Privacy Policy

Sixth Hive ("Company", "we", "us", or "our") operates an AI-native professional networking platform. We are the data controller for personal data processed through our Services.

This Privacy Policy applies to all users of the Sixth Hive platform, website, mobile applications, and related services. It describes how we collect, use, store, and share personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Sixth Hive is a data-intensive platform: AI personalization is core to our product. We are transparent about how your data powers these features and give you meaningful controls over what we collect and how it is used.

Information you provide directly:

• Account data: Name, email address, password (PBKDF2-hashed, never stored in plaintext), profile photo
• Profile data: Professional headline, bio, work history, skills, current role, company, location
• Goals & intent: Active fundraising goals, networking objectives, deal preferences, target metrics (e.g. "Raise £5M seed")
• Content: Posts, comments, reactions, messages, connection notes, AI chat history, Hive contributions
• Opportunity data: Opportunities you post, express interest in, or are matched with
• Talent data (Talent AI users): Role briefs, candidate shortlists, outreach messages, saved searches, hiring page content
• Event data: Events you create, attend, bookmark, or share; briefing pins
• Payment data: Billing details processed by Stripe; we store only your Stripe customer ID and subscription status — never card numbers

Data we collect automatically:

• Usage data (pages visited, features used, session duration, click patterns)
• AI interaction signals (accepted/rejected suggestions, message triage outcomes)
• Device and browser information (user agent, screen resolution, OS)
• IP address and approximate location (country/city level only)
• JWT session metadata (token issuance time, expiry, refresh history)
• Real-time connection metadata (WebSocket connection events via Centrifugo)
• Performance and error data (via Sentry and OpenTelemetry)

We use your data to:

• Provide and operate the Services — authentication, profile, networking, messaging (legal basis: contract performance)
• Power AI personalization — Maya companion, triage, scoring, feed curation, Discover matching (legitimate interest / consent)
• Score opportunities against your profile and goals using semantic embeddings and pgvector (legitimate interest)
• Send transactional communications — account confirmation, password reset, billing receipts, security alerts (contract performance)
• Send product updates, newsletters, and platform announcements (legitimate interest; opt-out available)
• Detect and prevent fraud, abuse, spam, and security threats (legitimate interest)
• Improve AI model quality through aggregated, anonymized feedback signals (legitimate interest)
• Analyse platform usage to improve features and user experience (legitimate interest)
• Comply with legal obligations including tax, accounting, and law enforcement requests (legal obligation)

We will never sell your personal data to third parties.

AI personalization is central to Sixth Hive. Here is a transparent breakdown of how your data is processed by AI systems:

• Profile embeddings: Your profile text (headline, bio, skills, experience) is converted into vector embeddings stored in PostgreSQL via pgvector. These embeddings power semantic search and opportunity matching.
• Opportunity scoring: Your active goal and profile embedding are compared against opportunity embeddings to produce a relevance score (0–100). This score is recalculated periodically via background Celery tasks.
• Message triage: Inbound messages may be processed by AI to generate a relevance score and suggested reply. Message content is processed transiently and not stored long-term beyond your conversation history.
• Feed curation: Your engagement history, connection graph, and goals are used to rank feed content. Behavioural signals (likes, saves, views) influence future ranking.
• Discover matching: Network discovery uses embedding similarity between your profile and others to surface aligned professionals.

We use a hybrid AI routing system: tasks are routed between Anthropic Claude models (cloud) and self-hosted Llama-3 8B models (on-premises via vLLM/LiteLLM) based on your subscription tier, task type, and cost. Your data processed by Anthropic is subject to their Data Processing Agreement; data processed by on-premises models never leaves our infrastructure.

We implement prompt cachingon all Anthropic API calls. Static system prompts (including Maya's persona) are cached. Your personal data (goals, profile, messages) is never included in the cached portion. Anthropic does not use data sent via the API to train its models without explicit consent per their API usage policy.

You may opt out of AI personalization in Settings → Privacy. This will significantly limit the usefulness of AI features including Maya, opportunity scoring, and feed curation.

