Privacy Policy

Henric respects your privacy and is committed to protecting any personal data we process about you. This Privacy Policy explains how we collect, use, share, and protect your personal data when you access or use our website at henricai.com (the "Site"), our platform at app.henricai.com (the "Platform"), and any related services (together, the "Services").

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you have any questions, please contact us at privacy@henricai.com.

Data controller

Henric Sweden AB, with registered address in Stockholm, Sweden ("Henric", "we", "us", or "our") is the data controller responsible for processing your personal data as described in this Privacy Policy.

Important distinction: This Privacy Policy covers personal data we process as a data controller — for example, your account information and usage data. When you or your organization upload documents to our Platform ("Content"), we process that Content as a data processor on behalf of your organization (the "Subscriber"). Our processing of Content is governed by a separate Data Processing Agreement (DPA) between Henric and the Subscriber. Any questions about personal data contained in Content should be directed to your organization.

What personal data we collect

Information you provide to us

Account information: When you or your organization creates an account, we collect your name, email address, role or title, organization name, and account credentials (password stored in hashed form).

Communication information: When you contact us for support, feedback, or inquiries, we collect your name, email address, and the content of your communication.

Information we collect automatically

Log data: When you use our Services, we automatically collect your IP address, browser type and version, the date and time of your request, and referring URLs.

Device information: We collect information about the device you use to access our Services, including device type, operating system, and browser version.

Usage data: We collect information about how you use our Services, including the features you access, the actions you take, timestamps, time zone, and the types and volumes of queries you submit. We do not collect or store the content of your queries or your uploaded documents other than as described in section 4.

Cookies: We use cookies and similar technologies to provide, secure, and improve our Services. We use the following types of cookies:

• Essential cookies: Required for basic functionality such as authentication and security.
• Analytics cookies: Help us understand how our Services are used so we can improve them. We use privacy-friendly analytics.
• Functional cookies: Remember your preferences such as language and region.

You can manage your cookie preferences through your browser settings. Disabling essential cookies may limit the functionality of our Services.

Information from connected services

When you connect third-party services to Henric, we may access data from those services solely to provide our Services:

• Google Drive: If you connect your Google Drive, we access files you explicitly select to work with in Henric. We do not access your entire Drive.
• Microsoft SharePoint: If you connect your SharePoint, we access files you explicitly select to work with in Henric. We do not access your entire SharePoint environment.

Data accessed from connected services is processed as Content under your Subscriber Agreement and DPA, not under this Privacy Policy.

Information from third parties

We may receive information about you from your organization (our Subscriber) in order to set up your account, or from service providers who assist us with fraud prevention and security.

Legal bases for processing

We process your personal data based on the following legal grounds under the GDPR:

Performance of a contract (Article 6(1)(b)): To provide and maintain our Services, manage your account, and provide customer support.

Legitimate interest (Article 6(1)(f)): To improve and develop our Services, ensure security, prevent fraud, and analyze usage patterns. We always balance our interests against your rights and freedoms.

Legal obligation (Article 6(1)(c)): To comply with applicable laws, such as bookkeeping and anti-money laundering requirements.

Consent (Article 6(1)(a)): Where required, such as for marketing communications. You can withdraw your consent at any time.

How we process Content with AI

Henric uses artificial intelligence, provided by Anthropic (Claude), to deliver our Services. When you upload documents, ask questions, or perform other tasks in our Platform, your Content is sent to Anthropic's API for processing.

Your Content is never used to train AI models

We have a zero-training-data agreement with Anthropic. Your Content is never used to train, fine-tune, or improve any AI model. This is contractually guaranteed in our agreement with Anthropic.

Processing and retention

Content is sent to Anthropic's API in real-time for processing and is not retained by Anthropic beyond the immediate API request. Anthropic processes data within the EU/EEA. We maintain a Data Processing Agreement with Anthropic that ensures full GDPR compliance.

How Content flows

• You upload a document or ask a question in Henric.
• Henric sends the relevant Content to Anthropic's API.
• Anthropic processes the request and returns a response.
• Anthropic does not store your Content after the response is delivered.
• Henric stores your Content on EU-hosted servers as part of your workspace.

How we use your personal data

We use your personal data for the following purposes:

• To provide, operate, and maintain our Services.
• To manage your account and authenticate your access.
• To provide customer support and respond to your inquiries.
• To improve, develop, and optimize our Services.
• To ensure the security of our Services and prevent fraud.
• To comply with legal obligations.
• To communicate with you about our Services, including service updates and, where you have consented, marketing communications.

Who we share your personal data with

We do not sell your personal data. We share your personal data only in the following circumstances:

Service providers: We use third-party service providers who process personal data on our behalf, including hosting providers, analytics services, and email communication tools. All service providers are bound by data processing agreements and process data only on our instructions.

AI provider (Anthropic): We share Content with Anthropic to deliver our AI-powered Services. Anthropic processes this data under a strict Data Processing Agreement that prohibits any use of your data for training purposes. Anthropic processes data within the EU/EEA.

Connected services: When you connect Google Drive or Microsoft SharePoint, data flows between Henric and those services as necessary to provide the functionality you requested. We do not share your data with Google or Microsoft beyond what is necessary for the integration to function.

Legal requirements: We may disclose your personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Henric, our users, or others.

Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change.

International data transfers

Henric is based in Sweden and processes personal data primarily within the EU/EEA. Our AI provider (Anthropic) processes Content within the EU/EEA under our Data Processing Agreement.

If we need to transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place, including:

• EU Commission adequacy decisions for the recipient country.
• Standard Contractual Clauses (SCCs) approved by the EU Commission.

Your rights under the GDPR are not affected by any international transfer of your data.

How long we keep your data

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: For the duration of your account and for a reasonable period thereafter, unless your organization's Subscriber Agreement specifies otherwise.
• Content: Stored for the duration of the Subscriber Agreement. Upon termination, Content is deleted within 30 days unless legal retention requirements apply.
• Usage and log data: Retained for up to 12 months for security and analytics purposes.
• Legal obligations: Where we are required by law to retain data (e.g., bookkeeping), we retain it for the legally required period (typically 7 years for financial records in Sweden).

When we no longer need your personal data, we delete or anonymize it in accordance with our data retention policies.

Your rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access: You have the right to request a copy of the personal data we hold about you and information about how we process it.

Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data.

Right to erasure: You have the right to request that we delete your personal data, subject to certain exceptions (such as legal retention obligations).

Right to restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances.

Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to object: You have the right to object to processing based on our legitimate interest. You can always object to direct marketing, and we will stop immediately.

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of processing prior to withdrawal.

Right to lodge a complaint: If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

To exercise any of your rights, please contact us at privacy@henricai.com. We will respond within 30 days.

Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Currently in the ISO/IEC 27001:2022 certification audit for our Information Security Management System.
• Encryption of data in transit (TLS) and at rest.
• Access controls and authentication requirements.
• Regular security assessments.
• EU-hosted infrastructure.
• Strict access controls limiting which Henric personnel can access personal data.

No method of transmission or storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at privacy@henricai.com.

Children's privacy

Our Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us and we will delete it promptly.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will provide notice through our Services or by email. Your continued use of our Services after any changes constitutes acceptance of the updated Privacy Policy.

Contact us