Skip to content
hey annahey anna

Privacy Policy

Last updated: March 26, 2026

1. Scope

This Privacy Policy explains how Hey Anna collects, uses, discloses, and stores personal information when you use our website, product, and APIs.

2. Information We Collect

We collect information you provide directly, including:

  • account data (name, email, hashed password);
  • waitlist submissions (email);
  • content you upload or create (datasets, workspace edits, chat messages, feedback, published reports).

Connected data sources

You can connect external platforms so our AI analyst can pull your data for analysis. All connections are read-only — we never modify, delete, or write to your connected accounts. Depending on the integrations you enable, we may receive:

Google

  • your Google account email address (used to identify the connected account);
  • Google Sheets content and metadata (read-only) for spreadsheets you select for analysis;
  • Google Analytics reporting data (read-only) for properties you select for analysis;
  • Google Search Console search performance data (read-only) for sites you select;
  • Google Ads campaign and performance data. Google does not offer a read-only API scope for Ads; the full API scope is requested but Hey Anna only performs read operations.

Shopify

  • store data including orders, products, customers, inventory levels, and analytics (read-only);
  • your store domain (used to identify the connected store).

HubSpot

  • CRM data including contacts, deals, companies, and pipeline stages (read-only).

Stripe

  • payment data including charges, customers, subscriptions, refunds, and account balance (read-only).

Meta/Facebook Ads

  • ad campaign data including ad sets and performance metrics (read-only).

TikTok Ads

  • campaign data including ad groups and performance metrics (read-only).

Airtable

  • bases, tables, and records (read-only).

Notion

  • databases, pages, and properties (read-only).

WooCommerce

  • order, product, and customer data (read-only).

Access tokens for all connected sources are encrypted at rest using AES-256-GCM. You can disconnect any integration at any time from your account settings, which revokes access at the provider and stops further data retrieval.

We also collect technical and usage information, including:

  • session metadata (refresh-session identifiers, user agent, IP address for session records);
  • application events, request paths, errors, and performance telemetry;
  • device/browser and interaction analytics via cookies and local storage technologies.

3. How We Use Information

We use information to:

  • provide and operate the Services, including authentication and data storage;
  • run AI-assisted functionality and return requested outputs;
  • secure accounts, prevent abuse, investigate incidents, and enforce terms;
  • measure reliability, performance, and product usage;
  • respond to support requests and user feedback;
  • comply with legal obligations.

Use of connected data source information

Data from connected sources (Google, Shopify, HubSpot, Stripe, Google Ads, Google Search Console, Meta Ads, TikTok Ads, Airtable, Notion, WooCommerce, and any other platform you connect) is used solely to provide the analysis features you requested. We do not use connected source data for advertising, to build user profiles unrelated to the service, to sell or broker data, to determine creditworthiness, or to train AI models.

Google API Services User Data Policy

hey anna's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

You may request deletion of any data accessed through Google APIs by disconnecting the data source in Settings (which triggers immediate token revocation) and deleting any datasets created from that source. HeyAnna staff do not access your Google data except with your explicit consent, for security investigations, or as required by law.

4. Legal Basis for Processing

We process personal information under the following legal bases:

  • Contract performance — to provide the Services you have signed up for, including authentication, data storage, AI-assisted features, and billing.
  • Consent — for analytics cookies placed on anonymous visitors, which you can accept or decline via our cookie banner.
  • Legitimate interest — to improve the product through analytics for authenticated users and to record conversion events (such as sign-ups and plan changes) for all users. We have assessed that these interests do not override your rights, given the limited data collected and our active PII redaction practices.
  • Legal obligation — to comply with applicable laws and regulations.

5. AI Processing

Prompts and related context may be processed by AI model providers to generate requested outputs. We use provider API offerings configured so API customer content is not used for model training, and we do not use your Customer Content to train our own models.

Thread context is retained so Anna can continue your conversation and work. This context stays within your account and thread history.

6. Cookies, Analytics, and Consent

We use cookies, local storage, and similar technologies to:

  • maintain secure authentication sessions (strictly necessary);
  • remember product and monitoring state (strictly necessary);
  • understand usage and improve performance (analytics).

Analytics providers

We use PostHog (via a first-party reverse proxy) and Google Analytics 4 for product analytics. These services help us understand how the product is used so we can improve it. We actively strip personally identifiable information — including email addresses, authentication tokens, and uploaded data content — from analytics events before they are sent.

How consent works

When you first visit, a cookie consent banner lets you accept or decline analytics cookies. Analytics tracking for anonymous visitors is off by default until you make a choice. Dismissing the banner (closing it) is treated as acceptance.

What we track regardless of cookie consent

Certain business events — such as account registration, checkout initiation, and plan changes — are recorded regardless of your cookie preference. These are user-initiated actions tied to your use of the service, not passive browsing surveillance. We rely on legitimate interest as the legal basis for these events.

Authenticated users

When you are signed in, we collect product analytics under our legitimate interest in improving the service you actively use. This includes feature usage, performance metrics, and interaction patterns. You can object to this processing by contacting us (see section 14).

7. Sharing and Disclosure

We may share information with:

  • infrastructure and storage providers (for application hosting and file storage);
  • AI model providers used to process your prompts and generate outputs;
  • analytics providers (PostHog, Google Analytics) used to understand product usage and improve the service;
  • legal authorities where required by law or to protect rights and safety;
  • successors in a merger, acquisition, or asset transfer.

We do not share data from connected sources (Google, Shopify, HubSpot, Stripe, or any other platform you connect) with third parties except as necessary to provide the Services — for example, passing imported data to AI model providers to generate the analysis you requested. We do not transfer or disclose connected source data for advertising, data brokerage, or any purpose unrelated to providing or improving the Services.

Published reports expose the report content you chose to publish. They do not grant direct access to your private workspace or source files.

8. Data Retention

We retain personal information and Customer Content for as long as needed to provide the Services, meet legal obligations, resolve disputes, and enforce agreements. Temporary chat attachments are designed for short-lived storage (currently 24 hours). If you delete a dataset, we remove related stored dataset artifacts and dataset-linked published report records from active service systems.

For connected data sources: you can disconnect any integration at any time from your account settings. Disconnecting revokes access tokens at the provider (where supported), marks the connection as revoked in our systems, and stops further data retrieval. Datasets created from connected sources persist after disconnection and must be deleted separately if you wish to remove imported data.

9. Security

We use technical and organizational safeguards intended to protect information, including access controls, authentication protections, encryption in transit, and encryption at rest. However, no system is completely secure.

10. International Processing

We and our service providers may process information in multiple countries, including the United States. By using the Services, you understand your information may be transferred across borders subject to applicable safeguards.

11. Your Choices and Rights

You may have rights under applicable privacy law, including rights to:

  • access, correct, or delete personal information;
  • receive a copy of certain data;
  • object to processing based on legitimate interest (including analytics for authenticated users and conversion tracking);
  • restrict certain processing;
  • withdraw consent where processing is based on consent.

You can delete datasets and unpublish published reports through product controls. To object to legitimate interest processing or for other data requests, contact us at the address below.

12. Children's Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13.

13. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be posted here with a revised "Last updated" date.

14. Contact

For privacy questions or requests, contact privacy@heyanna.studio.

Read our Terms and Conditions.