Privacy Policy
Hive Bastion LLC · Version 1.0 · Effective 24 June 2026
1. Who We Are
Hive Bastion LLC ("Hive Bastion," "we," "us," or "our") is a Tennessee limited liability company. For U.S. federal income-tax purposes, Hive Bastion is a disregarded entity. Hive Bastion provides artificial-intelligence ("AI") systems, software, automation, and related professional services to business and enterprise clients.
This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with our website at https://hivebastion.com (the "Site"), our services and software (collectively, the "Services"), and our business operations generally. It also explains the privacy rights available to individuals under United States state privacy laws and how to exercise them.
Mailing / notice address:
Hive Bastion LLC
1556 Hankook Rd Suite A, PMB 1021
Clarksville, TN 37043
Privacy contact: david@hivebastion.com (see Section 16).
This Policy is written to align with the Privacy (P) category of the AICPA SOC 2 Trust Services Criteria, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Tennessee Information Protection Act ("TIPA"), and analogous comprehensive state privacy statutes in Virginia, Colorado, Connecticut, Texas, and other states.
2. Scope of This Policy
This Policy applies to three distinct categories of individuals and data, which are governed by different roles and obligations described in Section 6:
- Site Visitors. Individuals who browse or interact with the Site, submit a contact or inquiry form, or otherwise communicate with us through the Site.
- Client and Enterprise Users. Authorized personnel of our business clients who access, configure, or use the Services on behalf of their organization (for example, account administrators and team members).
- Consumer Personal Data Processed on Behalf of Clients. Personal information of a client's own end users, customers, leads, or prospects that we process on behalf of and under the instructions of that client when delivering the Services. A representative example is consumer information submitted through a real-estate lead-capture form on a client's website or intake system.
For category 3, the client is the controller / business and Hive Bastion is the service provider / processor. We do not determine the purposes for which that data is processed and we handle it only as the client's documented instructions and the parties' written agreement direct. See Section 6.
2.1 Published Policy Is a Gateway, Not the Contract
This Policy is a unilateral, good-faith baseline describing our general privacy practices, made available to you as a condition of access to the Site and the Services. It is a published statement of practice, not a negotiated contract, and it confers no third-party-beneficiary rights. Any client or enterprise engagement is governed by a separate signed written agreement between the parties — which may include a Master Services Agreement and a Data Processing Addendum — and that signed agreement controls in the event of any conflict with this published Policy. Nothing in this Policy limits or expands either party's liability beyond what a separate signed agreement provides; in the event of any conflict, the signed agreement controls.
3. Categories of Personal Information We Collect
We collect the following categories of personal information. Specific elements depend on how you interact with us.
3.1 Account and Contact Information
- Name, business email address, business phone number, employer/organization, job title.
- Account credentials and authentication identifiers for Client and Enterprise Users.
- Communications you send to us (inquiry messages, support requests, correspondence).
- Billing and transaction records relating to a business engagement (we do not store full payment-card numbers — see Section 7).
3.2 Usage and Technical Information
- IP address, device and browser type, operating system, and similar technical identifiers.
- Pages viewed, referring/exit pages, approximate location derived from IP, and dates/times of access.
- Cookie and similar-technology identifiers, subject to our Cookie Policy.
- Server, application, and security logs generated when you use the Site or Services.
3.3 Client-Provided Consumer Personal Information (Processed as a Service Provider / Processor)
When we deliver the Services, a client may route personal information about its own consumers, leads, customers, or contacts through our systems. Depending on the client's configuration, this may include:
- Identifiers such as name, email address, postal address, and phone number.
- Information a consumer submits through a client's intake or lead form (for example, a real-estate inquiry: property interest, budget range, timeline, free-text message).
- Records and content the client directs us to process to perform the Services.
We process this category only on behalf of the client, only to provide the contracted Services, and only as instructed. We do not use it for our own purposes, and we do not use it to train AI models (see Section 5.4 and Section 9). The specific consumer-data fields, flows, and storage locations for any given engagement are confirmed per client and documented in the applicable Data Processing Addendum and Data-Flow & Architecture record.
3.4 Sensitive Personal Information
We do not seek to collect "sensitive personal information" (as defined under CCPA/CPRA) or "sensitive data" (as defined under TIPA and similar laws) about Site Visitors or Client Users for our own purposes. Where a client directs us to process such data as part of the Services, we handle it strictly as a processor under the parties' written agreement and applicable law.
