Privacy Policy
Last updated: 2026-05-11
This Privacy Policy explains how HeurChain — operated by Carlsson Creative LLC — collects, uses, and protects information when you use our vector memory service. We've written it in plain English on purpose. If you have questions, email [email protected].
1. Who we are
HeurChain is a vector memory broker service for AI agents. It is operated by Carlsson Creative LLC, a limited liability company registered in California, USA. When this policy says "HeurChain," "we," "us," or "our," it means Carlsson Creative LLC and the HeurChain service.
Privacy contact: [email protected]. For formal legal demands: [email protected].
2. What we collect
Account data
When you sign in via Google or GitHub OAuth, we receive your email address and display name from that provider. We store those alongside a Supabase user_id (a UUID generated by our auth layer) and, once you subscribe, a Stripe customer_id that links your account to your billing record.
Usage data
Every API call you make is logged so we can enforce plan caps, detect abuse, and debug issues. Logged fields include your tenant_id, a timestamp, your IP address, and your HTTP user-agent string. This data lives in our usage_events and audit_log tables. The vectors you store are encrypted at rest on European cloud infrastructure and are never read by HeurChain staff unless you explicitly grant us access for support purposes.
Billing data
Payments are processed entirely by Stripe, Inc. We never receive, store, or touch your full card number, CVV, or bank details. What we store is your Stripe customer_id and your current subscription plan name, so we can correctly provision your account limits.
3. How we use it
We use your data to operate the service: provisioning your tenant, enforcing the plan caps you've agreed to, sending transactional emails (receipts, limit warnings, policy change notices), and providing support when you contact us.
We use billing data to process payments and detect fraud. We use usage logs to investigate abuse reports and comply with valid legal requests such as court orders or law enforcement demands.
We do not use your data for advertising. We do not sell, rent, or trade your personal information to any third party for marketing purposes.
4. Where it's stored
Production data — including your account record, API usage logs, and stored vectors — resides on professional cloud providers in the EU and US. Backups are encrypted at rest. Authentication is handled by Supabase (hosted on AWS eu-central-1). Payments are handled by Stripe (US). We have a Data Processing Agreement in place with both providers.
We do not store production data on personal laptops or unmanaged devices. Access to production infrastructure is restricted to named engineers with hardware-key-backed SSH.
5. Who we share it with
We share data only with the sub-processors required to run the service:
- Stripe, Inc. — payment processing and subscription management.
- Supabase, Inc. — authentication, relational database hosting, and row-level security enforcement.
- Cloudflare, Inc. — CDN, DDoS protection, and Cloudflare Tunnel for our cluster gateway.
- Resend or equivalent transactional email provider — delivering receipts, account notices, and policy updates to your inbox.
We do not share your data with anyone else without your explicit consent, unless required to do so by a valid legal demand (e.g., a court order or lawful government request), in which case we will notify you to the extent permitted by law.
6. Your rights
Depending on where you live, you may have the right to access the data we hold about you, correct inaccurate data, request deletion of your account and associated data, export your data in a portable format, and object to certain processing (such as automated decision-making).
These rights apply to EU residents under the GDPR and to California residents under the CCPA. We extend them to all users as a matter of policy because it's the right thing to do.
To exercise any of these rights, email [email protected] with the subject line "Privacy Request." We will respond within 30 days. Deletion requests are processed after a 30-day grace period to allow for backup rotation; after that, your data is permanently gone.
7. Cookies and tracking
We use exactly one cookie: the Supabase session cookie, set when you log in, used to authenticate your subsequent requests. It is a first-party, HttpOnly, Secure cookie. It expires when your session ends or when you log out.
We do not use third-party analytics cookies, advertising cookies, or tracking pixels. There is no Google Analytics, Meta Pixel, Intercom, Mixpanel, or similar tool running on HeurChain pages as of the "Last updated" date above. If we add any analytics tool in the future, we will update this section and notify users.
8. Children's privacy
HeurChain is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has created an account, please contact us at [email protected] and we will delete the account promptly.
9. International transfers
HeurChain operates primarily on EU-based infrastructure, but some of our sub-processors (Stripe, Supabase) have infrastructure in the United States. By using HeurChain, EU and EEA customers acknowledge that their data may transit to or be processed in the US. Where required, we rely on standard contractual clauses (SCCs) to cover those transfers. If you have questions about the legal basis for any specific transfer, email [email protected].
10. Changes to this policy
We may update this Privacy Policy as the service evolves. For material changes — anything that meaningfully affects how your data is used — we will send an email to the address on your account and display a banner on the dashboard at least 30 days before the change takes effect. Minor clarifications (typo fixes, formatting) may be made without notice.
The "Last updated" date at the top of this page always reflects the most recent revision.
11. Contact
For any privacy question or concern: [email protected].
For formal legal demands (subpoenas, court orders, law enforcement requests): [email protected].
Mailing address: Carlsson Creative LLC, San Diego, California, USA.