Privacy Policy.

1. About this Policy

This Privacy Policy describes how Akii Technologies Ltd, a private company registered at the Dubai International Financial Centre (DIFC) under commercial licence number CL12662, with its registered office at IH-00-01-03-OF-05, Level 3, Innovation One, Dubai International Financial Centre, Dubai, United Arab Emirates (collectively “HIP”, “we”, “our”, or “us”), handles personal information. HIP operates the Holm Intelligence Partners brand and publishes this website at holm.com.

This Policy applies to every visitor to the Website, every person who submits an application or contact request, every individual who interacts with us as a Client, Client personnel, prospective Client, referral partner, or vendor, and every authorised user of any HIP-controlled portal, platform, or tool. This Policy is incorporated by reference into our Terms of Service. Terms used but not defined here have the meaning given in the Terms.

2. Controller and applicable law

Akii Technologies Ltdis the controller of personal information processed under this Policy, except where it acts as a processor on behalf of a Client in connection with a specific Engagement, in which case the processing is governed by the applicable Data Processing Addendum (“DPA”) rather than by this Policy.

HIP operates from the DIFC and is subject to the DIFC Data Protection Law (DIFC Law No. 5 of 2020) and its supporting regulations. Where your personal information is subject to another data-protection framework that grants additional or different rights (including the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act, and other applicable laws) we will also honour those rights where they apply to you. Sections 9 and 10 summarise the main regional carve-outs.

3. Personal information we collect

We collect personal information from the following sources and in the following categories.

3.1 Information you provide through the application form

When you submit an application at /apply, we collect the information you enter in each of the three steps:

• Basics. Company name, company website, industry, approximate company size, company location, your full name, your job title, your business email address, and your business phone number.
• Operational context. Free-text answers about operational challenges, manual workflows, why now, and desired outcome.
• Reality check. Executive-sponsor identity, buying-group composition, willingness to pay for a review, and indicative budget range.
• Technical and attribution metadata. Source page, UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content), referrer, referral code or prospect identifier, IP address, approximate geolocation derived from the IP address, a bot-mitigation token from Cloudflare Turnstile, and timestamps.

We use a hidden honeypot field to detect automated submissions. Applications that trigger the honeypot are treated as spam.

3.2 Information you provide through the contact form or by email

When you use the contact form or email us directly, we collect the information you provide (for example name, email address, company, message content) together with routing metadata (source page, UTM parameters, IP address, timestamp) and a Turnstile bot-mitigation token.

3.3 Information we collect automatically from the Website

• Device and connection data, including IP address, user-agent, operating system, browser, device type, language, and screen resolution.
• Usage data, including pages viewed, referring URL, time spent on pages, clicks, scroll depth, outbound links, and events measured through our analytics provider.
• Performance and error telemetry, including stack traces, error identifiers, page performance metrics, and release identifiers collected by our error-monitoring provider.
• Cookies and similar technologies as described in Section 7.

3.4 Information we collect during an Engagement

When we deliver Services under a signed SOW, we may receive or access personal information about Client personnel and, depending on the scope of the Engagement, about the Client’s own customers, suppliers, or other stakeholders. This may include:

• identifiers and professional details of Client personnel involved in the Engagement (name, title, business email, business phone, reporting line);
• workflow artefacts supplied by the Client, including documents, policies, screenshots, call recordings, meeting notes, transcripts, system exports, configuration files, prompts, logs, and diagnostic outputs;
• credentials, API keys, OAuth tokens, or other access artefacts supplied by the Client for read or write access to Client systems;
• communications between HIP and the Client, including email, chat, calendar invitations, video-conferencing metadata, and shared documents;
• feedback and survey responses provided by Client personnel.

In most Engagements HIPacts as a processor of Client personnel data under the Client’s instructions. Specific processor obligations are set out in the DPA between us and the Client. In the absence of a DPA, the Client must not cause us to process personal data beyond what is strictly necessary to administer the Engagement.

3.5 Information we collect when you access the HIP platform

When a Client, Client user, sales contact, administrator, or operator accesses anyHIP-controlled portal or platform, we collect account-management information (identifier, email, role, authentication status, IP address, session metadata, authentication provider, multifactor status), audit logs of platform actions, content created or uploaded in the platform, and support requests.

