Privacy Policy

Last updated: June 1, 2026

HeardFrom is operated by Alchemy Partners Pty Ltd (ABN pending), an Australian company (“we”, “us”, “our”). This policy explains how we collect, use, and protect your data when you use HeardFrom (“the Service”).

1. Information We Collect

Account Information

When you create an account, we collect your email address, name, and organisation name. If you sign in with Google, we receive your name and email from Google’s OAuth service.

Integration Data

When you connect third-party services (Shopify, Gorgias, Zendesk, Judge.me, Yotpo, Okendo, Loop Returns, AfterShip Returns), we access and store:

  • Order and return data from Shopify
  • Support ticket data from Gorgias
  • Product review data from Judge.me, Yotpo, or Okendo
  • RMA and return-reason data from Loop Returns
  • Product catalogue data from Shopify

This data is used to generate intelligence briefings and analyse your customer signals. We store it in our database, encrypted at rest.

With your explicit approval, HeardFrom can also write optimised copy to your Shopify product descriptions through the Shopify Admin API (the write_products scope) as part of the optional Autoresearch content-experiment feature. We snapshot the existing content before any change and can revert it. No product content is ever modified without your approval.

Storefront Conversion Events (Web Pixel)

To measure whether an approved Autoresearch change improved conversion, HeardFrom installs a Shopify web pixel that records two aggregate, PII-free storefront events: product page views and completed purchases, each tied only to a product ID. We do not collect customer names, emails, phone numbers, addresses, or any personally identifiable information through the pixel — only anonymous per-product counts used to compute a before/after conversion rate. The pixel runs only with analytics consent.

API Credentials

OAuth tokens and API keys for your connected integrations are encrypted using AES-256-GCM before storage. We never store credentials in plaintext.

Usage Data

We collect basic usage analytics (page views, feature usage) via Vercel Analytics to improve the Service. We do not sell this data.

2. How We Use Your Data

  • To generate weekly operational briefings from your customer signals
  • To generate marketing voice reports extracting customer language
  • To produce a State of Voice quarterly report identifying recurring themes across your signals
  • To run a one-time PDP gap analysis on your top product page when you connect your store
  • To run optional, approval-gated content experiments (Autoresearch) that update your product page copy and measure the impact, keeping changes that help and reverting those that don’t
  • To send you email briefings and reports
  • To improve the Service and fix bugs

3. AI Processing

Your customer signals (tickets, reviews, orders, returns) are processed by Anthropic’s Claude AI to generate insights, briefings, and gap analyses. This data is sent to Anthropic’s API for processing. Anthropic does not use your data to train their models. See Anthropic’s privacy policy for details.

4. Data Storage and Security

  • Database: Supabase (PostgreSQL), hosted in AWS Singapore region
  • Encryption: API credentials encrypted with AES-256-GCM at rest
  • Tenant isolation: All queries are scoped to your organisation — you can never access another organisation’s data
  • Email tracking: Briefing emails include a tracking pixel to record opens. The pixel URLs use HMAC-signed tokens — no personally identifiable information is in the URL
  • Hosting: Vercel (application), Supabase (database), Inngest (background jobs)

5. Data Sharing

We do not sell your data. We share data only with:

  • Anthropic — for AI processing (as described above)
  • Resend — for email delivery
  • Vercel — for application hosting and analytics
  • Supabase — for database hosting and authentication
  • Inngest — for background job execution
  • Sentry — for error monitoring (no customer data, only error metadata)

6. Data Retention

We retain your data for as long as your account is active. If you disconnect an integration, we clear the stored credentials immediately. If you delete your account, we delete all associated data within 30 days.

7. Your Rights

Under Australian privacy law and GDPR (if applicable), you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data
  • Withdraw consent for data processing

To exercise these rights, email privacy@heardfrom.app.

8. Cookies

We use the following cookies:

  • Authentication cookies — to keep you signed in (essential, cannot be disabled)
  • Onboarding cookie (hf_onboarded) — to remember you’ve completed setup
  • Vercel Analytics — anonymous page view tracking

9. Changes to This Policy

We may update this policy from time to time. We’ll notify you of significant changes via email or a notice in the Service. Continued use after changes constitutes acceptance.

10. Contact

Alchemy Partners Pty Ltd
Trading as HeardFrom
Email: privacy@heardfrom.app