Privacy Policy

This Privacy Policy ("Policy") describes how Henon Financial Technologies Inc. and its subsidiaries and affiliates (collectively, "Henon," "Company," "we," "us," or "our") collect, use, disclose, and otherwise process personal information in connection with our websites, including henon.ai and any sub-domains (the "Websites"), our cloud-based financial infrastructure platform and related products (the "Platform"), and any other services, sales, marketing, or events that reference this Policy (collectively, the "Services").

Henon provides enterprise software infrastructure to institutional investors, private equity firms, private credit managers, fund administrators, and other financial services organizations. This Policy applies to personal information we collect from visitors to our Websites, prospective and current clients, authorized users of our Platform, business partners, and job applicants. It does not apply to information processed by Henon on behalf of our clients in our capacity as a data processor or service provider — that processing is governed by the applicable Data Processing Agreement ("DPA") between Henon and the client.

By accessing or using our Services, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please discontinue use of our Services. We encourage you to review this Policy periodically, as we may update it from time to time.

1. Our Role: Data Controller vs. Data Processor

Henon operates in two capacities depending on the context of data processing:

Data Controller

When you visit our Websites, request a demo, subscribe to our communications, apply for a job, or otherwise interact with us directly, Henon acts as the data controller. We determine the purposes and means of processing your personal information and are responsible for compliance with applicable data protection laws.

Data Processor / Service Provider

When our clients use the Henon Platform to process financial data, portfolio information, or other data that may include personal information of their employees, investors, or counterparties, Henon acts as a data processor (or "service provider" under the CCPA). In this capacity, we process personal information solely on behalf of and under the instructions of our clients. The terms of such processing are governed by the Data Processing Agreement executed between Henon and the client, not this Policy. If you are an individual whose data is processed through the Henon Platform by one of our clients, please contact that client directly regarding your privacy rights.

2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide to us, including when you request a demo, create an account, fill out a form, subscribe to our newsletter, attend an event, apply for a position, or otherwise communicate with us. This information may include:

• Identity and Contact Data: Full name, email address, phone number, mailing address, job title, company name, and professional role.
• Account Data: Username, password (stored in hashed form), account preferences, and authentication credentials.
• Transaction Data: Billing address, payment method details (processed by our third-party payment processor — we do not store full payment card numbers), purchase history, and subscription information.
• Communications Data: The content of messages you send to us, feedback, survey responses, and any other information you choose to provide in correspondence.
• Employment Application Data: Resume/CV, cover letter, work history, education, references, and any other information submitted through our careers portal.

2.2 Information Collected Automatically

When you visit our Websites or use our Services, we automatically collect certain technical and usage information, including:

• Device and Browser Data: IP address, browser type and version, operating system, device type, device identifiers, screen resolution, and language preferences.
• Usage Data: Pages visited, links clicked, time spent on pages, referring URL, navigation paths, features used, search queries, and other interactions with our Services.
• Log Data: Server logs that record requests made to our servers, including timestamps, HTTP method, response codes, and diagnostic information.
• Location Data: Approximate geographic location inferred from your IP address. We do not collect precise GPS-based location data.
• Cookie and Tracking Data: Information collected through cookies, web beacons, pixels, and similar technologies as described in Section 8 below.

2.3 Information from Third-Party Sources

We may receive personal information about you from third-party sources, including:

• Business Partners and Referrals: Information provided by partners, resellers, or other individuals who refer you to our Services.
• Public and Commercial Sources: Business contact information from publicly available sources, industry databases, and data providers for sales and marketing purposes.
• Social Media Platforms: If you interact with us on platforms such as LinkedIn, we may receive profile information consistent with your privacy settings on those platforms.
• Authentication Providers: If you use single sign-on (SSO) or OAuth-based authentication to access our Platform, we receive identity information from the authentication provider as necessary to verify your identity and provision your account.

3. How We Use Your Information

We use the personal information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve our Services, including account provisioning, technical support, and Platform functionality.
• Communications: To respond to your inquiries, send transactional communications (e.g., account confirmations, security alerts), and, where permitted, send marketing communications about products, services, and events that may be relevant to you.
• Security and Fraud Prevention: To detect, investigate, and prevent security incidents, unauthorized access, fraud, and other malicious activity, and to protect the rights and safety of Henon, our clients, and others.
• Analytics and Improvement: To understand how our Services are used, identify trends, measure the effectiveness of our marketing, and improve user experience and product functionality.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, and to establish, exercise, or defend legal claims.
• Business Operations: To manage our business, including financial reporting, internal auditing, and corporate transactions such as mergers, acquisitions, or asset sales.
• Recruitment: To evaluate job applications, conduct background checks where permitted, and manage the hiring process.

