Heidi

Privacy Policy

Effective July 11, 2026 · Last updated July 11, 2026 · Version 2026.07.11

This Privacy Policy describes how Heidi Dev, Inc. ("Heidi Dev, Inc.," "we," "us," or "our") collects, uses, stores, shares, and otherwise processes personal information in connection with the Heidi product and related websites, APIs, and services available at heidi.dev and customer sites delivered via heidi.site and custom domains (collectively, the "Services").

By using the Services, you acknowledge this Privacy Policy. If you do not agree, do not use the Services. Our Terms of Service (heidi.dev/terms) govern your contractual relationship with us.

Effective date: July 11, 2026. Last updated: July 11, 2026. Document version: 2026.07.11.

1. Who we are

The controller of personal information processed for the Heidi platform (accounts on heidi.dev, billing, agent runs, and related platform operations) is:

For personal information that customers store in generated apps (including Heidi App Auth end users, CMS/data records, customer transactional email, and customer-site analytics), the customer is typically the controller and Heidi Dev, Inc. acts as a processor / service provider under the customer's instructions, except where we determine purposes and means independently (for example, platform security, abuse prevention, and billing).

2. Scope and roles

This Policy covers:

  • Platform users who create or manage workspaces on heidi.dev
  • Operators and administrators of Heidi workspaces
  • Visitors to our public marketing and legal pages
  • End users of customer applications that use Heidi Auth, Heidi Data/CMS, Heidi Payments, Heidi Email, or Heidi hosting (processed primarily as a processor)
  • Registrant and billing contacts collected for domain purchases

This Policy does not govern third-party websites you clone, connect, or link to, or model providers' own consumer products outside Heidi's processing instructions.

3. Categories of personal information we collect

Depending on how you use the Services, we may collect:

  • Identifiers: name, email address, account IDs, workspace IDs, IP address (transiently at the edge; see analytics), cookie/session identifiers
  • Commercial information: plan, subscription status, Stripe customer/subscription identifiers, payment event metadata (card numbers are handled by Stripe and are not stored in Heidi's databases)
  • Internet / network activity: pages viewed on customer published sites (path + counts), approximate unique visitors via salted hashes (no raw IP retained), device/user-agent signals used only to derive the hash, security and abuse logs
  • Professional / account profile data: display name, avatar URL, connected workspace integrations
  • User content: prompts, messages, plans, project files, commits, previews, CMS records, uploaded assets, clone artifacts, browser-test evidence
  • Authentication data: email one-time codes (stored hashed), OAuth tokens/grants (encrypted where applicable), session tokens (hashed where applicable)
  • Domain registrant contact: name, email, phone, postal address, and optional company (required by registrars)
  • Sensitive personal information: we do not seek to collect government IDs, precise geolocation, or similar sensitive categories for platform accounts. Customer apps may store additional categories under the customer's control — customers must provide their own notices where required
  • Inferences: limited operational inferences for security, fraud prevention, and product reliability (not for advertising profiles)

4. Sources of personal information

  • Directly from you (account forms, prompts, settings, support requests, domain registrant forms)
  • Automatically from your browser or device when you use the Services
  • Identity providers you choose (Google, GitHub, and enterprise SSO/SCIM directories)
  • Payment processors (Stripe) for billing status and payment confirmations
  • Workspace connections you authorize (for example GitHub, Linear, Figma, Notion)
  • Public or customer-provided URLs when you use clone or browser-test features (third-party site content may be fetched and stored as project artifacts)

5. Google user data (Google Sign-In / Google OAuth)

When you sign in with Google to Heidi (platform login on heidi.dev) or when a customer app enables Heidi App Auth with Google, we access Google user data through Google's OAuth / Sign-In APIs. This section is intended to satisfy the Google API Services User Data Policy and Google Cloud OAuth branding / verification requirements.

Google OAuth scopes we use for sign-in: openid, email, profile.

Google user data we may receive:

  • Google account unique identifier (subject / sub)
  • Verified email address
  • Display name
  • Profile picture URL (when provided by Google)

How we use Google user data:

  • Authenticate you and create or sign in to your Heidi platform account
  • Authenticate end users of customer apps that enable Heidi App Auth with Google
  • Display your name and avatar in the Heidi product interface
  • Communicate account-related notices to your verified email address
  • Secure accounts (fraud, abuse, and unauthorized-access prevention)

How we store and share Google user data:

  • Stored in our application database (Convex) as part of your Heidi user or app-user profile and linked auth accounts
  • Processed by infrastructure subprocessors listed in this Policy solely to operate authentication and the Services
  • Not combined with advertising profiles
  • Retained for as long as your account remains active and as needed for security, dispute resolution, and legal obligations; deleted or anonymized when you delete your account subject to lawful retention needs

What we do not do with Google user data:

  • We do not sell Google user data
  • We do not use Google user data for advertising, retargeting, or cross-context behavioral advertising
  • We do not use Google user data to train foundation models for unrelated products
  • We do not transfer Google user data to data brokers or information resellers
  • Human access to Google user data is limited to security, support you request, legal compliance, and operating the features you use

Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. If we ever request additional Google scopes or use Google user data for a new purpose, we will update this Privacy Policy and obtain any consent required before doing so.

