Skip to content
Hikari Blue
  • What we build
  • How we operate
  • Work
  • Compare
  • Trust
  1. Home
  2. Privacy policy

Legal · Privacy policy

What we collect, what we do with it, what you can request.

No surprises, no dark patterns. GDPR, CCPA and EU-US DPF posture documented end-to-end. For the DPA template, sub-processors list and data residency matrix, see the Trust Center.

Effective · May 12, 2026 · Controller · UNITED4 LLC (Hikari Blue) · Contact · direct email

1. Data controller

The data controller for the personal information collected on this Site is UNITED4 LLC, operating under the Hikari Blue brand, with registered office at 14205 N Mopac Expy, Suite 570, Austin, TX 78728, United States of America.

For matters concerning EU residents, an EU representative under Article 27 of the GDPR will be designated before any active commercial outreach in the European Union. Until then, EU residents may contact us directly at the email below.

Contact for any privacy matter: direct email

2. Scope of this policy

This Privacy Policy applies to personal information collected through hikariblue.com and related sub-domains operated by Hikari Blue. It does not apply to data processed under the terms of a signed engagement letter, which is governed by a separate Data Processing Agreement (DPA) available on request.

3. Categories of personal information we collect

Category Examples Source Retention
Visit data IP address, timestamp, page accessed, HTTP user-agent, referrer Automatically collected (server logs) 30 days
Inbound contact Name, work email, company, role, message content, engagement context Provided by you via contact, partners, or careers form 3 years (or duration of engagement + 6 years)
Local preferences Theme (light/dark/auto), language preference (site served in US English) Your browser only (localStorage) Until you clear browser data
Ask Hikari conversation Question text, hashed IP, language, page context, model used, token count Provided by you via Ask Hikari (⌘K) 90 days (audit log)
Audience measurement Page path, event name, referrer domain, campaign parameters, country, device class, daily-rotating anonymous key (no raw IP is ever stored) First-party script on our own origin, cookieless 25 months maximum (aggregates)

What we do not collect. We do not deploy third-party analytics, tracking pixels, advertising scripts, behavioral profiling, session recording, fingerprinting tools, or social-media share trackers on this Site. We do not knowingly collect sensitive personal information (racial or ethnic origin, religious beliefs, health data, sexual orientation, biometric data, or precise geolocation).

How audience measurement stays anonymous. Our measurement runs on our own origin only and sets no cookie. Server-side, the IP address is replaced by a hash salted with a key that rotates every 24 hours, so visits cannot be joined across days or across sites. No name, email, message content, or form value is ever attached to a measurement event, and the Do Not Track and Global Privacy Control signals stop collection entirely. The full mechanics, including the opt-out, are documented in our Cookie Statement.

4. Purposes & legal basis

  • Operating and securing the Site: visit logs. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
  • Responding to inbound inquiries and pre-contract communication: contact data. Legal basis: performance of pre-contract measures (GDPR Art. 6(1)(b)).
  • Honoring user preferences across visits: localStorage. Strictly necessary functional storage; no consent required under ePrivacy Directive.
  • Improving the quality of Ask Hikari responses: audit log. Legal basis: legitimate interest (GDPR Art. 6(1)(f)), rate-limiting and incident diagnostics.
  • Measuring how the Site is used: anonymized, cookieless, first-party audience measurement. Legal basis: legitimate interest (GDPR Art. 6(1)(f)); designed to meet the CNIL audience-measurement exemption, with Do Not Track, Global Privacy Control, and on-site opt-out honored.
  • Complying with legal obligations: record-keeping for tax, accounting, and regulatory purposes. Legal basis: legal obligation (GDPR Art. 6(1)(c)).

5. Sub-processors

We rely on a limited set of vetted sub-processors to operate the Site. Sub-processors do not have independent rights to your data; they process strictly on our instructions under appropriate contractual safeguards (Data Processing Addenda, Standard Contractual Clauses, EU-US Data Privacy Framework where applicable).

  • Netlify, Inc. Site hosting, build and edge delivery. Data residency: United States (primary), with global CDN edge. Sub-processor DPA in place.
  • Anthropic PBC. Ask Hikari live model inference (Claude). Data residency: United States. Zero-training commitment under Anthropic Enterprise terms.
  • Make.com (Celonis). Form submission routing to internal CRM (Notion). Data residency: European Union.
  • Notion Labs, Inc. Internal CRM for inbound inquiries. Data residency: United States.
  • Email infrastructure. Currently operated through Google Workspace (United States). Sub-processor DPA in place.

The current full sub-processor list, with effective dates and contractual scope, is available on request to direct email and is published in the Trust Center. Material changes to the sub-processor list are notified by email to active engagement clients no less than thirty (30) days in advance.

6. International data transfers

Personal information may be transferred to and processed in the United States and the European Union. For transfers from the EU/EEA, the United Kingdom, or Switzerland to the United States, we rely on one or more of the following safeguards:

  • The EU-US Data Privacy Framework (DPF), where the recipient sub-processor is certified;
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
  • UK International Data Transfer Agreement and Swiss-US DPF where applicable.

UNITED4 LLC's own DPF self-certification is in progress and not yet effective on the US Department of Commerce registry.

