Privacy Policy

Last updated: April 25, 2026 · Effective: April 25, 2026

1. Scope & Controller

Heron is an AI agent access auditor developed and operated by Theona, Inc., a remote-first Delaware corporation ("Heron", "we", "us"). Theona, Inc. is the data controller for personal data processed through the hosted Heron service.

This Policy applies when you create a Heron account, run audit sessions, interact with LLM-powered analysis, visit our websites, or communicate with us. Heron is available as open-source software (self-hosted, MIT-licensed) and as a hosted service at heron-audit.com — the hosted-service terms below apply only to the hosted offering.

2. Data We Collect

Hosted dashboard users:

  • Account data: Google account email, name, avatar (via OAuth sign-in)
  • Profile data: role, company size, and other onboarding fields you provide
  • Audit content: interview transcripts, generated reports, risk assessments, session metadata
  • Usage data: feature interactions, timestamps, queries, error logs
  • Device & log data: IP address, browser type, OS version
  • Cookies & local storage: Supabase auth tokens, UI preferences, analytics identifiers (see §10)

Self-hosted (OSS) users:

  • No data is sent to Theona. All data stays on your machine.
  • LLM API calls go directly from your machine to your configured provider (Anthropic, OpenAI, or Google) and are governed by that provider's own terms and privacy policy.

3. How We Use Your Data

  • Provide the audit service: run interviews, generate reports, store session history
  • Authenticate you and associate sessions with your account
  • Improve features, prompts, and safety systems (using aggregated, non-identifying signals)
  • Communicate product updates, security alerts, and account notices
  • Protect platform integrity and prevent abuse
  • Comply with legal obligations

We do not sell your personal data. We do not use audit content to train AI models. We do not share audit data with third parties except the sub-processors listed in §6.

4. Legal Bases for Processing (GDPR Art. 6)

For users in the EEA, UK, or Switzerland, we rely on the following legal bases:

  • Contract performance (Art. 6(1)(b)): account creation, audit-session execution, report generation, payment processing
  • Legitimate interests (Art. 6(1)(f)): service improvement, security, fraud prevention, aggregate analytics
  • Consent (Art. 6(1)(a)): non-essential cookies, marketing communications — withdrawable at any time
  • Legal obligation (Art. 6(1)(c)): tax records, lawful requests, breach notification

5. Data Storage & Security

Hosted-service data is stored in Supabase (PostgreSQL) with AES-256 encryption at rest and TLS encryption in transit. Authentication is handled by Supabase Auth with Google OAuth. Application services are hosted on Railway. Access is restricted by role-based controls and recorded in audit logs. We perform regular code review and dependency scanning.

6. Sub-processors

We engage the following sub-processors to deliver the hosted service. Each is bound by a data-processing agreement and processes data only on our instructions.

Sub-processor            Purpose                                          Region
Supabase                 Database, authentication                         US
Railway                  Application hosting                              US
OpenAI                   LLM analysis (zero-retention API where available) US
Anthropic                LLM analysis (Claude)                            US
Google (Gemini, OAuth)   LLM analysis, sign-in                            US
PostHog                  Product analytics                                US

We will notify customers of material changes to this list. Enterprise customers may request a detailed sub-processor disclosure as part of their DPA via [email protected].

7. International Data Transfers

Theona, Inc. is headquartered in the United States and most sub-processors operate in the US. Where we transfer personal data of EEA, UK, or Swiss users outside their jurisdiction, we rely on (a) European Commission adequacy decisions where available, or (b) Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical measures (encryption in transit and at rest) and contractual safeguards. A copy of the SCCs we use is available on request via [email protected].

8. Data Retention

  • Account data: retained while your account is active, deleted within 30 days after account deletion
  • Audit sessions & reports: retained while your account is active; export available before deletion; deleted within 30 days after account deletion or on request
  • LLM prompt/response logs: not retained beyond what is needed to display session history; OpenAI calls use zero-retention endpoints where available
  • Analytics: aggregated after 13 months; raw event logs retained no longer than necessary
  • Backups: encrypted backups may persist for up to 30 days after deletion before being overwritten
  • Legal/tax records: retained for the period required by applicable law

9. Your Rights

Subject to applicable law, you may exercise the following rights:

  • Access: obtain a copy of personal data we hold about you
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request deletion ("right to be forgotten")
  • Restriction: limit how we process your data in defined cases
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: at any time where processing is based on consent
  • Lodge a complaint: with your local data-protection authority (in the EU, your national DPA; in the UK, the ICO)

Submit requests to [email protected]. We respond within 30 days (45 days for CCPA requests).

10. Cookies & Tracking

  • Essential cookies: Supabase auth tokens, session state — required for the service to function, cannot be disabled
  • Analytics cookies: PostHog (1 year) — used for product analytics; can be opted out
  • Local storage: JWT, theme, UI preferences — stored on your device

You can manage non-essential cookies via your browser settings or our cookie consent banner.

11. Children's Privacy

Heron is not directed to children under 16 and we do not knowingly collect personal data from minors. If you believe a minor has provided data to Heron, contact [email protected] and we will delete it.

12. Data Breach Notification

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay (GDPR Art. 34), or as otherwise required by applicable law.

13. California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information is collected, request deletion, correct inaccurate information, opt out of sale or sharing (we do not sell or share personal information for cross-context behavioral advertising), limit use of sensitive personal information, and not be discriminated against for exercising these rights. Submit requests to [email protected]. We respond within 45 days.

14. Changes to This Policy

We may update this Policy to reflect changes in practice or law. Material changes will be notified at least 30 days in advance via email or a prominent in-product notice. Compliance-mandated changes may be applied sooner.

15. Contact

Theona, Inc. (Delaware, USA — remote-first)
Privacy: [email protected]
Legal & DPA requests: [email protected]
General: [email protected]