Privacy Policy

HeartStack AI (“HeartStack,” “we,” “our,” or “us”) is a product of Heart Engineer LLC. We provide an AI-powered content creation platform that helps professionals create authentic personal brand content for LinkedIn and other platforms.

This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our website (heartstack.ai), our web application, and related services (collectively, the “Service”).

By using HeartStack, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

We use the information we collect to:

• Provide the Service: process your content captures, generate AI-powered drafts, score content quality, deliver personalized content recommendations, and surface previously extracted insights into your vault on a periodic basis.
• Build and refine your voice profile: analyze the voice samples you provide and the edits you make to drafts to generate a “voice fingerprint” (a structured profile of your tone, sentence style, hooks, vocabulary, and patterns to avoid) and to learn from your corrections over time so future drafts sound more like you.
• Generate prompts and questions: use your identity data, vault contents, and recent activity to generate daily writing prompts and targeted questions (from our Mika agent) that help fill gaps in your captured content.
• Generate strategy briefs: periodically analyze your vault, drafts, and analytics (where connected) to produce a written strategy brief from our Sage agent recommending what to post, when, and why.
• Improve content recommendations: analyze your published-post performance (where connected) to help our AI agents learn what resonates with your specific audience and refine future suggestions accordingly.
• Personalize your experience: use your identity data (pillars, audience, voice preferences) to ensure AI-generated content sounds like you, not generic AI output.
• Generate analytics: provide you with dashboards showing post performance, audience engagement trends, and content strategy insights.
• Maintain and improve the Service: monitor performance, fix bugs, and develop new features.
• Understand product usage: with your consent, collect anonymized analytics to understand which features are used, how users navigate the platform, and where we can improve. We never track the content of your captures, drafts, or published posts for this purpose.
• Communicate with you: send transactional emails (password resets, account confirmations, billing notifications, credit-related notifications, and onboarding nudges) and, with your consent, product updates and weekly digests. You can opt out of non-transactional emails at any time from your settings.
• Account credits and billing: track your AI credit usage across trial, paid, beta, and free-window periods, and reconcile estimated versus actual processing cost for bulk operations such as Second Brain uploads.
• Ensure security: detect and prevent fraud, abuse, and unauthorized access, including by enforcing rate limits and inspecting webhook payloads from third-party providers.
• Monitor errors: use error tracking to identify and fix bugs. Error reports may include technical context about the request that triggered the error but are configured to exclude personal content and sensitive data.

We do not use your information for advertising. We do not sell your data. We do not use your content to train AI models outside of providing the Service to you.

HeartStack uses artificial intelligence to process your content captures and generate recommendations. Here is how AI interacts with your data:

• Content extraction: when you submit a voice memo, text note, document, image, audio file, or URL, our AI analyzes it to extract core insights. For larger source documents we use a multi-pass pipeline: a fast first pass identifies the relevant sections of the source, and a second pass extracts insights and verbatim supporting quotes from those sections. This processing uses Anthropic's Claude API.
• Image and document understanding: images you upload (through the main app, Second Brain, or WhatsApp) and scanned PDFs are analyzed using a vision-capable AI model to generate a textual description and to extract any insights they contain.
• URL fetching and parsing: when you submit a URL, our servers fetch the publicly accessible contents of that URL and pass them to our AI for extraction. We do not attempt to access content behind authentication, paywalls, or other access controls.
• Draft generation: our AI generates post drafts based on your captured insights and identity profile. The AI uses your voice preferences and past content to match your authentic style. Drafts can target multiple platforms (currently LinkedIn, with X and Substack support planned).
• Quality scoring and slop detection: our AI evaluates draft quality across multiple dimensions (voice match, audience fit, authenticity, conviction, clarity) and provides improvement suggestions. We also run deterministic, pattern-based checks to flag generic AI “slop” phrasing in drafts.
• Strategic recommendations: our AI analyzes your content vault and performance data to recommend what to post and when, and to generate periodic written strategy briefs.
• Voice learning: when you edit a draft, we may store the resulting corrections (including a numerical embedding of the change) so future drafts more closely match your voice.
• Background processing: some AI tasks (such as bulk extraction, weekly strategy brief generation, daily prompt generation, voice fingerprint recomputation, and analytics syncs) run asynchronously in the background through our background-job provider. The data passed to those jobs is the same data described above and is subject to the same protections.
• Semantic search: when you add content to your Second Brain, the text is sent to OpenAI's embeddings API to generate a mathematical vector representation. This enables semantic search within your vault, allowing you to find related content by meaning, not just keywords. Only the text of your vault entries (title and extracted insight) and your voice corrections are sent; no personal account information is included.

