1. Introduction and Company Identity
AIHive.global (“AIHive,” “we,” “our,” or “us”) is an enterprise AI agent platform developed and operated by AHT Tech. We provide organizations with the infrastructure, tooling, and engineering services required to build, deploy, and govern AI agents at production scale. Our platform is designed from the ground up to meet the stringent data protection, compliance, and sovereignty requirements of regulated industries, including financial services, healthcare, manufacturing, and the public sector.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you hold regarding your data. We operate across multiple jurisdictions — including the United States, the European Union, the United Kingdom, Vietnam, Singapore, and Australia — and we apply the highest applicable standard of data protection law to all our processing activities.
This Policy applies to:
- All users of the AIHive SaaS Platform (app.aihive.global)
- Enterprise clients accessing AIHive through modular on-premise or private cloud deployments
- Visitors to our marketing website (aihive.global)
- Personnel of organizations that have entered into a Master Service Agreement (MSA) or similar contract with AIHive or AHT Tech
- Individuals whose data is processed by AI agents deployed using the AIHive platform (as Data Subjects)
2. Key Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings defined below:
| Term | Definition |
| --- | --- |
| Personal Data | Any information that relates to an identified or identifiable natural person, including name, email address, IP address, usage identifiers, and any data that can be linked to an individual. |
| Customer Data | All data — including Personal Data — that enterprise clients or their end users submit to the AIHive platform for the purposes of AI agent processing, training, or workflow automation. |
| Usage Data | Technical data automatically generated through platform interaction, including log files, session metadata, feature usage patterns, and performance telemetry. |
| Controller | The entity that determines the purposes and means of processing Personal Data. Enterprise clients act as Controllers of their Customer Data processed via AIHive. |
| Processor | The entity that processes Personal Data on behalf of the Controller. AIHive acts as Processor for Customer Data submitted by enterprise clients. |
| AI Agent Output | Any content, decision, recommendation, or action generated by an AI agent operating within the AIHive platform. |
| On-Premise Deployment | An AIHive deployment configuration in which all data processing occurs entirely within the client’s own infrastructure, with no data transmitted to AIHive or third-party cloud systems. |
| PII / PHI | Personally Identifiable Information and Protected Health Information — categories of sensitive data subject to enhanced protection under applicable regulations including GDPR, HIPAA, and Vietnam’s data protection framework. |
3. Categories of Data We Collect
3.1 Account and Identity Data
When you register for an AIHive account or enter into a service agreement with us, we collect information necessary to create and manage your account and to deliver our contractual obligations. This data includes:
- Full name and professional title
- Business email address and phone number
- Organization name, industry, and size
- Billing information and payment method details (processed via PCI-DSS compliant payment processors; AIHive does not store raw card data)
- Authentication credentials (stored in hashed, salted format; never in plaintext)
3.2 Customer Data and AI Interaction Data
Enterprise clients submit business data to the AIHive platform for AI agent processing. This constitutes Customer Data, for which the enterprise client is the Data Controller. AIHive processes Customer Data solely in accordance with the client’s instructions and the applicable Data Processing Agreement (DPA). Customer Data may include:
- Documents, records, and datasets uploaded for AI agent processing (e.g., contracts, medical records, financial filings, customer inquiries)
- Workflow configurations, agent instructions, and business logic parameters
- End-user queries and conversational inputs submitted to AI agents deployed by our clients
- AI Agent Outputs and decision logs generated during agent operation
On-Premise Deployment: For enterprise clients who deploy AIHive on their own infrastructure (on-premise or private cloud), Customer Data is processed entirely within the client’s environment. AIHive does not receive, access, or store this data. The client assumes full Data Controller and Processor responsibilities for their on-premise deployment.
3.3 Usage and Technical Data
We automatically collect technical data when you interact with the AIHive SaaS platform. This data is used to maintain platform performance, ensure security, and improve service quality. It includes:
- IP address, browser type, and operating system
- Session duration, page views, and feature interaction patterns
- API call logs, error reports, and system performance telemetry
- Device identifiers and network metadata
3.4 Communications Data
When you contact our support team, submit a demo request, participate in onboarding sessions, or communicate with us via email or in-platform channels, we retain those communications for customer service continuity, quality assurance, and contractual documentation purposes.