4. How and Why We Use Personal Information
4.1 Site Visitor and Client/Enterprise User Data
We use account, contact, usage, and technical information to:
- Operate, secure, maintain, and improve the Site and the Services.
- Respond to inquiries, provide customer and technical support, and communicate about engagements.
- Establish, administer, and bill for business engagements and maintain business records.
- Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our terms (see our Acceptable Use Policy, and Terms of Service).
- Comply with legal, tax, accounting, and regulatory obligations and to establish, exercise, or defend legal claims.
4.2 Client-Provided Consumer Data
We process client-provided consumer personal information (Section 3.3) solely to perform the Services for the client that provided it, strictly under that client's documented instructions and the parties' written agreement. We do not sell or share it, do not use it for cross-context behavioral advertising, and do not use it for any purpose of our own.
4.3 Legal Bases and Standards
Most U.S. state privacy laws operate on a notice-and-rights model rather than a consent-by-default model. We process personal information where it is reasonably necessary to provide and secure the Services, to pursue our legitimate business interests in a manner consistent with your rights, to perform a contract, or to comply with law. Where a specific processing activity requires consent under applicable law, we (for our own data) or the client (for consumer lead data — see Section 11) obtain that consent.
4.4 No Sale or Sharing of Personal Information
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA and analogous state laws. We have not done so in the preceding twelve (12) months. Because we do not sell or share personal information, where required by applicable law we are designed to treat a recognized opt-out preference signal — including the Global Privacy Control (GPC) transmitted by your browser or device — as a valid request to opt out, which simply confirms a status we already maintain (see Section 8.1.1).
5. Roles, Disclosure to Subprocessors, Retention, Security, and AI
Because this is a public operational document, the following control areas are presented in the Standard / Commitment → Current Implementation Status → Roadmap structure used across Hive Bastion's policy set, so that the reader can distinguish what we commit to from what we have in place today.
5.1 Controller / Processor Roles
Standard / Commitment. For client-provided consumer personal information, Hive Bastion acts as a service provider (CCPA/CPRA) / processor (TIPA and other state laws); the client is the business / controller. We are designed to process such data only on documented client instructions, to assist clients with their own privacy obligations and consumer-rights requests as required by contract, and to flow these obligations down to subprocessors. For Site Visitor and Client User data described in Sections 3.1–3.2, Hive Bastion acts as the business / controller.
Current Implementation Status. Hive Bastion documents processor/controller roles in each engagement's written agreement and Data Processing Addendum. Role designations and data flows are confirmed per engagement and recorded in.
Roadmap. Formalize a standard intake checklist that captures the controller/processor determination, lawful-basis notes, and consumer-rights routing for every new engagement; add periodic review of role designations as the client base grows.
5.2 Disclosure to Subprocessors and Service Providers
Standard / Commitment. We disclose personal information to a limited set of vetted subprocessors and service providers strictly to operate and secure the Site and the Services (for example, cloud hosting, edge/DNS, AI inference, business email, and source-code hosting). Each is engaged under terms designed to require confidentiality, to limit use of the data to the services they provide to us, and — for client consumer data — to honor the processor obligations flowed down from the client agreement. We do not disclose personal information to third parties for their own independent marketing.
Current Implementation Status. Our current subprocessors are published in our Subprocessor List and maintained internally in the Subprocessor Register. Subprocessor risk is governed by our Vendor & Subprocessor Risk Management Policy. The current list includes major U.S. cloud and platform providers.
Roadmap. Implement scheduled subprocessor reassessment, change-notification mechanics for material subprocessor additions (with at least thirty (30) days' advance notice and an objection right where required by the applicable agreement), and contractual flow-down verification at onboarding.
We may also disclose personal information (a) to comply with law, legal process, or lawful governmental requests; (b) to enforce our agreements and protect the rights, safety, and property of Hive Bastion, our clients, or others; and (c) in connection with a merger, financing, acquisition, or sale of assets, subject to the protections of this Policy and applicable law.
5.3 Data Retention — Data Minimization / Transient Pass-Through
Standard / Commitment. Our default data architecture is data minimization with transient pass-through: we are designed to collect only the personal information we reasonably need, to retain it only as long as reasonably necessary for the purposes described here or as required by law, and — where the Services can deliver a result into the client's own system without our retaining the underlying consumer data — to pass that data through without persistent storage on our systems.
Current Implementation Status. Retention practices, schedules, and destruction methods are governed by our Data Retention & Destruction Policy and Data Handling SOP. Where an engagement requires transient pass-through, the specific flow is confirmed per client and recorded in.
Notwithstanding the data-minimization default, any record evidencing a consumer's consent to be contacted (opt-in source, timestamp, identifier, channel, and scope) is retained for the longer of (i) four (4) years or (ii) the period the controlling Data Processing Addendum or written agreement requires, as TCPA/UDAP consent-defense evidence, unless the agreement assigns that retention to the client.
Roadmap. Document per-data-category retention periods in a published retention schedule; implement automated deletion/expiry tooling where feasible; add retention attestation to engagement closeout.
5.4 Security
Standard / Commitment. We maintain a written information-security program and apply commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, and destruction. Our program is designed to align with SOC 2 Trust Services Criteria, NIST CSF 2.0, and ISO/IEC 27001:2022 Annex A control themes.
Current Implementation Status. A public summary of our security posture is published in our Information Security Policy (Public Summary). We are designed to rely on encryption in transit (TLS) and provider-managed encryption at rest, both inherited from our cloud providers and subject to the providers' terms; Hive Bastion does not independently warrant provider controls. We are designed to use individual accounts with multi-factor authentication where supported, and a password manager; current implementation status is described in. No method of transmission or storage is completely secure; we do not represent that our safeguards are impenetrable.
Roadmap. Pursue SOC 2 Type I, expand logging and monitoring coverage, formalize periodic access and risk reviews, and add container vulnerability scanning and independent testing as the organization matures.
5.5 AI Processing Disclosure
Standard / Commitment. Certain Services use AI systems to generate, summarize, classify, extract, or otherwise process content. Hive Bastion does not itself use customer or consumer personal data, or client confidential data, to train, fine-tune, or otherwise improve any AI model (see Section 9). AI outputs are estimates intended for the recipient's professional review, not regulated determinations.
Current Implementation Status. AI inference is currently performed via the Anthropic Claude API. For third-party AI providers, Hive Bastion selects and configures each provider so that, under the provider's then-current terms, submitted content is not used by the provider to train its models by default, and Hive Bastion does not opt into any program that would change that posture. Hive Bastion does not warrant the conduct of third-party providers beyond their published terms; where an engagement requires a contractual no-training commitment stronger than a provider default, that term is captured in the governing Data Processing Addendum. AI governance is addressed in our AI Governance & Acceptable AI Use Policy. The following disclosure applies to AI-generated content produced through the Services:
This document contains content generated, in whole or in part, by AI systems operated by Hive Bastion LLC. AI can make mistakes. Every result herein is an estimate produced for the named recipient's professional review - not a regulated determination, not an underwriting decision, not a rate quote, not legal advice, not medical advice, not investment advice. The named recipient is responsible for the final decision and for verifying any factual claim before acting on it.
Roadmap. Publish an AI transparency summary, formalize human-in-the-loop review expectations per service, and add model/provider change governance.
6. Summary of Roles by Data Category
| Data category | Source | Hive Bastion's role | Primary use |
|---|---|---|---|
| Account / contact (Section 3.1) | Site Visitors, Client Users | Business / Controller | Operate Services, support, billing, security, legal |
| Usage / technical (Section 3.2) | Site, Services | Business / Controller | Secure and improve Site/Services, fraud prevention |
| Client-provided consumer PII (Section 3.3) | Provided by client | Service Provider / Processor | Provide contracted Services only, on client instruction |
7. Cookies and Similar Technologies
The Site uses cookies and similar technologies for essential operation, security, and basic analytics. Details — including categories, purposes, and how to manage preferences — are described in our Cookie Policy. We do not store full payment-card numbers; any payment processing is handled by a third-party payment provider under its own terms.