Maya, your AI relationship copilot, maintains a persistent memory to provide continuity across sessions. This memory includes:

• Your active goal(s) — title, target metric, deadline
• Key people Maya has helped you engage with
• Preferences and context you have shared in conversation
• Important facts Maya has extracted from your interactions (e.g. "User is raising at £8M valuation")

Maya memory is stored in our database and processed on every AI call to provide context. You can view, edit, and delete individual memory entries at any time from AI Companion → Memory. Deleting your account deletes all Maya memory.

Chat history with Maya is stored for 90 days by default to enable conversation continuity. You can delete individual conversations or your full chat history from your account settings.

Users of Talent AI features generate additional categories of data:

• Role briefs: Job descriptions, required skills, compensation ranges, hiring criteria — stored and used to generate candidate matches
• Candidate data: Information about professionals you search for, shortlist, or contact via the platform. This data comes from users' public profiles on Sixth Hive.
• Outreach messages: AI-assisted messages sent to candidates are logged for compliance and quality improvement
• Search queries: Your talent search queries and filters are stored to power saved searches and alerts
• Hiring page: Company name, tagline, logo, and job listings you publish on your public hiring page

Candidates (professionals on Sixth Hive) may see that they have been shortlisted or received outreach from a Talent AI user. We do not reveal the identity of recruiters who viewed a profile without initiating contact.

Talent AI users are data controllers for candidate data they process via the platform and are responsible for compliance with applicable employment and data protection laws, including lawful basis for processing candidate data and respecting candidate opt-out preferences.

Your interactions with the Feed generate behavioural signals that are used to improve AI recommendations:

• Posts you view (scroll depth), like, comment on, or share
• Content you explicitly save or bookmark
• AI suggestions you accept, reject, or dismiss
• Opportunities you express interest in or pass on
• Profiles you visit from Discover recommendations

These signals are stored for up to 24 months and used in aggregate to improve recommendation models. You can reset your feed preferences and behavioural signals at any time from Settings. Individual signal deletion is available on request.

Direct and group messages are transmitted in real-time via Centrifugo WebSocket infrastructure and stored encrypted at rest (AES-256) in our PostgreSQL database. We access message content only to: (a) deliver the message to recipients, (b) generate AI triage scores and reply suggestions on your request, (c) detect spam or abuse, (d) comply with legal obligations.

AI triage of messages is opt-in and processes message content transiently — the content is sent to our AI pipeline, a score is returned, and the raw content is not retained by the AI system beyond the processing window.

Hive activity— your posts, reactions, and membership status within Hives — is visible to other Hive members according to the Hive's privacy settings. Hive owners may have access to moderation logs. We may retain moderation action logs for up to 12 months.

We share personal data only with the following categories of recipients:

• Infrastructure & cloud providers: Vercel (web hosting), Google Cloud Run (API hosting), Google Cloud Storage (media) — under Data Processing Agreements
• AI providers: Anthropic (Claude AI models) — data sent only for processing, not model training; governed by Anthropic's DPA
• Payment processing: Stripe, Inc. — billing data only; governed by Stripe's privacy policy and DPA
• Transactional email: Resend — email delivery only; message content not retained beyond delivery
• Notifications: Knock.app or Novu — notification orchestration (push, in-app, email); governed by their respective DPAs
• Error monitoring: Sentry — error reports may contain anonymized stack traces and user IDs; no sensitive personal data is intentionally sent
• AI observability: Langfuse — LLM call tracing and evaluation; governed by their DPA
• Other platform users: Your public profile, posts, and connection status as you configure in your privacy settings
• Legal authorities: When required by law, court order, or to prevent serious harm or fraud
• Business transfers: In the event of a merger, acquisition, or asset sale — you will be notified in advance

We do not share personal data with advertisers or data brokers. We do not allow third-party advertising scripts on authenticated pages.

