HONCHO — PRIVACY POLICY
Effective Date: April 24 2025 | Last Updated: April 24 2025
This Privacy Policy explains how Plastic Labs, Inc. ("Plastic Labs," "we," "us," "our") collects, uses, discloses, and protects personal data when you or your end-users interact with Honcho—the cloud API, dashboard, and related services we operate (together, the "Services").
It is part of, and governed by, the Honcho Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.
1. Information We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email, company, billing address | You |
| Authentication Data | API keys, OAuth tokens, hashed passwords | You / automated |
| Usage Data | Request logs, IP address, user-agent, timestamps, error traces | Automated |
| Customer Content | Messages, file uploads, embeddings, prompts and other data you or your end-users send to the API (may include personal or sensitive info) | You / your end-users |
| Payment Data | Last 4 digits of card, billing country, transaction IDs | Flowglad (using Stripe as payment processor) |
| Marketing & Analytics | Newsletter preferences, product-update clicks, PostHog event data | Automated |
We do not knowingly collect data about children under 13. You must not allow children under 13 to use the Services.
2. How We Use Information
| Purpose | Legal Basis (GDPR, if applicable) |
|---|---|
| Provide, secure and maintain the Services | Contract |
| Improve, debug and develop features (including non-public fine-tuning on de-identified data) | Legitimate interests |
| Process payments and invoices | Contract |
| Detect, prevent and investigate fraud or abuse | Legitimate interests |
| Send product or marketing communications (you may opt out) | Consent / Legitimate interests |
| Comply with legal obligations (tax, export control, court orders) | Legal obligation |
We never train public large-language models on Customer Content without your explicit opt-in.
3. Sharing & Sub-Processors
We use a small number of trusted vendors ("sub-processors") solely to operate the Services:
| Vendor | Function | Primary Region* |
|---|---|---|
| Supabase | Postgres DB & file storage | United States (default) |
| Fly.io | API hosting | Global anycast (primary US & EU) |
| Flowglad | Billing & payments (using Stripe as payment processor) | United States |
| Groq | Model inference (optional) | United States |
| Anthropic | Model inference (optional) | United States / EU |
| Google Cloud Platform | Model inference (optional) | United States |
| Vercel | Dashboard & docs hosting | United States / EU |
| Sentry | Error tracking | United States |
| Langfuse | Observability / monitoring | United States |
| AWS (S3 / Glacier) | Log-archive storage | United States |
| PostHog | Product analytics | United States / EU |
* "Primary Region" shows where each vendor initially stores or processes data. Some vendors operate globally-redundant systems; contact privacy@honcho.dev if you need region-specific guarantees.
Changes to sub-processors. We may add or replace a sub-processor. If the change materially affects how we handle personal data, we will notify account owners (e-mail or in-dashboard) before the new vendor goes live.
4. International Transfers
Our primary infrastructure is in the United States, so your information will be processed there regardless of your location. By using the Services, you acknowledge and consent to the transfer of your personal data to the United States and any other country where we or our sub-processors operate, as detailed in Section 7.5 of our Terms of Service.
If specific legal mechanisms are required for cross-border data transfers (such as the EU's Standard Contractual Clauses or the U.K.'s International Data Transfer Addendum), we will implement appropriate safeguards before accepting such data.
Plastic Labs has not yet self-certified to the EU-U.S. Data Privacy Framework. We will update this Policy if that changes.
5. Security
- TLS 1.2+ encryption in transit; AES-256 encryption at rest
- Least-privilege IAM with MFA; all production access logged
- Continuous vulnerability scanning and 24 × 7 infrastructure monitoring
- Third-party penetration test performed at least once per calendar year
- Incident-response target: initial assessment within 24 hours of detection
(Honcho is not yet SOC 2 or ISO 27001 certified; those audits are on our 2025 roadmap.)
6. Data Retention
| Data | Default Retention | Deletion |
|---|---|---|
| Account & Billing | While account active + 90 days | Purged after 90 days of inactivity |
| API Logs | 90 days | Deleted from AWS archive on day 91 |
| Customer Content | Configurable; default 90 days | Immediate hard-delete when you issue a "purge" call or delete a workspace |
| Backups | Encrypted snapshots for 90 days | Overwritten on rolling basis |
You may request shorter retention via the dashboard or API where supported.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
| Right | Description | How to exercise |
|---|---|---|
| Access / Portability | Obtain a copy of your personal data in a structured, machine-readable format | Email privacy@honcho.dev |
| Correction | Update inaccurate or incomplete information | Update profile or email support |
| Deletion | Request erasure of your personal data (subject to certain exceptions) | Email privacy@honcho.dev → identity verified → completed within 30 days |
| Restrict / Object | Limit how we use your data or object to certain processing | Email privacy@honcho.dev |
| Opt-out of marketing | Stop receiving marketing communications | Click "unsubscribe" in any message |
| Opt-out of sales/sharing | For California residents: opt out of personal information sales or sharing | Visit privacy settings in dashboard or email privacy@honcho.dev |
We will not discriminate against you for exercising your rights.
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information:
- Right to Know: You can request information about the categories of personal information we collect, the purposes for which we use it, the categories of sources from which we collect it, and the categories of third parties with whom we share it.
- Right to Delete: You can request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out: You can opt out of the "sale" or "sharing" of your personal information, as defined under California law. We do not sell your personal information for monetary consideration, but some data sharing may constitute a "sale" or "sharing" under the broad definitions in California law.
- Shine the Light: California residents may request information about how we share certain categories of personal information with third parties for their direct marketing purposes.
To exercise these rights, please contact us at privacy@honcho.dev. We will verify your identity before responding to your request.
9. Cookies & Tracking
Our website and dashboard use the following cookies:
- Essential cookies: Session management, security, and fraud prevention (cannot be disabled). These cookies typically persist for the duration of your session or up to 30 days for persistent authentication.
- Analytics cookies: We use PostHog to understand product usage and improve our services. These cookies collect information about how you interact with our website, including pages visited and features used.
Visitors in the EU/UK will see a consent banner and can refuse non-essential cookies. We respect Global Privacy Control (GPC) signals from your browser.
We do not serve third-party behavioral advertisements or sell your data to advertising networks.
10. Children's Privacy
The Services are not directed to children under 13, and we do not knowingly collect their data. If we discover that we have inadvertently received such data, we will delete it.
11. Changes to This Policy
We post any changes here and, for material changes, notify account owners at least 30 days in advance. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.
12. Contact Us
Plastic Labs, Inc.
169 Madison Avenue, STE 2703
New York, NY 10016 USA
privacy@honcho.dev | +1 (917) 773-8115
For European users: While we do not specifically target EU users, we welcome them to use our Services. Although we have not appointed a formal EU representative under GDPR Article 27, we remain committed to respecting EU privacy rights. Please contact us directly at privacy@honcho.dev with any EU-specific privacy inquiries.