H2O.ai Privacy Policy

Effective Date: April, 2026

1. Introduction and Scope

H2O.ai, Inc. (“H2O”, “we”, “our”, or “us”) values your privacy and takes the protection of personal information seriously. This Privacy Policy explains how we collect, use, store, and share personal information when you use the H2O.ai platforms or services, including SaaS-based offerings, websites, and related services (collectively, the “Services”).

By accessing or using our Services, you acknowledge that your personal information will be handled as described in this Privacy Policy and in accordance with applicable laws. We rely on a variety of legal bases depending on the context, including contract, legitimate interests, legal obligations, and, where required, consent.

Customer-provided input data, metadata, and model data are not used to train H2O.ai AI models, unless explicitly agreed in writing. Such data is processed solely to provide the requested Services and according to our contractual agreements.

This Privacy Policy applies globally, with additional information for residents of California, the EU/EEA/Switzerland, Brazil, Canada, Singapore, Australia, and other jurisdictions where applicable data protection laws provide specific rights.

If you have a disability, you may request an alternative format of this Privacy Policy by contacting privacy@h2o.ai

 

2. What Does This Privacy Policy Cover?

This Privacy Policy covers H2O’s treatment of personally identifiable information (“Personal Information”) collected when you use our Services, participate in H2O events, or engage with our marketing activities. “Personal Information” refers to information that identifies or relates to a particular individual, and includes “personal data” under applicable laws.

This Policy does not cover models or information collected by third parties outside our control.   To the extent H2O processes personal data on behalf of customers as a processor or service provider, such processing is governed by applicable customer agreements (including DPAs), and this Privacy Policy applies only to H2O’s processing as a controller.  Any such use of that data is governed by agreements covering access and use of those offerings.    

 

 

3. What Personal Information Does H2O Collect?

3.1 Information You Provide to Us

We collect information you provide when you:

●      Subscribe to, purchase, or use Services;

●      Create or manage H2O accounts;

●      Register for or attend events, or communicate with us via phone, email, or otherwise;

●      Submit support tickets, feedback, questionnaires, or other requests;

●      Utilize notification services

●      Participate in community features or post on H2O websites.

Types of information you may provide include:

●      Name, email, address, phone, and other contact details;

●      Payment information, including credit card and bank account information;

●      Location information;

●      Organization and colleagues’ contact information;

●      Usernames, aliases, roles, and other authentication or security credentials;

●      Feedback, testimonials, inquiries, support tickets, phone/chat/video sessions, email, and other communications with H2O;

●      Image, video, 3D, or voice data from events or use of Services;

●      Information regarding identity, including Government-issued ID information where necessary for verification or legal compliance.

H2O does not require or intentionally collect special categories of personal data (health, biometric, political, etc.) unless required by law.

 

3.2 Automatic Information

We automatically collect certain data when you interact with H2O Services, including:

●      Network and connection information (IP address, ISP);

●      Device, application, browser type/version, operating system, time zone;

●      Device location;

●      Authentication/security credentials;

●      Interaction and service metrics (downloads, streams, API calls, backup information, errors, and other logs);

●      Clickstream and page interaction data (scrolls, clicks, downloads).

In addition to the information you provide, we automatically collect telemetry, logs, and metrics to maintain, secure, and improve our Services. These may be processed outside the region you selected for customer data storage, but are handled separately from customer input data.

 

3.3 Information from Other Sources

We may collect data from partners, service providers, or public sources, such as:

●      Marketing, sales, and recruitment information;

●      Purchase, subscription, or support interactions;

●      Search results and links, including paid listings (such as sponsored links);

●      Credit history and publicly available professional information.

H2O collects this information where permitted by applicable law and for purposes described in this Policy.

 

3.4 Free Services and API-Based Offerings

Certain Services (including free-tier, trial, or API-based offerings) may allow users to submit data for processing without persistent storage. In such cases:

●      Input data is processed transiently and not retained, except as necessary for security, debugging, or abuse prevention;

●      We may retain limited metadata (e.g., usage logs, API activity, account identifiers);

Users should not submit personal data or sensitive information unless explicitly permitted by the Service documentation.

 

 

4. Cookies and Tracking

We use cookies, pixels, and similar technologies to:

●      Recognize devices and user preferences;

●      Improve services and security;

●      Conduct research and diagnostics;

●      Deliver personalized content and interest-based advertising.

Cookies may persist for up to 365 days. You can manage cookie preferences via our Cookie Preferences page. Where required by applicable law (including in the EEA/UK), we obtain consent before placing non-essential cookies or similar technologies. Third-party advertising and analytics providers may also collect anonymized or aggregated data via cookies or web beacons.

