Privacy Policy

Last updated: 21 April 2026

1. Introduction

Haiman Limited, a company registered in England and Wales with company number 17143318, whose registered office is at 66 Paul Street, London, EC2A 4NA, United Kingdom ("Haiman", "we", "us", "our"), operates the Haiman SDR Agent platform (the "Service"), an AI-powered sales development tool that helps businesses automate outreach, qualify leads, and manage prospect engagement.

This Privacy Policy explains how we collect, use, store, and share personal data when you visit our website, create an account, or use the Service. It applies to all users of the Service, including subscribers (companies and individuals who hold accounts) and the prospects and leads whose data is processed through the platform.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller

Haiman Limited is the data controller for personal data relating to your account, billing information, and use of the Service. Our registered office is at 66 Paul Street, London, EC2A 4NA, United Kingdom (company number 17143318).

Where subscribers upload or import prospect and lead data into the Service, the subscriber is the data controller for that data, and Haiman acts as a data processor on the subscriber's behalf. Subscribers are responsible for ensuring they have a lawful basis to process their prospect and lead data using the Service.

3. Data We Collect

We collect and process the following categories of personal data:

  • Account information: Name, email address, and password hash, collected when you create an account or are invited to join a company workspace.
  • Company information: Company name, domain, ideal customer profile (ICP) criteria, product knowledge, and communication tone preferences, provided during onboarding and configuration.
  • Billing data: Payment processing is handled by Stripe. We do not store full payment card details. We retain your Stripe customer ID and subscription status for account management purposes.
  • Usage data: Records of API calls made, emails sent, web searches performed, and enrichment lookups completed. This data is collected for usage limit enforcement, billing, and service monitoring.
  • Prospect and lead data: Names, email addresses, company names, job titles, LinkedIn profile URLs, and other professional contact information uploaded or imported by subscribers. This may also include lead qualification scores and notes generated by the Service.
  • Email content: AI-generated outreach emails created by the Service on behalf of subscribers, and replies received from prospects through connected email accounts.
  • Style corpus (opt-in only): For subscribers who enable the "Learn from my sent emails" toggle in settings, we import up to 500 of their most recent sent emails from their connected Gmail or Outlook account. Before storage, we apply regex-based redaction to remove recipient email addresses, phone numbers, and URLs from each message. The redacted content, together with a derived style profile (a structural summary: average message length, greeting and sign-off patterns, phrases the subscriber favours and phrases they avoid), is retained in our EU-hosted database and used to provide per-subscriber writing-style personalisation when the AI drafts new emails.
  • Draft-capture pairs: Where the subscriber edits an AI-generated draft before sending, we retain the original AI draft alongside the sent version together with a token-level edit distance. This is used to measure personalisation quality and to grow a per-subscriber list of phrases the subscriber consistently removes.
  • Consent events: An append-only log of each opt-in or opt-out action taken by the subscriber across the personalisation toggles, including a timestamp and the version of the notice text in effect at the time. Retained as evidence of lawful processing.
  • AI call audit log: A compliance record of each AI call made on the subscriber's behalf, including the call's purpose, provider, model, the data-residency classification applied, and a cryptographic hash of the input (never the input itself).
  • Optional draft feedback: Where the subscriber clicks the 1-5 "How close to your voice?" widget after sending a draft, we retain the score and timestamp.
  • Technical data: IP addresses and user agent strings collected from email tracking pixels (open and click tracking), as well as standard server access logs.

