Skip to main content
Hone stores conversations so it can surface signal from them, which means the text you send may contain real user data. Hone does not scrub that content for you. Redaction and pseudonymization happen in your application, before anything is sent. This page describes the practices that keep that data safe.
Hone does not remove personal or sensitive data at ingestion. Whatever you send is what gets stored. Treat every field as if it will be retained, and clean it on your side first.

Use pseudonymous user ids

A user_id should be an opaque handle, not a piece of personal information. Map your real users to stable random identifiers and send only the handle.
An opaque id still lets you group a user’s conversations and follow a thread across turns. It just does not hand Hone an email or a name to store.

Allowlist your metadata

Metadata and user traits are useful as filter and chart dimensions, but they are also an easy place for sensitive fields to leak in by accident. Decide explicitly which keys you send, and drop everything else.
Register the keys you intend to send under Settings → Metadata Keys so they become selectable dimensions, and keep that list as the single definition of what is allowed to flow.

Redact before you send

The input and output you capture are free text and often the highest-risk fields. Run them through a scrubber that masks the categories of data you know appear in your product, such as email addresses, phone numbers, and payment details.
A regex scrubber is a floor, not a ceiling. Tune the categories to your domain, and pair it with any structured redaction you already run elsewhere.

What not to send

Do not send secrets or regulated data through Hone without an appropriate agreement in place. That includes:
  • API keys, passwords, and access tokens.
  • Regulated categories such as health records, full payment card data, or government-issued identifiers.
  • Documents that carry someone else’s personal data, such as resumes.

Transport

All traffic to Hone travels over HTTPS. Combined with pseudonymous ids, allowlisted metadata, and redacted text, that keeps the data both encrypted in transit and stripped of what it never needed to contain.