Privacy Policy
How we handle your personal data
This Policy explains how Mykhailo Sheludiakov (private entrepreneur (ФОП), Ukraine) (“we”, “us”) processes personal data when you use Hephaestus. We process data lawfully, transparently, and with privacy by design.
Draft for legal review. This is not legal advice. Counsel must approve before App Store / Play submission.
Last updated: 2026-07-03
1. Data controller
Controller: Mykhailo Sheludiakov, private entrepreneur (ФОП), Ukraine
Contact for privacy requests: mykhailo.sheludiakov@gmail.com
Registered address: {{LEGAL_REGISTERED_ADDRESS}} · Registration: {{LEGAL_REGISTRATION_ID}}
2. What we collect
Depending on features you use, we may process:
- Account data: email, authentication identifiers, preferences, language.
- Capture data: text notes, voice transcripts (not permanent raw audio per our architecture), image-derived text.
- Life context: goals, habits, relationships, documents, reflections, AI-generated summaries.
- Usage metadata: token usage, feature usage counts, crash/error diagnostics (no capture content in logs).
- Payment metadata: subscription status via payment providers (we do not store full card numbers).
3. Why we process data
Purposes and typical legal bases:
- Provide the service (contract).
- AI transcription, extraction, and assistance (contract + your in-app consents).
- Security, fraud prevention, and abuse detection (legitimate interests).
- Waitlist or marketing email only with your separate opt-in (consent).
- Legal compliance and responding to requests (legal obligation).
4. AI processing
AI features send minimized/redacted content to orchestrated providers (e.g. OpenAI) to transcribe, extract structure, and assist you. We do not use your content to train public models without your explicit consent.
You can review in-app consents for AI processing, transcription, and related features.
5. Regional storage
Personal data is processed on Google Cloud Platform. Target regions by market: default {{GCP_REGION_DEFAULT}}; EU users {{GCP_REGION_EU}}; India users {{GCP_REGION_INDIA}}. We update this section as regional deployment is finalized.
6. Sub-processors
We use trusted processors including:
- Google Cloud Platform (hosting, infrastructure)
- OpenAI (AI inference, transcription when configured)
- Google (Sign-In OAuth)
- Stripe / Razorpay / Paystack (payments, by region)
- MailerSend (transactional and waitlist email)
- Expo (push notification delivery)
7. Retention
We retain personal data while your account is active and as needed to provide the service. Raw audio/images are not permanently stored. On account deletion, we erase personal data subject to lawful retention limits.
8. International transfers
Some processors are located outside your country (including the United States). We use appropriate safeguards such as Standard Contractual Clauses where required.
9. Your rights (GDPR / Ukraine)
Depending on your location, you may have the right to access, rectify, erase, restrict, object, and port your data, and to withdraw consent. Use in-app export/delete or email us.
You may lodge a complaint with a supervisory authority (e.g. Ukraine DPA or your EU member state authority).
10. India — DPDP 2023
For users in India, Mykhailo Sheludiakov acts as Data Fiduciary. Grievance Officer: Mykhailo Sheludiakov, mykhailo.sheludiakov@gmail.com.
You may contact the Grievance Officer for complaints regarding processing of your personal data. We will respond within timelines required by applicable Indian law.
Rights may include access, correction, erasure, grievance redressal, and nomination of another person to exercise rights on your behalf where applicable.
11. Children
The service is not intended for anyone under 18.
12. Changes
Last updated: 2026-07-03. We will post material changes on this page.