Privacy Policy

Last updated: June 15, 2026

This Privacy Policy explains how Haltless collects, uses, shares, and protects personal data when you use the Haltless Services, including our website, dashboard, edge agent software, and API. It applies to data we process as a controller. Where we process customer data on a customer’s behalf as a processor, the customer is the controller and our written Data Processing Addendum governs that processing.

1. Who we are

Haltless ("we", "us", "our") is the controller of personal data described in this Privacy Policy.

  • Company: Haltless, Inc.
  • Address: Delaware, United States
  • Privacy contact: privacy@haltless.io

Where required by Applicable Data Protection Law we appoint a Data Protection Officer (DPO). The DPO can be reached at the address above with "DPO" in the subject line.

2. Information we collect

We collect the following categories of personal data, all in connection with providing the Service.

  • Account information you provide directly: first and last name, work email, phone number (optional), job title (optional), company name, VAT or tax identification number (optional).
  • Authentication artifacts: hashed password, encrypted TOTP MFA secret, IP address and browser/device fingerprint at sign-in, session and token metadata.
  • Audit trail data: user identifier (actor), IP address, action, resource affected, timestamp.
  • Operational data tied to people: shift logs (supervisor and operator names, shift times), work-order signoffs (signer name, role, IP, timestamp), comments and threaded messages on alerts and work orders.
  • Support communications: email correspondence, ticket history, in-product messages.
  • Marketing data (opt-in only): communication preferences with a timestamp, attribution source.
  • Telemetry that incidentally references a person: machine telemetry collected by the Edge Agent is not personal data, but where a record is tied to a named operator via shift logs the resulting record is treated as personal data.

3. Sources of personal data

We obtain personal data from the following sources.

  • Directly from you when you create an account, request a quote, contact support, or submit a form.
  • From your Edge Agents, transmitting machine telemetry that may incidentally reference operators identified in your shift logs.
  • From identity providers (Google, Microsoft) when you sign in via SSO. We receive your email address, name, and provider identifier.
  • From our payment processor (Paddle.com Market Limited, our Merchant of Record), which provides billing-related fields required to invoice you.
  • From cookies and similar technologies on our marketing site, where you have given consent for analytics or marketing categories.

4. How we use your information and legal bases

For visitors and customers in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following lawful bases under Articles 6 and 9 of the GDPR (or equivalent under UK GDPR or the Swiss FADP).

Purpose and legal basis (EU/UK GDPR):

  • Creating and operating your account; providing the Service: performance of a contract, Art. 6(1)(b).
  • Billing, invoicing, and tax compliance: legal obligation, Art. 6(1)(c), and contract, Art. 6(1)(b).
  • Authenticating users, logging access, preventing abuse: legitimate interests, Art. 6(1)(f).
  • Maintaining the tamper-evident audit chain (security and compliance evidence): legitimate interests, Art. 6(1)(f); legal obligation, Art. 6(1)(c).
  • Responding to support requests and customer inquiries: performance of a contract, Art. 6(1)(b).
  • Sending product-related transactional emails: performance of a contract, Art. 6(1)(b).
  • Sending optional marketing communications: consent, Art. 6(1)(a), withdrawable at any time.
  • Improving the Service using aggregated, anonymized data: legitimate interests, Art. 6(1)(f).
  • Meeting regulatory and audit obligations (SOC 2 trace, ISO 27001 alignment): legitimate interests, Art. 6(1)(f); legal obligation, Art. 6(1)(c).

Where we rely on legitimate interests we have weighed those interests against your rights and freedoms and concluded that they are not overridden by your privacy interests. You may object at any time on grounds relating to your particular situation (see Section 8).

5. Recipients and sub-processors

We share personal data with carefully selected service providers, only to the extent needed for the purposes above.

  • Cloud hosting and infrastructure provider
  • Payment processor: Paddle.com Market Limited (Ireland), acting as our Merchant of Record for tax and billing
  • Identity providers: Google and Microsoft when you choose application-level SSO; tenant-level SAML or OIDC providers you configure
  • Notification and push-message providers: email delivery service and browser push services (Apple, Google FCM, Mozilla autopush)
  • Customer-relationship and support tools
  • Audit, security, and error-monitoring providers

A current list of sub-processors is available on request at privacy@haltless.io. We notify customer administrators in advance of material changes. We do not sell personal data, and we do not share it with advertising networks for cross-context behavioural advertising.

