Privacy

Your audio, your data, your region.

This is the canonical privacy policy that governs your use of Hakim's marketing site, API, dashboard, and all related services. Last updated 1 April 2026.

Plain-English summary

If you're short on time: we process the audio and text you send us solely to return a transcript or a generated voice. We never train on your production traffic. You choose the region your data sits in (EU-Frankfurt, UAE, KSA, or Qatar) and it does not leave it. We sign DPAs and BAAs on request. You can delete your workspace and all its recordings with a single API call.

1. Who we are

Hakim is operated from the United Arab Emirates. For data-protection purposes, Hakim is the data controller for account-holder information (your name, billing contact, usage logs) and the data processor for customer content (the audio and text you send through the API). For questions about this policy, write to privacy@tryhakim.ai; a privacy-trained engineer responds within two business days.

2. What we collect

Account data
Email address, full name, workspace/organization name, billing address, and the password hash Auth.js issues when you sign up with email. We also keep a hashed record of the API keys you create so we can authorise requests without storing the plaintext secret.
Customer content
The audio bytes you send to Hakim Arab v2 for transcription and the text you send to Hakim Fast v1.3 for speech synthesis. We also keep the resulting transcripts and the generated audio for the retention window below; this is what powers the "replay last 10 requests" feature in the dashboard.
Telemetry
Request metadata: timestamp, model ID, region ID, latency, byte count, HTTP status, client IP hash, and the workspace the request belongs to. This is what appears on your usage dashboard and powers quota enforcement. We do not log request bodies or response bodies as part of telemetry.

3. Why we collect it

Account data authenticates you, lets us bill you, and lets us email you about incidents you care about. Customer content is processed exclusively to fulfil the API call you made. Telemetry drives rate limiting, anomaly detection, and the health indicators on the status page. We do not train any model on your traffic; our training corpus is contractually licensed separately, as documented in our DPA.

4. Where your data lives

You pick a region at workspace creation time. Today we operate four live regions: UAE, KSA, Qatar, and EU-Frankfurt (eu-central-1). Every request you make (audio in, transcript/audio out) is processed entirely inside that region. We do not silently route cross-region. The only exception is account-level data (your email, billing address), which sits in GCC-UAE for all customers because that's where our billing system is homed; we disclose this up front rather than claim a blanket residency promise we can't keep.

5. How long we keep it

Customer content has a default 30-day retention window so replay and debugging work. Enterprise contracts can override this to zero-retention or a fixed window up to 180 days. Telemetry and account data are retained for the lifetime of your account plus 12 months for tax and dispute resolution. When you delete your workspace, we purge customer content within 72 hours and scrub telemetry within 30 days; both operations are recorded on your deletion receipt.

6. Who we share it with

We share customer content with three classes of subprocessors: our hyperscaler for compute (AWS in EU-Frankfurt; regional partners in GCC), our billing provider (Stripe for credit cards, bank partners for invoicing in KSA/UAE), and our observability vendors (Sentry for errors, Datadog for infra metrics). The complete subprocessor list lives at /compliance with its own change-notification track. We never sell data, we do not accept advertising contracts, and we do not share customer content with law enforcement absent a valid subpoena addressed to Hakim under UAE law.

7. How we secure it

TLS 1.3 on the wire, AES-256-GCM at rest on both S3 and RDS, SOC 2 Type II audit engagement in progress, and quarterly third-party penetration tests against the API and dashboard. All production access is logged, reviewed weekly by the on-call engineer, and gated behind FIDO2 hardware keys. Incident response has a 24-hour notification commitment for any confirmed customer-content breach.

8. Your rights

If you're in the UAE, KSA, EU, or another jurisdiction with similar privacy laws, you have a legal right to access, correct, port, or delete the personal data we hold about you, and to object to specific processing. The dashboard exposes self-serve export and delete actions for account-holder data; customer content is removed by the workspace deletion flow. If neither of these covers you (for example, you're a former contractor asking about old records), write to privacy@tryhakim.ai and we respond within 30 days.

9. Cookies & analytics

We use one first-party session cookie (`__Secure-hakim-session`) and one CSRF token (`__Host-hakim-csrf`), both strictly necessary. We do not run third-party advertising pixels. Optional product analytics run through PostHog in our EU cluster and are anonymous unless you opt in via the cookie banner. The exact cookie inventory and the purpose of each cookie are listed on /compliance.

10. Changes to this policy

Material changes are announced 30 days in advance by email to every workspace owner and in the changelog under the `privacy` tag. Continued use after the effective date constitutes acceptance. Non-material changes (typos, clarifications, subprocessor additions with equivalent commitments) ship immediately but are still listed in the changelog.

11. Contact

Privacy questions: privacy@tryhakim.ai. Security reports: security@tryhakim.ai. Compliance questionnaires: compliance@tryhakim.ai. For postal correspondence, email legal@tryhakim.ai and we'll share the registered address for the United Arab Emirates entity.