Privacy Policy

How we process personal data, support the product, and protect the information you share with heap.

Effective date: March 13, 2026

1. Overview

heap is an AI-powered finance tracker. You manually record accounts and transactions for budgeting and analytics.

This Privacy Policy explains what personal data we process, why we process it, which providers we use, and what rights you have.

2. Data we process

We process the following categories of data when you use heap.

2.1 Sign-in data

  • name (as provided by the provider)
  • email address
  • provider account identifier (to link and maintain your account)

2.2 Product analytics data (Amplitude)

We use Amplitude to understand app usage and improve reliability and performance. This may include:

  • app events (feature usage, screen views, performance metrics)
  • device/app instance identifiers (used to measure usage and prevent duplicate counts)
  • approximate region (may be inferred depending on device/network and SDK behavior)

2.3 Content you provide (finance records + AI inputs)

You may input or upload:

  • finance data you type (transactions, categories, notes, dates, account names)
  • messages you send to heap AI
  • images/files (e.g., receipts, screenshots) when you choose to attach them

Storage model:

Parts of your finance content may be stored on your device.

Some content is processed on our servers only when needed to provide features (for example, AI processing) and retained only as long as necessary for operation, security, and debugging.

2.4 AI processing (OpenAI)

If you use heap AI features, we send to OpenAI the content you submit for processing (such as text and/or images). If you use voice input, we send the transcribed text.

3. Why we process data (purposes)

We process data to:

  • authenticate and operate your account
  • provide core app features and customer support
  • deliver AI features you initiate
  • measure and improve product performance and reliability (analytics)
  • protect the service (security, abuse prevention, debugging)

4. Legal bases (GDPR/EEA users)

Where GDPR applies, we rely on:

  • Contract (Art. 6(1)(b)) - to provide the features you request (sign-in, app functionality, AI features you use)
  • Legitimate interests (Art. 6(1)(f)) - to improve the product and ensure reliability and security (analytics, diagnostics, abuse prevention)
  • Consent (Art. 6(1)(a)) - only where required by law (for example, if in the future specific tracking requires opt-in)

5. Providers (processors) we use

We use the following providers to run heap:

  • Apple / Google - authentication
  • Amplitude - product analytics
  • OpenAI - AI processing (text/images you submit for AI features)
  • Railway - hosting / backend infrastructure

We share personal data with these providers only as needed to provide the service.

6. Tracking / attribution (only if enabled)

We may add install attribution/marketing measurement in the future (e.g., Meta/Facebook SDK).

If this involves tracking under applicable Apple rules and/or law, we will request the required user permission on iOS (App Tracking Transparency) before enabling such tracking, and provide applicable choices to users.

7. International transfers

Some providers may process data outside your country. Where GDPR applies and transfers require safeguards, we use appropriate transfer mechanisms (such as Standard Contractual Clauses) and rely on provider security measures.

8. Data retention

We retain data only for as long as needed:

  • account identifiers: while your account is active and for a limited period after deletion for security and dispute handling
  • analytics data: according to our configured retention settings and operational needs
  • AI inputs: processed to provide the feature; limited logs may be retained for security/debugging

9. Security

We use reasonable security measures (for example, encryption in transit, access controls, and secure hosting practices). No system is 100% secure, but we work to protect your data.

10. Your rights

Depending on your location (including GDPR), you may have rights to:

  • access, correct, delete your personal data
  • object to or restrict processing
  • request portability (where applicable)
  • withdraw consent where processing is based on consent

You also have the right to lodge a complaint with a supervisory authority in your country/EEA member state where you live or work, or where you believe an infringement occurred.

To exercise rights, contact: support@heapai.org

11. Account deletion

To delete your account and personal data we control, contact: support@heapai.org

We may retain limited data where required for legal, security, or dispute resolution reasons.

12. Changes

We may update this Privacy Policy. If changes are material, we will provide notice in the app. The effective date shows the latest revision.