Privacy Policy
Effective date: February 25, 2026 · Last updated: April 4, 2026
This Privacy Policy explains how Humagician (“Humagician,” “we,” “us,” or “our”) collects, uses, and protects personal information when you visit humagician.com, sign in to the Humagician operator platform at app.humagician.com, or interact with Humagician chat and form widgets embedded on third-party merchant websites.
1. Scope
This policy applies to personal information collected through:
- humagician.com — our public-facing website and marketing pages.
- app.humagician.com — the Humagician operator platform, including the login screen, operator dashboard, AI configuration, analytics, and team management.
- Humagician chat widget — a JavaScript embed that merchants place on their own websites to provide Conversational AI, Automation Workflows, and human-assisted customer support to their visitors.
- Humagician Forms — forms that merchants embed on their websites to collect information from visitors, with optional Conversational AI and Automation Workflows features.
- Waitlist and mailing-list subscriptions — subscribe forms on humagician.com (and Humagician-powered forms) used to join waitlists and optional product-update emails.
Visitors to merchant websites who interact with embedded Humagician widgets are subject to this policy in addition to any privacy policy published by the merchant.
2. Accountability and Privacy Contact
Humagician, operated by Fluenik, LLC, is responsible for personal information under its control. Fluenik, LLC is a Michigan limited liability company in the United States. For privacy questions, requests, or complaints, contact us at:
- Privacy Contact: Fluenik, LLC Privacy Officer
- Email: [email protected]
- Request label: Please include “Privacy Request” in the subject line so we can route your inquiry promptly.
3. Information We Collect
3.1 Through the login and account forms (app.humagician.com)
When you sign in to the Humagician operator platform, we collect:
- Email address and password-derived authentication data (your password is immediately hashed using industry-standard algorithms; we never store or transmit your plaintext password) to authenticate your identity.
- Session tokens — short-lived access tokens and refresh tokens stored in your browser to maintain your authenticated session. These are not used for tracking or advertising.
- Name and profile information you provide when setting up or updating your operator account.
- Usage and activity data within the platform, such as workspace actions, configuration changes, and feature interactions, to support your account and improve the product.
- Server, application, and security logs — we and our infrastructure providers maintain logs that may include IP address, request metadata, timestamps, device/browser information, and related technical data for security, debugging, fraud prevention, and service reliability.
3.2 Through the Humagician chat widget
When a visitor interacts with the Humagician chat widget embedded on a merchant’s website, we collect and store the following to operate the chat service:
- Name and email address if the visitor voluntarily provides them during the chat session.
- Chat logs — the text of messages exchanged during the session, including AI-generated responses and system messages.
- Browsing history on the merchant’s site — pages visited during the session, used to provide contextually relevant responses.
- Shopping cart data (on supported e-commerce platforms) — a snapshot of items in the cart at the time of the session, used to generate relevant product assistance.
- Timestamps for the session and individual messages.
- IP address (masked) of the device used during the chat session.
- Automation and workflow logs — records of any automated actions (such as order lookups, refund processing, or workflow execution) triggered during the session, including request/response payloads.
- AI usage records — token counts and cost tracking for AI-generated responses during the conversation.
Chat conversations are recorded and retained as chat history so merchants can review prior interactions and continue support conversations. Visitors may request deletion of their chat session data by emailing [email protected]; note that because widget and form data is processed on behalf of the merchant, deletion requests may need to be coordinated with the merchant who controls the data.
3.3 Through Humagician Forms
When a visitor submits a form powered by Humagician on a merchant’s website:
- The details entered in the form (such as name, email address, message content, and any other fields configured by the merchant) are stored in our database.
- Submissions are recorded and retained as submission history, including message content and timestamps, so merchants can review prior form communications.
- This data is accessible only to the specific merchant whose site the form is installed on. Humagician does not sell this data or share it with any other party.
Visitors may request deletion of their submitted form data by emailing [email protected]; as with chat data, deletion may need to be coordinated with the merchant controller.
3.4 Promotional emails
We send promotional emails about our products and updates only with your consent. You may unsubscribe at any time using the link in our emails or by contacting us.
