Privacy Policy

1. Who we are

Herald (“Herald,” “we,” “us”) operates withherald.co and the Herald product at app.withherald.co. Herald is a product-intelligence service for founders: we read your product events, revenue, support conversations, and sales calls, and compose a weekly briefing plus an ask-anything chat. This Privacy Policy explains how we handle data across the marketing site, the application, and the integrations you connect.

For questions about this policy, data access, deletion, or anything else privacy-related, write to privacy@withherald.co.

2. The short version

• Tenant isolation is structural. Each product you connect gets its own Cloudflare Durable Object with its own SQLite database. There is no shared tenant database; there are no cross-tenant queries.
• Cloudflare-only data plane. Your data is stored on Cloudflare (Durable Objects, Analytics Engine, R2, Vectorize, Workers AI). We do not use Postgres, Redis, Kafka, Pinecone, or any non-Cloudflare storage for tenant data.
• LLM calls go through Cloudflare AI Gateway. When we need Anthropic’s Claude for briefing narrative or complex diagnostics, the request is proxied through Cloudflare AI Gateway. We send summarized, structured context — not raw events, full message bodies, or call transcripts — to the LLM.
• You can delete everything. Deleting a product deletes its Durable Object, its R2 objects, and its Vectorize namespace. Raw events in Analytics Engine age out on the schedule we describe below.
• You own your data. We process it to deliver the service you paid for. We don’t sell it, we don’t train third-party models on it, and we don’t share it outside the subprocessors listed below.

3. What we collect

3.1 Marketing site (withherald.co)

The marketing site is intentionally light. We use no third-party analytics scripts by default, no advertising cookies, and no cross-site tracking pixels. The site does not write to localStorage at all.

Our blog and changelog are served from Cloudflare’s edge. Standard web server logs (IP address, user agent, referring URL, request path, response code, timestamp) are retained by Cloudflare for up to three days for abuse prevention and debugging, and then discarded.

If you submit a form (for example, an early-access request or a contact message), we keep what you sent us and use it to reply.

3.2 Account data (app.withherald.co)

Authentication is handled by Better Auth, an open-source library running on our own infrastructure. Your credentials and session data are stored in Cloudflare D1 — Herald’s own database, listed under the Cloudflare row of the subprocessors table below. No third-party authentication provider has access to your account or credentials.

Herald maintains, per Account, the list of Products you own, your plan, your billing state, your in-app settings, and the chat history you have with your Products’ agents.

3.3 Product data you send us

A “Product” in Herald is a SaaS application you’ve connected. For each Product, we ingest whatever you direct us to ingest. Typical categories:

• Events from our JavaScript and server SDKs. Names, properties, and identifiers you emit. You decide what to send; we validate and store it.
• Revenue data from Stripe. Subscriptions, invoices, charges, disputes, and customer records. On connect, we backfill the previous 90 days by default; afterwards we receive webhooks.
• Support conversations from Intercom (and, as we roll them out, Plain, Crisp, Help Scout, and similar). Conversations, messages, tags, and CSAT scores. On connect, we backfill the previous 60 days by default; afterwards we receive webhooks.
• Issues from Linear, GitHub, and Jira. Titles, bodies, labels, state, comments — used to understand engineering context surfacing in feedback and calls.
• Forwarded email. Each Product gets an auto-provisioned inbox (fwd+{product_id}@inbox.withherald.co). When you forward sales transcripts, support escalations, or internal notes to that address, we parse the message and route it to the right place. Attachments are stored in R2 on Cloudflare.
• Sales-call transcripts. Pasted or emailed transcripts (plain text, VTT, SRT, or Fathom/Fireflies-style exports). Transcripts live in R2 as blobs; metadata (participants, duration, inferred outcome, summary) lives in the tenant database.
• Public reviews. If enabled, we fetch reviews from G2, the App Store, Play Store, or Capterra on a schedule you configure.
• Slack and Notion. If connected, messages and documents you explicitly share with Herald.

In all cases: you choose what to connect, and you can disconnect at any time from Settings. Disconnection stops future ingestion. To remove already-ingested data, use the delete or export controls described in §8.

3.4 End-user data (your customers’ data)

Much of what you send Herald is, by nature, data about your end-users — the people who use your Product. Herald treats that data as yours; you are the “data controller” and Herald is the “data processor” under GDPR and analogous laws. We process that data only to deliver the Herald service to you and under your instructions. Our Data Processing Addendum is available on request at legal@withherald.co.

3.5 Usage telemetry

We keep minimal operational logs to run the service: request timings, error traces, briefing generation latency, LLM token counts (no contents), and webhook verification outcomes. Errors and stack traces go to Sentry with personally identifying fields redacted. We do not log full event payloads, full LLM prompts or responses, or chat messages to any observability pipeline.

