Privacy Policy

Last updated: January 2026

1. Introduction

H2IO ("we", "our", or "us") is committed to protecting the privacy of our customers and users. This Privacy Policy explains how we collect, use, and safeguard information in connection with our infrastructure compliance monitoring services.

2. Data Controller

The data controller for processing activities is triageIO, registered in the European Union. All personnel are exclusively EU member state citizens. For self-hosted deployments, the customer acts as the data controller for their own infrastructure telemetry.

3. Information We Collect

H2IO collects the following categories of information:

• Infrastructure Metadata: System identifiers, software versions, configuration states, and operational metrics necessary for compliance monitoring
• Audit Records: Timestamped logs of administrative actions for regulatory compliance purposes
• Account Information: Business contact details for licensed customers

4. Purpose of Processing

We process data for the following purposes:

• Providing infrastructure compliance monitoring services
• Generating audit reports required by regulatory frameworks (NIS2, DORA, GDPR)
• Maintaining service security and integrity
• Fulfilling contractual obligations to customers

5. Legal Basis

Our processing activities are based on:

• Contract: Processing necessary to fulfill our service agreements
• Legal Obligation: Compliance with applicable regulatory requirements
• Legitimate Interest: Service security and improvement

6. Data Retention

Infrastructure telemetry and audit logs are retained according to customer-configured policies, with a default retention period aligned to regulatory requirements (typically 5-7 years for financial services). Customers may configure shorter retention periods where permitted.

7. Data Security

Telemetry data is protected using appropriate cryptographic measures in transit and at rest. We endeavor to implement technical and organizational measures appropriate to the risk in accordance with Article 32 GDPR, which may include access controls, audit logging, and periodic security reviews. Access to customer data is restricted to authorized personnel who are exclusively EU member state citizens.

8. Data Transfers

Data processing generally occurs within the European Economic Area. In the event that a transfer outside the EEA becomes necessary, such transfer would be conducted in accordance with GDPR Chapter V requirements.

9. Your Rights

Under applicable data protection law, you have rights including access, rectification, erasure, restriction, portability, and objection. To exercise these rights, contact your account representative or our data protection team.

10. Contact

For privacy-related inquiries, please contact us through the standard customer support channels or at the address listed in your service agreement.