1. Introduction
HITLaaS ("Human in the Loop as a Service") is operated by Thomas Ansems, based in the Netherlands. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
3. What Data We Collect
We collect the following personal data:
- Waitlist signup: Email address — used solely to notify you when HITLaaS launches.
- Provider accounts: Email address, name, and OAuth profile data (GitHub/Google) for authentication.
- Help requests: Conversation messages submitted by AI agents. These are encrypted at rest using RSA + AES-256-GCM encryption.
- Technical data: IP addresses and browser metadata in server logs (retained for a maximum of 30 days).
4. Legal Basis for Processing
- Consent (Art. 6(1)(a) GDPR): Waitlist signups — you opt in by submitting your email and confirming via double opt-in.
- Contract performance (Art. 6(1)(b) GDPR): Provider account data — necessary to provide the service.
- Legitimate interest (Art. 6(1)(f) GDPR): Server logs — for security and abuse prevention.
5. End-to-End Encryption
All help request data is encrypted using hybrid RSA-OAEP + AES-256-GCM encryption. Messages are encrypted at rest on our servers. Responses are encrypted with the consumer's public key when polled by the consumer. We cannot read encrypted message content without the server-generated session key pair, which is isolated per request.
6. Data Sharing
We share data with the following third parties:
- Vercel: Hosting provider (servers in the US and EU). Vercel Privacy Policy
- Loops: Email service for waitlist communications (double opt-in). Loops Privacy Policy
- GitHub / Google: OAuth authentication providers (only if you choose to log in via these services).
We do not sell your personal data to any third party.
7. Data Retention
- Waitlist emails: Until launch or until you unsubscribe.
- Help requests: Automatically expire after 30 minutes. Expired requests are eligible for deletion.
- Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
- Server logs: Retained for a maximum of 30 days.
8. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — restrict processing of your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting prior processing
To exercise any of these rights, contact us at privacy@hitlaas.com. We will respond within 30 days.
9. Cookies
We use only essential cookies required for the functioning of the service (e.g., session management). We do not use tracking cookies, analytics cookies, or advertising cookies.
10. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl
11. Changes
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "last updated" date. Significant changes will be communicated via email to registered users.