We retain your email address for marketing purposes until you unsubscribe or request deletion.
We use third-party email delivery providers to send communications.
We do not use phone numbers for marketing communications unless explicitly stated.
3.5 Through mailing-list and waitlist subscriptions
When you subscribe to Humagician waitlists or mailing lists (including optional product update emails), we collect information needed to manage your subscription:
- Contact details such as email address and, if provided, name and phone number.
- Subscription metadata such as list membership, consent status (including optional promotional-email consent), and subscribe/unsubscribe timestamps.
- Technical and anti-abuse data such as IP address, browser/device metadata, and captcha verification status when anti-spam checks are enabled.
You can unsubscribe at any time using the unsubscribe link in promotional emails or by contacting [email protected]. We may retain minimal suppression-list data (such as email address and unsubscribe status) to honor opt-out requests and comply with legal obligations.
3.6 Through humagician.com (public website)
On our public-facing website, we collect limited information automatically, including IP address, browser type, device information, and page-visit data. This data is used for security, network management, performance monitoring, and privacy-friendly web analytics.
Specifically, our public website uses Cloudflare for CDN and security services (which processes IP addresses and sets strictly necessary cookies for bot protection), and Umami (self-hosted) for cookie-free, privacy-friendly web analytics (which processes anonymized page-visit data without setting cookies or tracking individuals across sites; all analytics data is processed on our own infrastructure). If you enable the optional anti-spam check on a form, hCaptcha may also process IP address and device information as described in Section 11 below.
3.7 Contact form submissions
Legal basis: We process contact form submissions based on our legitimate interest in responding to inquiries, or your consent where applicable.
Purpose: We use this information solely to respond to your request and communicate with you.
Retention: We retain contact form submissions for up to 1 month unless required longer for an active support matter, security issue, dispute, or legal obligation.
Your rights: You may request access, correction, or deletion of your submitted data at any time by contacting us.
4. Data Roles
Fluenik, LLC acts in different data-protection roles depending on the category of personal data and purpose of processing:
Humagician as controller: For operator account registration and administration, website visitor data, waitlist and contact form submissions, billing and payment data, security and abuse-prevention logging, error diagnostics, product usage analytics, direct marketing communications, and compliance and legal obligations, Fluenik, LLC acts as an independent data controller and determines the purposes and means of processing.
Humagician as processor: For customer content submitted by visitors through embedded chat widgets and forms on merchant websites — including chat transcripts, form submissions, visitor contact details, browsing context, and shopping cart snapshots — Fluenik, LLC acts as a data processor on behalf of the merchant. The merchant, as the data controller, determines the purposes for which this visitor data is processed. The merchant’s own privacy policy governs how they subsequently use and retain this information.
Mixed-role processing: Some data may be processed in both roles. For example, chat logs and form submissions are processed as a processor to deliver the service the merchant directs, and also as a controller for limited purposes such as maintaining service continuity, security monitoring, abuse prevention, debugging, and enforcing our terms. Automation task logs, AI usage records, and notification delivery logs are similarly retained as a processor to provide service functionality, and as a controller for diagnostics, billing, security, and compliance purposes. Visitor IP addresses and session metadata are used as a processor to deliver contextual chat assistance, and as a controller for security and anti-fraud purposes.
The widget uses browser session storage (not localStorage) to maintain your chat session within a single browsing session on the merchant’s site. This is strictly functional and cleared when the session ends or the browser tab is closed. We do not set persistent advertising or tracking cookies through the widget. This is separate from the operator platform (app.humagician.com), which uses localStorage for authenticated session tokens as described in Section 11.
If you are a customer that requires Article 28 GDPR processor terms, our Data Processing Agreement is available at /data-processing-agreement.
5. AI Features and Data Processing
Chat messages and form submissions may be processed by Conversational AI to generate automated responses and suggestions. Automation Workflows may also execute predefined workflow actions and related events configured by the merchant. Messages submitted through the widget or Humagician Forms may also be reviewed by human support agents employed or engaged by the merchant.