4. How We Use Your Data

We use personal data for the following purposes:

  • Service provision: To operate the SDR Agent platform, including AI-powered email generation, lead qualification, sequence automation, web research, and prospect enrichment.
  • Billing and account management: To process subscriptions, enforce usage limits, and manage your account.
  • Usage tracking and limit enforcement: To monitor consumption against your subscription tier limits and send notifications when approaching or exceeding thresholds.
  • AI model prompts: Prospect data, company knowledge, and email content are sent to the Anthropic Claude API (and, when Anthropic is unavailable, the OpenAI API as an automatic failover) to generate personalised outreach emails and perform lead qualification. Your data is not used to train either provider's models. Each provider's commercial data processing terms, including Standard Contractual Clauses for international transfers, govern their handling of API inputs and outputs.
  • Style learning (opt-in): For subscribers who enable the style-learning toggles in settings, we use their PII-redacted style corpus and derived style profile as contextual examples when the AI drafts new emails on their behalf. The subscriber's sent-email content is used only as reference at inference time — it is not used to train, fine-tune, or otherwise modify the weights of any AI model, ours or our providers', for that subscriber or for any other. The subscriber can disable the toggles, or delete their corpus, style profile, and draft-capture data in one click, from the settings page at any time.
  • Email delivery and tracking: To send outreach emails through your connected Gmail or Outlook account and to track email opens and link clicks via tracking pixels.
  • Product improvement: To analyse aggregated, anonymised usage patterns to improve the Service. We do not use individual prospect or lead data for this purpose.

5. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases as defined by the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR):

  • Contract performance: Processing necessary to provide the Service to you under our Terms of Service, including account creation, email generation, and lead management.
  • Legitimate interests: Processing necessary for our legitimate interests, including platform security, fraud prevention, service monitoring, and product improvement, where those interests are not overridden by your rights and freedoms.
  • Consent: Where we send marketing communications or apply optional personalisation features such as style learning (see Section 4), we rely on your consent, which you may withdraw at any time by flipping the relevant settings toggle off or using the self-serve deletion button. Each opt-in is recorded in an append-only consent log.
  • Legal obligation: Processing required to comply with applicable laws, including tax reporting and regulatory requirements.

6. Third-Party Processors

We share personal data with the following third-party service providers who process data on our behalf:

  • Anthropic (Claude AI API): Based in the United States. Primary provider for AI-powered email generation, lead qualification, content analysis, and — where the subscriber has opted in — style-learning personalisation (retrieval at inference time; not model training). Data sent to Anthropic includes prospect information, company knowledge, email content, and, where opted in, redacted excerpts from the subscriber's own sent emails. Anthropic's commercial API terms prohibit training on this data and apply a 30-day abuse-monitoring retention window.
  • OpenAI: Based in the United States. Used as an automatic failover provider when the Anthropic API is unavailable, so the Service remains online during provider outages. When active, OpenAI processes the same categories of data as Anthropic, under equivalent commercial API terms (no training, 30-day abuse retention).
  • Stripe: Based in the United States and European Union. Used for payment processing and subscription management.
  • Amazon Web Services (AWS): Hosting infrastructure located in the EU (eu-west-1, Ireland). Used for application hosting, database storage, email delivery (SES), and secrets management.
  • Google (Gmail API): Used for sending and receiving emails through subscribers' own Gmail accounts, only with the subscriber's explicit OAuth consent.
  • Microsoft (Outlook/Graph API): Used for sending and receiving emails through subscribers' own Outlook accounts, only with the subscriber's explicit OAuth consent.
  • Brave Search: Used for web research queries to identify and research prospective companies and contacts.

Each third-party processor is bound by contractual obligations to protect personal data and to process it only in accordance with our instructions.

7. International Data Transfers

Our primary hosting infrastructure is located in the European Union (AWS eu-west-1, Ireland). However, some of our third-party processors, including Anthropic and Stripe, are based in the United States.

Where personal data is transferred outside the UK or the European Economic Area, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement or Addendum, as applicable. We may also rely on adequacy decisions where they exist.

For subscribers based in the European Union, we record a data-residency classification against the subscriber's company record which is stamped on every AI call in our audit log. At present this classification is a policy flag only — AI calls still physically reach Anthropic and OpenAI via their US-hosted commercial endpoints under the safeguards described above. Routing EU-classified traffic through provider-operated EU endpoints (AWS Bedrock EU for Anthropic, Azure OpenAI EU) is a planned infrastructure change. We will update this policy and notify affected subscribers when it is in place.

