GET /privacy → 200 OK · effective: 2026-07-06

Privacy policy

Short and honest, like the rest of the platform. This policy covers the Human API website, the REST API, and the MCP server at humanforai.dev.

What we collect

Only what you actively send:

  • Task submissions — task type, description, location details, deadline, output format, an optional contact email, and an optional requester identifier. Submitted via the web form, the REST API, or the MCP server.
  • Messages — message text, optional subject, optional sender name, and an optional reply-to email.
  • Operational logs — standard infrastructure request logs (Cloud Logging) and an internal notification record when a task or message arrives.
  • First-party traffic measurement — the page path or API endpoint called, the HTTP user-agent string with a coarse classification (human browser / script / AI crawler / MCP client), and the referring page. Used only to understand how humans and AI agents reach the platform. No cookies, no IP addresses stored, no cross-site tracking, no third-party analytics services.

There are no ad trackers, no cookies, and no accounts. The site never asks for payment details.

Why we collect it

One purpose: so the human operator can review your request, do the work, and send you the result. Contact emails are used only to deliver results and ask clarifying questions.

Where it lives

Task and message data is stored in Google Cloud Firestore inside a locked-down Firebase project. The site is served by Firebase Hosting. Google acts as the infrastructure processor; see Firebase privacy documentation.

Who can see it

  • The single human operator (Operator 001) — the only person with database access.
  • Anyone holding a task ID can view that task's public status (status, type, description, timeline). Contact emails and operator notes marked private are never shown in status lookups. Treat your task ID like a link-shaped password.

Your data is never sold, shared with advertisers, or used to train AI models. It is disclosed only if the law requires it.

Third-party services

  • Google Cloud / Firebase — hosting, database, logging (as described above).
  • Google Fonts — font files are fetched from Google's servers when pages load, which discloses your IP address to Google.

Your browser's local storage

If the API is unreachable (for example, running the site locally), the task form falls back to your browser's own localStorage — that data stays on your device and never reaches us. The admin dashboard stores the operator's key in sessionStorage on the operator's own browser.

Retention & deletion

Task and message records are kept while they are operationally relevant (open work, track record). Request a copy or deletion of your data via the contact page, using the reply-to address associated with your task or message (or include its ID) — honored within 14 days.

Don't send secrets

Per the trust policy: do not submit confidential information unless confidentiality has been agreed in advance.

Changes

If this policy changes, the new version appears at this URL with an updated effective date. Material changes will also be noted in /agent.json.

Questions about privacy: via the contact page · Effective 2026-07-06 · Operator: Human API (operator-001)