Legal

Privacy Policy

This Privacy Policy explains how Hestia Labs LLP collects, uses, stores, shares, and otherwise processes personal data when you visit our website, join a waitlist, create an account, use our dashboard or APIs, deploy Hestia-compatible devices, interact with support, or otherwise engage with Hestia products and services. It is written for both business and individual users and is intended to align with the current Indian data protection framework while staying close to Hestia's actual operating model.

This Policy should be read together with our Terms of Service and with any separate commercial agreement, enterprise addendum, or implementation document that applies to a particular deployment. A separate contract may set more specific terms for data retention, security cooperation, incident handling, or support workflows for that deployment.

Short Version

Hestia is building local-first, device-aware infrastructure. We therefore try to limit collection to the data needed to operate accounts, secure the platform, maintain devices, troubleshoot problems, improve service reliability, and support lawful business operations. We do not use broad marketing language like "we never collect anything sensitive" where that would be misleading. The actual data involved depends on how you use the Services, what hardware or software you deploy, and whether you or your administrators submit information to us.

Section 01

Overview and Key Principles

Hestia's design philosophy is local-first and security-oriented, but local-first does not mean data-free. Some information is required to provision accounts, authenticate users and devices, maintain service integrity, investigate errors, prevent abuse, process support requests, and comply with applicable law. This Policy describes those flows in plain language and is intended to help users understand both what Hestia actually needs and what Hestia tries to avoid collecting unless there is a clear reason.

Where possible, Hestia seeks to reduce collection, shorten retention, and avoid using operational data for unrelated purposes. At the same time, a platform that coordinates cloud services, edge systems, identity, firmware, and diagnostics must maintain enough records to keep users safe, detect incidents, honor support obligations, and preserve a trustworthy operational history.

Section 02

Scope, Role of Hestia, and Application of this Policy

This Policy applies when Hestia acts as the primary operator of a website, account system, hosted control plane, API service, or customer-facing support workflow. In Indian data protection terminology, Hestia will often act as a data fiduciary in relation to personal data collected directly for our own product, security, legal, and administrative purposes.

In some business deployments, Hestia may also process personal data on behalf of a customer that decides why a particular environment should collect, store, or use the data. In those cases, the customer may have separate duties to provide notices, collect consent where required, and handle rights requests from affected individuals. Hestia may assist within the scope of the applicable contract and technical capability.

This Policy does not apply to third-party websites, apps, services, or hardware that we do not control, even if they are linked from or interoperable with Hestia. It also does not override any processing that a customer performs outside the Hestia environment using exported data or its own independent systems.

Section 03

Categories of Personal Data We Collect

The personal data Hestia may collect depends on your relationship with us. Categories may include identity and contact data such as name, email address, company, job title, account identifiers, and communication preferences; authentication and access data such as login records, role assignments, token events, and security logs; commercial and transaction data such as quotations, invoices, contract contacts, payment status, and support entitlements; and technical data such as IP address, browser type, device model, approximate geolocation derived from network signals, and system performance metadata.

If you use Hestia-hosted dashboards, APIs, firmware services, command interfaces, or device management tooling, we may also process device and environment-related data such as node identifiers, deployment names, health checks, configuration metadata, error traces, command history, event timestamps, software versions, patch status, and network quality indicators. Depending on the implementation, some of that information may be personal data because it relates to an identifiable user, household, administrator, or physical location.

Support interactions may include ticket content, email correspondence, uploaded screenshots, configuration snippets, logs, diagnostic files, or other material you choose to send to us. If you or your administrators provide personal data in free text, we may process that data to investigate the issue, fulfill the request, maintain a case record, and improve support quality.

Section 04

How We Obtain Personal Data

  • directly from you when you contact us, sign up, request a demo, subscribe for updates, or use the Services;
  • from your organization or account administrator when they create or manage your access;
  • from the devices, nodes, SDKs, firmware components, and software agents connected to a Hestia environment;
  • from service providers who help with identity, analytics, communications, hosting, or support infrastructure;
  • from public business sources, referral channels, or professional interactions relevant to legitimate B2B engagement.