6. International data transfers

Haltless is established in the United States (Delaware). Where we process the personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland, that data is transferred to the United States and may be processed by our hosting provider and sub-processors in other regions. We rely on appropriate safeguards for such transfers, including the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework, the UK International Data Transfer Addendum, and EU adequacy decisions.

For transfers not covered by an adequacy decision we rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) together with a Transfer Impact Assessment. For United Kingdom transfers we apply the UK International Data Transfer Addendum or the UK Addendum to the EU SCCs. For transfers out of mainland China we use the China Standard Contract for the Cross-Border Transfer of Personal Information. You can request a copy of the safeguards by writing to privacy@haltless.io.

7. How long we keep your data

We retain personal data only as long as needed for the purposes for which it was collected, subject to legal retention obligations.

  • Account profile data: for the life of your account, deleted within 90 days of account closure unless required for legal claims.
  • Authentication metadata: 90 days after the session ends.
  • Operational data (alerts, work orders, shift logs): per the retention period agreed in your subscription. Defaults are configured at signup and can extend up to ten years for audit-relevant operational data.
  • Audit trail (audit_logs): 7 years (2,555 days), platform-wide, to satisfy SOC 2 CC2.2 / CC4.1 and analogous security-audit obligations.
  • Billing records and invoices: kept for the period required by applicable U.S. tax law, typically seven years.
  • Marketing data: until you withdraw consent, plus a short cooling-off period.
  • Backups: full backups roll off according to our backup retention policy (currently 30 days). After roll-off, restored data follows the deletion choices made above.

Where we anonymize data so that it can no longer identify a person (for example aggregating telemetry into benchmark statistics) we may retain it indefinitely.

8. Your rights

Subject to your jurisdiction, you have the following rights with respect to your personal data.

  • Access: obtain a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure (right to be forgotten): request deletion, subject to legal retention obligations such as audit logs and tax records.
  • Restriction: limit how we process your data while a request is resolved.
  • Objection: object to processing based on legitimate interests, and at any time to direct marketing.
  • Data portability: receive a structured, commonly used, machine-readable copy of data you provided to us.
  • Withdraw consent: for any processing based on consent, with effect for the future.
  • Automated decisions: not be subject to a decision based solely on automated processing producing legal or similarly significant effects on you.
  • Complaint: lodge a complaint with your local data protection or supervisory authority.

To exercise any of these rights, email privacy@haltless.io. We respond within 30 days. If we cannot fulfil your request within that period we will tell you why and give a revised timeline. We may need to verify your identity before completing some requests. To unsubscribe from our marketing emails and be removed from our mailing list, email unsubscribe@haltless.io.

9. Children’s data

The Service is not directed to children. We do not knowingly collect personal data from anyone under 16 in the European Economic Area, under 13 in the United States (COPPA), or under 14 in the People’s Republic of China. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Cookies and similar technologies

Our Service uses cookies and similar technologies as described in our Cookie Policy. Essential cookies (authentication, security) are always present; analytics and other non-essential cookies are subject to your consent on our marketing site. We respect Global Privacy Control (GPC) signals as a valid opt-out preference where required by law.

11. Automated processing

The Service uses three deterministic anomaly-detection algorithms (static baseline, exponentially weighted moving average, rate-of-change) plus a transparent health-score formula to assess machine condition. These decisions affect equipment maintenance, not people.

The platform does not profile workers, evaluate operator performance, or rank employees. If a customer chooses to use the dashboard to monitor operators rather than machines, that processing falls outside the design of the Service and the customer (not Haltless) is the controller. Under EU AI Act transparency obligations applicable from August 2026, we will disclose any model-based output that affects natural persons. To date, no Service output is intended to affect natural persons.

12. Security

We implement appropriate technical and organisational measures to protect personal data.