4. How we use it

• Composing the briefing. Every week (or daily, if you’ve configured it), a set of Herald sub-agents runs over your Product’s data — revenue, usage, feedback, people, anomalies, watchlists — and produces structured outputs. A composer model turns those into the briefing narrative.
• Answering your chat questions. When you ask a question, an agent translates it to SQL, runs it inside a read-only sandbox with no network access and a five-second CPU budget, and composes an answer from the rows it gets back.
• Keeping watchlists live. Standing queries are evaluated daily and trigger a Slack or email note if they trip.
• Running the service. Authentication, billing, delivery of briefings by email or Slack, abuse prevention, security monitoring, product improvements, and customer support.
• Aggregate improvements. We keep a log of natural-language questions and the SQL we generated for them, in order to evaluate and improve Herald’s reasoning quality. The SQL we log is derived from your schema; we do not log the row results, and we do not use your data to train any third-party model.

We do not sell your data. We do not share it with advertisers. We do not use Customer Data to train machine-learning models — neither our own nor any third party’s. The one exception, on our side, is that we retain natural-language questions and the SQL we generated in response (no row results) as an evaluation corpus for improving Herald’s reasoning; this is operational telemetry, not model training, and it stays inside Herald’s infrastructure.

5. What we send to LLM providers

Herald uses large language models to draft briefing narrative, generate SQL, classify sentiment, and answer diagnostic questions. Every LLM call is routed through Cloudflare AI Gateway, which gives us per-tenant cost controls, caching, and a single audit log. The models we use today:

• Cloudflare Workers AI (runs on Cloudflare infrastructure): small Llama models for event-property enrichment and sentiment classification; BGE for embeddings used in feedback clustering and similarity search.
• Anthropic Claude (via AI Gateway): Claude Haiku for structured SQL generation; Claude Sonnet for briefing narrative; Claude Opus for complex diagnostic chat.

What we send to these models per call is deliberately narrow: your schema shape, your semantic annotations, structured sub-agent outputs, and the question or task at hand. We do not send raw event payloads, full customer records, full email bodies, or full call transcripts as LLM context. When a model needs a specific row — for example, a feedback quote to put in the briefing — we pass only that row, with identifiers we don’t need redacted.

Under the terms of service that govern our use of Cloudflare AI Gateway, Cloudflare Workers AI, and the Anthropic API, data we send through these channels is not used to train the underlying foundation models. If the commercial terms we rely on change, we will update this policy and give paid customers advance notice.

6. Where your data lives

Your data is stored on Cloudflare:

• Durable Object SQLite — one Durable Object per Product, holding tenant state (settings, rollups, feedback clusters, semantics, briefings, watchlists, agent memory).
• Analytics Engine — append-only storage for raw product events and operational telemetry.
• R2 — object storage for large blobs (sales-call transcripts, email attachments, chat attachments, future briefing PDFs). Every R2 key is prefixed by your product_id.
• Vectorize — one namespace per Product for embeddings of feedback, calls, reviews, and team notes.
• Workers KV — shared, non-tenant lookups (SDK key to product mapping, feature flags, price lists).
• Cloudflare Secrets Store — platform secrets. Per-Product secrets (for example, Stripe OAuth tokens) are encrypted with AES-GCM using a key from Secrets Store and stored inside the Product’s own Durable Object SQLite. They are decrypted only in memory, only when making the outbound API call, and never written to any log.

Durable Objects are assigned a primary region by Cloudflare on first write; they remain in that region for their lifetime. Today we don’t offer a customer-selectable region. Contact us if data residency is a requirement — this is on our roadmap.

7. Sub-processors

Herald engages a small number of sub-processors to deliver the service — infrastructure (Cloudflare), AI providers (Anthropic, OpenAI, Cloudflare AI Gateway), payments (Stripe), email delivery (Cloudflare Email Workers), and error tracking (Sentry). The full public list — including each provider’s purpose, data accessed, region, no-training pledge for AI providers, and privacy policy — is at withherald.co/legal/subprocessors/. We update it when the list changes; material additions are announced at least 30 days before they take effect. For customers who require a contractual sub-processor notification mechanism, see the Data Processing Addendum.

The third-party systems you authorize Herald to read from — Stripe, Intercom, Linear, GitHub, Jira, Slack, Notion, Fathom, Fireflies, G2, Apple, Google, and similar — are your data sources, not Herald’s sub-processors. You have a direct relationship with each of them under their own terms. Herald only reads the data you authorize it to read.

