Privacy Policy
Effective Date: March 16, 2026 · Last Updated: April 14, 2026
1. Who We Are
Heurista is operated by Heurista LLC, a wholly-owned subsidiary of Development Institute LLC (“we,” “us,” “our”). We are the data controller for account, billing, and platform data, and the data processor for research data uploaded or generated by our customers.
| Registered Entity | Heurista LLC |
| Address | Heurista LLC, 1834 Connecticut Ave NW, Washington, DC 20002, United States. For registered address details, contact legal@heurista.com. |
| Privacy Contact | privacy@heurista.com |
| Data Protection Officer | dpo@heurista.com |
| EU Representative | Heurista LLC, Rudjera Boskovica 16/47, 21000 Split, Croatia. For EU data protection inquiries, contact dpo@heurista.com. |
| Data Protection Inquiries | For data protection inquiries, contact our privacy team at privacy@heurista.com. |
2. Data We Collect
The personal data we collect falls into three categories: data you provide directly, data collected automatically, and data received from third parties.
2.1 Data You Provide Directly
| Category | Data Elements | When Collected |
|---|---|---|
| Account Data | Email address, username, display name, password (hashed with scrypt; never stored in plain text), avatar | Registration |
| Survey Responses | Session identifiers, conversation messages (role, content), extracted answers (question text, answer text, confidence, sentiment, language), form responses | When respondents complete surveys you create |
| Qualitative Analysis Data | Codes, coded segments (direct quotes from responses), memos, coding audit trail (action, old/new values, timestamps) | During research analysis |
| Documents & Uploads | Filename, file size, MIME type, page count, file content. This may include research documents, transcripts, and CSV files. | When you upload files |
| Feedback & Bug Reports | Report type, subject, description, page context, browser user-agent. Submitted-by field is nullable for anonymous reports. | When you submit feedback |
| Team & Collaboration | Team member email, role, invited-by reference, invite token, organization name and slug | When you create or join a team |
| Gift Data | Sender email and name, recipient email and name, personal message, gift code | When you purchase or redeem a gift |
| Consent Records | Session ID, consent template ID, consent version, timestamp, IP hash, consent text hash | When survey respondents provide consent |
| Saved Analytics | Statistical test configurations, summary reports, analysis results | When you run and save analyses |
2.2 Data Collected Automatically
| Category | Data Elements | Details |
|---|---|---|
| Session Cookies | Encrypted session token containing: login state, role, username, organization ID | AES-256 encrypted (iron-session), httpOnly, 7-day TTL. Strictly necessary for authentication. |
| OAuth Cookies | OAuth state and PKCE verifier values | Temporary (600-second TTL), deleted after authentication completes |
| Activity Logs | Username, action type, detail (page path, survey ID, user-agent), hashed IP address (SHA-256, truncated to 16 characters), timestamps | Logged for security auditing. Full IP addresses are never stored. |
| Client-Side Storage | Hue AI assistant state (recent chat history, approximately 30 messages), welcome modal state | Stored in your browser's localStorage. Never transmitted to our servers unless you initiate an AI conversation. |
| Share Links | Unique token, creator reference, expiration date, label | Generated when you create a shareable link to a survey or report |
2.3 Data From Third Parties
| Source | Data Elements | Details |
|---|---|---|
| OAuth Providers | Auth provider name (Google, Microsoft, or GitHub), provider account ID, email, display name, avatar URL | Received when you sign in with a third-party account |
| KoboToolbox (optional) | Form metadata, survey responses imported from your KoboToolbox account | Only if you choose to connect your KoboToolbox account |
| Stripe | Subscription ID, customer ID, payment status, plan selection, trial dates | We receive subscription metadata via webhooks. We never receive or store card numbers. |
2.4 Geolocation Data (Opt-In)
Some surveys may request your location. This uses your browser's geolocation API and requires your explicit permission. If granted, we collect latitude, longitude, accuracy, country, region, and city. You can deny this request, and the survey will continue without location data.
2.5 Special Categories of Personal Data
Research data uploaded by customers may contain special categories of personal data as defined under GDPR Article 9, including but not limited to health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, or data concerning sex life or sexual orientation. Where Heurista processes such data, it does so solely as a processor on behalf of the researcher (controller). The researcher is responsible for ensuring a valid legal basis under Article 9 of the GDPR for any special category data submitted to the Platform. Heurista does not knowingly collect or process special category data in its capacity as a controller.