Conversational AI features use Microsoft Azure OpenAI Service as our AI provider. When a merchant enables Conversational AI, visitor messages and relevant context are sent to this provider to generate responses, in accordance with the Microsoft Products and Services DPA and contractual data protection terms. Do not submit sensitive personal information (such as payment card numbers, government ID numbers, or passwords) through chat or form fields.
Humagician does not use chat messages, form submissions, or related customer data to train our own generalized AI models. We also use provider controls and contractual terms intended to prevent customer content from being used to train third-party generalized AI models. Specifically: when customer content is submitted through Humagician via Microsoft Azure OpenAI Service (as configured in our production environment), that content is not used by Microsoft to train generalized models, subject to the applicable Microsoft Products and Services DPA. Azure OpenAI Service may retain limited content for short periods for abuse monitoring and safety purposes as described in its data processing terms. If our provider's terms or our configuration change materially, we will update this policy.
For plan usage and billing metrics, Humagician counts AI interactions as follows:
- 1 AI interaction is counted when any AI feature is used in a single chat conversation or ticket thread.
- AI can be used an unlimited number of times within that same chat conversation or ticket thread and it still counts as 1 AI interaction.
- A ticket is counted any time either (a) a chat conversation is opened or (b) a help desk ticket is opened.
These definitions are used for usage measurement and pricing calculations.
6. Service Providers and Vendors
The following third-party service providers process personal data on our behalf or as part of providing Humagician. A full list with transfer mechanism references is published at /subprocessors.
- DigitalOcean — application hosting, managed PostgreSQL database, and managed Redis. Processes operator account data, chat conversations, form submissions, visitor data, and all platform data stored at rest.
- AWS (Amazon S3) — object storage for file attachments, knowledge-base documents, and static assets.
- Microsoft Azure OpenAI Service — AI model hosting and inference. Processes chat messages and conversation context sent for AI response generation when merchants enable Conversational AI features.
- Cloudflare — CDN, DDoS protection, bot management, and DNS. Processes IP addresses, request headers, and sets strictly necessary security cookies on page load across humagician.com, app.humagician.com, and embedded widget requests.
- Sentry — error monitoring and application diagnostics. Receives error reports and associated technical context (such as stack traces, request metadata, and browser/device information) when application errors occur on the Humagician platform and embedded widgets.
- Proton — email communications. Processes email addresses and message content for transactional and support email delivery (such as account verification and privacy request responses).
- hCaptcha (Intuition Machines, Inc.) — anti-spam verification on contact and waitlist forms (consent-gated; not loaded unless the user enables it). Processes IP address and device interaction data when activated. See Section 11 for details.
- Umami (self-hosted) — cookie-free, privacy-friendly web analytics on humagician.com, hosted on our own DigitalOcean infrastructure. Processes anonymized page-visit data (page URL, referrer, browser, OS, and country derived from IP address, which is discarded after processing). Does not track individuals across sites or sessions and does not set cookies. No analytics data is sent to any third party.
7. How We Use Information
- Authenticate and operate your operator account.
- Provide, maintain, and improve the Humagician platform and embedded products.
- Deliver Conversational AI services and Automation Workflows on behalf of merchant clients, including generating AI responses to visitor messages when Conversational AI is enabled.
- Record and retain chat and form data for merchant support workflows.
- Manage waitlists and mailing lists and send product updates where you opt in.
- Respond to support requests and account communications.
- Monitor errors and application performance for diagnostics and reliability.
- Analyze anonymized website usage through privacy-friendly analytics.
- Protect against fraud, abuse, and unauthorized access.
- Comply with legal obligations.
Most of the processing described above is necessary to perform our contract with you (providing the Humagician service) or is carried out under our legitimate interests in operating, securing, and improving our services. Where we rely on consent as the legal basis — specifically for promotional emails, product-update newsletters, and optional hCaptcha anti-spam verification — you may withdraw consent at any time by using the unsubscribe link in promotional emails, disabling the anti-spam check, or by contacting our Privacy Officer. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
Creating an account or submitting a form does not, by itself, constitute consent for all purposes. Account-related and service-delivery processing is based on our contractual relationship and legitimate interests, not consent.
