Privacy Policy
Datenschutzerklärung · Last updated: 12 May 2026
1. Who we are
Heimdall is operated by:
Junaid Farooqui
Hitlstr. 11
80997 Munich, Germany
Email: [email protected]
We are the data controller (verantwortliche Stelle) for the personal data processed by Heimdall as defined in Article 4(7) GDPR.
2. What we promise
Heimdall is built in Germany, hosted in the EU. Your data does not leave Europe unless you explicitly trigger an action that requires a transfer (e.g., AI text generation, which calls Anthropic's API). We do not sell your data. We do not use your content to train third-party models.
3. What personal data we collect
When you use Heimdall, we collect:
- Account data: name, email address, password hash (never the password itself), email verification status.
- Profile data: niches you selected, social platforms you connect, your timezone, locale, brief delivery hour.
- Voice samples: sample posts you paste during onboarding to lock your authentic writing style.
- Content you generate: daily briefs, content pieces, voice profiles, all created in your account.
- Competitor data you add: handles, URLs, and posts you paste manually for competitive analysis.
- Performance data you add: if you manually log post metrics, that data stays with your account.
- Comments you paste: for the Comment-to-Content Loop feature.
- Technical data: IP address (briefly, for security), browser type, session cookies, error logs.
4. Legal basis for processing (GDPR Art. 6)
- Art. 6(1)(b) — contract performance: we process your account and content data to deliver the service you signed up for.
- Art. 6(1)(a) — consent: for optional features such as connecting third-party platforms (e.g., via Phyllo), email marketing if enabled.
- Art. 6(1)(f) — legitimate interests: security logging, fraud prevention, service improvement based on aggregated usage metrics.
- Art. 6(1)(c) — legal obligation: tax-related data retention, response to law enforcement requests when legally required.
5. How long we keep your data
- While your account is active: until you delete the account.
- After account deletion: account data and content deleted within 30 days. Backups containing residual copies are rotated out within 90 days.
- Server logs: 30 days, then auto-rotated.
- Anonymized usage analytics: retained indefinitely for service improvement (cannot be linked back to you).
- Billing records: retained for 10 years per German Handelsgesetzbuch §257.
6. Who processes your data on our behalf (subprocessors)
We share data with these processors strictly to operate the service. Each is bound by a data processing agreement (Auftragsverarbeitungsvertrag, AVV).
- Hosting infrastructure: our Plesk server in Germany (EU). Your data lives here.
- Cloudflare, Inc. (USA): DNS, CDN, edge caching, DDoS protection. Some metadata (IP, request headers) is processed at Cloudflare's EU edge nodes. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF). Standard Contractual Clauses (SCCs) apply.
- Anthropic, PBC (USA): when you trigger AI generation (briefs, content, autopsy, intelligence features), your prompt (which can include your voice samples, niches, and trend data) is sent to Anthropic's Claude API. Anthropic does not train models on API content. DPF-certified, SCCs apply.
- Resend, Inc. (USA, with EU-region SES backend): transactional emails — verification, password reset, daily brief delivery. Your email address and the email body are processed by Resend / AWS SES (Frankfurt region).
- Inngest, Inc. (USA): (if enabled) background job orchestration. Receives minimal job-trigger metadata, not your content.
- Apify Technologies s.r.o. (Czech Republic, EU): (if enabled) public competitor post scraping. We send public handles to Apify; Apify returns public posts. No personal data of yours is sent.
- Phyllo, Inc. (USA): (if enabled) creator account OAuth and analytics ingestion. If you connect a social account, Phyllo holds the OAuth tokens.
- Paddle.com Market Limited (UK / Ireland): (when paid plans launch) payment processor and Merchant of Record. Paddle handles billing data and VAT compliance for all EU member states.
7. International transfers
Some subprocessors are located outside the EU/EEA (primarily the United States). We use Standard Contractual Clauses (SCCs) and rely on EU-U.S. Data Privacy Framework (DPF) certification where applicable. You can request the specific transfer mechanism for each subprocessor by contacting us.
8. Your rights (GDPR Articles 15–22)
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Correct inaccurate data (Art. 16)
- Delete your data — "right to be forgotten" (Art. 17)
- Restrict processing (Art. 18)
- Data portability — export your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, where consent is the legal basis
- Lodge a complaint with a supervisory authority (Art. 77)
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
Supervisory authority for residents of Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI), or your state DPA. For other EU residents: your national DPA.
9. Cookies and similar technologies
Heimdall sets the following cookies:
- Session cookie (heimdall.session_token): required to keep you logged in. Set by our authentication library, expires after 30 days. Cannot be disabled without making the service unusable.
- Cloudflare cookies (__cf_bm, cf_clearance): set by our CDN to distinguish humans from bots and to deliver content efficiently. Strictly necessary.
We do not use third-party tracking, advertising, or analytics cookies. We do not use Google Analytics or similar tools.
10. Children's privacy
Heimdall is not intended for users under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us — we will delete it.
11. AI-generated content disclosure (EU AI Act)
Heimdall uses generative AI (Anthropic's Claude) to produce daily briefs, content drafts, and analyses. In accordance with Article 50 of the EU AI Act, we disclose that outputs labeled as "Generated," "Brief," or "Analyzed" within the product are produced by AI. You should treat all AI output as a starting point for your own work, not as vetted advice.
12. Changes to this policy
We may update this policy as the service evolves. Material changes will be communicated via email and an in-app notification at least 30 days before they take effect.
13. Contact
Questions about your data? Email us at [email protected].