Cloud Privacy

Last updated: 8 July 2026 — DRAFT pending counsel sign-off

DRAFT. This notice is additive to the website/beta Privacy notice — it does not replace or contradict it. It covers the paid, hosted Hive Cloud service only. It becomes operative for a given pilot once the Data Processing Addendum for that pilot is executed.

This page explains what Hive Cloud — the paid, hosted memory-substrate subscription operated by ISANNA TECNOLOGIA LTDA ("isanna", "we") — collects and processes on behalf of a subscribed organization, in addition to the general website/beta notice.

Hive Cloud service data

Two different roles apply to two different kinds of data, and we keep them distinct:

Data categories

Where it lives

Memory content and the hosted database live on Supabase, region us-west-2 (the dedicated isanna-hivemind Postgres project), reached only through the non-bypass, Force-RLS hive_cloud_app connection role — never the Supabase service-role key. Compute (the hosted MCP endpoint and the in-house embedder) runs on Fly.io, region gru.

Retention

Memory content is retained for the life of the active subscription. On cancellation or offboarding it is retained only for the wind-down window stated in the Data Processing Addendum, then erased.

Erasure

Deletion requests (a single memory, a full offboarding, or a data-subject erasure request) are honored as a hard row DELETE against the underlying Postgres table — not a soft/tombstone flag. A content-free, hash-chained ledger entry records that the delete happened (an append-only audit trail containing no memory content, so the ledger itself cannot leak what was deleted). The signed erasure receipt is minted only after the delete has fully completed — if a delete is only partially applied, no receipt is minted and the operation is surfaced as an error rather than silently reported as "erased." (Self-host and Console deployments mint this receipt today; the hosted serve-http delete path receiving the same signed-receipt treatment is a separate, later increment — see the R12 roadmap item — and this notice does not claim hosted-path receipts ahead of that landing.)

International transfer

isanna (the controller of account/commercial data, and processor of tenant memory content) is based in Brazil; the hosted database is in the United States (Supabase us-west-2). This is a Brazil→US international transfer of tenant memory content on the organization's instructions. For EU/EEA personal data specifically: isanna does not onboard EU/EEA personal data into Hive Cloud until a Standard Contractual Clauses (SCC) transfer mechanism (or equivalent) is executed for that customer — this is a hard precondition, not a formality, and is tracked as an open item in the Data Processing Addendum.

Processor list

The only third-party infrastructure subprocessors in the Hive Cloud data path are:

SubprocessorRoleRegion
Fly.ioContainer runtime (hosted MCP endpoint + embedder)gru (São Paulo)
SupabasePersistent memory substrate (Postgres)us-west-2

The embedding model (Ollama mxbai-embed-large) is self-hosted on isanna's own Fly infrastructure and is not a third-party subprocessor. No transactional-email provider is in the Hive Cloud service-data path. This list is kept consistent with hivemind-cloud/SUBPROCESSORS.md and the Data Processing Addendum's Annex A — the three are checked for agreement by claims-CI (subprocessor-consistency) and this page will fail that check if it ever diverges from the other two.

Your rights

For account/commercial data, the same rights and contact channel apply as in the general Privacy notice. For tenant memory content, requests are directed to the subscribed organization (the controller); isanna assists the organization with data-subject requests per the Data Processing Addendum.

Contact

Questions about this notice: legal@isanna.ai.