Privacy Posture

What we see, what we don't, what we never will. Hart Intelligence MasterOZ Family Edition.

Last updated: 2026-06-01 · Version 1.0 · privacy@harthq.com

The one-paragraph version

Family Edition runs on infrastructure you can audit. Your family's traffic is processed in a Kubernetes pod that ONLY your family touches. We never sell ads. We never train AI models on your family's data. The bypass library we share between customers contains technical fingerprints of broken apps — never the content of your messages, never your kids' photos, never who your family is. We can delete your entire footprint within 48 hours of request. The audit log of every AI decision the system made about your family is yours to read.

1. What we collect

Network metadata (every connection your family makes)

To detect when an app breaks (the core product), we observe each connection's:

Source device IP (on your own LAN — never your public IP outside the household)
Destination domain (SNI hostname, e.g. roblox.com)
Destination IP
Timestamp + connection outcome (success, server disconnect, timeout)
Approximate latency (for anomaly detection)

Retention: 30 days, then automatically deleted from your isolated pod's database. You can configure to 7 days minimum if preferred.

Decrypted application traffic (HTTPS payload) — IF and ONLY IF mitm is enabled

This is the most powerful and most sensitive capability. By default, Family Edition runs in cert-pinning-aware passthrough mode: we see only metadata above + the SNI domain. To enable full payload inspection (required for in-app content monitoring of, e.g., chat messages), you must:

Explicitly toggle "payload inspection" per-device in your dashboard
Install our root CA on the specific device — we never silently install certificates
Acknowledge a per-device consent screen that documents what gets inspected

When enabled, payload data is processed in-memory in your isolated pod for anomaly detection, then discarded unless you've opted in to longer retention (max 7 days for payload by policy).

Account information

Email, family name, family size, plan tier, billing info (via Stripe — we never store card numbers). That's it.

2. What we do NOT collect

What we structurally cannot see

Banking app traffic — pattern banking-app-mandatory-cert-pin guarantees passthrough for Chase, Bank of America, Wells Fargo, Capital One, Citi, Discover, US Bank, Fidelity, Schwab + payment apps (CashApp, Venmo, PayPal). Non-negotiable.
Apple Push notification content — pattern apple-services-mandatory-cert-pin guarantees passthrough for all of apple.com/icloud.com/push.apple.com. iMessage end-to-end encrypted content never traverses our system in a readable form.
Signal / WhatsApp message content — end-to-end encryption defeats us by design.
Anything outside your home LAN — Family Edition does NOT follow devices to school, friends' houses, or cellular data. We see only what crosses your home router.

What we choose not to collect

Geolocation (the router doesn't have it; we don't ask)
Microphone audio (we never request OS-level mic access)
Camera images (no device-side camera hook)
Browsing-history advertising data (we don't run an ad network)
Social graph (we don't ingest your address book)

3. The 4 promises we make and enforce technically

Promise	How we enforce it
No ad sale, ever	No ad network code in the stack. No third-party trackers on any Hart Intelligence domain. Verifiable in the open-source bypass-library module — your data only ever leaves your pod to display in your dashboard.
No AI training on your family's data	Our self-healing AI uses Claude Opus 4.7 via API. Anthropic's API Terms (which we accept) prohibit training on customer prompts. Your traffic prompts go in, decisions come out — Anthropic discards them per their commercial terms. We do not retain prompts beyond the 30-day audit log.
Cryptographic per-customer isolation	Each paying customer runs in their own Kubernetes namespace + their own PersistentVolumeClaim + their own NetworkPolicy restricting ingress to their subnet. Other customers' pods cannot read your pod's filesystem, cannot connect to your pod's services, cannot see your traffic. Audit-able via `kubectl get ns,pvc,networkpolicy` in your account.
You can delete everything in 48h	Hit `/forget` in your dashboard. We deprovision your K3s pod, delete your PVC, purge your Redis keyspace `kb:tenant:family-edition:<your-id>:*`, delete your audit log, send you confirmation. Stripe subscription cancels concurrently. Within 48h: zero footprint on our infrastructure.