We may also infer limited information from technical signals, such as likely session continuity, security risk, or service health. We do not treat every signal as equally important or equally personal, but where a signal can reasonably be tied to an individual or account, we treat it as governed by this Policy.

Section 05

Why We Process Personal Data

Hestia processes personal data for purposes such as:

  • creating and administering accounts, workspaces, and organization access controls;
  • authenticating users, devices, requests, and software actions;
  • provisioning cloud and edge services, distributing software, and maintaining compatibility;
  • monitoring reliability, diagnosing faults, preventing abuse, and maintaining auditability;
  • responding to support requests, incidents, bugs, and operational inquiries;
  • communicating about product changes, legal terms, billing, security, and account administration;
  • developing, testing, improving, and securing current and future Hestia offerings;
  • complying with applicable law, lawful requests, court orders, contractual commitments, and internal governance requirements.

We may also use data in aggregated or de-identified form for service planning, usage analysis, forecasting, product development, and operational reporting where that use no longer reasonably identifies a specific individual.

Section 06

Consent, Notice, and Other Lawful Grounds

Hestia aims to provide notice in clear and practical language and to obtain consent where consent is the appropriate basis for processing under applicable Indian law. In other cases, we may process personal data because the processing is necessary to provide a service you requested, to perform or prepare for a contract, to comply with law, to respond to security risks, or for other legitimate and lawful operational purposes that are compatible with the context in which the data was provided.

Where you provide consent, you may withdraw it by contacting us or by discontinuing the relevant optional feature, subject to legal or technical limitations and the need to continue certain processing for core service operation, recordkeeping, or incident response. Withdrawal of consent does not invalidate processing that took place before the withdrawal became effective.

If you are an organization deploying Hestia in a place where personal data of employees, occupants, visitors, or contractors may be involved, you are responsible for making sure you have the appropriate authority, notice, consent, and workplace policy basis to use the system in that way.

Section 07

Cookies, Similar Technologies, and Website Analytics

Hestia uses browser and device-side technologies that may include cookies, local storage, session identifiers, or similar mechanisms to keep the website functional, remember limited preferences, understand basic traffic patterns, and help protect the site against abuse. Some of these technologies are essential to the operation of a website session. Others support measurement, diagnostics, or experience improvement.

As of the date listed above, the website also loads Google Analytics after interactive page load. Google Analytics may collect information such as page views, browser characteristics, approximate location, device identifiers, and interaction metadata in accordance with Google's own service terms and privacy practices. Hestia uses that information to understand site usage, improve content and navigation, and monitor overall site health.

You can control or limit cookies and similar technologies through your browser settings, privacy tools, device controls, and certain third-party opt-out mechanisms. Restricting cookies may affect site functionality, sign-in continuity, or analytics quality. We do not currently present a separate site-wide cookie preference center on this website.

Section 08

Telemetry, Diagnostics, Voice Features, and AI Inputs

Hestia's platform may process telemetry, diagnostics, command traces, error reports, health status, and related technical signals to keep systems working and to help users understand what occurred within a deployment. Those records may include timestamps, device IDs, node state, software versions, connectivity conditions, and operator-linked activity records. Depending on the deployment, these records can be personal data when they are associated with identifiable users or physical premises.

Where Hestia provides voice, natural-language, or AI-assisted features, the related inputs may be processed to execute commands, interpret intent, answer requests, or troubleshoot failures. Hestia does not state on this page that every such input is always processed entirely locally or never retained. Instead, our position is narrower: raw or richly identifying inputs are intended to be handled as sparingly as possible, retained only for as long as reasonably needed for the feature, support, or security purpose involved, and handled with heightened care where they may reveal personal, sensitive, or household-level information.

