Legal

Privacy Policy

Last updated: May 20, 2026

Controller

The controller for personal data processed by the managed service at holobase.dev is:

m12k GmbH
Seligerstraße 47
89537 Giengen, Germany
Contact: privacy@holobase.dev

What holo is

Holo is an open-source context layer for AI agents. The managed service at holobase.dev hosts an instance for your organization that connects to your existing tools (e.g. GitHub, Slack, Notion, Google Drive, Google Chat, Linear, Microsoft Teams), indexes the content you grant access to, and exposes that index to AI agents (Claude, Cursor, ChatGPT, and our own chat surfaces) through the Model Context Protocol.

Data we process

  • Account data: your email, name, organization, and role, used to authenticate you and scope access.
  • Connector credentials: OAuth tokens, API keys, or service-account keys you provide to authorize holo to read from your third-party tools. Stored encrypted at rest.
  • Indexed content: messages, documents, issues, files, and metadata fetched from your connected sources, plus vector embeddings derived from that content. We preserve the original access-control lists so a user only retrieves content they could already see in the source system.
  • Operational logs: sync job status, query traces, and error logs used to operate and debug the service.

Legal basis (GDPR Art. 6)

  • Performance of contract (Art. 6(1)(b)): processing account data, connector credentials, and indexed content to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): operational logs and error traces for security, abuse prevention, and reliability.
  • Consent (Art. 6(1)(a)): for any optional features you explicitly enable that go beyond providing the core service.

Subprocessors

We use the following subprocessors to operate the service:
  • Railway (Railway Corp., USA): application hosting, managed Postgres, managed Redis.
  • Anthropic (USA): LLM inference when an agent configured for Claude queries the index.
  • OpenAI (USA): LLM inference and embedding generation.
  • Google (USA): LLM inference when an agent configured for Gemini queries the index, and identity/authorization when you connect Google Workspace tools (Drive, Chat).
  • PostHog (PostHog, Inc., EU region — hosted in Frankfurt, Germany): first-party product analytics for the managed holobase.dev service. Collects pseudonymous event data; for signed-in users, your user ID, email, and active workspace are attached so we can analyze usage by workspace. We do not enable session replay, and we never send the content of your messages, queries, or indexed sources to PostHog.

An up-to-date list is available on request at privacy@holobase.dev.

International data transfers

Our subprocessors are based in the United States. Transfers are made on the basis of the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework certification of the receiving party. Indexed content is only forwarded to an LLM provider when one of your agents issues a query that requires it.

How we use it

We process the data above only to provide the service: running connector syncs, answering retrieval queries from your agents, and keeping the system reliable. We do not sell your data, do not train foundation models on it, and do not share it with third parties for advertising.

Security

We protect your data with industry-standard measures including TLS 1.2+ for all data in transit, encryption at rest for credentials and the managed database, scoped access controls, and environment isolation between organizations. Access to production systems is limited to authorized personnel and audited. No system is perfectly secure; if you discover a vulnerability please report it to privacy@holobase.dev.

Retention and deletion

Indexed content and embeddings are retained while the corresponding connector is active. Disconnecting a connector deletes the credentials immediately and queues the indexed content for deletion. Deleting your organization removes all associated data within 30 days. Operational logs are retained for up to 90 days.

Cookies and analytics

We use the cookies strictly necessary to keep you signed in and to operate the service. On the managed holobase.dev service we additionally use PostHog(EU region) for first-party product analytics so we can understand how the product is used and improve it — what pages and dashboard surfaces people interact with, which connectors get configured, and whether agents successfully reach the index. Analytics events are sent through our own domain (first-party), and PostHog session replay is disabled. We do not run marketing pixels, advertising trackers, or cross-site tracking. PostHog is off by default on self-hosted Holo deployments: the operator opts in by setting a PostHog API key, and without one no analytics traffic leaves the deployment.

Data breach notification

If we become aware of a personal-data breach affecting your data we will notify the competent supervisory authority within 72 hours and, where required, notify affected users without undue delay, in line with GDPR Art. 33 and 34.

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict or object to processing of your personal data, and the right to data portability. Exercise any of these by emailing privacy@holobase.dev. You also have the right to lodge a complaint with the competent supervisory authority — for m12k GmbH this is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Königstraße 10a, 70173 Stuttgart, Germany

Self-hosting

Holo’s Community Edition is AGPL-3.0 and can be self-hosted. When self-hosted, this policy does not apply — your organization is the data controller for your own deployment. Product analytics (PostHog) are disabled by default in self-hosted deployments; the operator chooses whether to configure them.

Changes

We may update this policy; the “Last updated” date above reflects the current version. Material changes will be communicated to active organizations.

Contact

Questions about this policy: privacy@holobase.dev.