4. The bypass library — what gets shared between families

The product moat is a shared technical fingerprint library of broken apps. When your family's Roblox breaks because Akamai changed their TCP fingerprinting, our AI diagnoses it and writes a pattern like:

{
  "name": "akamai-tcp-fingerprint-roblox",
  "trigger_signal": "server disconnect within 50ms of upstream open",
  "trigger_dest_range": "128.116.0.0/16,136.22.0.0/16",
  "fix_action": "verify nft accept rules BEFORE MITM-VLAN4-CATCHALL-443"
}

That pattern ships to every other Family Edition customer so their Roblox keeps working. What is NOT in the pattern: your family's IP, your kids' Roblox usernames, your chat messages, your photos, who you are. The shared library is pure technical fingerprint — IPv4 prefix + protocol behavior + fix instruction. No PII.

You can read the full library at :8810/api/bypass-library (homelab-local for now; pip package hart-bypass in planning).

5. Audit log — every AI decision about your family is yours to read

Every time our AI auto-diagnoses or auto-fixes something for your household, we write an audit entry to kb:family-cu-decision:<timestamp> containing:

What was observed (anomaly trigger + raw signal)
Which pattern matched in the bypass library
Confidence score
What action was taken (no-op / domain added to bypass / nft rule verified)
Phantom verification result
LLM model used (default: claude-opus-4-7)

You can read this log via your dashboard, export it as JSON, or receive a weekly email digest. We retain audit logs for 30 days by default; you can extend to 1 year or shorten to 7 days. This is the same LangSmith-style observability that enterprise customers demand of their AI vendors — applied to your household.

6. Our legal posture on minors' data

COPPA + state-level kid privacy laws. Family Edition processes traffic data that may include connections from devices used by children under 13. We treat ALL household data as if it includes minor data — meaning:

No advertising profile is ever built — period, for any household member
No third-party data broker receives anything about your family
Account holder (you, the parent) is the sole consent authority for the household
If you suspect a school-issued device is on your network, you can blacklist it from inspection in dashboard (FERPA hygiene)
We do not respond to law enforcement requests without a valid US court order specific to your account; we will notify you within 24h unless legally prohibited

7. Subprocessors

Vendor	Purpose	What they see
Anthropic (Claude API)	Self-healing AI diagnosis	Anomaly signal (SNI, IP, timing) — no content, no PII
Stripe	Billing	Email, name, card data (Stripe holds card; we don't see it)
Brevo (Sendinblue)	Transactional email	Email + first name
Cloudflare (DNS only)	DNS for harthq.com domains	Standard DNS query metadata
Telnyx	SMS notifications (optional)	Phone number + alert text

We do NOT use: AWS, GCP, Azure, OpenAI, Meta Pixel, Google Analytics, Facebook Pixel, TikTok Pixel, ad networks, data brokers.

8. Your rights

Right to access — export your audit log + tenant config as JSON from dashboard, any time
Right to deletion — /forget nukes everything in 48h, no questions, no retention
Right to rectification — edit family member labels, device labels, retention preferences in dashboard
Right to object — pause inspection per-device any time; we won't process while paused
Right to portability — export your bypass-library contributions + audit log + config in machine-readable JSON
Right to complain — email privacy@harthq.com with 7-day response SLA. If unsatisfied: California AG (CCPA), your state AG, or the FTC.

9. Breach posture

We commit to:

Notify all affected customers within 72 hours of confirmed unauthorized access
Notify state AGs within applicable statutory windows
Publish a public post-mortem within 14 days (anonymized customer impact)
Pay for credit monitoring if any payment info was compromised (we don't store cards, but if Stripe is breached we'd contribute)

Per-customer K3s isolation means a breach of one customer's pod does NOT cascade to other customers. This is the architectural defense the SaaS industry doesn't usually offer at consumer price points.

10. Changes to this posture

If we change this document, all current customers get an email + 30 days to review + opt-out (which triggers a full refund + /forget). We won't quietly change the deal.