If you do not want support personnel to see specific content, do not send that content in support tickets, screenshots, or exported logs unless it is genuinely necessary to resolve the issue. Where feasible, redact unnecessary personal information before sharing files with us.

Section 09

When We Share Personal Data

Hestia may share personal data with the following categories of recipients:

  • service providers that help us host, secure, support, analyze, authenticate, and operate the Services;
  • professional advisers, auditors, insurers, payment handlers, and legal representatives where necessary;
  • our business customers or administrators where they control the account or deployment through which the data was generated;
  • competent authorities, regulators, law enforcement agencies, courts, or other parties where disclosure is required by law or reasonably necessary to protect rights, safety, and system integrity;
  • a purchaser, investor, successor, or restructuring counterparty as part of a merger, financing, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality measures.

We do not state that we "sell personal data" in the colloquial advertising sense often used on consumer internet sites. We may, however, disclose data to vendors and processors that help us operate the business. Those recipients are expected to use the data only for the relevant service they provide to Hestia or as otherwise lawfully permitted.

Section 10

Cross-Border Processing and Storage

Hestia may use service providers, infrastructure, or support workflows that involve processing outside the state, region, or country from which you access the Services. The geographic location of storage or processing may change over time based on vendor arrangements, resilience planning, or operational needs.

When Hestia transfers or permits access to personal data across borders, we seek to do so in a manner consistent with applicable Indian law and with reasonable contractual, technical, and organizational safeguards. If you are a business customer with jurisdiction-specific transfer requirements, those should be addressed in the relevant enterprise or commercial agreement.

Section 11

How Long We Retain Data

Hestia retains personal data for as long as reasonably necessary to fulfill the purpose for which it was collected, to provide the Services, maintain records, resolve disputes, investigate incidents, and comply with legal or contractual obligations. Different categories of data may have different retention periods.

By way of example, account profile and organizational data may be retained while an account is active and for a reasonable follow-on period needed for reactivation, compliance, recordkeeping, or dispute handling; security logs and access records may be retained for operational and legal reasons, commonly up to 180 days or longer where an incident, fraud inquiry, lawful request, or applicable rule requires longer retention; support tickets and attached diagnostics may be retained for as long as needed to close the case and maintain a defensible support history; backup copies may persist for a limited additional period until they cycle out under ordinary backup rotation.

Where deletion, anonymization, or de-identification is reasonably feasible and no longer inconsistent with our obligations or legitimate needs, we will take one of those steps. Some residual records may remain where immediate deletion is not technically practical, where records are embedded in immutable logs, or where preservation is needed for security and legal reasons.

Section 12

Security Safeguards

Hestia uses a combination of administrative, technical, and organizational safeguards intended to protect personal data against unauthorized access, disclosure, alteration, and destruction. These measures may include access controls, role-based permissions, encryption in transit, logging, monitoring, internal review processes, vendor controls, and environment-specific security practices.

Even strong safeguards cannot guarantee perfect security. Users and customers also play a critical role. You should maintain secure devices, use strong and unique passwords, protect recovery channels, apply updates, restrict unnecessary administrator access, and promptly notify us if you suspect compromise of an account, token, device, or Hestia environment.

If you are a business customer and need more detailed security commitments, audit support, or environment-specific controls, those requirements should be handled through a separate commercial and security review process rather than inferred from this public website statement alone.

Section 13

Your Rights and Choices

Subject to applicable law and verification of identity or authority, you may request access to a summary of personal data we process about you, ask us to correct inaccurate or incomplete data, request erasure of data that is no longer required for the applicable purpose, withdraw consent where processing is based on consent, and seek grievance redressal if you believe your data has been handled improperly.

To exercise a privacy-related request, you may contact Hestia at contact@hestialabs.in. Please provide enough detail for us to identify the account, interaction, or deployment concerned. We may request additional information to verify identity or to ensure that we do not disclose data to the wrong person.

