Privacy Policy

Last updated: April 6, 2026

1. What Heron Is

Heron is an AI agent access auditor developed by Theona, Inc. It interviews AI agents about their system access, data handling, and permissions, then generates compliance-grade audit reports. Heron is available as open-source software (self-hosted) and as a hosted service.

2. Data We Collect

Hosted dashboard users:

  • Google account email and name (via OAuth sign-in)
  • Profile information you provide during onboarding (role, company size)
  • Audit session data: interview transcripts, generated reports, risk assessments

Self-hosted (OSS) users:

  • No data is sent to Heron or Theona. All data stays on your machine.
  • LLM API calls go directly from your machine to your LLM provider (Anthropic, OpenAI, or Google).

3. How We Use Your Data

  • To provide the audit service: running interviews, generating reports, storing session history
  • To authenticate you and associate sessions with your account
  • We do not sell your data or use it to train AI models
  • We do not share audit data with third parties

4. Data Storage

Hosted service data is stored in Supabase (PostgreSQL) with encryption at rest. Authentication is handled by Supabase Auth with Google OAuth. LLM analysis calls are sent to the configured provider (OpenAI or Anthropic) and are subject to that provider's data handling policies.

5. Data Retention

Audit sessions and reports are retained for as long as your account is active. You can request deletion of your data by contacting us.

6. Your Rights

You can access, export, or delete your audit data at any time. For GDPR, CCPA, or other data rights requests, contact us at [email protected].

7. Contact

Heron is operated by Theona, Inc.
For privacy questions: [email protected]