3.5 Data We Do Not Collect
AIHive does not collect the following categories of data, and we take explicit technical and contractual measures to prevent their unauthorized collection:
- Biometric data, genetic data, or data relating to racial or ethnic origin
- Political opinions, religious beliefs, or trade union membership
- Data from children under the age of 18 (our platform is strictly enterprise B2B)
- Raw payment card numbers, CVV codes, or bank account details
4. Legal Basis for Processing
AIHive processes Personal Data only when a valid legal basis exists under applicable law. The following table summarizes our processing activities and their corresponding legal bases:
| Processing Activity | Legal Basis (GDPR Art. 6) | Applicable Framework |
| --- | --- | --- |
| Account creation and management | Contract performance (Art. 6(1)(b)) | GDPR, Vietnam Cybersecurity Law |
| Delivery of SaaS platform services | Contract performance (Art. 6(1)(b)) | GDPR, HIPAA BAA (where applicable) |
| Customer Data processing per client instructions | Legitimate interests / DPA (Art. 6(1)(f)) | GDPR, HIPAA, MAS TRM |
| Platform security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) | GDPR, ISO/IEC 27001 |
| Sending product updates and service notifications | Contract performance / Legitimate interests | GDPR, CAN-SPAM |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | All applicable laws |
| Marketing communications (opt-in only) | Consent (Art. 6(1)(a)) | GDPR, Vietnam Consumer Protection Law |
5. How We Use Your Data
AIHive uses collected data for the following specific purposes:
5.1 Platform Operations
- Authenticating users and controlling access to platform features via Role-Based Access Controls (RBAC)
- Executing AI agent workflows as configured by enterprise clients
- Delivering API responses and agent outputs in real time
- Maintaining platform uptime, availability, and disaster recovery capabilities
5.2 Security and Compliance
- Monitoring for unauthorized access attempts, anomalous behavior, and security threats
- Generating audit trails and decision logs required for regulatory compliance
- Enforcing data retention policies and automated data deletion schedules
- Conducting penetration testing, vulnerability assessments, and SOC 2 audit activities
5.3 Product Improvement
- Analyzing anonymized, aggregated usage patterns to improve platform performance and reliability
- Testing new features and AI model integrations in isolated, non-production environments
- Developing and refining AIHive’s proprietary orchestration layer and governance engine
AIHive does not use Customer Data to train third-party foundation models (e.g., GPT, Claude, Gemini) without explicit written consent from the enterprise client. Our model-agnostic architecture processes data via client-selected LLM providers under separate data processing agreements with each provider.
5.4 Customer Support and Communication
- Responding to support tickets, technical inquiries, and onboarding requests
- Sending service notifications, security alerts, and platform status updates
- Delivering product documentation, release notes, and compliance reports upon request
6. Data Sharing and Third-Party Disclosure
AIHive does not sell, rent, or trade Personal Data or Customer Data to any third party. We share data only in the circumstances described below, and only to the extent necessary to fulfill our contractual and legal obligations:
6.1 AI Model Providers (LLM Infrastructure)
The AIHive platform is model-agnostic and enables enterprise clients to select from multiple Large Language Model (LLM) providers, including but not limited to OpenAI (GPT-4o), Anthropic (Claude), Google (Gemini), and Meta (Llama, for on-premise self-hosted deployments). When a client selects a cloud-hosted LLM provider, their input data is processed by that provider under the provider’s own data processing agreement. AIHive maintains active DPAs with all integrated LLM providers and provides clients with transparent documentation of data flows to each provider.
6.2 Cloud Infrastructure Providers
Our SaaS platform is hosted on enterprise-grade cloud infrastructure. These providers process data only as directed by AIHive and are bound by data processing agreements that require them to implement appropriate technical and organizational security measures. Specific cloud providers are disclosed to enterprise clients within their DPA schedules.
6.3 Payment Processing
Payment transactions are handled by PCI-DSS Level 1 certified payment processors. AIHive does not receive or retain raw payment card data. Financial transaction records are retained in accordance with applicable accounting and tax regulations.
6.4 Professional and Legal Advisors
We may share data with our legal counsel, auditors, and compliance advisors under strict confidentiality obligations, solely for the purpose of obtaining professional advice or for establishing, exercising, or defending legal claims.
6.5 Regulatory and Law Enforcement Authorities
AIHive will disclose data to competent authorities when required to do so by applicable law, court order, or regulatory mandate. We will, to the extent permitted by law, notify affected enterprise clients of such requests before disclosure and will limit the scope of disclosure to what is legally required.
6.6 Business Transfers
In the event of a merger, acquisition, or sale of substantially all of our assets, Personal Data and Customer Data may be transferred to the acquiring entity. We will notify affected users and enterprise clients of any such transfer with no less than thirty (30) days’ advance notice and will ensure the acquiring entity is bound by obligations no less protective than those in this Policy.
7. International Data Transfers
AIHive operates globally, with clients and infrastructure across Vietnam, Singapore, the United States, the European Union, Australia, and the United Arab Emirates. When Personal Data is transferred across international borders, we implement appropriate safeguards to ensure that the transfer complies with applicable law:
- For transfers of EU/EEA personal data to third countries: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or we transfer data only to countries with an EU adequacy decision.
