Privacy Policy

Last updated: April 7, 2026

HeardFrom is operated by Alchemy Partners Pty Ltd (ABN pending), an Australian company (“we”, “us”, “our”). This policy explains how we collect, use, and protect your data when you use HeardFrom (“the Service”).

1. Information We Collect

Account Information

When you create an account, we collect your email address, name, and organisation name. If you sign in with Google, we receive your name and email from Google’s OAuth service.

Integration Data

When you connect third-party services (Shopify, Gorgias, Judge.me, Yotpo, Okendo), we access and store:

  • Order and return data from Shopify
  • Support ticket data from Gorgias
  • Product review data from Judge.me, Yotpo, or Okendo
  • Product catalogue data from Shopify

This data is used to generate intelligence briefings and run experiments. We store it in our database, encrypted at rest.

API Credentials

OAuth tokens and API keys for your connected integrations are encrypted using AES-256-GCM before storage. We never store credentials in plaintext.

Usage Data

We collect basic usage analytics (page views, feature usage) via Vercel Analytics to improve the Service. We do not sell this data.

2. How We Use Your Data

  • To generate weekly operational briefings from your customer signals
  • To generate marketing voice reports extracting customer language
  • To run autonomous product page experiments (Autoresearch) on your Shopify store, with your explicit approval
  • To send you email briefings and experiment approval requests
  • To improve the Service and fix bugs

3. AI Processing

Your customer signals (tickets, reviews, orders, returns) are processed by Anthropic’s Claude AI to generate insights, briefings, and experiment hypotheses. This data is sent to Anthropic’s API for processing. Anthropic does not use your data to train their models. See Anthropic’s privacy policy for details.

4. Data Storage and Security

  • Database: Supabase (PostgreSQL), hosted in AWS Singapore region
  • Encryption: API credentials encrypted with AES-256-GCM at rest
  • Tenant isolation: All queries are scoped to your organisation — you can never access another organisation’s data
  • Email tracking: Briefing emails include a tracking pixel to record opens. The pixel uses HMAC-signed tokens; no personally identifiable information is in the URL
  • Hosting: Vercel (application), Supabase (database), Inngest (background jobs)

5. Data Sharing

We do not sell your data. We share data only with:

  • Anthropic — for AI processing (as described above)
  • Resend — for email delivery
  • Vercel — for application hosting and analytics
  • Supabase — for database hosting and authentication
  • Inngest — for background job execution
  • Sentry — for error monitoring (no customer data, only error metadata)

6. Data Retention

We retain your data for as long as your account is active. If you disconnect an integration, we clear the stored credentials immediately. If you delete your account, we delete all associated data within 30 days.

7. Your Rights

Under Australian privacy law and GDPR (if applicable), you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data
  • Withdraw consent for data processing

To exercise these rights, email privacy@heardfrom.app.

8. Cookies

We use the following cookies:

  • Authentication cookies — to keep you signed in (essential, cannot be disabled)
  • Onboarding cookie (hf_onboarded) — to remember you’ve completed setup
  • Vercel Analytics — anonymous page view tracking

9. Changes to This Policy

We may update this policy from time to time. We’ll notify you of significant changes via email or a notice in the Service. Continued use after changes constitutes acceptance.

10. Contact

Alchemy Partners Pty Ltd
Trading as HeardFrom
Email: privacy@heardfrom.app