Privacy Policy

HeartStack AI (“HeartStack,” “we,” “our,” or “us”) is a product of Heart Engineer LLC. We provide an AI-powered content creation platform that helps professionals create authentic personal brand content for LinkedIn and other platforms.

This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our website (heartstack.ai), our web application, and related services (collectively, the “Service”).

By using HeartStack, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

We use the information we collect to:

• Provide the Service: process your content captures, generate AI-powered drafts, score content quality, and deliver personalized content recommendations.
• Improve content recommendations: analyze your LinkedIn post performance to help our AI agents learn what resonates with your specific audience and refine future suggestions accordingly.
• Personalize your experience: use your identity data (pillars, audience, voice preferences) to ensure AI-generated content sounds like you, not generic AI output.
• Generate analytics: provide you with dashboards showing post performance, audience engagement trends, and content strategy insights.
• Maintain and improve the Service: monitor performance, fix bugs, and develop new features.
• Understand product usage: with your consent, collect anonymized analytics to understand which features are used, how users navigate the platform, and where we can improve. We never track the content of your captures, drafts, or published posts for this purpose.
• Communicate with you: send transactional emails (password resets, account confirmations, billing notifications) and, with your consent, product updates.
• Ensure security: detect and prevent fraud, abuse, and unauthorized access.
• Monitor errors: use error tracking to identify and fix bugs. Error reports may include technical context about the request that triggered the error but are configured to exclude personal content and sensitive data.

We do not use your information for advertising. We do not sell your data. We do not use your content to train AI models outside of providing the Service to you.

HeartStack uses artificial intelligence to process your content captures and generate recommendations. Here is how AI interacts with your data:

• Content extraction: when you submit a voice memo, text note, document, or URL reaction, our AI analyzes it to extract core insights. This processing uses Anthropic's Claude API.
• Draft generation: our AI generates LinkedIn post drafts based on your captured insights and identity profile. The AI uses your voice preferences and past content to match your authentic style.
• Quality scoring: our AI evaluates draft quality across multiple dimensions (voice match, audience fit, authenticity, conviction, clarity) and provides improvement suggestions.
• Strategic recommendations: our AI analyzes your content vault and performance data to recommend what to post and when.
• Semantic search: when you add content to your Knowledge Vault, the text is sent to OpenAI's embeddings API to generate a mathematical vector representation. This enables semantic search within your vault — allowing you to find related content by meaning, not just keywords. Only the text of your vault entries (title and extracted insight) is sent; no personal account information is included.

Your content is sent to Anthropic's Claude API for processing. As of the effective date of this policy, Anthropic does not use API inputs or outputs to train its models. We encourage you to review Anthropic's privacy policy and usage policy at anthropic.com for the most current information.

Vault entry text is sent to OpenAI's embeddings API for semantic search functionality. As of the effective date of this policy, OpenAI does not use API inputs or outputs to train its models when accessed through their API. We encourage you to review OpenAI's API data usage policy at openai.com for the most current information.

Voice memos are transcribed using Deepgram, a speech-to-text service. Audio is sent to Deepgram solely for transcription and is not retained by Deepgram after processing is complete. Only the resulting transcription text is stored by HeartStack.

We do not use your content, captures, or personal data to train any general-purpose AI model. Your data is used exclusively to provide the Service to you.

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

Your data is stored on secure cloud infrastructure in the United States. We implement the following security measures:

• All data is encrypted in transit using TLS/SSL.
• All data is encrypted at rest by our database provider.
• Database access is restricted by row-level security policies ensuring users can only access their own data.
• LinkedIn OAuth tokens are encrypted at rest using application-level encryption.
• API keys and credentials are stored in secure environment variables, never in source code.
• All AI processing occurs server-side; sensitive credentials are never exposed to client browsers.
• We enforce rate limiting and daily usage limits on API endpoints to prevent abuse.
• We conduct regular security audits as part of our development process.

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account and profile data: retained for the lifetime of your account.
• Content captures and vault entries: retained for the lifetime of your account. You can delete individual entries at any time.
• Drafts: retained for the lifetime of your account. You can delete individual drafts at any time.
• LinkedIn analytics: retained for the lifetime of your account to maintain performance history and trend analysis.
• Voice memo transcriptions: the text transcription of your voice memos is retained for the lifetime of your account as part of your vault entries. You can delete individual entries at any time. The original audio file is not stored after transcription is complete.
• Uploaded documents and images: files you upload (PDFs, images) are stored in secure cloud storage for the lifetime of your account. You can delete individual entries at any time.
• WhatsApp connection data: your phone number and connection record are retained while connected. Upon disconnection, the connection record is immediately deleted. Content previously captured via WhatsApp remains in your vault unless you delete it.
• Payment records: retained as required by tax and accounting regulations (typically 7 years for financial records).
• API usage records: records of your AI interaction counts (no content data) are retained for usage tracking and billing purposes.
• Analytics cookies (when enabled): anonymized usage data is retained for up to 12 months.
• Error tracking data (when enabled): error reports are retained for up to 90 days.

Upon account deletion, we will delete or anonymize your personal data within 90 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).

Depending on your location, you may have the following rights regarding your personal data:

• Access: you can request a copy of the personal data we hold about you.
• Correction: you can update or correct your personal information through your account settings or by contacting us.
• Deletion: you can request deletion of your account and associated data. You can also delete individual captures, vault entries, and drafts at any time within the app.
• Data portability: you can request an export of your data in a structured, machine-readable format.
• Withdraw consent: you can disconnect your LinkedIn account at any time, revoking our access to your LinkedIn data. You can change your cookie preferences at any time. You can also close your account entirely.
• Opt out of communications: you can unsubscribe from non-essential emails at any time.

To exercise any of these rights, contact us at hello@heartstack.ai. We will respond to requests within 30 days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• The right to know what personal information we collect, use, and disclose.
• The right to request deletion of your personal information.
• The right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information for cross-context behavioral advertising.
• The right to non-discrimination for exercising your privacy rights.
• The right to limit the use of sensitive personal information. We do not use sensitive personal information for purposes beyond providing the Service.

To submit a verifiable consumer request, contact us at hello@heartstack.ai. You may also designate an authorized agent to make a request on your behalf.

If you are located in the European Economic Area (EEA) or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and the UK GDPR, respectively. Our legal basis for processing your personal data depends on the specific data and the context in which we collect it:

• Performance of a contract: processing your account information and content captures to provide the Service.
• Consent: connecting your LinkedIn account, enabling analytics cookies, and receiving optional product communications.
• Legitimate interests: improving the Service, preventing fraud, and ensuring security.

Under the GDPR, you have additional rights including: the right to access, rectify, erase, restrict processing of, and port your personal data; the right to object to processing based on legitimate interests; and the right to withdraw consent at any time. You also have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at hello@heartstack.ai. We will respond to requests within 30 days, or within the timeframe required by applicable law.

In the event of a data breach that affects your personal information, we will notify affected users and relevant regulatory authorities as required by applicable law. Where required by the GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms. For California residents, we will comply with breach notification requirements under California Civil Code Section 1798.82.

HeartStack is designed for professional use and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.

HeartStack may contain links to third-party websites or services, including LinkedIn. This Privacy Policy applies only to HeartStack. We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party services you interact with.

HeartStack uses Meta's WhatsApp Business Cloud API to offer an optional capture feature. This section provides additional details required by Meta's platform policies.

HeartStack is operated from the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We will take reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on our website and updating the “Last Updated” date at the top of this document. For significant changes, we may also notify you via email.

Your continued use of HeartStack after any changes constitutes your acceptance of the updated Privacy Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For LinkedIn-specific data inquiries, please reference “LinkedIn Data Request” in your email subject line.

© 2026 Heart Engineer LLC. All rights reserved.