Privacy Policy — Heimcore

Effective Date: May 27, 2026
Last Updated: May 27, 2026


1. Introduction

Welcome to Heimcore (“Heimcore,” “we,” “us,” or “our”). Heimcore is an AI Business Operating System that provides multi-agent AI assistants, voice interaction, and integrations with third-party services such as Google, Meta Ads, and Stripe. The service is accessible at heimcore.ai.

This Privacy Policy explains what personal data we collect about you, how we use it, who we share it with, and what rights you have over your data. We've written it in plain language so you can actually understand what happens to your information.

Data Controller:
Individual Entrepreneur Danila Manko, operating as Heimcore
Registration / Individual Entrepreneur (Tax) ID No. 324087215
Angisa 78, Batumi, Georgia
Email: heimcoreai@gmail.com
Phone: +995 595 332 177

If you have questions about this policy or how we handle your data, contact us at heimcoreai@gmail.com.


2. Who This Policy Applies To

This policy applies to anyone who:

  • Creates an account on heimcore.ai
  • Uses our AI assistants, voice features, or integrations
  • Visits our website (even without an account)
  • Communicates with us via email or support channels

We serve users worldwide, including users in the European Union, the United Kingdom, and the United States. If you're in the EU/UK, you have specific rights under the General Data Protection Regulation (GDPR) — see Section 7.


3. Data We Collect

We collect data in three main ways: data you give us directly, data generated when you use the service, and data we receive from third-party integrations you connect.

3.1 Account & Identity Data

  • Name and email address (when you sign up)
  • Password (stored as a hashed value — we never see your plaintext password)
  • Profile information you optionally add (display name, avatar, preferences)
  • Billing information: your billing and payment-method data (including card details and billing address) are collected and stored by our third-party payment provider, which acts as our Merchant of Record, not by Heimcore. We receive only a customer reference and your subscription status from that provider.

3.2 Vault & Content Data

Heimcore lets you build a personal “Vault” of notes — Memory, Identity, and Preferences entries that your AI assistants use as context. We store:

  • Memory notes: facts, history, projects, and contextual information you save
  • Identity notes: descriptions of who you are, your goals, your style
  • Preferences notes: how you want the AI to respond, tone, format
  • Uploaded files via the Memory Import feature (documents, transcripts, exports)
  • Conversation logs: your chats with AI assistants, including voice transcripts

3.3 Third-Party Integration Data

When you connect external services, we receive and store:

  • Google OAuth tokens (with scopes for YouTube, Google Drive, and other services you authorize)
  • Meta Ads API tokens and ad account identifiers for managing campaigns on your behalf
  • Payment-provider customer ID and subscription status (we don't store full card numbers — our payment provider handles that)

We only request the minimum OAuth scopes needed for the features you use. You can revoke any integration at any time from your account settings.

3.4 Technical & Usage Data

  • IP address (collected at login and during sessions for security and abuse prevention)
  • Browser type, device type, operating system
  • Pages visited, features used, time spent
  • Error logs and diagnostic data (which features failed, stack traces — without sensitive content)
  • Voice interaction metadata (duration, voice model used, transcript length — the audio itself is processed in real time and not retained unless you explicitly save it)

3.5 Communications Data

  • Emails you send to support
  • Feedback and survey responses
  • Bug reports and feature requests

4. How We Use Your Data

We use your data for the following purposes:

4.1 To Deliver the Service

  • Authenticate you and keep your account secure
  • Run AI assistants that respond using your Vault content as context
  • Process voice input and generate voice output
  • Execute integrations you've authorized (post to YouTube, manage Meta ads, read Drive files)
  • Generate documents and reports you request

4.2 To Bill You (Paid Plans)

  • Process payments via our third-party payment provider (our Merchant of Record)
  • Send invoices and receipts
  • Manage subscription renewals, upgrades, and cancellations
  • Handle refunds

4.3 To Improve the Service

  • Analyze aggregate usage patterns (which features get used, where users get stuck)
  • Debug errors and improve reliability
  • Test new features

We do not train AI models on your private content. Your conversations and Vault data are not used to improve Anthropic's Claude models or any other ML system, unless you explicitly opt in to a future feedback program.

4.4 To Communicate With You

  • Service-related emails (security alerts, billing notices, downtime notifications)
  • Product updates (you can opt out of non-essential announcements)
  • Responses to your support requests

4.5 To Comply With Law and Protect the Service

  • Investigate fraud, abuse, and Terms of Service violations
  • Respond to lawful requests from authorities (we'll notify you when legally permitted)
  • Enforce our Terms of Service

4.6 Legal Bases for Processing (GDPR)

For users in the EU/UK, we rely on these legal bases under GDPR Article 6:

  • Contract — to deliver the service you signed up for
  • Legitimate interest — for security, fraud prevention, and product improvement
  • Consent — for optional features (marketing emails, future model training programs)
  • Legal obligation — to keep records required by tax, accounting, or law enforcement

5. Third-Party Services We Use

Heimcore relies on the following sub-processors and service providers. Each has its own privacy policy, and we recommend reviewing them.

| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic (Claude API) | Powers AI assistants and conversation | Conversation content, Vault context you've selected to share with the assistant | USA |
| Google (OAuth, YouTube API, Drive API) | Integrations you authorize | OAuth tokens, API requests on your behalf | USA / Global |
| Meta (Marketing API) | Ad campaign management you authorize | Access tokens, ad account data | USA / Global |
| Payment provider (Merchant of Record) | Payments & Merchant of Record | Name, email, payment method, billing address | Global |
| ElevenLabs (planned) | Premium voice synthesis | Text to be synthesized | USA |
| Microsoft Edge TTS | Default voice synthesis | Text to be synthesized | USA |
| Cloudflare | DNS, CDN, DDoS protection | IP address, request metadata | Global edge network |
| Hetzner | Backend hosting and database | All user data stored on our servers | Germany (EU) |
| Vercel | Frontend hosting | Static assets, edge request logs | USA / Global edge |

We sign Data Processing Agreements (DPAs) with sub-processors that handle EU personal data when required by GDPR.