8. Data Retention

We retain personal data for the following periods:

  • Account data: Retained while your subscription is active, plus 30 days after cancellation to allow for reactivation or data export.
  • Lead and prospect data: Retained while your subscription is active. Following cancellation, data is available for export for 30 days, after which it is permanently deleted.
  • Usage logs: Retained for 12 months from the date of the event.
  • Email tracking events: Open and click records are retained for 12 months from the date of the event.
  • Style corpus, style profile, and draft-capture pairs: Retained while the subscriber's style-learning opt-in is active. On opt-out, or when the subscriber clicks "Delete my personalisation data" in settings, all three are permanently deleted from our database. Provider-side retention at Anthropic and OpenAI is limited to their commercial API abuse-monitoring window (30 days).
  • Consent events: Retained for the duration of the subscriber's account plus 6 years, as evidence of lawful processing. Deletion of the underlying personalisation content does not delete these log entries — they are the record that consent was given and, where applicable, withdrawn.
  • AI call audit log: Retained for 12 months. Stores purpose, provider, model, residency classification, and an input hash — never the input itself.
  • Draft feedback scores: Retained while the subscriber's subscription is active.
  • Billing records: Retained as required by applicable law, typically 6 years for UK tax and accounting purposes.

9. Your Rights (GDPR)

Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request that we correct any inaccurate or incomplete personal data.
  • Right to erasure: You may request that we delete your personal data, subject to any legal obligations requiring us to retain it.
  • Right to restriction of processing: You may request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
  • Right to object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom or the relevant supervisory authority in your jurisdiction.

For personalisation data specifically (style corpus, style profile, and draft-capture pairs), subscribers can exercise the right to erasure directly from their settings page via the "Delete my personalisation data" button — no contact required, the deletion is immediate and cascades across all personalisation tables.

To exercise any of the other rights, please contact us at hello@haiman.ai. We will respond to your request within one month, as required by law.

10. Cookies

The Service uses session cookies for authentication purposes. These are HTTP-only cookies with a 30-day expiry, used to maintain your logged-in session. They are strictly necessary for the operation of the Service.

We do not use third-party tracking cookies, advertising cookies, or third-party analytics services.

For our marketing website (haiman.ai) we use a small first-party analytics layer to count visits, identify the channels that bring traffic to us, and measure conversion to sign-up. This uses two first-party cookies: haiman_v (a randomly generated visitor identifier, expires after 12 months) and haiman_s (a randomly generated session identifier, expires after 30 minutes of inactivity). We do not store IP addresses, do not share any of this data with third parties, and do not use it for advertising. You can review or change your preferences at any time by visiting /cookie-preferences. Opting out sets a long-lived haiman_no_track cookie that excludes you from all future analytics on this device.

Email tracking pixels are embedded in outreach emails sent through the Service. When a recipient opens an email or clicks a link, the pixel records the event along with the recipient's IP address and user agent string. This data is used to measure email engagement and is retained for 12 months.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
  • Encryption at rest: Database storage is encrypted at rest using AWS RDS encryption.
  • Password hashing: User passwords are hashed using PBKDF2-SHA256 and are never stored in plaintext.
  • Access controls: Role-based access controls restrict access to personal data to authorised personnel and systems only.
  • Infrastructure security: Our hosting environment benefits from AWS's security practices, including network isolation, monitoring, and regular patching.

12. Children

The Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where we make material changes, we will notify you by email or by posting a prominent notice within the Service.

Your continued use of the Service after notification of changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

14. Contact

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

Haiman Limited
66 Paul Street, London, EC2A 4NA, United Kingdom
Registered in England and Wales, company number 17143318
Email: hello@haiman.ai