6. How we use personal information

  • Provide, operate, secure, and improve the Services
  • Authenticate users and maintain sessions
  • Process prompts and project content with AI model providers to generate code, plans, previews, and related outputs
  • Host, build, preview, version, and publish customer projects
  • Process subscriptions, domain purchases, and customer-app payments
  • Deliver transactional email (sign-in codes, magic links, product notices)
  • Provide owner Insights (pageviews, approximate uniques, and approximate bounce) on published customer sites
  • Detect, investigate, and prevent fraud, abuse, and security incidents
  • Comply with law, enforce terms, and protect rights, safety, and property
  • Communicate service-related notices; marketing only where permitted and with opt-out

7. Artificial intelligence and automated processing

Heidi is an AI-assisted building platform. When you submit prompts, plans, files, URLs, or other project content, that content (and derived context needed to perform the task) may be transmitted to large language model and related AI providers to generate outputs. Default agent models are provided by xAI (Grok) via Vercel AI Gateway. Customer-enabled hosted AI purposes may also route to: Anthropic, Google (Gemini), OpenAI, Perplexity, xAI.

Clone and browser-test features may load third-party or customer URLs in a cloud browser (Kernel), capture screenshots, HTML, network/console evidence, and store artifacts for debugging and review.

You should not submit secrets, regulated health data, or other highly sensitive personal data in prompts unless you have a lawful basis and appropriate contractual protections. AI outputs may be inaccurate; see our Terms of Service.

8. How we share personal information

Heidi Dev, Inc. does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA) and similar U.S. state privacy laws.

We disclose personal information to:

  • Service providers / subprocessors that process data on our instructions (see Section 9)
  • Identity and payment providers you choose to interact with (Google, GitHub, Stripe, enterprise IdPs)
  • Registrars and DNS providers as required to register and operate domains
  • Workspace connection providers you authorize (including Figma, Linear, Notion)
  • Professional advisors (lawyers, accountants) under confidentiality
  • Authorities when required by law or to protect rights and safety
  • A successor entity in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate protections

We do not disclose personal information for cross-context behavioral advertising.

9. Subprocessors and service providers

We use the following categories of service providers to operate the Services. Names and purposes may be updated as our infrastructure evolves; material changes will be reflected in an updated version of this Policy.

  • Convex, Inc. — Application database, platform authentication sessions, and realtime product state (processing location: United States)
  • Vercel Inc. — Hosting for heidi.dev, edge/runtime compute, AI Gateway routing, and domain registration pathways (processing location: United States)
  • Cloudflare, Inc. — CDN, DNS, object storage (R2), edge workers, and customer-site delivery on heidi.site / custom hostnames (processing location: United States / global edge)
  • Stripe, Inc. — Payment processing for Heidi subscriptions, domain checkout, and Stripe Connect for customer-app payments (processing location: United States)
  • Resend, Inc. — Transactional email delivery (sign-in codes, magic links, product notifications) (processing location: United States)
  • xAI Corp. (via Vercel AI Gateway) — Large language model inference for Heidi's agent (default Grok models) (processing location: United States)
  • Google LLC — Google Sign-In / OAuth identity; optional Google Places API for hosted customer apps; font delivery on heidi.dev (processing location: United States)
  • GitHub, Inc. — Optional GitHub Sign-In and workspace GitHub connections (processing location: United States)
  • OnKernel (Kernel) — Cloud browser infrastructure for site clone capture and automated browser testing (processing location: United States)

10. Cookies and similar technologies

We use cookies and similar technologies that are necessary to operate the Services:

  • HttpOnly session cookies for platform authentication (Convex Auth)
  • Operator session cookies for privileged operator tooling (internal)
  • Short-lived cookies for OAuth / connection CSRF protection
  • Local storage for theme preference (light/dark) and PKCE verifiers during App Auth flows

We do not operate third-party advertising cookies or marketing analytics pixels on heidi.dev as of the effective date of this Policy. Customer sites may include scripts the customer chooses to deploy (including scripts captured during clone workflows); customers are responsible for their own notices and consent where required.

