Horlio Privacy Policy

Last Updated: July 11, 2025

1. Introduction

Welcome to Horlio. Your privacy, along with the security of every workspace and LinkedIn seat operated through our platform (the "Platform"), guides everything we build. This Privacy Policy describes how ever-growing GmbH ("Horlio", "we", "our", "us") collects, uses, discloses, and otherwise processes Personal Data when we act (a) as a data controller for our own business purposes and (b) as a data processor on behalf of customers who configure missions inside the Platform ("Customers").

We designed this document to meet the notice requirements of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the Swiss FADP, and relevant U.S. state privacy statutes. Where definitions differ, the stricter term applies.

Plain-English Promise

We never sell Personal Data. Horlio accesses publicly available LinkedIn information solely under your instruction, for the purpose of executing the missions you create. Our own analytics uses only aggregated or de-identified information.

2. Key Definitions

Term | Meaning
Personal Data | Any information that identifies or relates to an identifiable individual.
Mission Data | LinkedIn profile, post, reaction, and messaging data retrieved and processed by the Horlio AI Agent under a Customer’s instruction.
Controller | The entity that determines the purposes and means of processing Personal Data.
Processor | The entity that processes Personal Data on behalf of a Controller.
Legitimate Interest Assessment (LIA) | A documented three-step test (purpose, necessity, balance) required when the legal basis for processing is legitimate interest under Art. 6(1)(f) GDPR.

3. Our Role: Controller vs. Processor

Horlio as Data Controller: For information you provide directly to us to create and manage your workspace (like your name, email, and payment details), we are the Data Controller. We determine the purposes and means of processing this data.

Horlio as Data Processor: For all Mission Data, you are the Data Controller, and we are your Data Processor. We process this data solely on your behalf and according to your documented instructions. A standard Data Processing Agreement ("DPA") compliant with Art. 28 GDPR is automatically incorporated into our Terms of Service.

4. Categories of Personal Data We Collect

  • Workspace Information: Name, email address, hashed password, company name, and seat allocations.
  • Payment Information: Collected and processed exclusively by our payment processor, Stripe Inc. Horlio never stores full card numbers.
  • Mission Data (Processor role): Public LinkedIn data such as names, headlines, posts, reactions, and comments that you instruct the AI Agent to process.
  • Support & Communications: Records of chats or emails with our support team.
  • Device & Usage Data: IP address, browser type, operating system, and event logs for fraud-prevention and service monitoring.

5. Purposes & Legal Bases for Processing

Purpose | Legal Basis (GDPR)
Provide, secure, and maintain the Platform | Art. 6(1)(b) – contract performance
Billing and account management | Art. 6(1)(b) & (c) – contract & legal obligation
Product analytics & feature development (aggregate data) | Art. 6(1)(f) – legitimate interest
Marketing communications (B2B) | Art. 6(1)(f) – legitimate interest; opt-out any time
Processing Mission Data (on your behalf) | Art. 6(1)(f) – legitimate interest of Customer; Horlio acts as Processor

Because Mission Data originates from publicly available LinkedIn profiles, individual notice may be impossible or involve a disproportionate effort (Art. 14(5)(b) GDPR). As the Controller, you are responsible for mitigating this. Our Terms of Service require you to publish a disclosure statement (e.g., the "LinkedIn Outreach Disclosure" provided in our resources) in your own company's privacy notice.

6. Automated Decision-Making & Profiling

The Horlio AI Agent scores leads and posts on a 0-100 relevance scale to prioritize outreach. This score is not used to make legal or similarly significant decisions about individuals, and a human user (you) has final control to override, ignore, or act upon the score. Consequently, Art. 22 GDPR on solely automated decision-making with legal or similarly significant effects does not apply.

7. Sharing & Sub-processors

We disclose Personal Data only to trusted third-party service providers (sub-processors) for essential business functions. A full, up-to-date sub-processor list is maintained at https://horlio.com/subprocessors. Key categories include:

  • Cloud Infrastructure: AWS (EU-Central-1 / Frankfurt).
  • Payment Processor: Stripe Payments Europe, Ltd. (Ireland).
  • Customer Support & CRM: Providers engaged under valid data transfer mechanisms.
  • Security & Analytics: Providers processing pseudonymized or aggregated data.

8. International Transfers

All primary customer data is stored and processed within the European Economic Area (EEA). When we engage a provider in a third country (like the U.S.), we rely on a valid data transfer mechanism, such as the EU-U.S. Data Privacy Framework or EU Standard Contractual Clauses ("SCCs").

9. Data Retention

  • Workspace Data: Retained for the life of the account plus a limited period for legal and operational purposes (typically 12 months).
  • Mission Data: Retained for 90 days after a mission ends or the Customer deletes the workspace, whichever comes first, to allow for performance analysis.
  • Support Tickets & Logs: Retained for up to 24 months for security auditing and service improvement.

10. Your Privacy Rights

Depending on your jurisdiction, you may have rights to access, correct, erase, restrict, or port your Personal Data, and to object to certain processing. To exercise rights over your Workspace Data, please submit requests to privacy@horlio.com. To exercise rights over Mission Data, you must contact the responsible Data Controller (our Customer).

EU/EEA residents may lodge complaints with our lead supervisory authority, the Bavarian DPA (Bayerisches Landesamt für Datenschutzaufsicht), or their local data protection authority.

11. Security

We implement multi-layer security based on industry best practices, including:

  • TLS 1.3 encryption for data in transit and AES-256 encryption for data at rest.
  • A zero-trust network architecture.
  • Mandatory two-factor authentication for all staff with access to production systems.
  • Seat safety features: proxy rotation, configurable daily action caps, and automatic cool-downs.

12. Children's Privacy

The Platform is not directed to individuals under 18. We do not knowingly collect Personal Data from children.

13. Changes to this Policy

We will post any material changes on this page, update the "Last Updated" date, and notify workspace owners via email or an in-app banner at least 30 days in advance.

14. Contact & Data Protection Officer

Data Controller: ever-growing GmbH, Windhagerstraße 9, 84489 Burghausen, Germany
Email: privacy@horlio.com

Data Protection Officer: You can reach our DPO at dpo@horlio.com.