Hideez Privacy Policy
Last Updated: Feb 6, 2026
This Privacy Policy ("Privacy Policy" or "Policy") outlines the principles and practices governing the collection, use, and protection of Personal Information by Hideez Group Inc. ("Hideez", "we", "us", or "our"). We specialize in enterprise-grade identity and access management, and this Policy applies to all interactions with our ecosystem, including:
- The Site: Our website www.hideez.com and all its subdomains.
- The Services: Our hardware (Hideez Key) and software (Hideez Server, Hideez Client, Hideez Authenticator).
- Business Interactions: Communications via email, support tickets, demo requests, and industry events.
We respect your privacy and process data in accordance with applicable laws, including the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This Policy supplements our Terms of Use and our Cookie Policy. If you have questions or concerns regarding this Policy, please contact us at: support@hideez.com
By accessing or using our Services, you acknowledge that you have read and understood the practices described in this Policy.
Section 1: Our Role and Applicability
Section 2: Information We Collect and How We Collect It
Section 3: Purposes of Processing and Legal Bases
Section 4: Data Security and Retention
Section 5: Data Sharing, Disclosure, and International Transfers
Section 6: Third-Party Links and Integrations
Section 7: Your Rights and How to Exercise Them
Section 8: Children’s Privacy
Section 9: Changes to This Privacy Policy
Section 10: Contact Information
Section 1: Our Role and Applicability
To ensure the effective exercise of your data subject rights, it is essential to distinguish between the different roles Hideez assumes depending on your interaction with our Services:
Hideez as a Data Controller (or "Business" under CCPA): We act as a Data Controller when we determine the "why" and "how" of data processing. This applies to:
- Visitors to our Site and individuals who interact with our marketing materials.
- Direct customers who purchase hardware keys for personal use.
- Business contacts representing our clients, partners, or other vendors.
Hideez as a Data Processor (or "Service Provider" under CCPA): When providing Enterprise Services, our corporate clients (e.g., your employer) are the Data Controllers. In this capacity, Hideez processes personal data (such as device identifiers and authentication logs) strictly as instructed by the client to provide the Services. While we minimize data access, Hideez acts as a Processor by hosting and securing the data environment on behalf of the Controller.
Note for end-users: If you use Hideez through your organization, please contact your IT administrator for requests regarding your personal data. Hideez does not independently access, manage, or modify end-user personal data within a customer-controlled instance, except where explicitly authorized for support purposes.
Section 2: Information We Collect and How We Collect It
We collect several categories of information depending on the nature of your interaction with Hideez. We do not engage in the sale of your personal data; all collection is strictly for the purposes of providing, securing, and improving our Services.
2.1. Information You Voluntarily Provide
This category includes data you may submit directly through our Site, during the procurement process, or while seeking support:
- Contact and Professional Identifiers: Full name, business email address, phone number, job title, and company name.
- Transaction and Billing Data: Shipping address, billing address, and organization tax IDs. Note: Financial transactions are processed via our third-party payment processors (e.g., Stripe, Shopify); we do not store full credit card numbers.
- Inquiry and Support Data: Content of messages sent via contact forms, technical support tickets, or communications at trade shows and industry events.
2.2. Information Collected Automatically
When you visit our Site, we capture technical data such as IP addresses, browser types, and access times. During mobile application registration with our corporate server, we collect device-specific identifiers including Device ID, operating system version, and phone model to facilitate secure pairing and management.
To enhance your experience and improve our Site’s usability, we also use cookies and advanced behavioral analytics tools. These technologies may record user interactions, such as mouse movements, scrolling, and navigation paths (session replays), to help us identify and fix technical issues. You may opt out of such tracking at any time by adjusting your preferences in our Cookie Settings.
While basic technical data is part of our security logs, specific details regarding cookie types, behavioral tracking, and your management options are governed by our Cookie Policy.
2.3. Information from Third-Party Sources
To better understand our market and reach potential corporate clients, we may receive information about you from third parties, such as:
- Lead generation partners: Professional databases (e.g., LinkedIn), marketing service providers, and organizers of industry conferences.
- Referral partners: Organizations that may recommend our Services to you.
- Social media platforms: If you interact with our official pages on social media, we may receive public profile information.
2.4. Data Provided by Your Organization
If you are using Hideez as an employee or contractor of our enterprise client, your organization may provide us with your business identity data (e.g., via Active Directory or LDAP integration) to facilitate your access to the platform.
Hideez does not transmit, store, or otherwise possess biometric templates on its servers. The verification process (fingerprint, Face ID, etc.) is performed exclusively within the hardware device’s Secure Element (SE) or the mobile device’s Trusted Execution Environment (TEE), ensuring that biometric templates are isolated from the main operating system and cannot be extracted.
The device conducts a local match and transmits only a cryptographically signed "Yes/No" token to the Hideez Server to authorize access. Because we never have access to your raw biometric templates, they cannot be compromised in the event of a server-side security incident.