3. How We Use Your Data
| Purpose | Data Categories Used | Legal Basis (GDPR) |
|---|---|---|
| Service delivery — hosting surveys, collecting responses, generating analyses and reports | Account data, survey responses, qualitative analysis data, documents, saved analytics | Performance of contract (Art. 6(1)(b)) |
| AI-powered analysis — sending survey context, questions, and response text to our AI provider for automated coding, thematic analysis, and insight generation | Survey context, questions, respondent answers | Performance of contract (Art. 6(1)(b)) |
| Account management — authentication, session management, team collaboration | Account data, session cookies, OAuth data, team data | Performance of contract (Art. 6(1)(b)) |
| Billing and payments — processing subscriptions, managing credits, gift redemption | Billing data (Stripe IDs, plan info), gift data | Performance of contract (Art. 6(1)(b)) |
| Security and fraud prevention — monitoring for unauthorized access, rate limiting, audit trails | Activity logs, hashed IP addresses | Legitimate interest (Art. 6(1)(f)). Our legitimate interest is protecting the platform, our users, and their data from unauthorized access, fraud, and abuse. This interest is not overridden by your rights given the minimal data involved (hashed IPs, action types) and the significant security benefit. |
| Service improvement — understanding usage patterns, diagnosing bugs, improving reliability | Activity logs, feedback and bug reports | Legitimate interest (Art. 6(1)(f)). Our legitimate interest is improving the reliability, performance, and usability of the platform. We use aggregated, non-identifying usage patterns for this purpose. |
| Transactional communication — account verification, password resets, billing receipts, team invitations | Email address | Performance of contract (Art. 6(1)(b)) |
| Marketing communication — product updates, feature announcements (if you opt in) | Email address | Consent (Art. 6(1)(a)) |
4. AI Data Processing
Heurista uses artificial intelligence to help researchers analyze survey responses, code qualitative data, identify themes, and generate insights. This section explains exactly what data is involved and how it is handled.
4.1 What Data Is Sent to AI Providers
When you use AI-powered features, the following data is transmitted to the configured AI provider via their API. By default, Heurista uses Anthropic, Inc. Organizations may configure alternative providers based on their data governance requirements.
- Survey context and structure (questions, instructions, metadata)
- Respondent answers and conversation messages
- Text content from uploaded documents when you use document analysis features
- Text content provided for text-to-speech synthesis (sent to Microsoft Edge TTS)
4.2 How AI Providers Handle Your Data
By default, Heurista uses the Anthropic Claude API for AI analysis. Our AI providers commit to the following:
- No model training: Under the commercial API terms we use, your inputs and outputs are never used to train, fine-tune, or improve AI models.
- Limited data retention: Inputs and outputs are not retained beyond the immediate processing window, except for the limited periods the provider requires for safety monitoring, abuse detection, or compliance with legal obligations.
- Processing location: By default, data is processed in the United States under the provider's API terms of service and data processing agreement.
- Enterprise private deployment: Organizations requiring full data sovereignty can deploy Heurista with AI processing running within their own AWS (Amazon Bedrock) or Google Cloud (Vertex AI) infrastructure. In this configuration, no research data leaves the organization's environment. Contact enterprise@heurista.app for details.
4.3 Sensitive Data in AI Processing
If research participants include personal identifiers or sensitive information in open-text responses, that text may be sent to our AI provider as part of normal AI processing. We recommend anonymizing or pseudonymizing response data before using AI features on datasets containing sensitive personal information.
4.4 Automated Decision-Making
AI-generated analyses (codes, themes, sentiment scores, confidence ratings) are presented as suggestions to assist researchers. They do not constitute automated decisions with legal or similarly significant effects. Researchers retain full control to accept, modify, or reject all AI-generated outputs.
5. How We Share Data
We do not sell your personal information. We share data only with the sub-processors listed below, as required by law, or in connection with a business transfer.
