This Privacy Policy explains how Herstia ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our web application at app.herstia.com ("the Service"). We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Herstia is operated by [YOUR FULL LEGAL NAME OR COMPANY NAME], registered in England and Wales.
Data controller contact: hello@herstia.com
Registered address: [YOUR REGISTERED ADDRESS]
2. What Data We Collect
Account data
- Email address — collected when you sign in via Google or magic link
Property data
- Postcode
- Property type (e.g. House, Flat, Terrace, Bungalow)
- Approximate year the property was built
Task data
- Descriptions of home maintenance issues you log
- Photos you upload in connection with maintenance tasks
- Room and system categories, priority, and resolution status of tasks
Usage and analytics data
- Pages visited and features used within the Service
- Device type, browser type, and approximate location (country/region)
- Interaction events captured via PostHog
AI interaction data
- Task descriptions and photos submitted for AI analysis are processed by Anthropic's Claude API
- AI-generated guidance responses are stored against your account
- Thumbs up/down feedback you provide on AI responses
3. How We Use Your Data
- To provide the Service — creating and managing your account, processing tasks, and delivering AI-powered guidance
- To personalise AI responses — your property profile is included in prompts to improve the relevance of guidance
- To improve the product — anonymised analytics data helps us understand usage and identify improvements
- To communicate with you — sending authentication emails via Resend
- To comply with legal obligations where required by applicable law
4. Legal Basis for Processing
- Contract performance — processing your email address and account data to provide the Service
- Legitimate interests — processing analytics data to improve the Service
- Legal obligation — retaining data where required by law
5. Who We Share Your Data With
We do not sell your personal data. We share data only with the following third-party service providers, strictly as necessary to operate the Service:
- Supabase — database, authentication, and file storage. Data hosted in the EU (West Ireland).
- Anthropic — AI processing of task descriptions and photos via the Claude API.
- Vercel — web application hosting and deployment.
- Resend — transactional email delivery for authentication emails.
- PostHog — product analytics. Data hosted in the EU.
6. Data Retention
- Account and task data is retained for as long as your account is active
- If you delete your account, all associated data is permanently deleted from our systems
- Analytics data may be retained in anonymised form for up to 24 months
- Authentication logs may be retained for up to 90 days for security purposes
7. International Data Transfers
Some of our third-party providers process data outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, including UK adequacy regulations or Standard Contractual Clauses (SCCs) where required.
8. Your Rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — request deletion of your data (or delete your account directly in the app)
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — request your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
To exercise any of these rights, contact us at hello@herstia.com. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies and Tracking
Herstia uses PostHog for product analytics. PostHog may set cookies or use similar tracking technologies to identify your session and record interactions with the Service. We do not use advertising cookies or share data with advertisers.
10. Security
- All data transmitted between your device and our servers is encrypted in transit via HTTPS
- Photos are stored in private Supabase Storage buckets, accessible only to your account
- Row-level security policies ensure users can only access their own data
- API keys and service credentials are never exposed to client-side code
11. Children
Herstia is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the 'Last updated' date at the top of this document.
13. Contact
For any privacy-related questions or to exercise your rights, contact us at hello@herstia.com or write to us at [YOUR REGISTERED ADDRESS].