We do not sell your personal information to third parties for monetary consideration. We do not use personal information for automated decision-making that produces legal or similarly significant effects on individuals without appropriate safeguards.

4. Legal Bases for Processing (EEA/UK/Switzerland)

If you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, we process your personal information only when we have a valid legal basis to do so. The legal bases we rely on include:

• Performance of a Contract: Processing necessary to perform our obligations under a contract with you or to take pre-contractual steps at your request (e.g., providing the Services, managing your account).
• Legitimate Interests: Processing necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include operating and improving our Services, marketing our products, ensuring security, and preventing fraud.
• Consent: Where you have given clear, informed consent for specific processing activities, such as receiving marketing communications or the use of certain non-essential cookies. You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with a legal obligation to which we are subject, such as tax reporting, regulatory compliance, or responding to lawful government requests.

5. Sharing and Disclosure of Information

We do not sell, rent, or trade your personal information. We may share your personal information in the following circumstances:

• Service Providers and Sub-Processors: We engage trusted third-party companies and individuals to perform services on our behalf (e.g., cloud hosting, payment processing, analytics, customer support tools, email delivery). These providers are contractually obligated to use personal information only as necessary to provide services to us and in accordance with this Policy.
• Affiliates: We may share information with our subsidiaries and corporate affiliates for purposes consistent with this Policy, including internal administration and provision of Services.
• Business Transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal information may be transferred to the acquiring entity or successor. We will provide notice before personal information becomes subject to a different privacy policy.
• Legal Requirements: We may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable law, respond to a court order, judicial or other government subpoena, or warrant, or to cooperate with law enforcement or regulatory authorities.
• Protection of Rights: We may disclose personal information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our terms of service, suspected fraud, situations involving potential threats to the physical safety of any person, or as evidence in litigation in which we are involved.
• With Your Consent: We may share your personal information for any other purpose disclosed to you at the time we collect the information or pursuant to your consent.

6. Sub-Processors and Third-Party Services

Henon uses a limited number of sub-processors to deliver our Services. These sub-processors are carefully vetted for their security practices, data protection capabilities, and compliance with applicable regulations. Categories of sub-processors include:

• Cloud Infrastructure: We host our Platform and data on enterprise-grade cloud infrastructure providers that maintain SOC 2 Type II, ISO 27001, and other relevant certifications.
• Payment Processing: Payment transactions are handled by PCI DSS-compliant payment processors. Henon does not store, process, or transmit cardholder data directly.
• Analytics and Monitoring: We use analytics services to understand usage patterns and improve our Services. Where possible, we use privacy-preserving configurations (e.g., IP anonymization).
• Communication Tools: We use email delivery services and customer relationship management platforms to manage communications with prospects and clients.

Enterprise clients may request a current list of sub-processors and will be notified of material changes to our sub-processor list in accordance with the terms of their DPA.

7. International Data Transfers

Henon is headquartered in North America with offices in the United States, Canada, the United Kingdom, and Ireland. Your personal information may be transferred to, stored in, and processed in countries other than your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal information from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:

• Standard Contractual Clauses ("SCCs") approved by the European Commission.
• The UK International Data Transfer Agreement or Addendum, as applicable.
• Binding Corporate Rules, where applicable.
• Any other transfer mechanism recognized under applicable data protection law.

You may request a copy of the applicable transfer safeguards by contacting us at the address provided in Section 21.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Websites, remember your preferences, understand how our Services are used, and deliver relevant content. The categories of cookies we use include:

• Strictly Necessary Cookies: Essential for the operation of our Websites (e.g., session management, authentication, security). These cookies cannot be disabled.
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and settings.
• Analytics Cookies: Help us understand how visitors interact with our Websites by collecting and reporting information anonymously or in aggregate.
• Marketing Cookies: Used to track visitors across websites and display relevant advertisements. We use these only with your consent where required by law.

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling certain cookies may affect the functionality of our Websites. For more information, see our Cookie Notice (if published separately) or contact us.

9. Artificial Intelligence and Machine Learning

Henon's Platform incorporates artificial intelligence and machine learning capabilities, including our henonGPT product. It is important to understand how data is used in connection with these features:

• Client Data Isolation: Each client's data is logically isolated. We do not commingle client data across accounts, and one client's data is never used to train models that serve another client.
• No Training on Client Data: Henon does not use client-submitted data to train general-purpose AI or machine learning models unless a client has provided explicit, informed consent under a separate agreement.
• Deterministic Outputs: Our AI systems are designed to produce verifiable, deterministic outputs grounded in source data. We do not rely on probabilistic AI outputs for financial calculations or reporting without human verification safeguards.
• Third-Party AI Providers: Where we use third-party AI services (e.g., large language model providers), we ensure that client data is not used by those providers to train their models, and we maintain contractual protections to that effect.

10. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. Retention periods are determined based on:

• The nature of the personal information and the purposes for processing.
• Applicable legal, regulatory, and contractual obligations (e.g., financial record-keeping requirements, statute of limitations periods).
• Whether the information is necessary to establish, exercise, or defend legal claims.
• Legitimate business needs, such as maintaining backups for disaster recovery.

When personal information is no longer required, we securely delete or anonymize it. If deletion is not immediately possible (e.g., because the information is stored in backup archives), we isolate the information and apply protective measures until deletion is feasible.

For Platform data processed on behalf of clients, retention and deletion are governed by the applicable client agreement and DPA. Upon termination of a client relationship, we will delete or return client data in accordance with the agreed terms.

11. Data Security

Henon takes the security of personal information seriously. We implement and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Key measures include:

• Encryption: Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
• Access Controls: Role-based access controls, multi-factor authentication, and the principle of least privilege are enforced across our systems.
• Infrastructure Security: Our Platform is hosted on enterprise-grade cloud infrastructure with network segmentation, intrusion detection, and continuous monitoring.
• Security Assessments: We conduct regular vulnerability assessments, penetration testing, and security audits. Our security practices are evaluated through independent third-party assessments.
• Employee Training: All employees receive security awareness training and are subject to confidentiality obligations.
• Incident Response: We maintain a documented incident response plan that is tested and updated regularly.

Despite our efforts, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Henon will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by the GDPR and other applicable laws.

Where a breach is likely to result in a high risk to individuals, we will also notify affected individuals directly, providing information about the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.

For breaches involving data processed on behalf of clients, Henon will notify the affected client in accordance with the timeframes and procedures set forth in the applicable DPA.

13. Your Privacy Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. These rights may include:

• Right of Access: The right to request confirmation of whether we process your personal information and to obtain a copy of that information.
• Right to Rectification: The right to request correction of inaccurate or incomplete personal information.
• Right to Erasure: The right to request deletion of your personal information, subject to certain exceptions (e.g., legal retention obligations).
• Right to Restrict Processing: The right to request that we limit the processing of your personal information in certain circumstances.
• Right to Data Portability: The right to receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to Object: The right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within the timeframe required by applicable law (generally 30 days, extendable in certain circumstances). We may need to verify your identity before processing your request.

14. Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 13 above under the General Data Protection Regulation ("GDPR") and applicable local implementing legislation. In addition:

• You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. For the UK, you may contact the Information Commissioner's Office (ICO). For Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC).
• Where we rely on legitimate interests as a legal basis, you have the right to object, and we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• We will not subject you to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, unless we have your explicit consent, the processing is necessary for a contract, or it is authorized by applicable law with appropriate safeguards.

15. Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), provides you with specific rights regarding your personal information:

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.
• Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: Henon does not sell personal information for monetary consideration. We do not "share" personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
• Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information, you have the right to limit its use to purposes permitted under the CCPA/CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a request, please contact us at [email protected] or call us at +1 833 232 3230. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf.

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: identifiers, commercial information, internet or other electronic network activity information, geolocation data (approximate), and professional or employment-related information. These categories are collected from the sources and for the purposes described in Sections 2 and 3 of this Policy.

16. Rights for Canadian Residents (PIPEDA)

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation provide you with rights regarding your personal information, including the right to access, correct, and withdraw consent for the collection, use, or disclosure of your personal information. You may also file a complaint with the Office of the Privacy Commissioner of Canada.

Henon obtains consent for the collection, use, and disclosure of personal information as required by PIPEDA. Consent may be express or implied depending on the sensitivity of the information and the reasonable expectations of the individual. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us at [email protected].

17. Children's Privacy

Our Services are designed for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take reasonable steps to delete such information promptly. If you believe we may have collected information from a child under 18, please contact us at [email protected].

18. Do-Not-Track Signals

Some web browsers transmit "Do-Not-Track" ("DNT") signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to DNT browser signals. However, you can manage your tracking preferences through your browser's cookie settings and through any cookie consent mechanism we provide on our Websites. We will update this Policy if a uniform DNT standard is adopted.

19. Third-Party Links

Our Websites and Services may contain links to third-party websites, services, or applications that are not operated by Henon. This Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you visit. Henon is not responsible for the privacy practices or content of third-party websites.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The "Last updated" date at the top of this Policy indicates when it was most recently revised. If we make material changes, we will provide notice through our Websites, by email, or by other means as required by applicable law. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Policy.

21. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you are located in the EEA or UK and wish to contact our representative, or if you have an unresolved privacy concern that we have not addressed satisfactorily, you may contact your local data protection authority as described in Section 14.