5.1 Sub-Processors
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic, Inc. (default) | AI analysis (Claude API) | Survey context, questions, response text | USA (enterprise: configurable region) |
| Stripe, Inc. | Payment processing | Email, plan selection, payment details | San Francisco, CA, USA |
| Microsoft Corporation | Text-to-speech (Edge TTS) | Survey question text only (no respondent data) | USA |
| Resend, Inc. | Transactional email | Recipient email, message content | USA |
| Supabase, Inc. | Database hosting | All platform data (encrypted in transit and at rest) | Frankfurt, Germany (EU) |
| Fly.io, Inc. | Application hosting | Application runtime (encrypted in transit) | United States |
| KoboToolbox (optional) | Data import integration | API token, form metadata | User-configured server |
5.2 Legal Obligations
We may disclose personal data if required by law, regulation, subpoena, court order, or other governmental request. We will attempt to notify you where legally permitted before responding to legal process that requires disclosure of your data.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
6. International Data Transfers
Heurista's application runs in the United States on Fly.io infrastructure, and our default AI provider processes data in the United States; our primary database is hosted by Supabase in Frankfurt, Germany (see the sub-processor table in Section 5.1). Account and research data therefore move between the EU and the United States in the course of normal operation. If you are located outside the United States, your data will be transferred to and processed in the United States.
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where appropriate.
7. Data Retention
We retain data for as long as necessary to provide our services and comply with legal obligations. The table below outlines our retention practices per category.
| Data Category | Retention Period | Notes |
|---|---|---|
| Account data | Until account deletion | Deleted within 30 days of account deletion request |
| Survey responses | Until deleted by researcher | Researchers control their own research data lifecycle |
| Qualitative analysis data | Until deleted by researcher | Includes codes, segments, memos, and audit trails |
| Documents and uploads | Until deleted by researcher | Stored on encrypted infrastructure with server-level access controls |
| Activity logs | 12 months | Retained for security auditing, then purged |
| Billing data | Duration of subscription + 7 years | Financial record-keeping obligations |
| Session cookies | 7 days | Automatically expire; not persisted server-side |
| OAuth cookies | 600 seconds | Deleted immediately after authentication |
| Feedback and bug reports | Until resolved + 12 months | Retained for trend analysis and follow-up |
| Consent records | Duration of related data + 5 years | Retained to demonstrate lawful processing and the conditions of consent as required by GDPR Article 7(1) |
| AI processing data | Not retained beyond immediate processing window | Under Anthropic's commercial API terms, inputs and outputs are not retained beyond the immediate processing window. Limited retention may apply for safety monitoring, abuse detection, or legal compliance. |
We are implementing automated retention limits and purge schedules for every category above. Where automated enforcement is not yet in place for a category, data in that category is retained until you delete it or request account deletion.
8. Your Rights Under GDPR
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate or incomplete data.
- Erasure — Request deletion of your personal data (“right to be forgotten”).
- Restriction — Request that we limit processing of your data in certain circumstances.
- Portability — Receive your data in a structured, commonly used, and machine-readable format (such as CSV or JSON).
- Objection — Object to processing based on legitimate interest, including profiling.
- Withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Automated decision-making — You have the right not to be subject to decisions based solely on automated processing. As noted in Section 4.4, our AI features produce suggestions, not binding decisions.
- Lodge a complaint — File a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact us at privacy@heurista.com. We will respond within 30 days.
9. Your Rights Under CCPA/CPRA
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties with whom we share it.
- Right to delete — Request deletion of your personal information.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information — You may request that we limit our use of sensitive personal information to what is necessary to provide the service.
- Non-discrimination — We will not discriminate against you for exercising any of these rights.
To exercise your rights, contact privacy@heurista.com or use the contact form on our website. We will verify your identity before fulfilling your request and respond within 45 days.
10. Our Dual Role: Controller and Processor
Heurista operates in two distinct data protection roles depending on the type of data:
| Role | Data Categories | Explanation |
|---|---|---|
| Controller | Account data, billing data, activity logs, session cookies, feedback, platform analytics | We determine the purposes and means of processing this data to operate the platform. |
| Processor | Survey responses, qualitative analysis data, uploaded documents, respondent consent records, geolocation data | You (the researcher) are the controller. You determine what data to collect, why, and how long to keep it. We process it on your behalf according to your instructions. |
When acting as a processor, we process research data solely on the instructions of the researcher (controller). Researchers are responsible for obtaining appropriate consent from their research participants, determining lawful bases for processing, and complying with any applicable ethics board or IRB requirements. Our Data Processing Agreement (DPA) automatically applies to all customers who process personal data through the Platform and is incorporated into our Terms of Service. A countersigned copy is available upon request by contacting legal@heurista.com. View the full DPA at /dpa.
