Privacy & Security

Privacy Policy

Your privacy is fundamental to our values. Learn how we protect your data and respect your rights.

Last updated: May 2026

Privacy at a Glance

Data Protection

Enterprise-grade security and encryption for all your data

Your Rights

Full control over your personal data and privacy settings

Secure Processing

AI processing with privacy-preserving technologies

Data Minimization

We only collect what's necessary for our services

Introduction

Hamiltonian Lab ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, process, and safeguard your information when you use our services, visit our website, or interact with our AI agents.

By using our services, you agree to the collection and use of information in accordance with this policy. We will not use or share your information with anyone except as described in this Privacy Policy.

Data Controller

For the purposes of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the Danish Data Protection Act, the data controller responsible for your personal data is:

Hamiltonian Lab
Contact: via the contact form on our website

For client engagements where we process personal data on your behalf as part of our services, we act as a data processor under your instructions, and a separate Data Processing Agreement (DPA) will govern that processing.

Legal Basis for Processing

We process personal data on the following legal bases under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)): Delivering the services you or your organisation has engaged us for, responding to inquiries, and operating the chat widget you initiate
  • Legitimate interests (Art. 6(1)(f)): Securing our systems, preventing fraud and abuse, analysing aggregated website performance to improve our services, and informing existing clients about closely related services, balanced against your interests and rights
  • Consent (Art. 6(1)(a)): Non-essential cookies, marketing communications to new contacts, and any optional data collection; you may withdraw consent at any time without affecting prior lawful processing
  • Legal obligation (Art. 6(1)(c)): Retaining accounting and tax records, responding to lawful requests from authorities, and complying with regulatory requirements

Where we rely on legitimate interests, you may object to processing at any time using the contact form; we will stop unless we demonstrate compelling legitimate grounds that override your interests.

Information We Collect

Personal Information

  • Contact information (name, email address, phone number)
  • Company information (organization name, role, industry)
  • Professional details relevant to our services
  • Communication preferences and history

Technical Information

  • IP address (for security and analytics)
  • Browser type, version, and user agent
  • Device information and operating system
  • Page views and website usage (via Vercel Analytics)
  • Performance metrics and Core Web Vitals (via Vercel Speed Insights)
  • Chat session IDs and conversation context
  • Scroll positions and navigation patterns (stored locally)

Business Information

  • Business processes and operational data (when provided for analysis)
  • System integration requirements
  • Performance metrics and optimization goals
  • Feedback and service usage data

How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: To provide, maintain, and improve our AI implementation services
  • Communication: To respond to inquiries, provide support, and send service-related notifications
  • Analysis: To understand your business needs and design appropriate AI solutions
  • Optimization: To enhance our AI agents and improve service quality
  • Legal Compliance: To comply with applicable laws and regulations
  • Security: To protect against fraud, abuse, and security threats

AI Processing and Data Handling

Chat Widget and AI Interactions

  • Chat messages are processed via secure external API endpoints
  • Session IDs are generated and stored in browser sessionStorage for conversation continuity
  • User messages, email addresses (if provided), and timestamps are collected
  • Chat data is transmitted to external AI processing systems for response generation
  • No chat data is stored permanently in browser cookies
  • Conversation context is maintained only for the duration of the session

Business Data Processing

  • Business data provided for analysis is processed only for service delivery
  • We implement privacy-preserving techniques when analyzing your data
  • Data is anonymized and aggregated whenever possible
  • Access to your business data is strictly limited to authorized personnel

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share information in the following limited circumstances:

  • Sub-processors: See the dedicated section below for our current list
  • Legal Requirements: When required by law, court order, or regulatory authority; we will challenge overbroad requests where lawful and feasible
  • Business Transfer: In the event of a merger, acquisition, reorganisation, or sale of assets, subject to equivalent privacy protections
  • Consent: When you have given explicit consent for specific sharing
  • Protection: To protect our rights, property, or safety, or that of our users or the public

Sub-processors

We use the following service providers to operate the website and deliver services. Each is bound by a written agreement requiring confidentiality and protection of personal data, including, where applicable, EU Standard Contractual Clauses.

Provider | Purpose | Region
Vercel Inc. | Hosting, analytics, performance monitoring | USA / EU edge
Supabase Inc. | Database, content storage | EU
n8n GmbH | Workflow orchestration for the chat widget | EU
OpenAI / Anthropic (and similar LLM providers) | Generating chat responses | USA

This list may change as we evolve the service. Material changes will be reflected here with a revised "Last updated" date.

Data Security

We implement comprehensive security measures to protect your information:

  • Encryption: All data is encrypted in transit and at rest using industry-standard protocols
  • Access Controls: Strict role-based access controls and multi-factor authentication
  • Infrastructure: Secure cloud infrastructure with regular security audits
  • Monitoring: Continuous monitoring for security threats and unauthorized access
  • Incident Response: Comprehensive incident response procedures and breach notification protocols

Your Rights and Choices

You have the following rights regarding your personal information:

GDPR Rights (EU Residents)

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request transfer of your data in a structured format
  • Restriction: Request limitation of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests

General Rights

  • Consent Withdrawal: Withdraw consent for processing at any time
  • Communication Preferences: Opt out of marketing communications
  • Data Retention: Request information about how long we retain your data
  • Complaints: Lodge complaints with relevant data protection authorities

To exercise any of these rights, please use our contact form. We will respond within one month (extendable by a further two months for complex requests, as permitted by Art. 12 GDPR). You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, Denmark (datatilsynet.dk), or with the supervisory authority in your EU country of residence.

Automated Decision-Making and AI Processing

Our chat widget uses third-party large language models to generate responses. These responses are produced automatically and may be inaccurate. They are not used to make decisions that produce legal effects or similarly significant effects on you within the meaning of Article 22 GDPR.

Where a client engagement involves automated decision-making about individuals on the client's behalf, the client (as data controller) is responsible for the lawful basis, the safeguards required by Art. 22 GDPR, and providing meaningful human review.

Personal data submitted to our chat widget is transmitted to LLM providers (e.g., OpenAI, Anthropic) under contracts that prohibit using your data to train their general-purpose models, where such an option is available.

Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

  • Local Storage: Cookie consent preferences (hamilton-cookie-consent)
  • Session Storage: Chat session IDs (hamilton-chat-session-id) and scroll positions
  • Vercel Analytics: Privacy-focused website usage analytics (no personal data)
  • Vercel Speed Insights: Performance monitoring and Core Web Vitals tracking
  • No Traditional Cookies: We do not set traditional HTTP cookies for tracking

You can control cookie settings through your browser preferences. However, disabling certain cookies may affect website functionality.

Data Retention

We retain your information for no longer than necessary for the purposes set out in this Policy:

  • Chat session ID: Cleared when the browser session ends
  • Chat message logs (server-side): Up to 90 days for quality, debugging, and abuse prevention, then deleted or anonymised
  • Contact information from inquiries: Up to 24 months after the last interaction, then deleted unless a contract is signed
  • Client business records: Duration of the engagement plus 5 years (Danish Bookkeeping Act / Bogføringslov)
  • Accounting and tax records: 5 years from the end of the financial year, as required by Danish law
  • Cookie consent records: 12 months, then re-asked
  • Vercel Analytics: Aggregated, anonymised data retained under Vercel's policy
  • Marketing contacts: Until you unsubscribe or object
  • Backups: Cycled out within 30 days of the primary deletion

Where retention is required by law or to establish, exercise, or defend legal claims, we may retain data longer to the minimum extent necessary.

International Data Transfers

Some of our sub-processors (notably Vercel and LLM providers) are based in the United States. Where personal data is transferred outside the EEA, we rely on one or more of the following safeguards under Chapter V of the GDPR:

  • EU Commission Standard Contractual Clauses (2021/914) with supplementary technical and organisational measures where required
  • An EU adequacy decision, where one applies (e.g., the EU-US Data Privacy Framework for certified recipients)
  • Your explicit, informed consent for the specific transfer, where appropriate

You may request a copy of the relevant safeguards by contacting us through the website's contact form.

Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Danish Data Protection Authority (Datatilsynet) without undue delay, and in any event within 72 hours of becoming aware, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will also notify affected individuals as required by Article 34 GDPR.

Children's Privacy

Our services are intended for business users and are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided personal data to us, please contact us through the website's contact form and we will delete it promptly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For material changes, we will provide additional notice through email or prominent website notification.

Contact Us

If you have any questions about this Privacy Policy, would like to exercise your rights, or wish to raise a complaint, please contact us:

Hamiltonian Lab

Contact: via the contact form on our website

Supervisory Authority

Datatilsynet (Danish DPA)
Carl Jacobsens Vej 35, 2500 Valby
datatilsynet.dk