3.6 Information collected through payments

Where the Client pays online, payments are processed by Stripe, Inc. (“Stripe”). Card details are collected and processed directly by Stripe, not by us. We receive from Stripe transaction metadata including payer name, email, billing country, transaction identifier, amount, currency, receipt URL, and, where applicable, the last four digits and brand of the card. Stripe is independently a PCI-DSS Level 1 service provider. Stripe’s own privacy practices apply to your payment data.

3.7 Information collected when you sign documents electronically

Where you execute a SOW, engagement letter, DPA, or other document using our electronic-signature provider, the provider collects your name, business email address, IP address, timestamps, and signature audit trail, and makes that data available to us and to you as the signed instrument. The provider acts as our processor for this purpose.

3.8 Information we receive from third parties

We may receive personal information from referral partners who have introduced you to us, from data-enrichment providers used for outbound research, from sanctions- or adverse-media screening services applied before entering into an Engagement, from publicly available sources (including company registries, LinkedIn, and news reporting) where we are evaluating or pursuing a commercial relationship, and from our own clients where a Client instructs us to contact a named individual on its behalf.

4. How we use personal information

We use personal information for the following purposes:

• to operate, maintain, and secure the Website, the Platform, and our internal systems;
• to evaluate applications, respond to contact requests, and decide whether to offer an Engagement;
• to enter into, perform, administer, and invoice Engagements, including to produce Deliverables, to communicate with the Client, and to operate the Platform;
• to provide customer support and respond to questions, requests, and disputes;
• for marketing and business development, including sending information we believe is relevant to your role, organising events, and measuring the effectiveness of our content and campaigns (with consent where required by law);
• for analytics, research, and improvement of our Services, Deliverables, methodologies, and operations, using aggregated or de-identified diagnostic data where appropriate;
• to detect, prevent, and respond to fraud, abuse, spam, security incidents, unauthorised access, and other harmful activity;
• to comply with applicable law, including tax, accounting, anti-money-laundering, sanctions, export-control, and data-protection obligations, and to enforce our Terms of Service, SOWs, and other contracts;
• to establish, exercise, or defend legal claims, and to manage risk, insurance, corporate governance, and professional indemnity.

5. Lawful bases for processing

Under the DIFC Data Protection Law (and, where applicable, the GDPR or UK GDPR), we process personal information on the following lawful bases:

• Performance of a contract. To deliver Services to Clients under a SOW and to administer the contractual relationship.
• Legitimate interests. To respond to inbound applications and contact requests, to operate the Website and Platform safely, to conduct direct business-to-business marketing to professionals at organisations that fit our profile, to carry out analytics and improve our Services, and to protect our rights and business interests. Where we rely on legitimate interests, we conduct a balancing exercise and you may object as described in Section 9.
• Consent. For non-essential cookies and similar technologies where required by applicable law, for marketing communications to individuals where consent is the applicable basis, and for any specific processing for which we request your consent. You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.
• Legal obligation. To comply with tax, accounting, corporate, anti-money-laundering, sanctions, and data-protection obligations.
• Establishment, exercise, or defence of legal claims. Including record-keeping, insurance, and litigation-readiness.

6. Sharing and disclosure

We do not sell personal information, we do not rent personal information, and we do not share personal information for cross-context behavioural advertising. We share personal information only as described below.

6.1 Our service providers and sub-processors

We share personal information with vetted providers that help us operate the Website, the Platform, and our business. Each provider is bound to use the information only for the purposes we authorise. The current primary providers are:

• Supabase, Inc.: database and authentication hosting for the Website, application form, contact form, and Platform data, with row-level-security access controls.
• Vercel Inc.: hosting of the Website, edge network, and serverless compute.
• Railway Corp.: background worker and observability hosting.
• Resend, Inc.: transactional email delivery for application confirmations, contact responses, and Client communications.
• Stripe, Inc.: online payment processing and invoicing.
• Cloudflare, Inc.: bot mitigation (Cloudflare Turnstile), edge security, and content delivery.
• Google LLC: website analytics through Google Analytics 4 (GA4), and, where applicable, workspace tools for internal operations.
• Functional Software, Inc. (d/b/a Sentry): error monitoring and performance telemetry.
• OpenAI, L.L.C., Anthropic PBC, and other AI providers (directly or via an aggregator such as OpenRouter): inference for the AI Systems that power our diagnostic, classification, and drafting workflows. We use enterprise or zero-retention settings where available and instruct these providers not to train on our or our Clients’ content.
• Our electronic-signature provider: execution, storage, and audit-trail for SOWs, DPAs, and other signed documents.
• Supadata: structured data and knowledge-extraction tooling used in selected Engagements.