When you collect personal data from research participants using the Platform, you are the data controller for that data. You are responsible for providing appropriate privacy notices to your research participants in accordance with GDPR Article 13 (or Article 14 where the data is not obtained directly from the participant), including informing them about any third-party processing (such as AI-assisted analysis) that will be performed on their data.
Privacy Notice for Research Participants
If you collect personal data from research participants using the Platform, we provide a customizable Privacy Notice Template that you can adapt and provide to your participants. This template includes disclosures about AI-assisted analysis, international data transfers, and sub-processor information. Contact privacy@heurista.com to request the current template.
11. Children's Privacy
Heurista is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a person under 18, we will take prompt steps to delete it. If you believe a child has provided us with personal information, please contact us at privacy@heurista.com.
12. Cookies and Local Storage
Heurista uses a minimal set of cookies and browser storage. Every cookie we set is strictly necessary for the service to function; browser localStorage holds only functional state for features you use. We do not use third-party analytics, advertising, or tracking cookies.
| Name / Type | Category | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Encrypted authentication token (AES-256, httpOnly). Contains login state, role, username, org ID. | 7 days |
| OAuth state cookie | Strictly necessary | CSRF protection during OAuth sign-in flow | 600 seconds |
| OAuth verifier cookie | Strictly necessary | PKCE code verifier for OAuth flow | 600 seconds |
| localStorage | Functional | Hue AI chat history (approximately 30 messages), welcome modal dismissed state | Persistent until cleared by user |
Because all cookies are strictly necessary for the service to function, they do not require consent under the ePrivacy Directive. No cookie consent banner is required.
13. Security Measures
We implement technical and organizational measures to protect your data, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS.
- Encryption at rest: All data stored in our database is encrypted at rest using AES-256. Database backups are also encrypted.
- Password security: Passwords are hashed using scrypt with unique salts. We never store plain-text passwords.
- IP address hashing: IP addresses are hashed with SHA-256 and truncated before storage. Full IP addresses are never retained.
- Encrypted API tokens: Third-party integration tokens (e.g., KoboToolbox) are encrypted before storage.
- httpOnly, encrypted session cookies: Session data is encrypted with AES-256 via iron-session, and the cookie is flagged httpOnly so it cannot be read by client-side JavaScript. This prevents session-token theft through cross-site scripting (XSS), although it does not by itself stop a script running on a compromised page from issuing requests with the cookie attached.
- OAuth flow protection: A random state parameter guards against cross-site request forgery (CSRF) during sign-in, and PKCE guards against authorization-code interception. Both are used for all OAuth flows.
- Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks.
Our database infrastructure uses encrypted connections and server-level access controls.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will provide at least 30 days' notice before the changes take effect.
- Notice will be provided via email to the address associated with your account and/or a prominent notice on our website.
- The “Last Updated” date at the top of this page will be revised.
- Continued use of Heurista after the effective date constitutes acceptance of the updated policy. Where processing relies on your consent, we will seek renewed consent for material changes to those processing activities. Continued use alone does not constitute renewed consent.
15. Contact Us
If you have questions about this Privacy Policy, want to exercise your data protection rights, or have a complaint about how we handle your data, please contact us:
| Privacy Contact | privacy@heurista.com |
| Data Protection Officer | dpo@heurista.com |
| Postal Address | Heurista LLC, 1834 Connecticut Ave NW, Washington, DC 20002, United States. For registered address details, contact legal@heurista.com. |
| Supervisory Authority | If you are in the EEA and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority. |
| EU Representative | For inquiries from European Economic Area residents, contact our EU representative under GDPR Article 27 listed in Section 1 (Heurista LLC, Rudjera Boskovica 16/47, 21000 Split, Croatia) at dpo@heurista.com. |
This Privacy Policy is provided in plain language to help you understand how your data is handled. If you have questions about any section, please reach out — we are happy to clarify.