  • TLS 1.3 with mutual certificate authentication for traffic between edge agents and our backend.
  • AES-256 encryption at rest, with keys managed in a hardware-backed key service.
  • PostgreSQL row-level security policies isolating tenants.
  • 12-character password minimum, 90-day rotation, TOTP MFA with encrypted secrets at rest.
  • Short-lived JWT access tokens in memory only, HttpOnly refresh cookies, per-device session revocation.
  • Tamper-evident audit chain (HMAC-SHA256 row chaining + append-only database trigger).

Despite these measures, no Internet-based service is completely secure. If we become aware of a personal data breach, we notify affected customers and the relevant supervisory authority in line with applicable law.

13. EU and UK specific provisions

If you are in the European Economic Area, the United Kingdom, or Switzerland, the following apply in addition to the above. See the table in Section 4 for the lawful basis we rely on for each purpose.

EU Data Act (Regulation (EU) 2023/2854). Where you are a user of a connected industrial product served by the Haltless Edge Agent, you have a right to access the data the product generates, in real time, in a machine-readable format, free of charge. Your tenant administrator can export this data from the Haltless dashboard at any time and we make it available via API on request.

EU AI Act (Regulation (EU) 2024/1689). Our predictive-maintenance scoring is deterministic and explainable, not a foundation model. We disclose model logic on request. The scoring is not designed to make decisions about natural persons.

Cyber Resilience Act (Regulation (EU) 2024/2847). Our Edge Agent is a product with digital elements within scope of the Act. We maintain a coordinated vulnerability disclosure policy at security@haltless.io.

14. California residents

This section applies if you are a California resident, under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Notice at collection. We collect the categories of personal information listed in Section 2 of this Policy. We collect them for the business and commercial purposes described in Section 4 and disclose them to the recipients listed in Section 5.

Do Not Sell or Share My Personal Information. Haltless does not sell personal information and does not share personal information with third parties for cross-context behavioural advertising. You may confirm this status at privacy@haltless.io.

Sensitive personal information. Where we collect authentication credentials (a category of sensitive personal information under §1798.140(ae)) we use them only as reasonably necessary to provide the Service. You may direct us to limit our use of sensitive personal information by contacting privacy@haltless.io.

Your rights. You have the right to know, access, delete, correct, opt out of sale or share, limit the use of sensitive personal information, and not be discriminated against for exercising these rights. To exercise any of these rights email privacy@haltless.io. You may use an authorized agent. We will require proof of agent authority and your identity. In the past 12 months we have disclosed identifiers, professional/employment information, and internet/network activity for business purposes only, and have not sold or shared any personal information.

15. Other US state residents

If you are a resident of another US state with a comprehensive privacy law, including Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Oregon, Montana, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, Nebraska, and others, you have substantially the same rights of access, correction, deletion, data portability where applicable, and opt-out from targeted advertising or sale. To exercise these rights email privacy@haltless.io. You also have the right to appeal a denial of a rights request; contact us at the same address with "Appeal" in the subject and we will respond within 30 days.

16. China residents

If you are a resident of mainland China, the People’s Republic of China Personal Information Protection Law (PIPL) applies to your personal data.

Local representative. Where we process personal information of residents in China from outside China we maintain a designated representative. Contact details are available at privacy@haltless.io.

Separate consent. Where we process sensitive personal information, transfer personal information outside mainland China, share personal information with another controller, publicly disclose personal information, or process personal information of minors under 14, we obtain separate, explicit consent.

Cross-border transfer. We rely on the China Standard Contract for the Cross-Border Transfer of Personal Information (effective June 2023). Where applicable we additionally complete a Security Assessment under the CAC Measures.

Your rights under PIPL. You have the right to access, copy, correct, delete, withdraw consent, receive an explanation of automated decisions, and request portability (subject to implementing rules). You may lodge a complaint with the Cyberspace Administration of China or your local market-supervision authority. To exercise these rights email privacy@haltless.io.

17. Changes to this Policy

We may update this Privacy Policy from time to time. The current version number and last-updated date appear at the top of this page. For material changes we notify customer administrators by in-product banner and email at least 30 days before the change takes effect. Prior versions remain available on request. The version of this Policy in force when you first accepted our Terms of Service is recorded against your account.

18. Contact

For any questions about this Privacy Policy, the exercise of your rights, or the processing of your personal data, contact us by email at privacy@haltless.io.

Postal mail: Haltless, Inc., Delaware, United States.