8. Sharing of Information
We do not sell personal information. We do not share personal information with third parties for advertising or marketing purposes. We may share information with service providers that help operate our infrastructure (hosting, security, AI processing, error monitoring, email delivery, and analytics), subject to contractual confidentiality and security obligations. See Section 6 for a description of each service provider and the data it processes.
Humagician chat widget: chat data (transcripts, visitor contact details, session data) is accessible only to the specific merchant whose site the widget is installed on. It is not shared with any other party.
Humagician Forms: form submission data is accessible only to the specific merchant whose site the form is installed on. It is not shared with any other party.
AI provider: visitor messages and conversation context are sent to our AI provider (Microsoft Azure OpenAI Service) solely to generate AI responses. This provider processes data under contractual terms that prohibit training on customer content, as described in Section 5.
Mailing lists and waitlists: subscription data may be processed by service providers that support email delivery and list management on our behalf, subject to contractual confidentiality and security obligations. We do not sell this data and do not share it for cross-context behavioral advertising.
We may also share information where required by law or to enforce our rights.
Our current subprocessor list, including transfer mechanism references, is published at /subprocessors.
If you are a customer and need Article 28 processor terms, our DPA is available at /data-processing-agreement.
9. EU/EEA/UK Article 13 Privacy Notice
If you are in the EU, EEA, or UK, this section provides Article 13 GDPR transparency for personal information we collect directly from you through app.humagician.com and humagician.com. For personal information processed through the Humagician chat widget or Forms on merchant websites, the merchant is responsible for providing primary visitor-facing notice for merchant-directed support processing (as the data controller under Section 4). Humagician independently provides notice here for its own controller-role processing — specifically security monitoring, error diagnostics, abuse prevention, and compliance — as described in Section 4.
- Controller: Fluenik, LLC (acting as controller for account, website, security, diagnostics, analytics, billing, and compliance data; and as processor for merchant customer content used to deliver the service, as described in Section 4).
- Controller contact: [email protected]
- Purposes and legal bases:
  - Performance of contract (Article 6(1)(b)): providing and operating the Humagician platform, processing chat conversations, delivering form submissions, executing Automation Workflows, and generating AI responses under merchant account agreements.
  - Legitimate interests (Article 6(1)(f)): securing our services and preventing abuse; error monitoring and diagnostics; product usage analytics; maintaining service continuity and debugging; enforcing our terms.
  - Consent (Article 6(1)(a)): sending promotional emails and product updates where you opt in; loading optional hCaptcha anti-spam verification when you enable it.
  - Legal obligation (Article 6(1)(c)): complying with applicable legal, regulatory, and accounting requirements.
- Recipients: hosting providers (DigitalOcean), object storage (AWS S3), AI/language model provider (Microsoft Azure OpenAI Service), security and CDN (Cloudflare), anti-spam verification (hCaptcha, consent-gated), error monitoring (Sentry), email communications (Proton), self-hosted web analytics (Umami, on our own infrastructure), and professional advisors where required.
- International transfers: our core services are hosted in the United States, and your information may be transferred to or accessed from the United States or other countries where our subprocessors operate. Where required, we rely on recognized transfer safeguards such as adequacy decisions (including the EU-U.S. Data Privacy Framework where applicable) and/or Standard Contractual Clauses (including required UK and Swiss transfer addenda).
- Retention: see Section 14 for specific retention periods by data category.
- Your rights: subject to applicable law, you may request access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where processing is based on consent.
- Complaint route: you may lodge a complaint with your local supervisory authority. A directory of EU supervisory authorities is available via the EDPB.
- Automated decision-making: we do not use solely automated decision-making that produces legal or similarly significant effects. AI-generated responses and automated workflow actions are provided as tools under merchant control and do not constitute automated individual decision-making under GDPR Article 22.
10. California Notice at Collection (CCPA/CPRA)
At or before the point of collection, we provide this notice describing the categories of personal information collected, the purposes for collection or use, whether personal information is sold or shared, and retention periods.
