Heron

Legal

Privacy Policy

Last updated: 18 June 2026

This policy explains what personal data Heron collects, how it is used, and the rights you have over it. Heron is operated from Norway and processes data in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.

1. Who we are

The data controller is the operator of Heron, reachable at hello@useheron.app. If you have questions about how your data is handled, this is the right address.

2. What we collect

Account data

When you create an account we collect your email address, first name, and a hashed password.

Usage data

We store the habits you create (name, colour, schedule), your daily habit logs, and brain-dump entries (text and expiry time). This is the core content of the service — without it, Heron cannot function.

Billing data

If you subscribe to Heron Pro, payment is processed by Stripe. We receive a Stripe customer ID and subscription status. We do not store card numbers.

Technical data

Server logs record request timestamps, HTTP status codes, and authentication events (identified by internal user ID only, never by email) for security and debugging purposes. These are rotated and deleted within 30 days.

When an application error occurs, a technical error report is sent to Flare (our error-monitoring service). These reports contain stack traces and request metadata but never user-generated content (e.g. brain-dump text or habit names). IP addresses are anonymised before transmission.

Analytics data

We use Pirsch, a privacy-friendly, cookieless analytics service, to understand aggregate traffic to Heron (e.g. page views and referrers). Pirsch does not use cookies or persistent identifiers and does not track individual users across sessions.

3. Why we collect it

Data Purpose Lawful basis
Account data Authentication and account management Contract
Habit & log data Delivering the core service Contract
Billing data Processing payments and managing subscription Contract + legal obligation
Server logs Security monitoring and debugging Legitimate interest

4. Data retention

  • Account and habit data — kept for the lifetime of your account.
  • Brain-dump entries — automatically deleted when their chosen TTL expires (4 h, 1 d, 3 d, or 1 w).
  • Deleted accounts — all personal data is purged within 30 days of account deletion.
  • Server logs — rotated and deleted within 30 days.
  • Billing records — retained for 5 years as required by Norwegian accounting law.

5. Third-party services

  • Stripe — payment processing. Data sent to Stripe is governed by Stripe's Privacy Policy.
  • Flare — error monitoring. When the application throws an exception, a technical report (stack trace and request metadata, no user content, anonymised IP) is sent to Flare and retained according to Flare's Privacy Policy. The lawful basis is legitimate interest in maintaining a stable, secure service.
  • Pirsch — privacy-friendly, cookieless website analytics. No personal data or persistent identifiers are collected. See Pirsch's Privacy Policy. The lawful basis is legitimate interest in understanding aggregate site usage.
  • We use no advertising networks or social media pixels.
  • We do not sell or rent your data to any third party.

6. Cookies

Heron uses one session cookie to keep you logged in. No tracking cookies, no third-party analytics cookies, no advertising cookies. Our analytics provider, Pirsch, does not use cookies at all. If you use the app as a guest, a session token is stored in your browser to persist your data within that session.

7. Your rights (GDPR)

As a resident of the EEA you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data in Settings or by contacting us.
  • Erasure — delete your account and all associated data from Settings → Profile.
  • Portability — request an export of your data in a machine-readable format.
  • Restriction & objection — restrict or object to certain processing. Contact us and we will assess your request.
  • Lodge a complaint — you may complain to the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

To exercise any right, email hello@useheron.app. We respond within 30 days.

8. Children

Heron is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us and we will delete it promptly.

9. Changes to this policy

We may update this policy to reflect changes in the service or applicable law. Material changes will be communicated by email at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the current version.

10. Contact

Data protection questions or requests: hello@useheron.app