Privacy Policy
Last updated: July 2, 2026 · Effective: July 2, 2026
1. Scope & Roles
Heron is a continuous-transparency layer for AI agents, developed and operated by Theona, Inc., a Delaware corporation, remote-first ("Heron", "we", "us"). Heron connects to a customer's agent platform, evaluates agent actions against policy and session context before they execute, enforces the resulting decisions, and records them as signed receipts. The service is provided at heron.ing and is offered to companies, not consumers.
We act in two distinct roles. For data collected through our websites, demo bookings, accounts, and communications, Theona, Inc. is the data controller. For personal data contained in the records of actions taken by a customer's AI agents (see §3), the customer is the controller and Theona, Inc. acts as a data processor on the customer's instructions.
2. Data We Collect as Controller
- Account data: Google account email, name, avatar (via OAuth sign-in), if you create an account or sign in to the Heron dashboard
- Profile data: role, company, and other onboarding fields you provide
- Demo-booking data: the name, email, and any notes you submit when booking a call with us
- Usage data: page views, feature interactions, timestamps, error logs
- Device & log data: IP address, browser type, OS version
- Cookies & local storage: Supabase auth tokens, UI preferences, analytics identifiers (see §10)
Demo bookings use Google Calendar appointment scheduling, embedded on or linked from our site. The information you enter in the booking flow is submitted to Google and handled under Google's own privacy policy and terms; we receive the resulting booking details.
3. Customer Agent Action Records (Processor Role)
When a customer connects Heron to its agent platform, Heron receives and processes records of the actions the customer's agents attempt: action parameters, accumulated session context (such as the originating request and action history), the policy decision, and the resulting receipt. Receipts are cryptographically signed and the session context log is hash-chained, so records are designed to be tamper-evident.
These records may contain personal data that the customer's agents handle in the course of their work. For that data, the customer is the data controller and we process it only to provide the service and on the customer's instructions. If your personal data has been processed by a Heron customer's agents, please direct requests to that customer; we will assist the customer in responding as required by our agreement with them and by applicable law.
4. How We Use Data
- Provide the service: evaluate intercepted agent actions against policy and session context, enforce decisions, write receipts, and maintain the customer's evidence record
- Authenticate you and associate platform connections and records with the right customer account
- Schedule and hold demo calls you book with us
- Improve features, evaluation quality, and reliability (using aggregated, non-identifying signals)
- Communicate product updates, security alerts, and account notices
- Protect platform integrity and prevent abuse
- Comply with legal obligations
We do not sell personal data. We do not use customer agent action records to train AI models. We do not share customer records with third parties except the sub-processors listed in §6.
5. Legal Bases for Processing (GDPR Art. 6)
Where we act as controller for users in the EEA, UK, or Switzerland, we rely on the following legal bases:
- Contract performance (Art. 6(1)(b)): account creation, operating the platform connection, action evaluation and enforcement, receipt generation, payment processing
- Legitimate interests (Art. 6(1)(f)): service improvement, security, fraud prevention, aggregate analytics
- Consent (Art. 6(1)(a)): non-essential cookies, marketing communications — withdrawable at any time
- Legal obligation (Art. 6(1)(c)): tax records, lawful requests, breach notification
Where we act as processor for personal data inside customer agent action records, the customer is responsible for establishing its own legal basis for that processing.
6. Sub-processors
We engage the following sub-processors to deliver the hosted service. Each is bound by a data-processing agreement and processes data only on our instructions.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication | US |
| Railway | Application hosting | US |
| OpenAI | LLM-assisted action evaluation (zero-retention API) | US |
| Anthropic | LLM-assisted action evaluation (Claude) | US |
| Google (Gemini, OAuth, Calendar) | LLM-assisted action evaluation, sign-in, demo booking | US |
| PostHog | Product analytics | US |
We will notify customers of material changes to this list. Customers may request a detailed sub-processor disclosure as part of their DPA via [email protected].
7. International Data Transfers
Theona, Inc. is headquartered in the United States and most sub-processors operate in the US. Where we transfer personal data of EEA, UK, or Swiss users outside their jurisdiction, we rely on (a) European Commission adequacy decisions where available, or (b) Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical measures (encryption in transit and at rest) and contractual safeguards. A copy of the SCCs we use is available on request via [email protected].
8. Data Retention
- Account data: retained while your account is active, deleted within 30 days after account deletion
- Customer agent action records & receipts: retained for the duration of the customer agreement; export available before deletion; deleted within 30 days after termination unless retention is required by law or agreed otherwise with the customer
- LLM prompt/response logs: not retained beyond what is needed to provide the service; we use zero-retention endpoints where available
- Demo-booking data: retained as calendar and correspondence records for as long as needed for the business relationship
- Analytics: aggregated after 13 months; raw event logs retained no longer than necessary
- Backups: encrypted backups may persist for up to 30 days after deletion before being overwritten
- Legal/tax records: retained for the period required by applicable law
9. Your Rights
Subject to applicable law, you may exercise the following rights over personal data for which we are the controller:
- Access: obtain a copy of personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion ("right to be forgotten")
- Restriction: limit how we process your data in defined cases
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests or for direct marketing
- Withdraw consent: at any time where processing is based on consent
- Lodge a complaint: with your local data-protection authority (in the EU, your national DPA; in the UK, the ICO)
Submit requests to [email protected]. We respond within 30 days (45 days for CCPA requests). For personal data contained in a customer's agent action records, we act as processor: direct your request to the relevant customer, and we will assist them in responding.
10. Cookies & Tracking
- Essential cookies: Supabase auth tokens, session state — required for the service to function, cannot be disabled
- Analytics cookies: PostHog (1 year) — set only after you accept them via the cookie banner; without them analytics runs in cookieless mode with nothing stored on your device
- Local storage: JWT, theme, UI preferences — stored on your device
Analytics runs in cookieless mode by default: usage events are collected without storing anything on your device. Accepting analytics cookies via the banner additionally sets PostHog cookies (1 year) so we can recognize repeat visits; declining keeps analytics cookieless. Your banner choice is stored for 1 year, and you can change it at any time: . You can also contact [email protected] with any questions about cookies.
11. Children's Privacy
Heron is a business service, is not directed to children under 16, and we do not knowingly collect personal data from minors. If you believe a minor has provided data to Heron, contact [email protected] and we will delete it.
12. Data Storage, Security & Breach Notification
Hosted-service data is stored in Supabase (PostgreSQL) with AES-256 encryption at rest and TLS encryption in transit. Authentication is handled by Supabase Auth with Google OAuth. Application services are hosted on Railway. Access is restricted by role-based controls and audit logs, and customer records are logically separated per tenant. We perform regular code review and dependency scanning.
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, notify affected customers and users without undue delay where required by GDPR Art. 33–34 or other applicable law, and assist customers with their own notification obligations for data we process on their behalf.
13. California Privacy Rights (CCPA/CPRA)
California residents have the right to know what personal information is collected, request deletion, correct inaccurate information, opt out of sale or sharing (we do not sell or share personal information for cross-context behavioral advertising), limit use of sensitive personal information, and not be discriminated against for exercising these rights. Submit requests to [email protected]. We respond within 45 days.
14. Changes to This Policy
We may update this Policy to reflect changes in practice or law. Material changes will be notified at least 30 days in advance via email or a prominent in-product notice. Compliance-mandated changes may be applied sooner.
15. Contact
Theona, Inc. (Delaware, USA — remote-first)
Privacy: [email protected]
Legal & DPA requests: [email protected]
General: [email protected]