Privacy at HikmaAI

Privacy Policy

We secure agentic systems for a living. We hold ourselves to the same standard on this website — collect the minimum, name the purpose, give you control.

Privacy at a glance

The short version, before the long version.

What we collect

The minimum to run a demo conversation.

Business email and company name when you request a demo. Aggregated, opt-in analytics about how visitors use this website — nothing more.

Why we collect it

To reply to you, secure the service, improve the site.

Each purpose maps to a specific legal basis under Article 6 GDPR. We don't repurpose data, we don't sell it, and we don't profile you for advertising.

Your rights

Access, rectify, erase, object — anytime.

Articles 15–22 GDPR are not paperwork to us. Email info@hikmaai.io and we respond within 30 days. You can also complain to the Garante per la protezione dei dati personali.

This Privacy Policy explains how HikmaAI S.r.l. ("HikmaAI", "we", "us") collects, uses, stores, and protects personal data submitted through the hikmaai.io marketing website. It does not describe the HikmaAI platform itself; customer agreements and the platform Data Processing Addendum govern any processing carried out on behalf of customers.

Effective and last updated: 19 May 2026.

Article 4(7) GDPR

1. Data controller

HikmaAI S.r.l. is the data controller for personal data collected through this website. Our registered office and corporate identification are published on the Legal Notes page.

We have not appointed a Data Protection Officer because the volume and nature of processing carried out through this marketing site do not trigger the mandatory designation under Article 37 GDPR. Privacy inquiries should be sent to info@hikmaai.io with the subject line "Privacy".

What we receive

2. Information we collect

We collect personal data in three contexts, each kept separate from the others:

Data you give us
  • Demo request form: business email address and company name. The form is hardened with a honeypot field and a per-client cooldown; no other fields are submitted.
  • Direct correspondence: any details you choose to include in an email to info@hikmaai.io, support@hikmaai.io, or messages received via the LinkedIn, X, or GitHub accounts linked from this site.
Data we observe
  • Server access logs (request URL, timestamp, IP address, user agent) retained briefly for security, abuse mitigation, and infrastructure debugging.
  • Aggregated, opt-in product analytics when you accept the analytics cookie category (see the Cookie Policy). We do not run device fingerprinting, session replay, heat-maps, or behavioural advertising trackers.
Data from third parties
  • When you click through from a referrer such as a search engine or a partner page, the referrer URL is included in the analytics event (only if you consented).
  • If your organisation is a HikmaAI customer or prospect, business contact data may also reach us through legitimate B2B sources such as LinkedIn Sales Navigator or partner introductions. That processing is governed by our internal CRM policy, not this notice.

Purposes

3. How we use your information

Personal data is processed for clearly defined, limited purposes:

  • Respond to demo requests and follow-up correspondence.
  • Operate, secure, and debug the website and its forms (abuse prevention, anti-spam, log analysis).
  • Measure aggregate, anonymised website performance and content effectiveness when analytics consent is given.
  • Comply with legal obligations, defend legal claims, and respond to lawful requests from public authorities.

We do not use personal data submitted through this site for automated decision-making, profiling for targeted advertising, sale to data brokers, or training of HikmaAI's own machine-learning models.

Recipients

5. Sharing and processors

We do not sell personal data and we do not share it for cross-context behavioural advertising. We do rely on a small set of carefully selected processors who act on documented instructions under written agreements that satisfy Article 28 GDPR.

Active processors
  • Cloud hosting and CDN — for serving the website and storing operational logs.
  • Email delivery — to relay correspondence sent to info@hikmaai.io and support@hikmaai.io.
  • Customer relationship management — to record demo requests and pipeline conversations.
  • Web analytics (Google Analytics 4) — only when you consent to the analytics cookie category.

A current list of sub-processors, their role, and their place of establishment is available on request to info@hikmaai.io. Personal data may also be disclosed where required by law, court order, or to investigate suspected fraud or abuse against the site.