We may add, replace, or remove providers from time to time. The current authoritative list of sub-processors engaged in any Engagement is maintained with the Client under the applicable DPA. Where a DPA requires notice of changes to sub-processors, we will give that notice.

6.2 Advisors, auditors, and insurers

We may share personal information with our professional advisors (including lawyers, accountants, and tax advisors), auditors, bankers, and insurers, in each case bound by professional duties of confidentiality or by contract.

6.3 Corporate transactions

If we are involved in a merger, acquisition, financing, restructuring, asset sale, or similar corporate transaction, we may disclose personal information to the counterparty and its advisors on a confidential basis as part of due diligence and, on completion, may transfer it to the successor entity, which will be bound to honour this Policy in respect of the transferred information.

6.4 Legal, regulatory, and safety disclosures

We may disclose personal information where we reasonably believe disclosure is required or permitted by law, by a court order, or by a competent regulator, or is necessary to protect the rights, property, or safety of any person, to investigate or prevent fraud or abuse, to enforce our contracts, or to defend legal claims.

6.5 Client-directed disclosures

When acting as a processor on behalf of a Client, we share personal information according to the Client’s documented instructions and the DPA.

7. Cookies and similar technologies

We use the following categories of cookies and similar technologies:

• Strictly necessary. Required to deliver the Website and Services, including security (for example Cloudflare Turnstile tokens) and session state. These cannot be switched off.
• Functional. Remember preferences, for example the referral code (hip_ref) set when you arrive via a partner link.
• Performance and analytics. Used by GA4 and Sentry to help us understand how the Website and Platform are used and to identify performance issues.

Where required by applicable law, we obtain your consent before setting non-essential cookies and similar technologies. You can withdraw or change your cookie choices at any time through our cookie-consent interface or through the privacy controls of your browser or device. Blocking or deleting cookies may affect the functionality of the Website or the Platform.

We do not respond to Do Not Track signals. Where we receive a recognised Global Privacy Control signal from a resident of a jurisdiction that recognises it, we will treat the signal as a valid request to opt out of non-essential analytics and marketing cookies on the device from which it originates.

8. International transfers

HIP is based in the DIFC and relies on providers located in the United States, the European Economic Area, the United Kingdom, Singapore, and other jurisdictions. Your personal information may therefore be transferred to, stored in, or accessed from countries other than the one in which you are resident, including countries whose data-protection laws may differ from those in your home jurisdiction.

Where we transfer personal information out of a jurisdiction that restricts international transfer (including the DIFC, the EEA, the UK, and California), we rely on an appropriate safeguard recognised by that jurisdiction, which may include an adequacy decision, the standard contractual clauses of the destination or origin-jurisdiction regulator, an intra-group transfer framework, or another lawful mechanism. You may request a copy of the specific safeguard relied on for a transfer relevant to you at [email protected].

9. Your rights

Subject to applicable law and to the limitations that law places on each right, you have the following rights in relation to your personal information:

• Access. A copy of the personal information we hold about you.
• Rectification. Correction of inaccurate or incomplete personal information.
• Erasure. Deletion of personal information where we no longer have a lawful basis to hold it.
• Restriction. Restriction of processing in certain circumstances, for example while we verify a rectification request.
• Objection. Objection to processing based on legitimate interests, and objection to direct marketing at any time.
• Portability. A copy of the personal information you provided to us, in a structured, commonly used, machine-readable format, where processing is based on consent or contract and is carried out by automated means.
• Withdrawal of consent. Withdrawal of any consent you have given, without affecting the lawfulness of processing before withdrawal.
• Complaint. The right to lodge a complaint with the DIFC Commissioner of Data Protection, with any other competent supervisory authority (including your national data-protection authority in the EEA or UK), or with an applicable state authority.

To exercise any right, email [email protected] from the email address the personal information is associated with, or otherwise supply sufficient information to allow us to verify your identity. We may ask for additional information to verify your identity before responding. We will respond within the period required by the applicable law (generally one month under the DIFC Data Protection Law and the GDPR, or forty-five days under the CCPA, in each case extendable as permitted).

Where we process personal information on behalf of a Client as a processor, you should address your data-subject request directly to the Client. We will support the Client in responding to your request in accordance with the DPA.

9.1 EEA and UK residents

If you are located in the EEA or the UK, you also have the right to object to automated decision-making that produces legal or similarly significant effects (see Section 11), and, where your personal information is processed in a country outside the EEA or UK, to be informed about the transfer safeguards we rely on (see Section 8). You may lodge a complaint with the data-protection authority in your country of residence, work, or the alleged breach.

