Privacy Policy
Effective April 18, 2026
Hero's Path LLC, a Texas limited liability company ("Hero's Path", "we",
"us", "our"), builds a personal growth app and web dashboard where
people track their beliefs, behaviors, emotions, goals, and reflections.
Because this app holds some of your most personal thinking, we've tried
to write this policy to be specific and readable rather than vague. It
explains what we collect, why, who we share it with, and how to delete
it. If anything here is unclear, email us at support@herospath.tech
and we'll answer directly.
The short version
- We collect only what the app needs to work: your account, the content you create, and usage basics.
- We never sell your data. We never use your content to train AI models.
- Your AI chats are processed by Anthropic and OpenAI under commercial API terms: no training, and 30-day provider retention.
- You can delete your account from inside the app. Your data is purged within 30 days.
- Questions: support@herospath.tech.
1. Who the policy covers
This policy applies to everyone who uses the Hero's Path mobile app (iOS),
the Hero's Path web dashboard at herospath.tech, and related services. It
covers account holders, trial users, and visitors to the marketing site.
2. What we collect
Information you give us directly
- Account details: email address, a name if you
  provide one, and a password (or an Apple or Google identity token if
  you sign in with those providers).
- Content you create: reminders, notes, beliefs,
  behaviors, emotions, personal qualities, goals, projects, future-self
  descriptions, and related metadata you enter in the app.
- Chat and coaching transcripts: messages you exchange
  with our AI coach, onboarding prompts, and feedback you submit.
- Optional profile context: age, city, country, current
  role, skills, and similar fields you choose to fill in.
- Billing details: if you subscribe to a paid plan, our
  payment processor (Stripe) collects and stores your payment
  information. We never see your full card number.
Information we collect automatically
- Device and app info: app version, operating system,
  push-notification tokens (so we can deliver reminders you set), and
  basic device identifiers.
- Usage data: which features you use and how often, so
  we can enforce fair-use limits on free plans and improve the product.
- Server logs: our hosting providers record standard
  request logs (IP address, timestamp, endpoint, error codes). These
  are used to debug issues and prevent abuse and are typically retained
  for about 30 days.
- Cookies and local storage: the web dashboard uses
  essential authentication cookies to keep you signed in. We do not use
  advertising or tracking cookies. The mobile app uses local storage
  only to cache your data for offline use.
- Web analytics: for the marketing site and dashboard,
  we use Vercel Analytics, which records anonymised page visits and does
  not use cookies or personal identifiers.
Information from sign-in providers
- Sign in with Apple: we receive a unique Apple user ID,
  your email (which may be a private relay address you choose), and, on
  your first sign-in only, your first and last name if you share them.
- Sign in with Google: we receive your email address and
  basic profile fields (name, profile picture URL) after you consent.
A note on push notifications
Reminders and coaching nudges you set up may include text you've entered
(for example, the title of a reminder). When these are delivered as push
notifications, Apple's push service and our notification provider (Expo)
process that text to route it to your device. Do not enter information
in reminder titles that you wouldn't want visible on a lock screen.
3. How we use your data
- To provide the app's core features (reminders, notes, coaching).
- To authenticate you and keep your account secure.
- To deliver push notifications for reminders you schedule.
- To send AI-generated coaching responses, extractions, and insights
  based on your content.
- To operate subscriptions and process payments.
- To enforce rate limits on free-tier features and prevent abuse.
- To improve the product: debug issues, measure feature usage in
  aggregate, and prioritise roadmap work.
- To communicate with you: transactional email (account, billing,
  password resets) and, if you opt in, occasional product updates.
We do not sell your personal information. We do not use your content to
train third-party AI models, and our AI providers are contractually
prohibited from doing so with data we send them.
4. Who we share it with
We share data only with service providers that help us run Hero's Path.
These providers are contractually bound to use your data only to deliver
their service.
- Supabase (Supabase, Inc.): authentication, database,
  and edge functions. Hosts almost all data you create in the app.
- Vercel (Vercel Inc.): website, dashboard, and API
  hosting, plus anonymised analytics.
- Apple (Apple Inc.): Sign in with Apple and push
  notification delivery.
- Google (Google LLC): Sign in with Google.
- Expo (650 Industries, Inc.): push notification
  infrastructure for the mobile app.
- Anthropic and OpenAI: large language model providers
  used for coaching responses, idea extraction, and transcription. See
  the detail below.
- Stripe (Stripe, Inc.): payment processing for paid
  plans.
- Resend (Resend, Inc.): transactional email delivery
  (account notifications, password resets, billing receipts).
What the AI actually sees
When you use an AI feature in Hero's Path, we send Anthropic or OpenAI
only the content relevant to the request:
- The specific message or entry you are asking about.
- Recent context from the current chat (for example, the last several
  messages in a coaching thread).