- For transfers involving UK personal data: We apply UK International Data Transfer Agreements (IDTAs) or UK Addendum SCCs as required by the UK Information Commissioner’s Office (ICO).
- For Vietnamese personal data: Transfers comply with Decree 13/2023/ND-CP and, where applicable, the Vietnam AI Law 134/2025/QH15 requirements for national data sovereignty.
- For Singapore personal data: Transfers are governed by the PDPA 2012 (as amended) and MAS TRM Guidelines where financial sector data is involved.
Enterprise clients who require zero cross-border data transfer may select AIHive’s On-Premise Deployment option. Under this deployment model, all AI processing occurs entirely within the client’s own infrastructure, and no data is transmitted externally under any circumstances.
8. Data Security and Technical Safeguards
AIHive applies a defense-in-depth security architecture aligned with ISO/IEC 27001 information security management principles and SOC 2 Type II trust service criteria. Our technical and organizational security measures include:
8.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256 encryption
- Cryptographic key management follows NIST SP 800-57 standards
- PII and PHI fields within the platform are subject to field-level encryption as an additional safeguard
8.2 Access Controls
- Role-Based Access Control (RBAC) is enforced across all platform modules
- Privileged access to production systems is governed by a Privileged Access Management (PAM) solution
- Multi-Factor Authentication (MFA) is mandatory for all administrative accounts
- Zero-trust network architecture is applied to internal service-to-service communication
8.3 Monitoring and Incident Response
- Continuous security event monitoring via Security Information and Event Management (SIEM) systems
- All AI agent decision-making activities are logged in a tamper-evident audit trail
- Our Security Incident Response Plan (SIRP) defines response procedures, escalation paths, and notification timelines
- Data breach notification will be provided to affected clients and relevant supervisory authorities within 72 hours of confirmed discovery, in compliance with GDPR Article 33
8.4 Compliance Framework Alignment
| Framework / Standard | Scope | Deployment Mode |
| --- | --- | --- |
| GDPR (EU) 2016/679 | All EU/EEA personal data processing | SaaS and On-Premise |
| HIPAA (US) | Protected Health Information in healthcare deployments | SaaS and On-Premise |
| Vietnam AI Law 134/2025/QH15 | All Vietnam-jurisdiction deployments | SaaS and On-Premise |
| MAS TRM Guidelines (SG) | Financial sector deployments in Singapore | On-Premise recommended |
| SOC 2 Type II Framework | Platform-wide trust service criteria | SaaS Platform |
| ISO/IEC 27001 | Information security management system | Organization-wide |
| PDPA 2012 (Singapore) | Singapore personal data processing | SaaS and On-Premise |
| Decree 13/2023/ND-CP (VN) | Vietnamese personal data protection | SaaS and On-Premise |
Enterprise clients in regulated industries (BFSI, Healthcare) are encouraged to request a copy of our Security Architecture Overview and available compliance documentation by contacting info@aihive.global.
9. Data Retention
AIHive retains Personal Data and Customer Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law and regulatory obligations. Our retention schedule is as follows:
| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Account and identity data | Duration of account + 7 years post-termination | Contractual / Legal obligation |
| Customer Data (SaaS) | As specified in DPA; default 12 months post-contract | Contractual |
| AI Interaction and agent logs | 12 months (configurable by enterprise client) | Contractual / Audit |
| Usage and technical telemetry | 12 months (anonymized aggregates retained longer) | Legitimate interests |
| Support communications | 36 months from last interaction | Customer service |
| Payment and billing records | 7 years (applicable accounting law) | Legal obligation |
| Security and audit logs | Minimum 12 months; 24 months for regulated sectors | Legal / Regulatory |
| Customer Data (On-Premise) | Client-controlled; AIHive retains no copy | Client sole responsibility |
10. Your Data Subject Rights
Depending on your location and applicable law, you hold the following rights regarding your Personal Data. We are committed to honoring these rights within the legally mandated timeframes:
10.1 Rights Under GDPR (EU/EEA/UK Residents)
- Right of Access (Art. 15): Request a copy of all Personal Data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete Personal Data.
- Right to Erasure / ‘Right to Be Forgotten’ (Art. 17): Request deletion of your Personal Data where no overriding legal basis exists for continued processing.
- Right to Restriction of Processing (Art. 18): Request that we restrict processing of your data in specified circumstances.
- Right to Data Portability (Art. 20): Receive your Personal Data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for processing activities based on consent, without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with your national Data Protection Authority (DPA).
10.2 Rights Under Vietnam Data Protection Law
Vietnamese residents hold rights under Decree 13/2023/ND-CP and the Vietnam AI Law 134/2025/QH15, including the right to know, access, correct, and request deletion of their Personal Data, as well as the right to be informed about automated decision-making affecting them.
