Privacy Policy
Last updated: 27 May 2026
This is the plain-language version. Heardley is an indie B2B SaaS run by one person. There is no ad network, no data resale, no behavioral retargeting. The goal of this page is for you to understand exactly what we store, why, and how to get rid of it.
What we collect
Account data
- Email + password hash. Argon2id, salted. We never see the plaintext password.
- Stripe customer ID + subscription state. So we know whether your account is paid. We don't store your card; Stripe does.
- Login timestamps + IP at signup for fraud/abuse review.
Project data you create
- Project descriptions, watched subreddits, keywords, competitor URLs, personas, draft replies, and knowledge-bank links you add.
- Reddit threads we surface to you, with our relevance scores and your reply status (replied, dismissed, flagged).
Encrypted credentials (at rest)
- Your OpenRouter API key if you choose to save it. Encrypted with Fernet (AES-128-CBC + HMAC) before being written to the database. Used only to make LLM calls on your behalf.
- Reddit OAuth credentials if you connect a personal Reddit account. Same encryption.
Why we collect it
- To run the product. Project data is what we score and search against.
- To bill you. Stripe IDs let us tell whether you're paid.
- To send the daily digest. Your email goes through Resend if you've opted into digest emails.
- To catch bugs. Sentry captures errors (stack traces + URL + user id reference); it does not capture form values, passwords, API keys, or message bodies.
Where it's stored
- Database: Neon Postgres, US East region.
- App hosting: Vercel serverless functions, US region.
- Email delivery: Resend (US).
- Payments: Stripe.
- Error monitoring: Sentry.
All three sub-processors above (Resend, Stripe, Sentry) have their own privacy policies and DPAs you can review on their sites.
Who can read it
The operator of Heardley (one person). No employees, no contractors, no investors. We don't sell, rent, or share your project data with anyone. If a law enforcement request ever arrives, we'll require a valid subpoena and notify you unless prohibited.
How long we keep it
- Active accounts: as long as your account exists.
- Cancelled accounts: data is retained for 30 days in case you reactivate, then permanently deleted.
- Hard-deleted accounts (via email request): wiped within 7 days of confirmation.
- Stripe records: retained per Stripe's policy + applicable tax law (usually 7 years).
Your rights
You can:
- Export everything from Settings as CSV/JSON, any time.
- Delete your account by emailing support@heardley.com. We'll confirm and wipe within 7 days.
- Ask what we know about you at the same address; we'll respond within 7 days.
- Object to processing or restrict it (GDPR rights). Same email.
Cookies
Heardley uses one essential cookie (your login session) and one essential localStorage object (your in-progress drafts and UI state). No tracking cookies. Full detail is on the cookies page.
Children
Heardley is for businesses. We don't knowingly collect data from anyone under 16. If you believe we have, email support@heardley.com and we'll delete it.
Changes
If this policy changes materially, we'll email all active users 30 days before the change takes effect. Minor wording fixes get noted via the Last updated date.
Contact
Privacy questions: support@heardley.com
Security disclosure: see security.txt