8. Your Privacy Rights
Depending on your state of residence and applicable law, you may have some or all of the following rights regarding personal information for which Hive Bastion is the business / controller. For client-provided consumer personal information where Hive Bastion is a service provider / processor (Section 3.3), please direct your request to the client that collected the data — the client is the controller and is responsible for responding; we will support the client as required by our agreement and applicable law (see Section 8.4).
8.1 CCPA/CPRA Rights (California Residents)
- Right to Know / Access the categories and specific pieces of personal information we have collected, the sources, purposes, and categories of recipients.
- Right to Delete personal information, subject to legal exceptions.
- Right to Correct inaccurate personal information.
- Right to Opt Out of Sale or Sharing. As stated in Section 4.4, we do not sell or share personal information; there is accordingly nothing to opt out of, but you retain the right.
- Right to Limit Use of Sensitive Personal Information (we do not use sensitive personal information for purposes that would trigger this right — see Section 3.4).
- Right to Non-Discrimination for exercising any privacy right.
8.1.1 Opt-Out Preference Signals (Global Privacy Control)
Where required by applicable law, we are designed to treat a recognized opt-out preference signal, including the Global Privacy Control (GPC) transmitted by your browser or device, as a valid request to opt out of any sale or sharing of personal information for that browser or device, and — where applicable — out of targeted advertising. Because we do not sell or share personal information for cross-context behavioral advertising (Section 4.4), honoring GPC confirms a status we already maintain.
8.2 TIPA and Other State Rights (Tennessee, Virginia, Colorado, Connecticut, Texas, and Similar)
Under the Tennessee Information Protection Act and comparable comprehensive privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states, you may have the right to:
- Confirm whether we process your personal data and access it.
- Correct inaccuracies in your personal data.
- Delete personal data you provided or that we obtained.
- Obtain a portable copy of personal data you provided, in a usable format where technically feasible.
- Opt out of (a) targeted advertising, (b) the sale of personal data, and (c) certain profiling producing legal or similarly significant effects — none of which we engage in for the data we control (see Section 4.4).
- Appeal a refusal to act on a request. If we decline to act on your request, we will notify you of our decision and the reasons. You may appeal that decision within a reasonable time by emailing david@hivebastion.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within the period required by applicable law (generally sixty (60) days), with a written explanation of the action taken or not taken. If your appeal is denied, you may contact your state Attorney General to submit a complaint; for example, the Tennessee Attorney General (Consumer Protection) for Tennessee residents, the California Privacy Protection Agency or Attorney General for California residents, or the corresponding office in your state.
8.3 How to Exercise Your Rights
To submit a request, email david@hivebastion.com with the subject line "Privacy Rights Request" and describe the right you wish to exercise. We will:
- Take reasonable steps to verify your identity before acting, which may require you to confirm information we already hold. We will not use verification information for any other purpose.
- Respond within the timeframe required by applicable law (generally 45 days, extendable as the law permits, with notice to you).
- Honor authorized-agent requests where the law permits and the agent's authority is properly demonstrated. For authorized-agent requests, we may require the agent to provide proof of written authorization signed by you (or a valid power of attorney) and may separately verify your identity and confirm directly with you that you authorized the request, as permitted by law.
- Not discriminate against you for exercising any right.
If we decline to act on your request, you may appeal as described in Section 8.2.
There is generally no fee to exercise these rights, though applicable law may allow a reasonable fee or refusal for manifestly unfounded, excessive, or repetitive requests.
8.4 Requests Concerning Client-Controlled Data
If your personal information was provided to us by a business as part of a service we perform for that business (for example, a lead form you submitted on a real-estate company's website), that business is the controller. Please direct your access, deletion, correction, or opt-out request to that business. If you contact us, we will, where we can identify the controller, refer your request to the appropriate client and assist that client as required by our written agreement and applicable law.
8.5 California "Shine the Light"; No Financial Incentives
California Civil Code § 1798.83 ("Shine the Light") permits California residents to request information about disclosures of personal information to third parties for those parties' own direct-marketing purposes. We do not disclose personal information to third parties for their own direct marketing. We do not offer financial incentives in exchange for the collection, sale, or retention of personal information.
