Privacy Policy

1. Scope

This Privacy Policy explains how Hey Anna collects, uses, discloses, and stores personal information when you use our website, product, and APIs.

2. Information We Collect

We collect information you provide directly, including:

• account data (name, email, hashed password);
• waitlist submissions (email);
• content you upload or create (datasets, workspace edits, chat messages, feedback, published reports).

Google user data

If you connect a Google account via our data-source integrations, we request limited, read-only access to specific Google services. Depending on the integration you enable, we may receive:

• your Google account email address (used to identify the connected account);
• Google Sheets content and metadata (read-only) for spreadsheets you select for analysis;
• Google Drive file listings (read-only) so you can browse and select spreadsheets to import;
• Google Analytics reporting data (read-only) for properties you select for analysis.

We do not request write access to any Google service. Access tokens are stored securely and can be revoked at any time by disconnecting the integration in your account settings.

We also collect technical and usage information, including:

• session metadata (refresh-session identifiers, user agent, IP address for session records);
• application events, request paths, errors, and performance telemetry;
• device/browser and interaction analytics via cookies and local storage technologies.

3. How We Use Information

We use information to:

• provide and operate the Services, including authentication and data storage;
• run AI-assisted functionality and return requested outputs;
• secure accounts, prevent abuse, investigate incidents, and enforce terms;
• measure reliability, performance, and product usage;
• respond to support requests and user feedback;
• comply with legal obligations.

Use of Google user data

Google user data obtained through our integrations is used solely to provide the features you requested — importing spreadsheet data for analysis, browsing your Drive to select files, or pulling Analytics reports. We do not use Google user data for advertising, to build user profiles unrelated to the service, to sell or broker data, to determine creditworthiness, or to train AI models. Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

4. Legal Basis for Processing

We process personal information under the following legal bases:

• Contract performance — to provide the Services you have signed up for, including authentication, data storage, AI-assisted features, and billing.
• Consent — for analytics cookies placed on anonymous visitors, which you can accept or decline via our cookie banner.
• Legitimate interest — to improve the product through analytics for authenticated users and to record conversion events (such as sign-ups and plan changes) for all users. We have assessed that these interests do not override your rights, given the limited data collected and our active PII redaction practices.
• Legal obligation — to comply with applicable laws and regulations.

5. AI Processing

Prompts and related context may be processed by AI model providers to generate requested outputs. We use provider API offerings configured so API customer content is not used for model training, and we do not use your Customer Content to train our own models.

Thread context is retained so Anna can continue your conversation and work. This context stays within your account and thread history.

6. Cookies, Analytics, and Consent

We use cookies, local storage, and similar technologies to:

• maintain secure authentication sessions (strictly necessary);
• remember product and monitoring state (strictly necessary);
• understand usage and improve performance (analytics).

Analytics providers

We use PostHog (via a first-party reverse proxy) and Google Analytics 4 for product analytics. These services help us understand how the product is used so we can improve it. We actively strip personally identifiable information — including email addresses, authentication tokens, and uploaded data content — from analytics events before they are sent.

How consent works

When you first visit, a cookie consent banner lets you accept or decline analytics cookies. Analytics tracking for anonymous visitors is off by default until you make a choice. Dismissing the banner (closing it) is treated as acceptance.

What we track regardless of cookie consent

Certain business events — such as account registration, checkout initiation, and plan changes — are recorded regardless of your cookie preference. These are user-initiated actions tied to your use of the service, not passive browsing surveillance. We rely on legitimate interest as the legal basis for these events.

Authenticated users

When you are signed in, we collect product analytics under our legitimate interest in improving the service you actively use. This includes feature usage, performance metrics, and interaction patterns. You can object to this processing by contacting us (see section 14).

7. Sharing and Disclosure

We may share information with:

• infrastructure and storage providers (for application hosting and file storage);
• AI model providers used to process your prompts and generate outputs;
• analytics providers (PostHog, Google Analytics) used to understand product usage and improve the service;
• legal authorities where required by law or to protect rights and safety;
• successors in a merger, acquisition, or asset transfer.

We do not share Google user data with third parties except as necessary to provide the Services (for example, passing imported data to AI model providers to generate the analysis you requested). We do not transfer or disclose Google user data for advertising, data brokerage, or any purpose unrelated to providing or improving the Services.

Published reports expose the report content you chose to publish. They do not grant direct access to your private workspace or source files.

8. Data Retention

We retain personal information and Customer Content for as long as needed to provide the Services, meet legal obligations, resolve disputes, and enforce agreements. Temporary chat attachments are designed for short-lived storage (currently 24 hours). If you delete a dataset, we remove related stored dataset artifacts and dataset-linked published report records from active service systems.

For Google user data: you can disconnect a Google integration at any time from your account settings, which revokes our access tokens and stops further data retrieval. Data already imported into your datasets follows the standard dataset deletion process described above.

9. Security

We use technical and organizational safeguards intended to protect information, including access controls, authentication protections, encryption in transit, and encryption at rest. However, no system is completely secure.

10. International Processing

We and our service providers may process information in multiple countries, including the United States. By using the Services, you understand your information may be transferred across borders subject to applicable safeguards.

11. Your Choices and Rights

You may have rights under applicable privacy law, including rights to:

• access, correct, or delete personal information;
• receive a copy of certain data;
• object to processing based on legitimate interest (including analytics for authenticated users and conversion tracking);
• restrict certain processing;
• withdraw consent where processing is based on consent.

You can delete datasets and unpublish published reports through product controls. To object to legitimate interest processing or for other data requests, contact us at the address below.

12. Children's Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13.

13. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be posted here with a revised "Last updated" date.

14. Contact

For privacy questions or requests, contact [email protected].