 

 

5. Commercial and Business Purposes for Collecting Personal Information.

H2O collects Personal Information for purposes including:

●      Providing, customizing, and improving the Services;

●      Managing user accounts and profiles;

●      Processing orders and billing;

●      Marketing and advertising Services;

●      Communicating with users;

●      Improving the Services, including testing, research, internal analytics, and product development;

●      Fraud prevention, security, and debugging;

●      Legal compliance, enforcement of agreements, and dispute resolution.

We do not collect or use Personal Information for materially unrelated purposes without providing notice.

 

 

6. How H2O Uses and Shares Personal Information

6.1 Service Providers

We share Personal Information with third-party service providers to assist with:

●      Hosting, technology, and communications;

●      Security and fraud prevention;

●      Customer support;

●      Product fulfillment and delivery.

 

6.2 Advertising and Analytics Partners

●      Advertising partners may use aggregated or anonymized data to provide targeted marketing.

●      Analytics partners provide insights into web traffic, usage, and Service interaction.

 

6.3 Business Partners and Authorized Parties

●      H2O may share Personal Information with joint promotion partners, social media services, or other users authorized by you.

 

6.4 Business Transfers

In mergers, acquisitions, or similar transactions, Personal Information may be transferred to a third party, with efforts to notify affected individuals.

 

6.5 Legal Obligations

We may disclose Personal Information where required to comply with applicable law, regulation, legal process, or enforceable governmental request, or to enforce our agreements or protect the rights, property, or safety of H2O, our customers, or others.

Where legally permitted, H2O will use reasonable efforts to notify the relevant customer of such request and may, at its discretion, challenge or seek to limit the scope of any request that appears unlawful, overbroad, or otherwise inappropriate.

 

6.6 Data Not Considered Personal Information

H2O may collect, use, and share aggregated, de-identified, anonymized, or derived data (including telemetry, usage patterns, and performance metrics) for any lawful business purposes such as operating, maintaining, improving, and developing its products and services, provided such data cannot reasonably be used to identify any individual or customer.

 

6.7 AI Services

H2O does not use Customer Content to train or improve its AI models, except for the benefit of the applicable customer.

H2O may use third-party artificial intelligence services (including large language models) to support and operate the Services. H2O does not control, modify, or have access to the training data or model parameters of such third-party systems and is not responsible for how such systems are trained, maintained, or operate. Requests regarding such systems should be directed to the applicable third-party provider.

AI-generated outputs may be probabilistic, incomplete, or inaccurate and may contain errors, omissions, or unintended or harmful content. Certain features may involve automated or agentic functionality that can generate or recommend actions without human intervention. Users should not rely on AI-generated outputs as a substitute for professional judgment or advice. Users are solely responsible for reviewing, validating, and determining the appropriateness of any outputs or actions prior to reliance or use.

To the maximum extent permitted by law, H2O disclaims liability for decisions made, actions taken, or failures to act based on AI-generated outputs.

 

 

7. Retention of Personal Information

Customer data is deleted upon termination of the customer environment unless otherwise agreed. Logs are retained for up to three (3) years. Telemetry, metrics, and diagnostic data may be retained for as long as necessary for security, operational, business and reliability purposes, unless deletion is requested and feasible (subject to technical limitations and legal obligations).

 

 

8. Children’s Personal Information

We do not knowingly collect personal information from children under applicable age thresholds in your jurisdiction.  Our Services are designed for and directed to enterprise users, and are not intended for use by children.  If we become aware that personal information has been collected from a child in violation of applicable law, we will take reasonable steps to delete such information.  If you become aware that a child under the applicable age has provided any personal information to us while using our Services, please email us at privacy@h2o.ai, and we will investigate the matter.

 

9. Subprocessors

H2O uses subprocessors to support delivery of Services. A current list is published at https://trust.h2o.ai/ and updated periodically.

 

 

10. Information Security

H2O implements technical and organizational safeguards, including encryption (for both data at-rest and in transit), role-based identity and access controls, monitoring, and audits. H2O maintains SOC 2 Type II certification and is pursuing ISO 27001. Further, H2O performs proactive security practices including but not limited to penetration testing, continuous vulnerability scanning and internal code reviews to scan and mitigate threats.

H2O implements technical and organizational safeguards designed to protect Personal Information. Where required by applicable law, H2O will notify affected individuals or customers of a confirmed security incident involving unauthorized access to, acquisition of, or disclosure of Personal Information.

Not all security incidents result in a risk to Personal Information. H2O evaluates incidents in accordance with applicable law and will provide notifications where legally required.

Despite these efforts, no method of transmission or storage is completely secure or error-free, and you should exercise care in determining what information you provide to the Services. H2O is not responsible for the circumvention of any privacy or security measures contained in the Services or on third-party systems.

To the maximum extent permitted by law, H2O disclaims liability for unauthorized access, loss, or alteration of data except to the extent caused by its failure to implement reasonable and appropriate safeguards required under applicable law.

 

 

11. Privacy Information for Specific Jurisdictions

Depending on where you live and subject to applicable exceptions, you may have the following rights in respect of Personal Information:

●      The right to know information about our processing of your Personal Information, including the right to access your Personal Information, often in a portable format;

●      The right to request deletion of your Personal Information;

●      The right to correct your Personal Information; and

●      The Right to be free from discrimination relating to the exercise of any of your privacy rights.

 

11.1 California Residents (CCPA/CPRA)

●      Rights to access, deletion, and non-sale of Personal Information.

●      We do not sell personal information. We may share limited data with service providers and partners for marketing and analytics purposes, consistent with applicable law.

●      Methods to exercise rights: email privacy@h2o.ai.

 

11.2 Nevada Residents

●      Right to opt out of sales of certain Personal Information, email privacy@h2o.ai. H2O does not sell Personal Information.

 

11.3 EU/EEA/Switzerland Residents (GDPR)

●      H2O is the controller for personal data collected in these jurisdictions.

●      Lawful bases: contract, legal obligation, legitimate interest, consent (where required).

●      Rights: access, rectification, erasure, portability, objection, restriction, withdrawal of consent.

●      Complaints may be filed with local supervisory authorities.

 

11.4 Global Privacy Rights

●      Residents of Brazil, Canada, Singapore, India, and Middle East jurisdictions may have rights to access, correct, delete, or port personal data, and to object or restrict processing.  These rights may vary by jurisdiction and are subject to local legal requirements.

 

11.5  Exercising Your Rights 

You can exercise your privacy rights by submitting a request through privacy@h2o.ai.

 

11.6  Verification. 

In order to protect your Personal Information from unauthorized access, change, or deletion, we may require you to verify your identity before you can submit a request to know, correct, or delete Personal Information.  If you do not have an account with us, or if we suspect fraudulent activity, we may ask you to provide additional Personal Information for verification.  If we cannot verify your identity, we will not be able to honor your request.

 

11.7  Authorized Agents.

You may also submit requests through an authorized agent, but if you do so, the agent must present written authorization to act on your behalf, and you may also be required to independently verify your identity.

 

 

12. Transfers of Personal Data

●      Personal data is primarily processed in the U.S., but customers can select data residency options where available.

●      International transfers rely on Standard Contractual Clauses, EU-U.S. Data Privacy Framework, UK Addendum, or Swiss Addendum.

●      By using the Services, you authorize transfer, storage, and processing of your information in the U.S. and other countries as necessary.

 

 

13. Conditions of Use

Privacy disputes are subject to this Policy, our Terms of Service, and any written agreement between you and H2O, including applicable limitations, arbitration, and California law.

 

 

14. Marketing Communications

●      You may unsubscribe from marketing emails by clicking “Unsubscribe” or emailing privacy@h2o.ai.

 

 

15. Changes to this Privacy Policy

 

H2O may update this Policy from time to time. The version in effect at the time of data collection governs. Material changes will be posted at https://h2o.ai/privacy.

 

 

16. Questions or Concerns

Contact us at privacy@h2o.ai with questions, concerns, or to exercise your rights.

To protect privacy and prevent fraud or abuse, H2O will process requests only where we can reasonably verify the identity of the requestor and, where applicable, the authority of an authorized agent. We may request additional information as necessary to complete verification, and we may deny requests where identity or authorization cannot be reasonably confirmed. Authorized agents must provide valid written authorization from the consumer and may be required to verify their authority directly with us.

Requests must include sufficient detail to allow us to understand, evaluate, and respond. We are not obligated to respond to requests that are vague, overly broad, or do not reasonably relate to the requestor. We may also limit the number or frequency of requests as permitted under applicable law and are not required to re-identify or link information that is not maintained in a manner reasonably capable of being associated with a particular consumer, or to retain personal information solely for the purpose of responding to a request.

H2O reserves the right to decline to act on requests that are manifestly unfounded, excessive, repetitive, automated, or abusive, including requests submitted in bulk or by third parties without sufficient proof of authorization or identity. We may also decline or limit requests where we have a reasonable basis to believe the request is fraudulent, malicious, or intended to disrupt our operations. Where appropriate and permitted by law, we may request clarification, extend response timelines, or decline to act on a request to ensure proper verification and handling.

H2O may utilize third-party service providers, including artificial intelligence or machine learning models, in connection with its services and operations. H2O does not control the training data, internal parameters, or data retention practices of such third-party systems. To the extent personal information may be contained within or processed by such third-party models, H2O does not have the ability to access, identify, correct, or delete such information within those systems. Requests relating to data held or processed independently by third-party providers should be directed to the applicable provider.

H2O will make reasonable efforts to respond to valid and verifiable requests in accordance with applicable law.