9. AI and Automated Processing; No Model Training
We use AI systems to provide certain Services. Hive Bastion does not itself use customer or consumer personal data, or client confidential data, to train, fine-tune, or otherwise improve any AI model. For third-party AI providers, Hive Bastion selects and configures each provider so that, under the provider's then-current terms, submitted content is not used by the provider to train its models by default, and Hive Bastion does not opt into any program that would change that posture. Hive Bastion does not warrant the conduct of third-party providers beyond their published terms; where an engagement requires a contractual no-training commitment stronger than a provider default, that term is captured in the governing Data Processing Addendum. AI-assisted outputs are produced for the recipient's professional review and are not regulated determinations, underwriting decisions, rate quotes, or professional (legal, medical, financial) advice. The AI-output disclosure in Section 5.5 is incorporated here by reference and applies to AI-generated content delivered through the Services. Our AI practices are further governed by the AI Governance & Acceptable AI Use Policy.
10. Children's Privacy
The Site and Services are intended for businesses and are not directed to children. We do not knowingly collect personal information from children under 16, and we do not target individuals under 16. Consistent with the federal Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13; if we learn we have done so, we will delete it. We do not sell or share the personal information of any consumer, and we do not knowingly sell or share the personal information of consumers we know to be between 13 and 16 years of age (which under the CPRA would require affirmative opt-in consent). If you believe a child has provided us personal information, contact david@hivebastion.com and we will take reasonable steps to delete it.
11. Lead Forms, Consumer Consent, and TCPA
Where the Services include processing of consumer inquiries or leads submitted through a client's website, intake form, or campaign, the client is responsible for obtaining all legally required consents and disclosures from those consumers — including, where applicable, any consent required under the Telephone Consumer Protection Act ("TCPA") and analogous laws for calls or text messages, and any required notice at collection. Consumers may withdraw consent or opt out of communications by contacting the client that collected their information; the client is responsible for honoring such opt-outs. Hive Bastion processes lead data only as the client's processor and as the parties' written agreement directs. Where we process records evidencing consumer consent on a client's behalf, those records are retained as described in Section 5.3 (TCPA/UDAP consent-defense evidence), subject to the allocation set in the applicable Data Processing Addendum.
12. Data Residency
Hive Bastion is designed to process and store personal information in the United States. Certain global infrastructure providers (for example, Google, Cloudflare, and GitHub/Microsoft) may process limited operational or transit metadata outside the United States in the ordinary operation of their global networks. We do not intend to transfer personal information internationally in the ordinary course of providing the Services. If a specific engagement requires the processing of personal data originating in the EEA, UK, or Switzerland, or otherwise requires strict US-only processing or restricts international transfers, any such requirement and any such transfer will be governed by the applicable Data Processing Addendum and an approved transfer mechanism — for example, the European Commission Standard Contractual Clauses (with the appropriate module), the UK International Data Transfer Addendum, and a transfer impact assessment — as documented in the parties' written agreement.
13. Third-Party Sites and Services
The Site may link to third-party websites or integrate with third-party services that we do not control. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. Review the privacy notices of any third-party site or service you use.
14. Data Security and No Guarantee
We apply commercially reasonable safeguards designed to protect personal information, as described in Section 5.4 and in. However, no system, transmission method, or storage method is completely secure, and we cannot and do not represent that personal information will be absolutely protected. In the event of a security incident affecting personal information, we will investigate and, where notification is required, provide notice in the manner and within the timeframes required by applicable law, following our Breach Notification Policy and Incident Response Plan. Nothing in this Policy creates a notification obligation broader than applicable law requires.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will update the "Last Updated" date at the top of this Policy when we make changes. When changes are material, we will take reasonable steps to provide additional notice (for example, a prominent notice on the Site and, for active client engagements, notice in accordance with the applicable written agreement and Data Processing Addendum). The version in effect at the time of your interaction governs. This published Policy is a good-faith baseline; any signed client or enterprise agreement controls in the event of a conflict (see Section 2.1).
16. Contact Us
For privacy questions or to exercise a privacy right:
- Contact: david@hivebastion.com
- Website: https://hivebastion.com
Postal:
Hive Bastion LLC — Privacy
1556 Hankook Rd Suite A, PMB 1021
Clarksville, TN 37043
Hive Bastion LLC is a Tennessee limited liability company. References in this Policy to acts or determinations of "Hive Bastion," "we," "us," or "our" mean acts of Hive Bastion LLC as a company, undertaken in its corporate capacity and not in any individual's personal capacity.