Effective April 17, 2026

Privacy Policy

We collect the minimum we need to run Huddle. This page explains exactly what that is, how we use it, and the rights you have over your data.

1. Who we are

Huddle ("we", "us", "our") is operated by Huddle Labs, based in Queensland, Australia. We are the data controller for the personal information described in this policy. You can reach us at privacy@huddleide.com.

2. What we collect

We collect only what we need to provide the service:

  • Account data — email, display name, and a password hash when you sign up. We never store your password in plaintext.
  • Session content — the documents, files, and chat you create or share inside a Huddle session, plus the CRDT metadata needed to sync them.
  • Usage data — IP address, user agent, timestamps, and coarse route information for security, abuse prevention, and debugging.
  • Billing data — if you upgrade, our payment processor (Stripe) handles your card; we see only the last four digits, brand, and billing country.
  • Support interactions — emails and form submissions you send us, retained for as long as we need them to help you.

3. How we use it

We use personal information to:

  • Provide, maintain, and improve Huddle;
  • Authenticate you and protect against abuse, fraud, and security incidents;
  • Process payments and manage subscriptions;
  • Send essential service notifications (account alerts, billing receipts);
  • Respond to your support requests; and
  • Comply with legal obligations when we have to.

We do not sell your personal information. We do not use your session content, code, or prompts to train machine-learning models.

4. BYOK (Bring Your Own Keys)

When you add a third-party API key (Anthropic, OpenAI, Google, DeepSeek, etc.) to your Huddle account, it is encrypted at rest with AES-256-GCM using keys we rotate regularly. Keys are decrypted only in memory, only at the moment a request is made to the provider you chose, and only by the infrastructure that serves your account.

We never share your keys with anyone: not a model provider other than the one you're calling, not a partner, not a subprocessor for analytics. If you delete your account, your keys are purged within 30 days.

5. Third parties

We rely on a small number of carefully chosen subprocessors:

  • Stripe — payment processing. Stripe receives your card details directly and is PCI-DSS compliant.
  • Email provider — transactional email (receipts, security alerts). Receives your email address and display name only.
  • Cloud infrastructure — hosting and storage for your session content. Data is encrypted in transit (TLS 1.3) and at rest.

We do not use third-party advertising trackers on huddleide.com.

6. Cookies

We use a small number of cookies: a session cookie to keep you logged in, and a functional cookie to remember your interface preferences. We do not set third-party analytics or advertising cookies by default. See our Cookies policy for the full list.

7. Data retention

We keep personal information for as long as your account is active, plus a short period after (typically 30 days) for backups and dispute resolution. Security logs may be retained for up to 12 months. You can request earlier deletion at any time — see your rights below.

8. International transfers

Huddle is operated from Australia, but our infrastructure spans multiple regions. If your personal information crosses borders, we use appropriate safeguards (standard contractual clauses, adequacy decisions where applicable) consistent with the Australian Privacy Act and, for EEA/UK users, the GDPR.

9. Your rights

Depending on where you live, you have rights over your personal information:

  • Access — request a copy of what we hold about you;
  • Correction — ask us to fix anything that's wrong;
  • Deletion — ask us to erase your personal information;
  • Portability — request an export in a machine-readable format;
  • Objection — tell us to stop processing for specific purposes;
  • Restriction — ask us to pause processing in certain circumstances.

Email privacy@huddleide.com from your account email and we'll respond within 30 days. You also have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local supervisory authority.

10. Security

We encrypt data in transit (TLS 1.3) and at rest, hash passwords with bcrypt, isolate tenants at the database level, and follow least-privilege access controls. No system is perfect; if you believe you've found a vulnerability, please write to security@huddleide.com.

11. Children

Huddle is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have, contact us and we'll delete it promptly.

12. Changes to this policy

We'll update this page when our practices change. For material changes we'll email active account holders and post a banner on the site at least 14 days before the change takes effect.

13. Contact

Questions about privacy? Email privacy@huddleide.com, or write to: Huddle Labs, PO Box placeholder, Queensland, Australia.