Your content is sent to Anthropic's Claude API for processing. As of the effective date of this policy, Anthropic does not use API inputs or outputs to train its models. We encourage you to review Anthropic's privacy policy and usage policy at anthropic.com for the most current information.

Vault entry text is sent to OpenAI's embeddings API for semantic search functionality. As of the effective date of this policy, OpenAI does not use API inputs or outputs to train its models when accessed through their API. We encourage you to review OpenAI's API data usage policy at openai.com for the most current information.

Voice memos are transcribed using Deepgram, a speech-to-text service. Audio is sent to Deepgram solely for transcription and is not retained by Deepgram after processing is complete. Only the resulting transcription text is stored by HeartStack.

We do not use your content, captures, or personal data to train any general-purpose AI model. Your data is used exclusively to provide the Service to you.

HeartStack lets you upload a wide range of source material, including voice recordings, audio files, documents (PDF, DOCX, TXT, MD, RTF and similar), images, screenshots, web pages, pasted text, and WhatsApp messages. You decide what to upload and you are solely responsible for the content of every upload.

Do not upload content that you are not authorized to share, or that you would not want processed by an AI system and stored on our servers. In particular, you should not upload:

• Government-issued identification numbers, financial account numbers, full payment card numbers, or other sensitive personal identifiers belonging to you or any third party.
• Protected health information, medical records, or any other data subject to HIPAA, HITECH, or similar health-data regulations.
• Personal data of other individuals (employees, customers, clients, patients, or anyone else) for whom you do not have a lawful basis and the necessary permissions to share with a third-party AI processor.
• Confidential business information, trade secrets, attorney-client privileged material, board materials, or other information that you are contractually or legally obligated to keep confidential.
• Copyrighted material that you do not own or have a license to use, including paywalled articles, books, research papers, internal corporate documents, and competitor materials obtained without permission.
• Login credentials, API keys, private encryption keys, security tokens, or any other secrets.
• Content that is unlawful, defamatory, harassing, sexually explicit, or otherwise prohibited under our Terms of Service.

By uploading content to HeartStack, you represent and warrant that you have all rights, licenses, consents, and permissions necessary to upload that content and to authorize HeartStack and our subprocessors (including the AI providers listed in Section 6) to process it for the purposes described in this Privacy Policy.

HeartStack is not responsible for any sensitive, confidential, regulated, third-party, or otherwise protected data that you choose to upload. We do not pre-screen, monitor, or filter uploads to detect sensitive content, and our AI providers may briefly process uploaded content in order to generate the outputs you have requested. Any consequences arising from your decision to upload such material, including regulatory penalties, contractual claims, intellectual property claims, or claims by third parties, are your sole responsibility, and you agree to indemnify HeartStack against any such claims as set out in our Terms of Service.

If you accidentally upload sensitive material, you can delete the relevant capture, vault entry, source, or draft from within the app at any time. You can also contact us at hello@heartstack.ai to request expedited deletion. Once deleted, content is removed from our live systems within a reasonable period and will no longer be sent to AI providers, although residual copies may persist temporarily in backups or in third-party provider logs in accordance with their respective retention policies.

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

Your data is stored on secure cloud infrastructure in the United States. We implement the following security measures:

• All data is encrypted in transit using TLS/SSL.
• All data is encrypted at rest by our database provider.
• Database access is restricted by row-level security policies ensuring users can only access their own data.
• LinkedIn OAuth tokens are encrypted at rest using application-level encryption.
• API keys and credentials are stored in secure environment variables, never in source code.
• All AI processing occurs server-side; sensitive credentials are never exposed to client browsers.
• We enforce rate limiting and daily usage limits on API endpoints to prevent abuse.
• We conduct regular security audits as part of our development process.