- Categories collected: identifiers (name, email address, session ID, IP address); authentication credentials (password hash); professional information (company or workspace name); internet/network activity information (browser/device metadata, page interactions, browsing history on merchant sites during widget sessions); mailing-list subscription data (list membership, consent/opt-in status, unsubscribe status, and related timestamps); communications content (chat messages, form submissions); and commercial information (shopping cart data on supported e-commerce platforms).
- Sensitive personal information: we do not intentionally request sensitive personal information. Please do not submit payment card numbers, government ID numbers, or similar data through chat or form fields.
- Business purposes: authenticating and operating operator accounts; delivering Conversational AI services and Automation Workflows to merchant customers; recording and retaining chat and form data for merchant support workflows; managing waitlists and mailing lists; sending product updates where you opt in; error monitoring and diagnostics; protecting services against spam and abuse; web analytics; maintaining unsubscribe and suppression lists; maintaining business records; and complying with legal obligations.
- Sold or shared: we do not sell personal information and do not share it for cross-context behavioral advertising.
- Retention by category: see Section 14 for specific retention periods by data category.
- Right to know, delete, correct, and opt out: California residents may exercise their rights under the CCPA/CPRA by contacting us at [email protected]. You may also designate an authorized agent to submit a request on your behalf; we may require the agent to provide proof of authorization and may separately verify your identity. We will verify your identity before processing requests. We will not discriminate against you for exercising your privacy rights.
11. Cookies and Tracking Technologies
We use a small number of cookies and similar technologies to support security and functionality. We do not use advertising cookies.
- Session tokens — short-lived tokens stored in your browser (localStorage) after login to maintain your authenticated session on app.humagician.com. These are functional, not tracking cookies, and are cleared when you sign out or your session expires.
- Cloudflare cookies (__cf_bm and related __cf_ prefixed cookies, strictly necessary) — our sites are served through Cloudflare, which automatically sets essential cookies to manage bot protection, security, and network performance. These cookies are set on page load, do not track you across sites, and are not used for advertising. They are governed by the Cloudflare Privacy Policy.
- Umami (no cookies, self-hosted) — we use Umami on humagician.com for privacy-friendly web analytics, hosted on our own DigitalOcean infrastructure. Umami does not set any cookies, does not use personal identifiers, and is configured to avoid identifying individual visitors. It processes anonymized page-visit data (page URL, referrer, browser, OS, and country derived from IP). The IP address itself is discarded after processing and is not stored. No analytics data is sent to any third party.
- hCaptcha cookies (optional, consent-gated) — our contact and waitlist forms optionally use hCaptcha to protect against spam and automated abuse. The hCaptcha widget is not loaded, and no hCaptcha cookies are set, unless you explicitly enable the anti-spam check by clicking the “Enable anti-spam check” button on the form. If you enable it, hCaptcha may set cookies (such as hc_accessibility and hmt_id) and may collect IP address, device information, and interaction data for security and anti-bot purposes. These cookies and data collection are governed by hCaptcha's own policies, which describe broader data uses than our summary here; for full details, see the hCaptcha Privacy Policy and hCaptcha Terms of Service. If you do not enable the anti-spam check, no hCaptcha cookies are placed. You may disable the anti-spam check at any time before submitting, which resets and removes the widget.
12. California Do Not Track Disclosure (CalOPPA)
Some browsers include a “Do Not Track” (DNT) setting. Because there is no universal standard for interpreting DNT signals, our website does not currently respond to DNT signals in a uniform way. We do not knowingly allow third-party advertising networks to collect personal information on our properties for cross-site behavioral advertising.
13. Hosting Infrastructure
Humagician is hosted on DigitalOcean App Platform in the United States, with managed PostgreSQL for database services and managed Redis for caching, session management, and real-time messaging. Static assets and object storage use Amazon S3. All infrastructure providers are listed on our subprocessors page.
14. Data Retention
We retain personal information only for as long as needed for the purposes described in this policy, including legal, accounting, and operational requirements. The following retention periods apply:
- Operator account data (name, email, profile, authentication credentials) — retained for the duration of your account. After account deletion, retained in backups for up to 30 days, after which it is permanently deleted.