10.3 Rights Under Singapore PDPA
Singapore residents hold the right to access Personal Data held about them and to correct any inaccuracies, subject to the exemptions provided under the PDPA 2012 as amended.
10.4 Exercising Your Rights
To exercise any of the rights described above, submit a written request to info@aihive.global. We will verify your identity before processing the request. We will respond within 30 days of receipt (or within the applicable statutory period). We do not charge a fee for data subject requests unless requests are manifestly unfounded or excessive.
11. Cookies and Tracking Technologies
Our marketing website (aihive.global) uses cookies and similar tracking technologies to understand visitor behavior and improve the user experience. The AIHive application platform (app.aihive.global) uses strictly necessary cookies for authentication and session management.
| Cookie Category | Legal Basis | Purpose |
| --- | --- | --- |
| Strictly Necessary | Contract performance | Session management, authentication, security token validation |
| Functional | Consent | User preference storage, language settings, dashboard layout |
| Analytics | Consent / Legitimate interests | Aggregated usage analytics to improve platform UX and performance |
| Marketing | Consent | Interest-based advertising on third-party platforms (opt-in only) |
You may manage or withdraw consent for non-essential cookies at any time through the Cookie Preference Center accessible in the footer of aihive.global.
12. AI-Specific Data Governance
Given that AIHive is an AI agent platform, we apply additional safeguards specific to AI data processing that go beyond the requirements of general privacy law:
12.1 PII Masking and Data Minimization
The AIHive platform includes built-in PII masking and data minimization controls. Enterprise clients can configure these controls to automatically detect and redact PII and PHI fields before data is passed to any LLM provider. This technical safeguard is enabled by default for healthcare and financial services deployments.
12.2 Audit Trails for AI Decisions
Every action taken by an AI agent deployed on the AIHive platform is logged in a comprehensive, tamper-evident audit trail. The audit trail records the input data, the model and prompt version used, the AI output generated, and the human actions taken in response. This audit capability supports compliance with explainability requirements under GDPR Article 22, the EU AI Act (high-risk AI systems), and the Vietnam AI Law 134/2025/QH15.
12.3 Human-in-the-Loop Governance
For AI agent workflows that affect significant decisions impacting individuals — such as credit scoring, medical triage prioritization, or employment-related automation — AIHive’s governance engine enforces mandatory human review checkpoints. These checkpoints cannot be disabled without explicit administrative authorization and are logged in the audit trail.
12.4 Model Agnosticism and Data Portability
Because AIHive supports multiple LLM providers, enterprise clients retain full control over which model processes their data. Clients may switch models, add new providers, or move to self-hosted open-source models (such as Meta Llama) at any time without requiring data migration or re-platforming. This architectural principle directly supports data sovereignty and prevents vendor lock-in.
13. Children’s Privacy
The AIHive platform is designed exclusively for enterprise and commercial use and is not directed at individuals under the age of 18. We do not knowingly collect Personal Data from minors. If we become aware that Personal Data of a person under 18 has been submitted to the platform without appropriate authorization, we will take immediate steps to delete such data. If you believe this has occurred, contact info@aihive.global immediately.
14. Changes to This Privacy Policy
AIHive may update this Privacy Policy periodically to reflect changes in our data processing practices, applicable law, or platform capabilities. We will notify enterprise clients of material changes via email or in-platform notification with no less than thirty (30) days’ advance notice. For minor or non-material updates, the updated Policy will be posted at aihive.global/privacy-policy with the revised “Last Updated” date noted at the top of this document.
Continued use of the AIHive platform after the effective date of any updated Policy constitutes acceptance of the revised terms. If you do not accept the revised Policy, you must discontinue use of the platform and contact your account manager to arrange an orderly offboarding.
15. Contact Information and Data Protection Officer
For all privacy-related inquiries, data subject access requests, complaints, or to contact our Data Protection Officer (DPO), please use the following contact details:
| Privacy Inquiries | info@aihive.global |
| Data Protection Officer | info@aihive.global |
| Security Inquiries | info@aihive.global |
| Legal / Compliance | info@aihive.global |
| Website | aihive.global/privacy-policy |
| Response Time | We respond to all privacy inquiries within 5 business days. Data subject access requests are fulfilled within 30 days (or the applicable statutory period). |
| Registered Address | [AHT Tech registered address — to be confirmed by legal team] |
| EU Representative | [EU GDPR Article 27 representative — to be designated if required] |
LEGAL DISCLAIMER: This Privacy Policy is provided for informational purposes and does not constitute legal advice. Enterprise clients with specific regulatory compliance requirements should consult with qualified legal counsel to assess how AIHive’s data processing practices interact with their own compliance obligations. Certain sections of this document, particularly regarding compliance certifications and regulatory alignment, should be verified with your account manager before reliance in regulated procurement contexts.