We retain your personal data for as long as your account is active or as necessary to provide the Services and comply with legal obligations:

• Account & profile data: Retained until account deletion, then purged within 30 days
• Billing records: 7 years (legal requirement under UK tax law)
• Messages: Until deleted by the sender/recipient or account deletion; maximum 3 years for inactive conversations
• Maya chat history: 90 days by default; configurable in Settings
• Maya memory entries: Until manually deleted or account deletion
• AI interaction logs & scoring history: 90 days for individual logs; aggregated analytics retained for 24 months
• Profile embeddings: Deleted within 7 days of account deletion
• Error & performance logs: 30 days maximum in Sentry
• Moderation logs: 12 months

You may request early deletion of specific data categories at any time. See "Your Rights" below.

Under UK GDPR, you have the right to:

• Access: Request a copy of the personal data we hold about you (data subject access request)
• Rectification: Correct inaccurate or incomplete data — most profile data can be edited directly in the app
• Erasure: Request deletion of your data ("right to be forgotten") — we will process within 30 days, subject to legal retention requirements
• Portability: Receive your data in a machine-readable format (JSON/CSV) — request via Settings → Privacy or email
• Restriction: Limit how we process your data in certain circumstances, such as while a dispute is pending
• Object: Object to processing based on legitimate interests, including AI personalization and feed curation
• Withdraw consent: Where processing is based on consent (e.g. marketing emails), withdraw it at any time without affecting prior processing
• Automated decision-making: Request human review of any significant decision made solely by automated means, including AI scoring that affects your access to features

To exercise any of these rights, contact us at dpo@sixthhive.com. We will respond within 30 days (extendable by 60 days for complex requests with notice). You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Essential cookies (always active):

• sh_token — JWT authentication token (HTTP-only, Secure, SameSite=Strict)
• CSRF protection tokens
• Session state and preference cookies

Analytics cookies (opt-out available):

• Usage analytics to understand feature adoption and improve the platform
• Performance monitoring via OpenTelemetry (anonymized)

We do not use:

• Third-party advertising cookies or tracking pixels
• Cross-site tracking or fingerprinting
• Social media tracking buttons on authenticated pages
• Retargeting networks of any kind

You can manage cookies in your browser settings. Disabling essential cookies will prevent authentication and platform use.

We implement industry-standard and beyond-standard security measures:

• Encryption in transit via TLS 1.3 on all connections
• Encryption at rest via AES-256 for database volumes and object storage
• Password hashing with PBKDF2 (compatible with bcrypt; never stored in plaintext)
• JWT tokens with short lifetimes, HTTP-only cookies, and automatic refresh
• Role-based access control (RBAC) for all API endpoints — verified on every request
• CORS policy with explicit allowlists — no wildcard origins
• Content Security Policy (CSP), X-Frame-Options, and security headers on all responses
• Rate limiting on authentication endpoints and AI APIs
• Automated vulnerability scanning in CI/CD pipelines
• Regular security audits and penetration testing
• Idempotent Stripe webhook processing with event ID deduplication
• Staff access to production data is logged, restricted, and reviewed

No system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@sixthhive.com. We operate a responsible disclosure policy and will acknowledge reports within 48 hours.

The Services are not directed to children under 18. We do not knowingly collect personal data from minors. If we become aware that a child under 18 has provided personal data, we will delete it promptly. Contact us at privacy@sixthhive.com if you believe a minor has registered.

Sixth Hive is headquartered in the UK. Your data is primarily processed in the UK and EU/EEA regions. Some service providers operate in the United States (Anthropic, Stripe, Sentry, Resend).

For transfers of personal data outside the UK/EEA, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreements (IDTAs)
• Adequacy decisions where applicable
• Data Processing Agreements with all sub-processors

A full list of sub-processors and transfer mechanisms is available on request at dpo@sixthhive.com.

We may update this Privacy Policy from time to time to reflect changes in our Services, AI features, or legal requirements. We will notify you of significant changes by email and by displaying a prominent notice on the platform at least 14 days before changes take effect.

For material changes that affect how we use your data for AI personalization, we will seek fresh consent where required. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.

For any privacy-related questions, data subject requests, or concerns: