Legal · Privacy Policy

Your data, your institution’s data, held with intent.

What we collect, why we collect it, who can see it, and how to make us stop. Written for higher-ed privacy offices, in language they don't have to translate.

Effective May 1, 2026 · Last updated May 17, 2026 · Version 3.0
On this page
  1. Scope of this policy
  2. Information we collect
  3. How we use information
  4. Legal bases (EEA, UK, Switzerland)
  5. How we share information
  6. International data transfers
  7. How long we keep information
  8. How we protect information
  9. Your privacy rights
  10. FERPA notice (U.S. higher education)
  11. U.S. state privacy rights (CCPA, CPRA, VCDPA, others)
  12. Cookies and tracking
  13. Children
  14. Government and law-enforcement requests
  15. Changes to this policy
  16. How to contact us

Section 01 · Scope of this policy

This Privacy Policy describes how Habeo LLC (“Habeo,” “we,” “us”) handles personal information collected through usehabeo.com, our marketing channels, sales process, and the Habeo platform (collectively, the “Services”).

It applies to three audiences: (a) website visitors and prospects who interact with our marketing surfaces; (b) authorized users of customer institutions who log in to the Habeo platform; and (c) data subjects whose personal information our customers choose to load into Habeo as part of their asset, contract, or workforce records.

For category (c), the customer institution is the data controller and Habeo acts as a data processor / service provider. The terms of the customer’s subscription agreement and our Data Processing Addendum govern that relationship and take precedence over this policy if there is any conflict.

Section 02 · Information we collect

Information you give us directly

  • Account and contact data — name, work email, institution, role/title, and password when you sign up for an account, request a demo, or sign a contract.
  • Billing data — name of payer, billing email, purchase order references, and (for paid subscriptions) the last four digits of a payment instrument processed by our payment provider. Habeo does not store full payment card data on its own servers.
  • Communications — messages you send to sales@usehabeo.com, support tickets, in-product chat threads, and transcripts of scheduled calls when you have agreed to recording.
  • Customer Data — any data that your institution chooses to load into Habeo (asset records, purchase orders, user directories, contract metadata, etc.). The categories of personal data are defined in Annex I of our DPA.

Information we collect automatically

  • Service usage data — pages viewed, features used, API calls issued, search queries, and timestamps of those events, associated with your authenticated user identity for security and reliability purposes.
  • Device and network data — IP address (truncated to /24 in our analytics store), user-agent string, browser language, and screen characteristics needed to render the UI correctly.
  • Cookies and similar technologies — see Cookies & tracking below.

Information we receive from third parties

  • Identity providers — when your institution uses SAML SSO, Workday, or Microsoft Entra ID for sign-in, we receive the attributes those providers release (typically name, work email, and group membership).
  • Public business data — Carnegie Classification, IPEDS enrollment band, and similar institutional metadata used to scope and price proposals.

Section 03 · How we use information

We use personal information for the following purposes:

  • Provide the Services. Authenticate users, render the application, run scheduled jobs, deliver email and webhook notifications, and generate the reports our customers request.
  • Secure the Services. Detect and investigate fraud, abuse, account compromise, and policy violations; produce immutable audit trails our customers can review.
  • Support our customers. Respond to tickets, troubleshoot tenant-specific issues with explicit authorization, and run scheduled health reviews.
  • Improve the Services. Analyze aggregate, de-identified usage patterns to prioritize the roadmap, fix defects, and tune performance. We do not train machine-learning models on Customer Data without a specific written agreement with the customer.
  • Sell and market the Services. Contact prospects who have requested information, send the Habeo newsletter to opted-in subscribers, measure marketing-campaign performance.
  • Meet legal obligations. Comply with tax, accounting, audit, and procurement laws; respond to lawful requests from public authorities consistent with our Government-request commitments below.
No sale or sharing of personal information. Habeo does not sell personal information and does not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

Section 04 · Legal bases (EEA, UK, Switzerland)

For individuals in the European Economic Area, the United Kingdom, and Switzerland, our legal bases for processing personal data under the GDPR and UK GDPR are:

  • Performance of a contract — to provide the Services under our subscription agreement, or to take steps at your request before entering into a contract.
  • Legitimate interests — to secure the Services, prevent fraud, run our business, and market our Services to prospective customers, where those interests are not overridden by your rights.
  • Consent — for non-essential cookies, the marketing newsletter, and any optional features that ask for your explicit opt-in.
  • Legal obligation — to comply with tax, accounting, and other laws applicable to Habeo.

Section 05 · How we share information

We share personal information only in these circumstances:

  • With subprocessors who help us run the Services. We disclose the full, current list at usehabeo.com/subprocessors, and give customers 30 days’ notice before adding a new one (or replacing one with a different vendor).
  • With your institution. If you sign in using a credential issued by your institution, your institution can see your activity inside its tenant.
  • With professional advisors and auditors bound by written confidentiality obligations — for example, our SOC 2 auditor.
  • In a corporate transaction — if Habeo is acquired or merges with another entity, personal information may be transferred subject to contractual confidentiality and continued application of this policy.
  • With public authorities when legally required — see Government requests below.

Section 06 · International data transfers

Habeo is headquartered in the United States and our production infrastructure runs in U.S. AWS regions (us-east-2, us-west-2). When we transfer personal information from the EEA, UK, or Switzerland to the United States or another country, we rely on:

  • EU Standard Contractual Clauses (Module Two: controller to processor) and the UK International Data Transfer Addendum, incorporated by reference into our DPA.
  • EU–U.S. Data Privacy Framework, the UK Extension to the DPF, and the Swiss–U.S. DPF where applicable.
  • Supplementary measures — envelope encryption (AES-256-GCM) at rest, TLS 1.3 in transit, and per-tenant data-segregation controls.

Section 07 · How long we keep information

For Customer Data, retention is configured by the customer institution. Habeo retains Customer Data for the duration of the subscription and for up to 30 days after termination, after which it is purged from primary systems and (within an additional 90 days) from backups. Self-service export in CSV and Parquet ships Q3 FY26; until then, we provide the same export within five business days on request.

For Habeo-controlled data, our default retention windows are:

| Data category | Retention | Reason |
| --- | --- | --- |
| Account and contact data | Life of the relationship + 24 months | Re-engagement and successor handoff |
| Billing and tax records | 7 years | U.S. federal and state tax law |
| Security and access logs | 13 months | Incident investigation; SOC 2 evidence |
| Marketing analytics | 14 months (aggregated thereafter) | Campaign attribution windows |
| Sales call transcripts | 24 months | Sales coaching; deleted earlier on request |

Section 08 · How we protect information

Habeo maintains a written information-security program aligned to SOC 2 Type II (audit closes Q3 FY26) and the HECVAT 2024 control set (full HECVAT 4.1.5 response published at /compliance/hecvat). Highlights:

  • Encryption. AES-256-GCM at rest with per-organization, HKDF-derived keys; TLS 1.3 in transit. Secrets are envelope-encrypted with keys held in AWS KMS.
  • Access control. Role-based access with mandatory SSO and hardware-key MFA for all Habeo personnel. Production access requires time-bound, approved JIT grants.
  • Tenant isolation. Every record carries an organization identifier that is enforced at the database row-security layer and re-checked in the application layer.
  • Vulnerability management. Continuous dependency scanning, quarterly third-party penetration tests, and a public coordinated-disclosure program at security@usehabeo.com.
  • Incident response. 24/7 on-call rotation; documented runbooks and tabletop exercises. We notify affected customers of a confirmed personal data breach without undue delay and in any case within 72 hours of confirmation.

Section 09 · Your privacy rights

Depending on where you live, you may have the following rights with respect to personal information about you that Habeo controls:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to fix inaccurate or incomplete information.
  • Deletion — ask us to delete personal information, subject to the legal-retention obligations described above.
  • Portability — receive a machine-readable copy of certain information.
  • Object or restrict — object to, or restrict, certain processing — including direct marketing.
  • Withdraw consent — withdraw a consent you previously gave (for example, to receive the newsletter).
  • Lodge a complaint — with your supervisory authority. EEA residents may also contact the Irish Data Protection Commission via the one-stop-shop mechanism.

To exercise any of these rights, email privacy@usehabeo.com. We will verify your request — typically by confirming control of the email address associated with the request — and respond within 30 days (45 days for complex requests). We do not charge a fee for the first request in any 12-month period and never retaliate for exercising a right.

If your personal information was loaded into Habeo by your institution, please direct your request to that institution; we will support them in responding.

Section 10 · FERPA notice (U.S. higher education)

When Habeo holds education records as defined by the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g), we act as a school official with a legitimate educational interest under 34 CFR § 99.31(a)(1)(i)(B) — i.e., we are performing a service for which the institution would otherwise use its own employees, and we are bound by FERPA’s use and re-disclosure rules.

Specifically, Habeo:

  • uses education records only for the purposes specified in the customer’s subscription agreement;
  • does not re-disclose education records except as the institution directs or as required by law;
  • provides institutions with the direct control they need to respond to student access requests under 34 CFR § 99.10;
  • contractually flows down these requirements to any subprocessor that may handle education records.

We do not use education records to advertise or to train general machine-learning models. The full FERPA addendum is incorporated as Schedule 3 of our DPA.

Section 11 · U.S. state privacy rights (CCPA, CPRA, VCDPA, others)

California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and Montana residents have the rights described above and the additional rights to know what categories of personal information we have collected, the sources, and the business or commercial purposes for collecting it. That information is set out in this Policy.

Sensitive personal information. Habeo does not collect or process sensitive personal information from website visitors. Customer Data may include sensitive personal information; the customer institution is responsible for any consent or purpose-limitation requirements applicable to that data.

Authorized agents. California residents may use an authorized agent to submit a request. We require the agent to provide written authorization and may verify the request directly with you.

“Do Not Track” and global privacy controls. Habeo honors the Global Privacy Control (GPC) signal as a valid opt-out preference for California, Colorado, and Connecticut residents.

Section 12 · Cookies and tracking

We use a deliberately small set of cookies and similar technologies. Cookies are grouped into strictly necessary, functional, and analytics categories. Only strictly-necessary cookies are set without your consent.

| Cookie | Category | Purpose | Lifetime |
| --- | --- | --- | --- |
| habeo_session | Strictly necessary | Authenticated session for the application | 14 days |
| habeo_csrf | Strictly necessary | Cross-site request forgery defense | Session |
| habeo_theme | Functional | Stores the light/dark theme preference | 365 days |
| _ph_* (PostHog) | Analytics | First-party product analytics, IP truncated | 365 days |

Habeo does not run third-party advertising pixels (no Meta, no LinkedIn Insight, no Google Ads conversion). Our website does not embed third-party social sharing widgets that set cookies.

Section 13 · Children

The Services are intended for higher-education institutions and their staff. Habeo does not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that age applies). If you believe a child has provided us personal information, contact privacy@usehabeo.com and we will delete it.

Section 14 · Government and law-enforcement requests

We require valid legal process for any government request seeking Customer Data, and we narrowly construe the scope of such requests. Unless legally prohibited, we promptly notify the affected customer so they can seek to limit or quash the request, and we challenge requests we believe are overbroad, unlawful, or made without proper jurisdiction.

We publish an annual Transparency Report summarizing the volume and nature of government requests; the first report covers calendar year 2026.

Section 15 · Changes to this policy

We will post material changes to this Policy on this page at least 30 days before they take effect, update the “Effective” and “Last updated” dates above, and notify customers of changes that affect Customer Data via email to the security and privacy contacts on file. Historical versions are listed below.

  1. v3.0 · 2026-05-01 · Added Global Privacy Control honoring; added FERPA section; expanded retention table.
  2. v2.1 · 2026-01-14 · Clarified subprocessor notification window (30 days).
  3. v2.0 · 2025-08-22 · Incorporated EU–U.S. Data Privacy Framework certification; refreshed cookie table.

Section 16 · How to contact us

Data controller: Habeo LLC, a New Mexico limited liability company.

Mailing address: Habeo LLC — Attn: Privacy, 4112 Manor Oaks Ct., Export, PA 15632, United States.

Email: privacy@usehabeo.com (general), dpo@usehabeo.com (Data Protection Officer), security@usehabeo.com (security disclosures).

EU representative: appointed under Article 27 GDPR; current appointment information is available on request.

Questions about this policy?

For legal questions write to legal@usehabeo.com. Privacy requests, data-subject access, and FERPA-related inquiries go to privacy@usehabeo.com and are routed to our Data Protection Officer.

© 2026 Habeo LLC · usehabeo.com