Your request may be limited where the law permits or requires us to retain certain records, protect another person's rights, preserve evidence, maintain security logs, or continue processing necessary for the service or for a lawful obligation. If your account is controlled by an organization, we may direct you to the relevant administrator for certain account-level actions while still handling requests that Hestia must answer directly as the service operator.

Section 14

Children and Age-Sensitive Use

Hestia's Services are generally designed for adults, businesses, developers, and authorized operators rather than for children. We do not knowingly create consumer accounts for children or intentionally design general website experiences to solicit children's personal data. If a deployment involves a household, school, shared family environment, or any context in which a child's personal data may be implicated, the responsible adult or deploying organization must ensure that the use is lawful and that any required consent or authorization has been obtained.

If you believe a child has provided personal data to Hestia in a way that should not have occurred, contact us so that we can review the situation and take appropriate steps. Depending on the context, those steps may include restricting access, deleting data where appropriate, or seeking additional verification.

Section 15

Business Accounts, Admin Control, and Workplace Deployments

If your Hestia access is provided by an employer, landlord, facility operator, system integrator, property manager, or another organization, that organization may control the workspace, user roster, role assignments, integrations, and configuration choices associated with your account. Hestia may share account-level and deployment-level data with authorized administrators of that organization as necessary to provide the Services, maintain security, and honor the applicable contract.

Organizations that deploy Hestia into homes, buildings, offices, or operational sites must ensure that they have an appropriate legal basis and internal governance framework for any monitoring, logging, or automation that affects people in those spaces. Hestia does not assume that every deployment is lawful merely because the technology can be configured to do something.

Section 16

Data Breach and Incident Response

Hestia maintains incident response processes intended to detect, assess, contain, and remediate security events. If Hestia becomes aware of a personal data breach affecting data under our control, we will review the incident, take appropriate response steps, and provide notifications where required by applicable law, contractual commitment, or operational necessity.

If you suspect an account compromise, malicious device behavior, exposed token, unauthorized command execution, or another security issue involving Hestia, notify us as soon as possible at contact@hestialabs.in. Timely reporting improves containment and helps us distinguish genuine incidents from transient errors or local environment issues.

Section 17

Third-Party Websites, Apps, and Services

The Hestia website and Services may link to or integrate with third-party websites, code repositories, app providers, analytics services, documentation tools, authentication systems, communications platforms, or hardware vendors. Those third parties operate under their own terms and privacy practices. Hestia is not responsible for the privacy, security, or content practices of a third-party service that we do not control.

Before using a third-party integration or submitting data through an external link, you should review the applicable third-party policies and make an independent judgment about whether the service is appropriate for your use case.

Section 18

Grievance Redressal and Contact Information

Privacy Contact

Hestia Labs LLP
Assam, India
contact@hestialabs.in

General and Security

General questions:
info@hestialabs.in
Security reports:
contact@hestialabs.in

If you have a complaint about how Hestia has processed your personal data, please send us the details by email and include enough information for us to identify the relevant account, interaction, or deployment. We may ask follow-up questions to verify identity, authority, or technical context before processing the request. We aim to review privacy grievances promptly and to provide a reasoned response within a commercially reasonable period.

This page describes Hestia's current public privacy posture. It does not replace a negotiated data processing addendum, enterprise security schedule, or site-specific deployment assessment.

Section 19

Changes to this Privacy Policy

Hestia may update this Policy from time to time to reflect changes in the law, in our products, in vendor arrangements, in security practice, or in the way we process personal data. The updated version will be posted on this page with a revised last-updated date. Where a change is material and affects an active account or business relationship, we may also provide supplemental notice through email, the dashboard, or administrative channels where reasonably practical.

Your continued use of the Services after an updated Policy becomes effective means that the updated Policy will apply going forward, subject to any contractual rights you may have under a separate written agreement and any non-waivable rights available under applicable law.

Privacy requests can be sent to contact@hestialabs.in.