9.2 California residents

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with additional rights, including the right to know the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for which we use it, and the categories of third parties with which we share it; the right to delete personal information; the right to correct inaccurate personal information; the right to limit the use and disclosure of sensitive personal information; and the right not to receive discriminatory treatment for exercising these rights. We do not sell or share personal information for cross-context behavioural advertising as those terms are defined under California law. We do not knowingly collect personal information from consumers under sixteen years of age.

10. Retention

We keep personal information for as long as we need it to fulfil the purposes for which it was collected, including to operate the Services, to perform contracts, to comply with legal, tax, accounting, audit, and reporting obligations, to resolve disputes, and to enforce our contracts. Actual retention depends on the nature of the data and the applicable purpose. Our standard baselines are:

• Application submissions. Retained for up to thirty-six (36) months from submission for commercial follow-up, pipeline continuity, and conversion analytics, unless you ask us to delete earlier.
• Contact form submissions. Retained for up to twenty-four (24) months from the last interaction.
• Client records (including SOWs, DPAs, Deliverables, invoices, and engagement correspondence). Retained for the duration of the Engagement and for at least seven (7) years after the end of the Engagement, to meet our corporate, tax, audit, insurance, and professional-indemnity obligations.
• Payment records. Retained for at least seven (7) years after the transaction to meet tax and audit obligations.
• Platform account records and audit logs. Retained for the duration of the account and for up to twenty-four (24) months after closure for security-incident investigation.
• Website analytics and error telemetry. Retained in accordance with the default retention settings of the underlying provider (for GA4, typically fourteen months; for Sentry, typically ninety days for events and up to thirty days for attachments).
• Marketing data. Retained while you remain a subscriber and for up to twenty-four (24) months following your most recent engagement, after which we will either suppress or delete.

Where we are required to keep personal information longer by law, court order, or regulatory request, or where we reasonably need to keep it to establish, exercise, or defend a legal claim, we will retain it for that longer period. We may retain aggregated or de-identified data indefinitely for analytics and research purposes.

11. Automated decision-making and AI processing

We do not make decisions that produce legal or similarly significant effects about you on a solely automated basis. The application-review process is assisted by software, but every admissions, fit, and engagement decision is made by a member of the HIP team.

In delivering our Services we use AI Systems, including large language models operated by third parties, to analyse Client-supplied material, draft Deliverables, and accelerate diagnostic work. When we submit Client Data to an AI provider we select an enterprise, business, or zero-retention service tier where available, and we configure the provider, where it offers that configuration, not to use our or our Clients’ content to train its models. We apply human review to the outputs of AI Systems before they are delivered to the Client. AI outputs are probabilistic and may be inaccurate; our Terms of Service set out the applicable disclaimers and responsibilities.

12. Security

We implement technical, organisational, and administrative measures designed to protect personal information against unauthorised access, alteration, disclosure, and destruction. These measures include transport-layer encryption (TLS) for data in transit, encryption at rest for our primary databases, row-level-security policies on Client and application data, least-privilege access controls, multifactor authentication for administrative access, secrets management, HMAC verification on inbound webhooks, bot mitigation on public forms, observability and alerting on production systems, and periodic review of access. No system can be guaranteed secure. You are responsible for keeping any credentials we issue you confidential and for notifying us promptly if you believe they have been compromised.

13. Children

The Services are directed to business users and professionals. We do not knowingly collect personal information from children under sixteen (16) years of age. If we become aware that we have collected personal information from a child under sixteen, we will take reasonable steps to delete it. If you believe we have collected such information, contact us at [email protected].

14. Third-party sites and links

The Website may link to third-party websites, documents, or services. We are not responsible for the privacy practices of those third parties. You should review their own privacy notices before providing information to them.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, in applicable law, or in the providers we use. The “Last updated” date at the top of this page will reflect the most recent change. Where changes are material we will take additional steps, such as posting a notice on the Website, or notifying users of the Platform or Clients by email.

16. Contact

Questions, complaints, or requests about this Policy or your personal information should be directed to [email protected], or by post to Akii Technologies Ltd, IH-00-01-03-OF-05, Level 3, Innovation One, Dubai International Financial Centre, Dubai, United Arab Emirates. We will route your request to the appropriate person within HIP and respond within the time required by applicable law.