Privacy
Your content stays in your network. Only the proof travels.
heso is designed so the raw content of an agent action never leaves your infrastructure. What crosses the wire is a commitment — a fingerprint and the metadata needed to verify it — not the action body. This page explains that model plainly, and flags the parts still being finalized into a binding policy.
This is a working draft, not the binding privacy policy.
The technical model below is accurate and reflects how the product actually moves data. The legally binding text — your rights, retention windows, sub-processors, and contact-for-requests — is being finalized with counsel and will replace the placeholders marked below. Nothing here is a legal commitment until that lands.
How data actually moves
The privacy model is the architecture.
Privacy here is not a setting you toggle — it is the shape of the system. Four facts carry the weight, and they are true by construction, not by promise.
Raw content never leaves your network
The classify → redact → sign pipeline runs inside your own infrastructure. When a receipt is sent to the heso cloud, the wire carries a commitment — a BLAKE3 fingerprint, primitive-indexed metadata, the chain head, and signatures — not the action body. The cloud verifies that commitment before storing it, without ever holding the content.
Secrets are removed before anything is signed
Pre-sign redaction strips sensitive fields before the bytes are hashed, so a secret a verifier never needs to see is gone from the record by construction. The recorder also keeps argument capture off by default — argument content is fingerprinted, not stored.
Verification needs no account and no content
A receipt can be re-verified offline from the bytes alone — no network call, no heso login, no signing key. The proof stands on its own, which means the trust path never requires us to hold or process the underlying content.
Keys stay with you
The operator Ed25519 signing key lives with your instance — sealed by a passphrase or wrapped by your own cloud KMS. heso holds no signing keys. The browser verify surface cannot sign or generate keys by design.
Honest limit: a receipt is not encrypted. Fields you choose not to redact are visible to anyone holding the receipt. Privacy comes from what you redact and from content staying in your network — not from encryption of the record itself.
The binding policy
The sections a finalized policy will cover.
These are the headings of the binding document. Each one needs reviewed legal copy before it makes any promise — so each is a marked placeholder, not a claim.
What we collect
Account data, commitments (fingerprints and metadata), billing, and operational telemetry — never raw action content.
binding copy: to be finalized with counsel
How we use it
Operating the service, verifying and storing commitments, billing, and support.
binding copy: to be finalized with counsel
Sub-processors
The third parties that process data on our behalf (infrastructure, billing, email).
binding copy: to be finalized with counsel
Data retention
How long commitments and account data are kept. Retention windows differ by plan and are listed on Pricing.
binding copy: to be finalized with counsel
Your rights and requests
Access, correction, deletion, and how to contact us about your data.
binding copy: to be finalized with counsel
Security and incident notification
How data is protected and how we notify you in the event of a breach.
binding copy: to be finalized with counsel
International transfers
Where data is processed and the safeguards applied to cross-border transfers.
binding copy: to be finalized with counsel
Changes and contact
How policy changes are communicated and how to reach us.
binding copy: to be finalized with counsel
See the data model for yourself.
The clearest privacy claim is one you can verify yourself. Read how the commitment wire and offline verification work — no content, no account, no trust in us required.