8. Retention, export, and deletion

8.1 Defaults

• Raw product events — 90 days, configurable by product profile. Business-to-business SaaS defaults to 90 days; product-led growth defaults to 30 days; sales-led defaults to 180 days. Scale-tier customers can extend to 1 year.
• Daily and hourly rollups — retained indefinitely while your account is active.
• Stripe revenue history — retained indefinitely while your account is active.
• Support conversations — 2 years.
• Sales-call transcripts — 1 year.
• Chat history — 1 year. Older messages age out on a rolling window.
• Team context (Slack messages, Notion documents, forwarded internal notes) — 90 days.
• Briefings, semantic annotations, watchlists, and agent memory — retained indefinitely while your account is active.
• Operational logs (Sentry, access logs, AI Gateway logs) — 30 days.
• The natural-language-to-SQL evaluation corpus — up to 1 year. This log stores the question, the SQL we generated, timing, and success or failure. It does not store your row data.

8.2 Export

From Settings, you can request an export of a Product. Herald generates a ZIP containing your configuration, rollups, feedback, conversations, call transcripts, briefings, and chat history, stores it in R2, and gives you a pre-signed URL that expires in 24 hours.

8.3 Deletion

Deleting a Product from Settings triggers a single operation on that Product’s Durable Object. The Durable Object deletes every R2 object under its prefix, deletes its Vectorize namespace, marks its raw events in Analytics Engine for Herald’s retention sweep to purge (because Analytics Engine is append-only, residual rows age out under our 90-day retention policy), drops every row in its SQLite database, and then self-destructs. The Product is then removed from dispatch routing.

After deletion, Herald may retain encrypted operational backups for a commercially reasonable period, not to exceed 30 days, solely for disaster recovery. Backups are not restored except in a recovery event and are not accessible for lookups or support.

Deleting your Account removes your Better Auth session and credentials from our D1 database and triggers deletion of every Product you own.

If you are an end-user of a Product that uses Herald and you want your data removed from that Product’s Herald tenant, please contact the operator of the Product. We will honor verified requests forwarded to us by the operator and, in jurisdictions that require it, by you directly to privacy@withherald.co.

9. Security

• Every tenant lives in a dedicated Durable Object. Cross-tenant queries are structurally impossible.
• Every inbound webhook is signature-verified in middleware before anything else runs. A failed verification returns 401 and never enters the queue.
• Every inbound payload is validated with a Zod schema at the boundary.
• AI-generated analysis code runs in an isolated Dynamic Worker with no network access, no Workers KV, no R2, no Vectorize, and no other bindings. It receives only a read-only SQL view into a sandbox space the parent Durable Object prepares for that question, and it runs under a 5-second CPU budget. It cannot read or write your main tenant state.
• Secrets live in Cloudflare Secrets Store. Per-tenant secrets are encrypted with AES-GCM before being written to tenant storage.
• Transport to and between Cloudflare endpoints is TLS 1.2 or better.
• Access to production systems is limited to Herald personnel who need it to operate the service, gated by single sign-on and hardware keys.

10. Cookies and local storage

The marketing site uses no third-party tracking cookies and no advertising cookies. localStorage holds your theme preference only.

The application uses cookies required to keep you signed in (Better Auth session cookies, stored in Cloudflare D1) and a small number of first-party cookies for CSRF protection and route-level caching. We use no third-party advertising or cross-site tracking cookies in the application.

For the full breakdown of what each cookie is, where it is set, and how to manage it, see the Cookie Policy.

11. International transfers

Cloudflare operates a global network. Your data may be processed in the United States, the European Union, or other regions where Cloudflare has infrastructure. Transfers from the EU, UK, or Switzerland to jurisdictions without an adequacy decision are covered by Cloudflare’s standard contractual clauses. If you require a specific data-residency region, tell us and we’ll work with you.

12. Children

Herald is a business tool and is not directed at children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact privacy@withherald.co and we will delete it.

13. Your rights

Depending on where you live, you may have the right to access, correct, port, or delete your personal data; to restrict or object to processing; and to lodge a complaint with a supervisory authority. Email privacy@withherald.co to exercise any of these rights. We will respond within 30 days.

14. Changes

We’ll update this policy when our practices change. Material changes are announced at least 30 days in advance via email to the Account owner and a notice on this page. The “Effective” date at the top of this page is authoritative.

15. See also

• Sub-processors — the full public list of third parties we engage, with purpose, region, and privacy policy links.
• Data Processing Addendum — available on request; covers EU/UK GDPR, CCPA, and EU Standard Contractual Clauses.
• Cookie Policy — what cookies Herald sets, where, and why.
• Acceptable Use Policy — what you may and may not do with the service.
• Terms & Conditions — the master service agreement.

16. Contact

Herald
Privacy: privacy@withherald.co
Security: security@withherald.co
Legal: legal@withherald.co
Support: help@withherald.co