7. Your rights. EU / UK residents (GDPR / UK GDPR).

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal information:

  • Right of access (Art. 15): confirm whether we process your data and obtain a copy.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): "right to be forgotten", subject to legal retention exceptions.
  • Right to restriction (Art. 18): pause processing in defined circumstances.
  • Right to portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21), including objection to processing based on legitimate interest.
  • Right not to be subject to automated decision-making (Art. 22), including profiling that produces legal effects. We do not use such automated decision-making.
  • Right to withdraw consent (Art. 7(3)), where processing relies on consent.
  • Right to lodge a complaint with your national supervisory authority.

To exercise any right: direct email. We respond within thirty (30) days. If the request is complex, we may extend by sixty (60) additional days with notice.

8. Your rights. Texas residents (TDPSA).

Effective July 1, 2024, the Texas Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code Chapter 541) grants Texas residents the following rights:

  • Right to confirm processing and access personal data;
  • Right to correct inaccurate personal data;
  • Right to delete personal data;
  • Right to portability in a portable, readily usable format;
  • Right to opt out of (a) targeted advertising, (b) sale of personal data, (c) profiling that produces legal or similarly significant effects.

Hikari Blue does not sell personal data, does not engage in targeted advertising, and does not perform profiling that produces legal or similarly significant effects. To exercise other rights or request appeal of a denied request: direct email. We respond within forty-five (45) days, with one possible 45-day extension if reasonably necessary.

9. Your rights. California residents (CCPA / CPRA).

California residents have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect, use, disclose, or sell.
  • Right to delete personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of personal information (we do neither).
  • Right to limit use and disclosure of sensitive personal information (we do not collect sensitive personal information as defined in the CCPA).
  • Right to non-discrimination for exercising privacy rights.

To exercise any right: direct email. We respond within forty-five (45) days. You may also contact the California Privacy Protection Agency.

10. Children's privacy (COPPA)

The Site is not directed to children under thirteen (13). We do not knowingly collect personal information from children under thirteen, consistent with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506). If you become aware that a child has provided personal information to us, please contact direct email and we will promptly delete the information.

11. Security

We apply technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. These include:

  • TLS 1.3 in transit across all sub-domains;
  • Encryption at rest for stored personal data;
  • Least-privilege access controls and quarterly access review;
  • Multi-factor authentication on all operator accounts;
  • Audit logging of administrative actions;
  • Documented incident response procedure (see Trust Center).

No system is fully secure. In the event of a personal data breach affecting your data, we will notify you and the competent supervisory authority within the timeframes required by applicable law (GDPR: 72 hours to the supervisory authority).

12. Cookies & local storage

This Site does not set tracking cookies. We use only strictly necessary local storage for theme and language preferences. See the dedicated Cookies & Local Storage statement for full detail.

13. Updates to this policy

This Privacy Policy is reviewed quarterly. Material changes (new categories of personal data, new sub-processors, new purposes) will be flagged at the top of this page on their effective date. Minor edits (clarifications, wording) are made without notice.

14. Contact

For any question or to exercise a right under this Privacy Policy:

  • Email: direct email
  • Postal mail: UNITED4 LLC, Attn: Privacy, 14205 N Mopac Expy, Suite 570, Austin, TX 78728, USA
  • For US residents: file a complaint with the Texas Attorney General (TDPSA) or California Privacy Protection Agency (CCPA).
  • For EU/UK residents: lodge a complaint with your national or regional supervisory authority.

Related

For the DPA template, sub-processors list and data residency matrix.

Open the Trust Center→ · Terms of use→ · Cookies & local storage→

Intelligence, engineered forward.

Est. 2016 · A Texas trademark since 2025

Bring the real problem. We will tell you if it is worth building, governing or stopping.

  • 01Map an operating problem→
  • 02Request trust documentation→
  • 03Become a strategic partner→

Follow-the-sun delivery · operators on call

  • Austin --:-- ·
  • Paris --:-- ·
  • Tokyo --:-- ·

Twenty-four hours, three continents, one operating standard. When one team signs off, the next is already on the brief.

Operating promise

  1. We build systems your business depends on.
  2. We sign engagements with our names. Not logos, not juniors.
  3. We retire on a defined timeline. Ownership transfers from day one.
  4. We treat run as the longest phase, not the leftover one.

Build

  • AI-Enabled Operations
  • Custom Software Platforms
  • Legacy Modernization
  • Digital Transformation
  • Run & Cost Optimization
  • Engineering & reference architecture
  • View the capability map

Operate

  • Operating System
  • Hikari Blue Ops
  • Training

Sectors

  • Financial Services
  • Luxury
  • Healthcare
  • Energy
  • Cross-border programs

Trust

  • Trust Center
  • Compliance roadmap (NDA)
  • Sub-processors
  • DPA & data processing
  • Audit trail

Company

  • About
  • Leadership
  • Work
  • Newsroom
  • Careers
  • When to choose us
  • Strategic Partners
  • Official Merch · By relationship only
Tech'Xas
Theme

14205 N Mopac Expy, Suite 570, Austin, TX 78728. United States and Europe delivery.

HIKARI BLUE is a trademark of UNITED4 LLC. © 2026 · Built by operators. Maintained by operators.

Terms of use · Privacy · Cookies · Sitemap

Field signal

Briefings from the field. No newsletter, no drip.

Operator-written. Posted when defensible.