2.5. Information Collected via Mobile Application
When you use our mobile application (Hideez Authenticator), we may request access to specific features on your device to provide full functionality:
- Camera: To scan QR codes for pairing devices or logging in. We do not store or transmit any raw video or image data from your camera.
- Push Notifications: To send authentication requests and security alerts. You can manage these permissions in your device settings.
- Crash Reports & Analytics: We may collect anonymized crash logs to identify and fix bugs. This data does not contain your Personal Information.
Section 3: Purposes of Processing and Legal Bases
Hideez processes Personal Information only when there is a valid legal basis under applicable law (such as GDPR or CCPA). This section outlines the purposes for which we process data and the legal grounds for doing so.
Note on End-User Data: As specified in Section 1, when acting as a Data Processor, Hideez processes end-user data (e.g., business identifiers and technical telemetry) solely to fulfill our contractual obligations to the Data Controller. The following table describes processing activities where Hideez acts as a Data Controller for Administrators, direct customers, and Site visitors.
| Categories of Data Involved | Purpose of Processing | Legal Basis |
|---|---|---|
| Contact Identifiers, Account Credentials, Public Keys, Device UDIDs. | Managing your account, activating Hideez Keys, and facilitating secure authentication sessions across your organization’s infrastructure. | Necessary to provide the core functionality of our Services as per our Terms. |
| IP Addresses, Access Logs, API Telemetry, Approximate Geolocation. | Monitoring for suspicious activity, detecting "brute force" or "impossible travel" patterns, and protecting our servers from unauthorized access or DDoS attacks. | Legitimate Interest. Our interest in ensuring the security and integrity of our systems is fundamental to our business and your safety. |
| Hardware Serial Numbers, Firmware Versions, OS Types, Feature Usage Data. | Analyzing technical telemetry to identify bugs, improve firmware stability, and enhance the user experience of our desktop and mobile applications. | Legitimate Interest. Improving our technology ensures we remain competitive and provide a superior security product. |
| Business Email, Phone Number, Support Ticket Content. | Sending critical security alerts, firmware update notifications, invoices, and responding to technical support tickets. | Performance of a Contract (for support) and Legitimate Interest (for security alerts). |
| Publicly available contact info | Identifying and reaching out to professional stakeholders at potential corporate clients to offer our Enterprise Identity solutions. | Legitimate Interest. Conducting marketing and business development within a professional context. |
| Billing Data, Transaction History, Legal Identifiers. | Maintaining financial records, adhering to export control regulations, and complying with lawful government or judicial requests. | Legal Obligation. Mandatory compliance with US and international laws. |
| Email Address, Preferences. | Sending newsletters, promotional offers, and product updates to individual subscribers who have opted in. | Consent. You may withdraw your consent at any time via the "Unsubscribe" link in any email. |
Section 4: Data Security and Retention
4.1. Security Measures
Hideez employs a "Security by Design" and "Security by Default" approach. We implement technical and organizational measures to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. Our security framework includes:
- Encryption Standards: All data in transit is encrypted using TLS 1.2 or higher, while data at rest within our production environments is protected using AES-256 or equivalent industry-standard algorithms.
- Hardware-Level Protection: Our Hideez Keys utilize a Secure Element (SE) to store sensitive cryptographic material. Personal information remains on the local device and is never accessible to Hideez.
- Application Integrity: The Hideez Authenticator app features advanced anti-tampering measures, including Root and Jailbreak detection, OS integrity verification, and protection against unauthorized debugging or emulation. The application may restrict access if a compromised environment is detected.
- Cloud and On-Premise Governance:
  - Cloud: Our services are hosted on Azure in data centers complying with ISO 27001, SOC 2, and PCI-DSS standards.
  - On-Premise: Enterprise clients using Hideez Server maintain full physical and logical control over their data environment; Hideez has no access unless explicitly granted for support.
- User-Managed Backups: Users of the Hideez Client may create local, password-encrypted backups of their credentials. Hideez does not have access to these passwords or files, and users are solely responsible for their secure storage.
4.2. Data Retention
We retain Personal Information only for the period necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required by law (e.g., for tax or regulatory audits).
| Data Category | Retention Period |
|---|---|
| Admin Account Data | For the duration of the active service contract plus 12 months (to allow for account recovery or renewals). |
| Technical & Security Logs | Retained on a rolling basis for 12 months before being automatically deleted or anonymized. |
| Billing & Transaction Records | Up to 7 years to comply with statutory tax and accounting obligations. |
| Marketing Leads & Prospects | Until the individual opts out or after 24 months of inactivity. |
| Customer Support Tickets | 3 years after the resolution of the ticket to ensure continuity of service. |
Section 5: Data Sharing, Disclosure, and International Transfers
5.1. Limited Disclosure to Third Parties
In Enterprise deployments, Hideez does not disclose end-user data to third parties except as required to provide the contracted services or as instructed by the customer acting as Data Controller. Hideez does not sell, rent, or trade your Personal Information. We share data only with a limited number of categories of recipients, and only to the extent necessary to fulfill the purposes described in this Policy:
- Sub-Processors and Service Providers: We engage trusted third-party vendors to support our business operations, such as cloud hosting (Azure) and customer relationship management (HubSpot). These providers are contractually obligated to process data only under our instructions and are prohibited from using it for their own purposes.
- Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your Personal Information may be transferred as part of the transaction. We will notify you via email or a prominent notice on our Site of any such change in ownership.
- Legal and Law Enforcement Requests: We may disclose data if required by law, such as to comply with a subpoena, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
5.2. International Data Transfers (Cross-Border)
As Hideez is a global organization headquartered in the United States with operations and partners worldwide, your information may be transferred to, and processed in, countries other than the one in which you reside.
We ensure that the recipient of your Personal Data offers an adequate level of data protection, and, if required, Standard Contractual Clauses (SCCs) for the transfer of data as approved by the European Commission or UK Secretary of State (as described in Article 46 of the GDPR). In addition to SCCs, we apply technical measures (such as secure encryption) to ensure that your data remains secure during and after the transfer.
Hideez complies with the principles of the EU-U.S. Data Privacy Framework (DPF) regarding the collection, use, and retention of personal information transferred from the European Union to the United States. While we rely on Standard Contractual Clauses (SCCs) as our primary legal mechanism for transfer, we monitor and adhere to the evolving standards of transatlantic data privacy.
Section 6: Third-Party Links and Integrations
Our Site and Services may contain links to third-party websites or integrations (e.g., social media plugins, partner portals). Please be aware that:
- Hideez is not responsible for the privacy practices or the content of such third-party sites.
- We do not endorse or make any representations about third-party websites.
- Any personal data you provide to unrelated third parties is not covered by this Policy. We encourage you to review the privacy policy of any company before submitting your Personal Information.
Section 7: Your Rights and How to Exercise Them
7.1. For Administrators and Direct Customers
If you are an administrator managing a Hideez Enterprise Server or a direct purchaser of our Services, you are a Data Subject in a direct relationship with Hideez. You have the following rights:
- You can request a copy of the administrative contact data we hold about you or request its correction.
- You may request the deletion of your administrative account at any time if you no longer wish to use Hideez Services.
- Administrators and direct users can initiate the termination of their relationship with Hideez. Please note that deleting an administrative account may result in the immediate loss of access to the management console and associated Services for the entire organization.
To exercise your rights, you may send your request to support@hideez.com from the email address associated with your administrative account. Since we only hold data for registered administrators, we will verify your identity by cross-referencing your request with our active administrative records. We cannot fulfill requests that cannot be verified.
7.2. For Enterprise End-Users
If you use Hideez Services as part of your employment or under a corporate subscription managed by your organization, please note that your organization is the "Data Controller" of your personal information. Hideez acts as a "Data Processor" on their behalf.
You should direct your requests to exercise data rights (such as access, correction, or deletion) to your organization’s IT administrator. We cannot process requests regarding corporate data without the authorization of the Data Controller. We will assist your organization in fulfilling these requests as required by law.
7.3. Statutory Rights and Frameworks
Depending on your jurisdiction, such as the EU/UK under the GDPR or California under the CCPA/CPRA, you may exercise specific rights regarding your Personal Information, including the rights of access, rectification, erasure, and data portability.
In compliance with California law, we disclose that in the preceding 12 months, Hideez has not "sold" personal information for monetary compensation, although we may "share" identifiers and internet activity with third-party analytics providers to optimize our Services.
To ensure the security of your data, we will take reasonable steps to verify your identity before granting access or making any corrections to your records. Once a request is verified, we commit to responding within the statutory timeframes, which are typically 30 days for GDPR requests and 45 days for CCPA requests.
Section 8: Children’s Privacy
Our Services are professional tools intended for institutional and adult use. We do not knowingly collect Personal Information from individuals under the age of 16. If we become aware that a child under 16 has provided us with data, we will take immediate steps to delete such information from our production environments.
Section 9: Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make changes, we will update the "Last Updated" date at the top of this Policy.
If we make material changes that significantly affect your privacy rights, we will provide a more prominent notice, such as:
- Sending an email notification to the address associated with your account;
- Displaying a notice within our Services or on our website before the change becomes effective.
We encourage you to review this Policy periodically. Your continued use of our Services after any changes signifies your acknowledgment of the updated terms.
Section 10: Contact Information
If you have questions, concerns, or wish to exercise your rights, please contact our Data Privacy Team:
Hideez Group Inc.
3 Germay Dr, Unit 4 #1081, Wilmington, DE 19804, USA.
Email: support@hideez.com