Last updated: February 25, 2026

TL;DR
  • We don't use cookies
  • We don't track individual users
  • We don't store your API request content
  • We collect only what's needed for rate limiting
  • We use Cloudflare Analytics (privacy-first, no cookies)

1. Introduction

HUMMBL ("we", "us", "our") operates the hummbl.io website and the HUMMBL Base120 API. This Privacy Policy explains what data we collect, how we use it, and your rights.

2. Data We Collect

2a. API Usage Data (Automatic)

When you make API requests, we automatically collect:

  • IP address (used for rate limiting; stored in memory only, not persisted)
  • Request timestamp (for rate limit window calculation)
  • Request path and method (for routing; not logged)

We do NOT store the content of your API requests (your problem descriptions, etc.). Request bodies are processed in-memory and discarded.

2b. Website Analytics (Cloudflare Web Analytics)

Our website uses Cloudflare Web Analytics, which:

  • Does NOT use cookies
  • Does NOT track individual users
  • Does NOT collect personal information
  • Collects only aggregate page view data (page URL, referrer, country, browser type)
  • Is privacy-first by design (no cross-site tracking)

More info: cloudflare.com/web-analytics

2c. Data You Provide Voluntarily

If you contact us via our scheduling link (cal.com), that interaction is governed by Cal.com's privacy policy. We do not collect email addresses or personal information through hummbl.io.

3. Data We Do NOT Collect

  • No cookies (zero cookies, ever)
  • No personal identification information
  • No email addresses (unless you voluntarily contact us)
  • No tracking pixels or third-party trackers
  • No cross-site tracking
  • No fingerprinting
  • No advertising IDs

4. How We Use Data

  • IP addresses: Rate limiting only (100 req/min per IP). Stored in Cloudflare Workers memory during the rate limit window (~60 seconds), then discarded.
  • Analytics: Understanding aggregate traffic patterns (which pages are popular, geographic distribution). No individual user tracking.

5. Data Storage & Security

  • API: Runs on Cloudflare Workers (edge computing). No persistent database stores user data.
  • Website: Hosted on Cloudflare Pages. Static files only.
  • Rate limit data: In-memory on Cloudflare Workers. Automatically evicted after the rate limit window.
  • No data is transferred to third parties (except Cloudflare as our infrastructure provider).

6. Security Pipeline

Our API includes a 5-layer security pipeline that processes inputs in real-time:

  • Prompt injection detection
  • PII detection and redaction
  • Input sanitization

If PII is detected in your input, it is flagged in the response but NOT stored or logged.

7. Third-Party Services

Service Purpose Privacy Policy
Cloudflare Workers API hosting cloudflare.com/privacypolicy
Cloudflare Pages Website hosting cloudflare.com/privacypolicy
Cloudflare Web Analytics Aggregate analytics cloudflare.com/web-analytics
Cal.com Meeting scheduling (optional) cal.com/privacy

8. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect data from children.

9. Your Rights

Since we collect minimal data and don't identify individual users, there is limited personal data to access, correct, or delete. If you have concerns, contact us.

For EU/UK users (GDPR): Our lawful basis for processing IP addresses is legitimate interest (rate limiting to prevent abuse). No consent is required as no personal data is stored persistently.

For California users (CCPA): We do not sell personal information. We do not share personal information for targeted advertising.

10. Changes to This Policy

We may update this Privacy Policy. Changes will be reflected in the "Last updated" date. Material changes will be noted in our changelog.

11. Contact

For privacy questions, contact us at cal.com/hummbl/30min.