- Chat conversations and messages (widget chat transcripts, AI responses, system messages) — automatically deleted after 90 days. Merchants can export conversations before deletion.
- Form submissions (InboxMessage data including visitor name, email, message content) — automatically deleted after 90 days. Merchants can export submissions before deletion.
- Visitor profiles and presence data (name, email, browsing context, cart snapshots) — automatically deleted after 30 days.
- Visitor page view history — automatically deleted after 30 days.
- Automation task records (workflow execution logs, Shopify API request/response payloads) — automatically deleted after 90 days.
- AI usage records (token counts, cost tracking, model metadata) — automatically deleted after 90 days.
- AI suggestions and recommendations (AI-generated response suggestions, analyst recommendations, librarian KB suggestions) — automatically deleted after 90 days.
- Analytics snapshots (aggregated daily statistics) — retained for the duration of the merchant's account. No personal data is included in aggregated snapshots. Deleted within 30 days of account deletion.
- Knowledge base and help articles (merchant-authored content) — retained for the duration of the merchant's account. Deleted within 30 days of account deletion.
- Security and diagnostic logs (Sentry error reports, request audit logs) — retained for up to 90 days for security monitoring, error diagnostics, and abuse prevention, unless a longer period is required for an active investigation or legal obligation.
- Contact form submissions (humagician.com) — retained for up to 1 month unless required longer for an active support matter, security issue, dispute, or legal obligation.
- Waitlist and mailing-list records — retained while you remain subscribed. After unsubscribe, we retain minimal suppression-list records (email address and opt-out timestamp) for as long as needed to honor your opt-out and comply with anti-spam laws.
- Web analytics data (Umami, self-hosted) — anonymized and aggregated; no personal data is retained.
15. Data Security
We apply reasonable technical and organizational safeguards designed to protect personal information, including:
- Encrypted transmission (HTTPS/TLS) for all data in transit, including widget traffic.
- Hashed password storage using industry-standard algorithms.
- Encryption at rest for OAuth tokens, API keys, and other sensitive credentials.
- Role-based access controls and least-privilege principles.
- Managed PostgreSQL and managed Redis on DigitalOcean App Platform with automated backups.
- Cloudflare DDoS protection and bot management.
- Application error monitoring via Sentry with access restricted to authorized personnel.
No system can be guaranteed 100% secure. We cannot guarantee absolute security of information transmitted over the internet.
16. Access, Correction, and Challenge Process
You may request access to personal information we hold about you, request corrections, or challenge our compliance with applicable privacy laws by contacting our Privacy Officer at [email protected].
- We may need to verify your identity before processing requests.
- We aim to respond within timelines required by applicable law, including Canadian privacy laws where they apply.
- If you are not satisfied with our response, you may escalate concerns to the appropriate privacy regulator, such as the Office of the Privacy Commissioner of Canada or a relevant provincial or national data protection authority.
17. Regional Rights and Choices
Depending on your location, you may have rights to access, correct, delete, or limit use of your personal information. Submit requests by contacting us at [email protected].
If you receive promotional emails from us, you can unsubscribe at any time by using the unsubscribe link in the message.
For California residents, please see our California Notice at Collection above for CCPA/CPRA-specific rights and procedures.
For EU/EEA/UK residents, please see our Article 13 Privacy Notice above for GDPR-specific rights and procedures.
For Canadian visitors, rights and obligations may vary by jurisdiction, including federal law (PIPEDA) and applicable provincial private-sector privacy laws.
18. Children's Privacy
Humagician services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us at [email protected] so we can delete it promptly.
19. Changes to This Policy
We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised effective date. If we make material changes, we will provide notice through the Humagician platform or by email where practicable.
Where a material change involves a new use of personal data that requires consent under applicable law, we will obtain that consent before the new use takes effect. Your continued use of our services after non-material updates constitutes acceptance of the revised policy; for material changes, we will notify you and, where required, seek your consent.
20. Contact
For privacy questions or requests, contact us at [email protected].