Privacy Policy
Hesed.love takes the privacy of our users — and especially of children who use our Service — seriously enough to build it into the architecture, not just promise it in a policy. This Privacy Policy explains what we collect, what we don't, and how we use, store, and protect your information.
This policy applies to the Hesed.love coaching application and related services operated by Ayodeji Samuels and Olawumi Samuels (sole proprietors), doing business as Hesed.love, based in Calgary, Alberta, Canada.
1. The short version
- Your conversations live on your device, not on our server. When you write to the Coach, our server hands the message to the AI and forgets it. We keep only the bare bones of each visit — the date and time, a scrambled fingerprint of your account, how long the call took, and the size in computing units. Never the words you wrote. Never the Coach's reply.
- We do not use your content to train AI models. Ever.
- We do not sell your data, share it for advertising, or run analytics that profile you.
- Children's data gets extra protection. A child's journal entries and Coach conversations are private by default — even from their parent. The parent receives wellbeing flags (a category and a date — never the words), not message text.
- You can export everything and delete everything. Both are one click from Settings.
- The code that handles your conversations is published — you can read it yourself on our Privacy by Architecture page.
2. Information we collect
Account information
When you sign up, we collect your email address. That's it for required information. You can optionally add your name and a profile photo.
Family profile information
When you set up child sub-accounts on a Family plan, we store the information you enter during onboarding: child's name (or chosen name), age, school name and location, current grade, curriculum board, the tracks you've enabled, and the goals you've set together. This information is necessary to make the Coach school- and child-specific.
Coaching message metadata (not content)
Each time you or a member of your family talks to the Coach, our server records: the date and time, a scrambled fingerprint of your account (the kind of one-way scramble that means we can tell two calls came from the same account but can't reverse it back to your email), which AI vendor handled the call, whether the call succeeded or failed, how long it took, and the size of the message in tokens (the unit AI vendors use for billing). We do not record the text of your message, the text of the Coach's reply, or any of the instructions we send the AI alongside it.
You don't have to take our word for this. The exact code that handles your messages is published at /privacy-by-architecture — read it line by line if you want to.
Usage analytics
Aggregate, privacy-respecting analytics — what pages get visited, what features get used, how many sessions per week — are collected via Plausible Analytics (cookieless, GDPR-friendly, no individual user tracking). No personally identifiable information leaves your browser through analytics.
Payment information
If you subscribe to a paid plan, payment is handled by Stripe. We do not see, store, or process your card number. Stripe stores card data on PCI-compliant infrastructure. We receive only your billing email, subscription status, and the last four digits of your card for reference.
Voice recordings (for voice clones)
If you choose to create a voice clone of yourself, we collect the audio sample you record. That recording is uploaded to ElevenLabs to train a private voice model that only your account can use. We do not share your voice clone with anyone else. You can delete your voice clone at any time from Settings.
Uploaded documents (report cards, school letters)
When you upload a report card for the Coach to read, the image or PDF is processed for grade extraction. The structured grades are stored in your child's Tracker. The original image is stored in your account's Document Library only if you ask to keep it; otherwise it is discarded after processing.
3. What we do not collect
- We do not log or store the text of your coaching prompts or the Coach's responses.
- We do not collect your home address (we collect your billing address only if Stripe requires it for sales tax).
- We do not access your contacts, your calendar, or any data outside the Service.
- We do not track you across the web. We do not embed third-party trackers or advertising pixels.
- We do not request unnecessary permissions on your device.
4. How we use the information we do collect
We use your information solely to provide and improve the Service:
- To deliver Coach responses (by forwarding your prompt to Anthropic's API and streaming the reply back to your browser);
- To meter your daily message usage against your free-tier cap or paid plan;
- To send you transactional emails — sign-in codes, receipts, and important account notices;
- To detect safety concerns in children's accounts (wellbeing flags — see Minors Safety);
- To bill you for paid plans, via Stripe;
- To respond to your support requests when you email us;
- To debug, monitor, and improve the Service in aggregate, never by reading individual conversations.
5. Who we share your information with
We use a small number of trusted sub-processors to run the Service. Each is bound by its own privacy and security commitments:
- Anthropic (San Francisco, USA): runs the AI behind the Coach. Receives your conversations from our server, replies with the Coach's response. Anthropic does not keep your conversations to train their models (per their published API terms). We have committed to Anthropic's Guidelines for Organizations Serving Minors.
- ElevenLabs (USA): if you create a voice clone, this is where the voice model lives and where audio is generated.
- Resend (USA): delivers transactional email (sign-in codes, receipts, consent codes).
- Stripe (USA/Canada): processes payments. They store the card data; we never see it.
- Cloudflare (USA, with EU regions available): hosts our website and the small server that passes your messages between your browser and Anthropic; routes inbound email; handles secure connections.
We do not sell, rent, or otherwise share your personal information for marketing or advertising.
We may disclose information if compelled by a valid legal process (subpoena, court order). Where the law permits, we will give you advance notice so you can challenge the request.
6. International transfers
Our sub-processors are primarily based in the United States. By using the Service, you understand that your account information and metadata may be transferred to and processed in the United States and other countries. For EU and UK users, we rely on Standard Contractual Clauses where applicable to provide an adequate level of protection.
7. Children's privacy
Hesed.love is directed at minors with verifiable parental consent. Children under 13 in the US are protected by COPPA; we follow COPPA's requirements. UK children are protected by the ICO's Children's Code (Age Appropriate Design Code); we follow its requirements. EU children are protected by GDPR-K; we follow its requirements. Our full posture is described on the Minors Safety page.
Children's journal entries and Coach conversations are private by default — they are not visible to the parent. Parents see goal progress and wellbeing flags (see Minors Safety), not the raw text of their child's conversations.
8. Cookies
Hesed.love does not set tracking cookies. We use only essential cookies required for the Service to function (sign-in session, preference storage). Stripe checkout, when active, may set cookies subject to Stripe's own policy.
9. Data retention
Account information and family profiles are retained while your account is active. If you cancel a paid subscription, your account is paused for 90 days (so you can resubscribe without losing your history), then permanently deleted unless you request immediate deletion.
Coaching message metadata (timestamps, hashed user ID, token counts) is retained for 90 days for billing reconciliation, then deleted.
Voice clones are retained until you delete them or until 30 days after account deletion, whichever comes first.
10. Your rights
You have the right to:
- Access the personal information we hold about you;
- Correct any inaccurate information;
- Export your data in a portable file (a single JSON file you can read in any text editor or import elsewhere) from Settings;
- Delete your account and your data;
- Restrict or object to certain processing;
- Withdraw consent (especially relevant for voice clones and child accounts);
- Lodge a complaint with your local data protection authority — in Canada, the Office of the Privacy Commissioner; in the UK, the Information Commissioner's Office; in the EU, your national authority.
To exercise any of these rights, use the relevant control in Settings or email [email protected]. We respond within 30 days.
11. Security
We protect your information with the security measures that are standard for consumer services: connections between your browser and our server are encrypted in transit (the lock icon next to the URL); the small amount of data we store is encrypted at rest; your account identifier in our operational logs is scrambled (we don't keep your raw email address where engineers need to read logs); API keys and other secrets are kept in encrypted vaults; and only the founders have access to operational systems. No system is perfectly secure. If a security incident affects your data, we will notify you and the relevant data protection authority promptly, in line with our legal obligations.
12. Changes to this Policy
If we make material changes, we will give you at least 30 days' notice by email and post the updated Policy here with a new "Last updated" date.
13. Contact & data protection
For any privacy question, request, or complaint: [email protected].
Hesed.love · Calgary, Alberta, Canada.