Privacy Policy
Last updated: February 2026
1. Information We Collect
When you use Heartbeat AI, we collect:
- Account information: Name, email address, and company name provided during signup via Google Sign-In.
- Documents: Files you upload for AI-powered search and analysis. These are processed to generate vector embeddings.
- Usage data: Queries, chat history, form submissions, and feature usage to provide and improve the service.
- Payment information: Processed securely by Stripe. We do not store credit card numbers.
2. How We Use Your Information
- Provide AI-powered document search and retrieval (RAG) services
- Process and store vector embeddings of your documents
- Manage your account, subscription, and billing
- Send transactional emails (welcome, receipts, notifications)
- Monitor system health and prevent abuse
3. Data Isolation
Heartbeat AI is a multi-tenant platform with strict data isolation. Each company's documents, embeddings, chat history, and form data are completely separated. No data is shared between companies.
4. Third-Party Services
We use the following sub-processors:
- Google Cloud Platform: Infrastructure hosting (Cloud Run, Cloud SQL)
- Stripe: Payment processing
- AI providers (as configured by you): OpenAI, Google Gemini, Anthropic, or self-hosted Ollama for language model and embedding inference. Your API keys are stored server-side and never exposed to browsers.
5. Data Retention
- Account data is retained while your account is active
- Documents and embeddings are retained until you delete them
- Usage logs are retained for up to 12 months
- Email logs are retained for up to 90 days
- Session data expires after 8 hours and is automatically purged
6. Your Rights
You have the right to:
- Access: Export all your personal data via Settings or the data export feature
- Rectification: Update your name and email through your account settings
- Deletion: Request deletion of your account and all associated data by contacting your company admin or our support team
- Portability: Download your data in machine-readable JSON format
7. Security
- All data is transmitted over HTTPS with TLS encryption
- Authentication via Google OAuth 2.0 (no passwords stored)
- Database encrypted at rest (Google Cloud SQL)
- Rate limiting on all public endpoints
- Session tokens use cryptographically secure random generation
8. Cookies
Heartbeat AI uses minimal cookies:
- Session token: Stored in browser localStorage (not cookies) for authentication
- Google Sign-In: Google's authentication cookies as required by their OAuth flow
We do not use tracking cookies, advertising cookies, or analytics cookies.
9. Contact
For privacy-related questions or data requests, use the contact form on our homepage or email the platform administrator.
10. Changes
We may update this policy from time to time. Material changes will be communicated via the platform or email.
11. Data Processing on Behalf of Customers
Heartbeat AI processes data on behalf of its customers ("Data Controllers"). This includes documents, form submissions, chat history, and any other data uploaded by the customer's users. This data is:
- Processed only according to the customer's instructions and our contractual obligations
- Never used for advertising, model training, or shared across tenants
- Subject to the terms of our Data Processing Agreement (DPA)
- Deleted or returned upon account termination at the customer's request
For full details on our security practices, compliance frameworks, and legal agreements, visit our Trust Center.