6. International Data Transfers

Heimcore operates from Georgia, our primary backend infrastructure runs on Hetzner servers in Germany (EU), and several sub-processors are based in the United States. This means your data crosses borders.

For transfers from the EU/UK to non-adequate countries (such as the US), we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • The sub-processor's own GDPR safeguards (e.g., our payment provider, Anthropic, and Cloudflare have established cross-border transfer frameworks)

If you're concerned about a specific transfer, contact us at heimcoreai@gmail.com and we'll explain the safeguards for your situation.


7. Your Rights

You have the following rights regarding your personal data. Most can be exercised directly from your account settings or by emailing us.

7.1 Rights Available to All Users

  • Access: Get a copy of the data we hold about you
  • Correction: Fix inaccurate or outdated data
  • Deletion: Delete your account and associated data
  • Export: Download your Vault contents and conversation history in a portable format (JSON or Markdown)

7.2 Additional Rights for EU/UK Users (GDPR)

  • Right to restrict processing while a dispute is resolved
  • Right to object to processing based on legitimate interest
  • Right to data portability in machine-readable form
  • Right to withdraw consent for any consent-based processing
  • Right not to be subject to automated decisions with legal effect (we don't make such decisions — AI assistants generate suggestions, but humans make final decisions)
  • Right to lodge a complaint with a supervisory authority (e.g., your national data protection authority)

7.3 How to Exercise Your Rights

Email heimcoreai@gmail.com with your request. We'll respond within 30 days (extendable by 60 days for complex cases, with notice). We may ask you to verify your identity to protect against impersonation.

There is no cost for exercising your rights, unless requests are excessive or repetitive — in which case we may charge a reasonable fee or refuse.


8. Data Retention

We keep your data only as long as needed:

| Data Type | Retention Period |
|---|---|
| Account data (active accounts) | Until you delete your account |
| Vault contents, conversations | Until you delete them or your account |
| OAuth tokens | Until you revoke or your account is deleted |
| Billing records | 7 years (Georgian tax law requirement) |
| Server logs (IP, requests) | 90 days |
| Error logs | 30 days |
| Support email threads | 2 years after resolution |
| Backups | 30 days rolling, then automatically deleted |

When you delete your account:

  • Active data is removed from our production systems within 7 days
  • Backups containing your data are purged on the next backup rotation (within 30 days)
  • Some data may be retained longer if required by law (e.g., invoices for tax purposes)

9. Security

We take security seriously, but no system is perfectly secure. Our measures include:

  • Encryption in transit (HTTPS/TLS for all connections)
  • Encryption at rest for sensitive data (OAuth tokens, vault contents)
  • Hashed passwords (bcrypt or equivalent)
  • Access controls — only authorized personnel can access production systems (currently: only Daniel Manko as sole operator)
  • Regular backups with automatic expiration
  • Sub-processor vetting for security posture

If a data breach occurs that affects your data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR.


10. Cookies and Tracking

Heimcore uses a minimal set of cookies and similar technologies:

  • Essential cookies: keep you logged in, remember your session, protect against CSRF attacks. These cannot be disabled because the service won't work without them.
  • Preference cookies: remember your UI settings (theme, language).
  • Analytics: we use first-party usage logging only. We do not currently use Google Analytics, Facebook Pixel, or other third-party tracking cookies on heimcore.ai.

We do not sell your data or share it with advertisers. We do not use cross-site tracking.


11. Children's Privacy

Heimcore is not intended for children under 13 years old (or under 16 in jurisdictions where that is the digital consent age, including some EU countries).

We do not knowingly collect personal data from children. If you believe a child has created an account, contact us at heimcoreai@gmail.com and we will delete the account and associated data promptly.


12. Third-Party Links and Integrations

Heimcore lets you connect external services (Google, Meta, Stripe, etc.) and may link to third-party websites. We are not responsible for the privacy practices of those services. Review their policies before connecting them.


13. Automated Decision-Making and AI

Heimcore uses AI to generate suggestions, drafts, and recommendations. These are not legally binding automated decisions — you remain in control of every action taken on your accounts and integrations.

You should treat AI outputs as starting points, not final answers. We make no warranty that AI-generated content is accurate, complete, or appropriate for your specific situation. See our Terms of Service for the full AI disclaimer.


14. Changes to This Policy

We may update this Privacy Policy as our service evolves or as laws change. When we make material changes:

  • We'll update the “Last Updated” date at the top
  • We'll send an email to all active users at least 14 days before changes take effect
  • We'll post a notice in the app

If you don't agree with changes, you can delete your account before they take effect. Continued use of Heimcore after changes take effect means you accept the updated policy.


15. Contact Us

Questions, requests, or complaints about your data:

Email: heimcoreai@gmail.com
Phone: +995 595 332 177
Subject line: Privacy — your request

Owner / Data Controller:
Individual Entrepreneur Danila Manko, operating as Heimcore
Registration / Individual Entrepreneur (Tax) ID No. 324087215
Angisa 78, Batumi, Georgia


This policy is provided in English. Translations may be made available in Russian or other languages for convenience, but the English version is the authoritative one in case of conflict.