11. Customer-site analytics

For published customer sites, Heidi may record pageview counts by path and approximate unique visitors using an edge-salted hash derived from network and device signals. Raw IP addresses are not retained in Heidi's analytics stores. Draft and preview surfaces are excluded from production Insights. This analytics processing is provided to the customer as part of the Services; customers should disclose it in their own privacy notices where required.

12. Retention

We retain personal information only as long as needed for the purposes described in this Policy, including:

  • Account and workspace data: for the life of the account, then deletion or anonymization within a reasonable period after closure unless longer retention is required
  • Auth challenges, OTPs, and short-lived tokens: minutes to days per security design
  • App Auth access tokens: short-lived (minutes); refresh tokens: rotating, on the order of weeks
  • Agent runs, messages, files, commits, and artifacts: for the life of the project / workspace unless deleted earlier
  • Billing and domain records: as required for tax, accounting, registrar, and dispute obligations
  • Security and audit logs: for a limited period appropriate to investigation and compliance

13. Security

We implement administrative, technical, and organizational measures designed to protect personal information, including encryption in transit (TLS), access controls, hashed credentials/tokens where applicable, tenancy isolation in application logic, and least-privilege operator access. No method of transmission or storage is perfectly secure; you use the Services at your own risk subject to our Terms.

14. International transfers

We are based in the United States (Delaware entity). If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our subprocessors operate. Where required, we rely on appropriate transfer mechanisms (such as standard contractual clauses) and contractual protections with processors.

15. Children

The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. Consistent with Google's policies for Google Sign-In, Heidi is not a child-directed service. If you believe a child has provided personal information, contact privacy@heidi.dev and we will take appropriate steps to delete it.

16. U.S. state privacy rights (including California and Delaware)

Depending on your state of residence, you may have rights to access, correct, delete, or obtain a portable copy of personal information; to opt out of sale, sharing for cross-context behavioral advertising, or certain profiling; to limit use of sensitive personal information; and to appeal a denied request. Heidi Dev, Inc. does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA) and similar U.S. state privacy laws.

Categories collected, sources, purposes, and disclosures for business purposes in the preceding 12 months are described in Sections 3–9. We disclose personal information to service providers for business purposes such as hosting, authentication, payments, email, AI inference, security, and customer support.

Delaware Personal Data Privacy Act (DPDPA): where we are a controller subject to the DPDPA, we provide this notice, honor applicable consumer rights, maintain contracts with processors, and practice data minimization. As of January 1, 2026, where we sell personal data or process it for targeted advertising, we would honor universal opt-out preference signals (such as Global Privacy Control). Because we do not sell personal information or process it for targeted advertising, GPC signals do not currently change an advertising profile — but we still honor deletion and other applicable rights requests.

California residents: you have the rights described under the CCPA/CPRA. We will not discriminate against you for exercising privacy rights. To submit a request, email privacy@heidi.dev with the subject line "Privacy Request" and sufficient information for us to verify your identity. Authorized agents may submit requests with proof of authority. We will respond within the time required by law (generally 45 days, extendable where permitted). If we deny your request, you may appeal by replying to our decision email within a reasonable time; we will inform you of the outcome of the appeal within the period required by applicable law.

17. EEA / UK / Switzerland rights (where applicable)

If the GDPR or UK GDPR applies to our processing of your personal data, you may have rights of access, rectification, erasure, restriction, portability, and objection, and the right to withdraw consent where processing is consent-based. Legal bases may include contract performance, legitimate interests (security, product improvement, fraud prevention), consent, and legal obligation. Contact privacy@heidi.dev. You may lodge a complaint with your local supervisory authority.

18. Customer applications and end-user data

If you are an end user of a website or app built on Heidi, the customer that operates that app is generally responsible for its privacy notice and for responding to your requests. Heidi provides infrastructure (including optional Heidi Auth, data APIs, email, payments, and hosting). We process end-user data to provide those features to the customer, to secure the platform, and as otherwise described in our customer agreements. End users may also contact us at the privacy email above; we may redirect you to the customer or assist the customer as a processor.

19. Do Not Track and preference signals

There is no industry-standard response to browser Do Not Track signals. Where legally required for sale/sharing opt-out, we will treat universal opt-out preference signals as described in Section 16. We do not currently sell or share personal information for cross-context behavioral advertising.

20. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated Policy at heidi.dev/privacy and change the "Last updated" date and document version. Material changes may also be communicated by email or in-product notice. Continued use after the effective date of changes constitutes acceptance where permitted by law. For material changes to Google user data practices, we will obtain any additional consent required by Google's policies and applicable law before new uses.

21. Contact us