation (GDPR), and the UK GDPR.

Contact: hello@humarains.com

2. What We Collect

Account information: Name, email address, and (for email/password login) a bcrypt-hashed password. We never store passwords in plain text.
Google OAuth (sign-in): If you sign in with Google, we receive your Google profile ID, name, email, and profile photo URL. This sign-in flow does not grant us access to your email inbox.
Business profile: Business name, type, owner name, contact details, service descriptions, and pricing rules that you enter in the dashboard. This is used by the AI to generate accurate quotes and replies.
Inbound lead data: Email enquiries and form submissions from your customers that you choose to process through Humarains. This content is sent to our AI provider (Anthropic) to generate quote replies on your behalf.
Email account credentials: If you connect an email account, we store your email address and password (or app-specific password), along with your IMAP and SMTP server details, encrypted at rest using AES-256-GCM. These credentials are used to read inbound enquiries from your inbox via IMAP and to send outbound replies you have reviewed and approved via SMTP.
Billing information: Payment is processed by Stripe. We store only your Stripe customer ID and subscription status. We never see or store your card number.
Usage data: Number of AI replies used, plan type, and timestamps. We do not use third-party analytics trackers.
Server logs: Standard HTTP request logs (IP address, URL, status code, timestamp) retained for up to 30 days for security and debugging.

3. How We Use Your Information

Processing Activity	Lawful Basis
Account creation and authentication	Performance of a contract (GDPR Art. 6(1)(b))
Generating AI quote replies from your business settings and lead content	Performance of a contract (GDPR Art. 6(1)(b))
Reading inbound enquiries from your connected email account via IMAP	Performance of a contract (GDPR Art. 6(1)(b))
Sending approved replies via your connected email account via SMTP	Performance of a contract (GDPR Art. 6(1)(b))
Billing and subscription management via Stripe	Performance of a contract (GDPR Art. 6(1)(b))
Sending transactional emails (receipts, account notices)	Performance of a contract (GDPR Art. 6(1)(b))
Server logs and security monitoring	Legitimate interests (GDPR Art. 6(1)(f)) — protecting system integrity
Essential cookies (authentication, CSRF protection)	Legitimate interests (GDPR Art. 6(1)(f)) — strictly necessary

4. Email Account Data — Specific Disclosures

When you connect your email account, you provide your email address, password (or app-specific password), and your IMAP/SMTP server details. These credentials are used for two purposes:

IMAP (reading): Used to check your inbox for new, unread customer enquiries on your behalf, so the AI can identify and process leads automatically. We only read message content needed to identify and respond to enquiries; we do not browse, search, or export your historical mail beyond what is needed to process incoming leads.
SMTP (sending): Used solely to send outbound reply emails and follow-ups that you have reviewed and approved in the Humarains dashboard. We never send automatically without your explicit configuration of an autonomous or consent-based sending mode that you control.

Your email credentials are stored encrypted (AES-256-GCM) and are used only for the purposes above. You can disconnect your email account at any time from your dashboard settings, which immediately and permanently deletes the stored credentials. Because Humarains connects via standard IMAP/SMTP protocols rather than a provider-specific API, no third-party API terms (such as Google's) govern this integration — our handling of your email data is governed entirely by this Privacy Policy.

5. AI Processing

Customer enquiry content and your business settings are sent to Anthropic's Claude API to generate quote replies. Anthropic processes this data as a data processor on our behalf under their API terms. Your data is not used to train AI models. We do not share your business settings or customer lead data with any other third party for AI processing.

6. Data Sharing

We share your data with the following categories of third parties only where necessary to provide the service:

Anthropic — AI processing for quote and reply generation (data processor)
Stripe — payment processing (independent controller for payment data)
Supabase — database hosting on PostgreSQL (data processor)
Render — server hosting (data processor)
Google — OAuth authentication for sign-in only (independent controller for your Google account)

We do not sell your data. We do not share it with advertisers or use it for any purpose other than operating the service.

7. Data Retention

We retain your account data for as long as your account is active. Lead data and AI-generated replies are retained so you can access your history. If you delete your account, all personal data is deleted within 30 days, except where we are required to retain it by law (e.g. billing records for tax purposes, retained for up to 7 years).

8. Your Rights

Depending on your location, you may have the right to access, correct, delete, or export your personal data, and to object to or restrict certain processing. To exercise any of these rights, email hello@humarains.com. We will respond within 30 days. EU and UK residents may also lodge a complaint with their local supervisory authority.

9. Cookies

We use only strictly necessary cookies: an authentication cookie (bp_token) and a CSRF protection cookie (bp_csrf). We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required for strictly necessary cookies under applicable law.

10. Security

All data is transmitted over HTTPS. Sensitive credentials (email account passwords, IMAP/SMTP details) are encrypted at rest using AES-256-GCM before being stored in our database. Passwords are hashed using bcrypt with 12 rounds. We apply rate limiting, CSRF protection, and input validation throughout the platform.

11. International Transfers

We are based in Singapore. Our infrastructure (Supabase, Render) may process data in the United States. For EEA/UK users, transfers to the US are made under appropriate safeguards including Standard Contractual Clauses where applicable.

12. Children

Humarains is not directed at anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us at hello@humarains.com and we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before they take effect. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

14. Contact

For any privacy questions or to exercise your data rights: hello@humarains.com