ACTIVATED HUMAN
Security

How we protect your data.

The engineering and operational commitments behind every conversation you have with us.

Last updated: April 21, 2026

Our commitments, at a glance

Data encrypted in transit and at rest

Your conversations are never used to train anyone else's AI

You can export or delete everything, any time

Authentication via Auth0 (SOC 2, ISO 27001)

1. Encryption

All traffic to and from our services uses TLS 1.2 or higher. Your data, including backups, is encrypted at rest using industry-standard protocols.

Secrets (API keys, third-party credentials, session tokens) are stored in a hardened secrets manager and never written to source control, logs, or client-side code.

2. Authentication

Sign-in is handled by Auth0 (a SOC 2 Type II and ISO 27001 certified identity provider). We don't store your password, ever. Auth0 provides session management, MFA, and breach-credential detection.

Sessions use short-lived tokens. You stay signed in only when you opt in, and you can revoke a session at any time.

3. Your data and AI training

Your conversations with Blue (or HeartWeave's mediator) are not used to train general-purpose AI models, ours or anyone else's. Your data powers only your experience.

When we use third-party LLM providers to process your messages at runtime, we enable their zero-data-retention / no-training settings where available.

Your life is not our product. Patterns, memories, and insights Blue builds from your conversations stay scoped to you.

4. Your control over your data

You can:

  • Export your account data and conversation history at any time.
  • Delete your account. Personal data is queued for deletion and fully removed within 90 days.
  • Revoke any integration (Google Calendar, Todoist, Notion, Telegram, WhatsApp, Discord) in one click. The corresponding access token is destroyed on our side.
  • Disconnect bridges between Activated Human products at any time. Opt-in, visible, revocable.

See our Privacy Policy for retention details per subscription tier.

5. Sub-processors

We use a short list of vetted third parties to run the service. Each is held to SOC 2 or equivalent security standards.

Provider                        Purpose
Auth0                           Authentication & identity
Stripe                          Payment processing
SendGrid                        Transactional email
PostHog                         Product analytics (anonymized)
Sentry                          Error monitoring
Cloud infrastructure provider   Hosting, database, object storage

We'll update this list as our infrastructure evolves. Material changes will be surfaced in-product and via email to account holders.

6. Compliance & posture

We operate in line with GDPR and CCPA/CPRA expectations. Data-subject requests (access, rectification, deletion, portability) are honored within 30 days.

Every third-party sub-processor that touches personal data is held to SOC 2 Type II or equivalent security standards.

7. Incident response

We run continuous monitoring on our services with Sentry and infrastructure-level alerting. If we detect a security incident that affects your data, we will:

  • Notify affected users within 72 hours of confirmation, as required by GDPR.
  • Publish a post-incident write-up describing scope, root cause, and remediation.
  • Coordinate with regulators where applicable.

8. Responsible disclosure

If you've found a vulnerability in our products or infrastructure, we want to hear from you.

Email: [email protected]

Please include reproduction steps, affected endpoints, and the impact you observed. We commit to:

  • Acknowledging your report within 24 hours on business days (weekend reports answered Monday morning).
  • A clear initial triage and severity assessment within 5 business days.
  • Communicating a remediation plan once the issue is triaged. We don't pre-commit a fix timeline because it depends on severity and complexity.
  • Crediting you in our post-remediation notes (unless you prefer anonymity).

We don't yet run a paid bug bounty, but we take reports seriously and will reach out directly to researchers who meaningfully help us.

9. Contact

For security or privacy questions that aren't a vulnerability report, reach us at: