Privacy Policy

Last updated: February 22, 2026

This Privacy Policy describes how Heavaa (“Company”, “we”, “us”, or “our”) collects, uses, and protects your information when you use Corti (“Service”).

1. Information We Collect

1.1 Account Information

When you sign up via Google or GitHub OAuth, we collect your name, email address, and profile picture. We do not store your OAuth passwords.

1.2 Workspace Data

When you connect third-party services (GitHub, Slack, Notion, Linear, Jira), we ingest and index content from those services to provide decision tracking and search functionality. This data is stored securely and associated with your workspace.

1.3 Usage Data

We collect usage metrics such as search queries, chat interactions, and feature usage to improve the Service. This data is anonymized where possible.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Index and surface decisions from your connected sources
• Generate AI-powered search results and chat responses
• Send important Service-related communications
• Detect and prevent fraud or abuse

3. Data Storage & Security

Your data is stored on secure cloud infrastructure (Google Cloud Platform). We use encryption in transit (TLS) and at rest. Access to production systems is restricted to authorized personnel only.

4. Third-Party Services

We use third-party services for authentication (Google, GitHub), hosting (GCP, Vercel), and AI processing (Google Gemini, OpenAI). These providers have their own privacy policies. We only share the minimum data necessary for these services to function.

5. Data Retention

We retain your data for as long as your account is active. When you disconnect a source or delete your account, associated data is removed within 30 days. Backups may retain data for up to 90 days.

6. Your Rights

You have the right to:

• Access and export your data
• Request correction of inaccurate data
• Request deletion of your data
• Disconnect third-party sources at any time
• Withdraw consent for data processing

7. BYOM (Bring Your Own Model)

If you provide your own API keys for AI models, those keys are encrypted and stored securely. We do not use your API keys for any purpose other than processing your requests. Your API keys are never shared with other users or third parties.

8. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date.

10. Contact Us

If you have questions about this Privacy Policy, please contact us at heavaa@heavaa.com.