Articles 44–49 GDPR

6. International transfers

Some processors are established outside the European Economic Area, primarily in the United States. Where personal data is transferred outside the EEA, we rely on one of the following safeguards:

  • An adequacy decision adopted by the European Commission for the recipient country (for example, the EU–US Data Privacy Framework, where the recipient is certified).
  • Standard Contractual Clauses approved by the European Commission, supplemented by a transfer impact assessment and additional technical measures (encryption in transit and at rest, access controls, audit logging).

You may request a copy of the safeguards in place for a specific transfer by emailing info@hikmaai.io.

Storage limitation

7. Retention

Personal data is retained only as long as needed for the purpose for which it was collected, then deleted or anonymised:

  • Demo request submissions (email, company): Up to 24 months from last interaction, then deleted from active CRM. Backup copies are overwritten on a rolling 90-day cycle.
  • Inbound email correspondence: Up to 24 months from the last reply, then archived or deleted in line with our retention schedule.
  • Server access logs: Up to 30 days for routine operational purposes; longer only where retained for an active security investigation.
  • Analytics events (with consent): Configured in Google Analytics 4 at 14 months. Aggregated reports may be kept longer in non-identifying form.

Article 32 GDPR

8. Security

We apply technical and organisational measures appropriate to the limited scope of processing carried out through this website. These include TLS encryption for data in transit, encryption at rest for stored CRM and email records, hardened cloud infrastructure with least-privilege access, multi-factor authentication for all staff accounts that can read personal data, application-level rate limiting and bot mitigation on form endpoints, and a documented incident-response process.

No system is invulnerable. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Garante within 72 hours where required by Article 33 GDPR, and inform affected individuals without undue delay where required by Article 34 GDPR.

Articles 15–22 and 77 GDPR

9. Your rights

Whenever we process your personal data, you can exercise the following rights at any time, free of charge in ordinary cases:

Access

Confirm whether we are processing your data and obtain a copy of it (Art. 15).

Rectification

Have inaccurate or incomplete data corrected without undue delay (Art. 16).

Erasure

Have your data deleted where one of the grounds in Article 17 applies ("right to be forgotten").

Restriction

Restrict processing in the situations listed in Article 18 — for example while we verify a rectification request.

Portability

Receive your data in a structured, commonly used, machine-readable format, where Article 20 applies.

Objection

Object to processing based on legitimate interest (Art. 21), including any direct marketing.

Withdraw consent

Withdraw analytics or marketing consent at any time, with no effect on past processing carried out lawfully.

Lodge a complaint

File a complaint with the Garante per la protezione dei dati personali — garanteprivacy.it (Art. 77).

To exercise any of these rights, email info@hikmaai.io with the subject "Privacy rights request" and enough information to identify yourself. We respond within 30 days, extendable by a further 60 days for particularly complex requests under Article 12(3) GDPR. We may need to verify your identity before disclosing personal data.

e-Privacy

10. Cookies and similar technologies

The website uses a minimal set of cookies and local storage entries. Categories, purposes, providers, and retention are described in the Cookie Policy. You can change your consent at any time using the "Manage cookie preferences" link in the website footer.

Audience

11. Minors

This website is aimed at security, platform, and compliance professionals. It is not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a minor has submitted personal data through this site, contact info@hikmaai.io and we will delete it.

Versioning

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our processing or in applicable law. Material changes will be announced at the top of this page with a new effective date; where the change affects a basis on which we collected your consent, we will ask for fresh consent.

Last updated: 19 May 2026.

Get in touch

13. Contact

For any question about this Privacy Policy or about how HikmaAI handles your personal data:

Data controller

HikmaAI S.r.l.

info@hikmaai.io

Subject line: "Privacy"

You always have the right to lodge a complaint with the Italian supervisory authority, the Garante per la protezione dei dati personali (garanteprivacy.it).
