Legal
Privacy Policy
Last updated: 18 June 2026
This policy explains what personal data Heron collects, how it is used, and the rights you have over it. Heron is operated from Norway and processes data in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.
1. Who we are
The data controller is the operator of Heron, reachable at hello@useheron.app. If you have questions about how your data is handled, this is the right address.
2. What we collect
Account data
When you create an account we collect your email address, first name, and a hashed password.
Usage data
We store the habits you create (name, colour, schedule), your daily habit logs, and brain-dump entries (text and expiry time). This is the core content of the service — without it, Heron cannot function.
Billing data
If you subscribe to Heron Pro, payment is processed by Stripe. We receive a Stripe customer ID and subscription status. We do not store card numbers.
Technical data
Server logs record request timestamps, HTTP status codes, and authentication events (identified by internal user ID only, never by email) for security and debugging purposes. These are rotated and deleted within 30 days.
When an application error occurs, a technical error report is sent to Flare (our error-monitoring service). These reports contain stack traces and request metadata but never user-generated content (e.g. brain-dump text or habit names). IP addresses are anonymised before transmission.
Analytics data
We use Pirsch, a privacy-friendly, cookieless analytics service, to understand aggregate traffic to Heron (e.g. page views and referrers). Pirsch does not use cookies or persistent identifiers and does not track individual users across sessions.
3. Why we collect it
| Data | Purpose | Lawful basis |
|---|---|---|
| Account data | Authentication and account management | Contract |
| Habit & log data | Delivering the core service | Contract |
| Billing data | Processing payments and managing subscription | Contract + legal obligation |
| Server logs | Security monitoring and debugging | Legitimate interest |
4. Data retention
- Account and habit data — kept for the lifetime of your account.
- Brain-dump entries — automatically deleted when their chosen TTL expires (4 h, 1 d, 3 d, or 1 w).
- Deleted accounts — all personal data is purged within 30 days of account deletion.
- Server logs — rotated and deleted within 30 days.
- Billing records — retained for 5 years as required by Norwegian accounting law.
5. Third-party services
- Stripe — payment processing. Data sent to Stripe is governed by Stripe's Privacy Policy.
- Flare — error monitoring. When the application throws an exception, a technical report (stack trace and request metadata, no user content, anonymised IP) is sent to Flare and retained according to Flare's Privacy Policy. The lawful basis is legitimate interest in maintaining a stable, secure service.
- Pirsch — privacy-friendly, cookieless website analytics. No personal data or persistent identifiers are collected. See Pirsch's Privacy Policy. The lawful basis is legitimate interest in understanding aggregate site usage.
- We use no advertising networks or social media pixels.
- We do not sell or rent your data to any third party.
6. Cookies
Heron uses one session cookie to keep you logged in. No tracking cookies, no third-party analytics cookies, no advertising cookies. Our analytics provider, Pirsch, does not use cookies at all. If you use the app as a guest, a session token is stored in your browser to persist your data within that session.
7. Your rights (GDPR)
As a resident of the EEA you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data in Settings or by contacting us.
- Erasure — delete your account and all associated data from Settings → Profile.
- Portability — request an export of your data in a machine-readable format.
- Restriction & objection — restrict or object to certain processing. Contact us and we will assess your request.
- Lodge a complaint — you may complain to the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.
To exercise any right, email hello@useheron.app. We respond within 30 days.
8. Children
Heron is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us and we will delete it promptly.
9. Changes to this policy
We may update this policy to reflect changes in the service or applicable law. Material changes will be communicated by email at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the current version.
10. Contact
Data protection questions or requests: hello@useheron.app