Cloud Privacy
Last updated: 8 July 2026 — DRAFT pending counsel sign-off
This page explains what Hive Cloud — the paid, hosted memory-substrate subscription operated by ISANNA TECNOLOGIA LTDA ("isanna", "we") — collects and processes on behalf of a subscribed organization, in addition to the general website/beta notice.
Hive Cloud service data
Two different roles apply to two different kinds of data, and we keep them distinct:
- Tenant memory content (what your agents store and retrieve — memory text, embeddings, associated metadata) — isanna acts strictly as a processor. The subscribed organization is the controller of that content; isanna processes it only on the organization's instructions, as detailed in the Data Processing Addendum.
- Account & commercial data (billing contact, invoicing details, subscription administration, support correspondence) — isanna is the controller of this data, in the same way it is controller of beta-application data under the general Privacy notice.
Data categories
- Memory content: the text and vector embeddings your agents write via
hive_add_memory/hive_insert/related tools, plus content-free operational metadata (timestamps, actor/device identifiers, byte counts). - Account/commercial data: organization name, billing contact, invoice records, subscription tier/seat count.
Where it lives
Memory content and the hosted database live on Supabase, region us-west-2 (the
dedicated isanna-hivemind Postgres project), reached only through the non-bypass, Force-RLS
hive_cloud_app connection role — never the Supabase service-role key. Compute (the hosted
MCP endpoint and the in-house embedder) runs on Fly.io, region gru.
Retention
Memory content is retained for the life of the active subscription. On cancellation or offboarding it is retained only for the wind-down window stated in the Data Processing Addendum, then erased.
Erasure
Deletion requests (a single memory, a full offboarding, or a data-subject erasure request) are honored
as a hard row DELETE against the underlying Postgres table — not a
soft/tombstone flag. A content-free, hash-chained ledger entry records that the delete
happened (an append-only audit trail containing no memory content, so the ledger itself cannot leak
what was deleted). The signed erasure receipt is minted only after the delete has fully
completed — if a delete is only partially applied, no receipt is minted and the operation is
surfaced as an error rather than silently reported as "erased." (Self-host and Console deployments mint
this receipt today; the hosted serve-http delete path receiving the same signed-receipt
treatment is a separate, later increment — see the R12 roadmap item — and this notice does not claim
hosted-path receipts ahead of that landing.)
International transfer
isanna (the controller of account/commercial data, and processor of tenant memory content) is based in Brazil; the hosted database is in the United States (Supabase us-west-2). This is a Brazil→US international transfer of tenant memory content on the organization's instructions. For EU/EEA personal data specifically: isanna does not onboard EU/EEA personal data into Hive Cloud until a Standard Contractual Clauses (SCC) transfer mechanism (or equivalent) is executed for that customer — this is a hard precondition, not a formality, and is tracked as an open item in the Data Processing Addendum.
Processor list
The only third-party infrastructure subprocessors in the Hive Cloud data path are:
| Subprocessor | Role | Region |
|---|---|---|
| Fly.io | Container runtime (hosted MCP endpoint + embedder) | gru (São Paulo) |
| Supabase | Persistent memory substrate (Postgres) | us-west-2 |
The embedding model (Ollama mxbai-embed-large) is self-hosted on isanna's own Fly
infrastructure and is not a third-party subprocessor. No transactional-email provider
is in the Hive Cloud service-data path. This list is kept consistent with
hivemind-cloud/SUBPROCESSORS.md and the Data Processing Addendum's Annex A — the three are
checked for agreement by claims-CI (subprocessor-consistency) and this page will fail that
check if it ever diverges from the other two.
Your rights
For account/commercial data, the same rights and contact channel apply as in the general Privacy notice. For tenant memory content, requests are directed to the subscribed organization (the controller); isanna assists the organization with data-subject requests per the Data Processing Addendum.
Contact
Questions about this notice: legal@isanna.ai.