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account and profile data: retained for the lifetime of your account.
• Content captures and vault entries: retained for the lifetime of your account. You can delete individual entries at any time.
• Drafts: retained for the lifetime of your account. You can delete individual drafts at any time.
• LinkedIn analytics: retained for the lifetime of your account to maintain performance history and trend analysis.
• Voice memo transcriptions: the text transcription of your voice memos is retained for the lifetime of your account as part of your vault entries. You can delete individual entries at any time. For short voice memos captured directly through the web recorder or WhatsApp, the original audio file is not retained after transcription is complete.
• Uploaded documents, images, and audio files: files you upload through the Second Brain bulk-upload feature (PDFs, DOCX, images, longer audio recordings, and similar) are stored in secure cloud storage for the lifetime of your account so that you can replay, re-process, or download them. You can delete individual sources at any time.
• Knowledge sources and extracted insights: records of each Second Brain source (filename, file type, size, status, credit cost, and processing metadata) and the insights extracted from each source are retained for the lifetime of your account. You can delete individual sources or insights at any time.
• Voice profile and voice corrections: your voice fingerprint, voice reference samples, and the corrections we extract from your draft edits (including their embedding vectors) are retained for the lifetime of your account so that future drafts continue to match your voice. You can request deletion of this data at any time.
• Onboarding research data: raw research inputs (LinkedIn profile URL contents, website contents, voice or text dump) collected during signup are retained only for as long as needed to populate your profile and are automatically purged on a regular schedule once your account has been claimed.
• Generated prompts and Mika questions: records of AI-generated prompts and questions shown to you, and your responses to them, are retained for the lifetime of your account so that we do not show you the same prompt twice and so your responses can inform future drafts.
• Strategy briefs: weekly strategy briefs generated by our Sage agent are retained for the lifetime of your account.
• Email activity log: records of emails we send you (type, status, message identifier) are retained for up to 24 months for delivery diagnostics and audit purposes.
• Feedback submissions: bug reports, feature requests, and other feedback you submit are retained for the lifetime of your account or until we resolve the underlying issue.
• WhatsApp connection data: your phone number and connection record are retained while connected. Upon disconnection, the connection record is immediately deleted. Content previously captured via WhatsApp remains in your vault unless you delete it.
• Payment records: retained as required by tax and accounting regulations (typically 7 years for financial records).
• API usage records: records of your AI interaction counts (no content data) are retained for usage tracking and billing purposes.
• Analytics cookies (when enabled): anonymized usage data is retained for up to 12 months.
• Error tracking data (when enabled): error reports are retained for up to 90 days.

Upon account deletion, we will delete or anonymize your personal data within 90 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).

Depending on your location, you may have the following rights regarding your personal data:

• Access: you can request a copy of the personal data we hold about you.
• Correction: you can update or correct your personal information through your account settings or by contacting us.
• Deletion: you can request deletion of your account and associated data. You can also delete individual captures, vault entries, and drafts at any time within the app.
• Data portability: you can request an export of your data in a structured, machine-readable format.
• Withdraw consent: you can disconnect your LinkedIn account at any time, revoking our access to your LinkedIn data. You can change your cookie preferences at any time. You can also close your account entirely.
• Opt out of communications: you can unsubscribe from non-essential emails at any time.

To exercise any of these rights, contact us at hello@heartstack.ai. We will respond to requests within 30 days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• The right to know what personal information we collect, use, and disclose.
• The right to request deletion of your personal information.
• The right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information for cross-context behavioral advertising.
• The right to non-discrimination for exercising your privacy rights.
• The right to limit the use of sensitive personal information. We do not use sensitive personal information for purposes beyond providing the Service.

To submit a verifiable consumer request, contact us at hello@heartstack.ai. You may also designate an authorized agent to make a request on your behalf.

If you are located in the European Economic Area (EEA) or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and the UK GDPR, respectively. Our legal basis for processing your personal data depends on the specific data and the context in which we collect it:

• Performance of a contract: processing your account information and content captures to provide the Service.
• Consent: connecting your LinkedIn account, enabling analytics cookies, and receiving optional product communications.
• Legitimate interests: improving the Service, preventing fraud, and ensuring security.

Under the GDPR, you have additional rights including: the right to access, rectify, erase, restrict processing of, and port your personal data; the right to object to processing based on legitimate interests; and the right to withdraw consent at any time. You also have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at hello@heartstack.ai. We will respond to requests within 30 days, or within the timeframe required by applicable law.

In the event of a data breach that affects your personal information, we will notify affected users and relevant regulatory authorities as required by applicable law. Where required by the GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms. For California residents, we will comply with breach notification requirements under California Civil Code Section 1798.82.

HeartStack is designed for professional use and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.

HeartStack may contain links to third-party websites or services, including LinkedIn. This Privacy Policy applies only to HeartStack. We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party services you interact with.

HeartStack uses Meta's WhatsApp Business Cloud API to offer an optional capture feature. This section provides additional details required by Meta's platform policies.

HeartStack is operated from the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We will take reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on our website and updating the “Last Updated” date at the top of this document. For significant changes, we may also notify you via email.

Your continued use of HeartStack after any changes constitutes your acceptance of the updated Privacy Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For LinkedIn-specific data inquiries, please reference “LinkedIn Data Request” in your email subject line.

© 2026 Heart Engineer LLC. All rights reserved.