- Specific items you have explicitly referenced or that the feature
  requires to produce a useful response (for example, a belief or goal
  you have tagged).
We do not send your full journal, your entire note archive, or data from
unrelated areas of the app. Both providers retain API data for up to 30
days for their own abuse monitoring, after which it is deleted. Neither
provider uses API data to train their models under the commercial terms
we operate under. Where the provider offers a setting to minimise
retention (for example, OpenAI's store=false parameter), we
use it for sensitive calls.
We may also disclose information when required by law, to protect the
rights, property, or safety of Hero's Path, our users, or others, or in
connection with a business transfer (for example, if the company is
acquired, your data would move with the service). Where legally
permitted, we will notify affected users before disclosing their data
in response to a government or legal request.
5. How long we keep it
We keep your account data for as long as your account is active.
When you delete your account:
- Your account is disabled immediately. You lose access, and no further
  AI processing, notifications, or charges occur.
- Your content is purged from our active systems within 30 days. This
  timeline matches the default retention windows of our infrastructure
  and AI providers (Supabase, Anthropic, OpenAI).
- Database backups are rotated out within 30 days, so deleted records
  age out of backups within that window.
- A minimal set of records is retained longer where legally required,
  for example, anonymised payment records that Stripe keeps to comply
  with tax and accounting law.
6. Deleting your account
How to delete your account: open the Hero's Path app,
go to Settings → Account → Delete Account, and
confirm. Your account is disabled immediately; your data is purged from
our systems within 30 days.
When you delete your account:
- Your authentication record is deleted from Supabase.
- All data linked to your user ID is deleted via cascading database
  rules: profile, reminders, notes, beliefs, behaviors, emotions,
  personal qualities, goals, projects, future selves, chat transcripts,
  usage counters, and anything else you created.
- If you signed in with Apple, we revoke your Apple Sign In tokens so
  your Apple ID no longer has an active connection to Hero's Path.
- Any active Stripe subscription is cancelled. No further charges will
  occur. Historical billing records are retained by Stripe to comply
  with tax and accounting law.
If you can't access the app for any reason but want your account
deleted, email support@herospath.tech from the address on your account
and we will delete it manually within 7 business days.
7. Legal basis for processing (EEA, UK, Switzerland)
If you use Hero's Path from the European Economic Area, the United
Kingdom, or Switzerland, the GDPR (or equivalent UK/Swiss law) applies.
We rely on the following legal bases:
- Performance of a contract (Article 6(1)(b)): to
  provide the core features of the app, accounts, reminders, notes,
  coaching responses, and billing.
- Your explicit consent (Article 6(1)(a) and, where
  applicable, Article 9(2)(a)): some of the content you enter in
  Hero's Path may reveal beliefs, emotional states, or other sensitive
  personal information. When you create an account and use the app's
  reflection and coaching features, you give explicit consent for us
  to process this content for the purposes described in this policy.
  You can withdraw consent at any time by deleting your account or by
  emailing us.
- Legitimate interest (Article 6(1)(f)): to secure the
  service, prevent abuse, and improve product quality in aggregate. We
  balance this against your privacy rights and do not use legitimate
  interest for anything invasive (no advertising, no profiling for
  marketing, no selling).
Withdrawing consent does not affect the lawfulness of processing that
happened before you withdrew it.
8. Your rights
Depending on where you live, you may have rights under laws such as the
California Consumer Privacy Act (CCPA), the EU General Data Protection
Regulation (GDPR), or the UK GDPR. These include the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated data.
- Export a copy of your data in a portable format. If the app doesn't
  yet offer self-serve export, email us and we'll provide it within 30
  days.
- Withdraw consent you previously gave.
- Object to or restrict certain kinds of processing.
- Opt out of any "sale" or "sharing" of personal information (we do not
  sell or share personal information in the sense defined by CCPA).
- Lodge a complaint with your local data protection authority. For the
  EU, that is your country's supervisory authority. For the UK, that is
  the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email support@herospath.tech.
We respond within 30 days. We will never retaliate against you for
exercising a privacy right.
9. Security
We use TLS for data in transit, encryption at rest via Supabase and
Stripe, and Row Level Security on our database so that one user cannot
read another user's records. No system is perfectly secure. If we
become aware of a breach that affects your account, we will notify you
promptly and take the steps required by law.
10. Children
Hero's Path is not intended for users under 16. We do not knowingly
collect personal information from anyone under 16. If you believe a
younger user has created an account, contact us and we will delete it.
11. International users
Hero's Path is operated from Austin, Texas, USA. If you use it from
outside the United States, your data will be transferred to and stored
in the United States and other countries where our service providers
operate. For transfers out of the EEA, UK, or Switzerland, we rely on
appropriate safeguards, including Standard Contractual Clauses where
applicable. By using the app you consent to this transfer.
12. Changes to this policy
We may update this policy as the product changes. If we make a material
change, we will notify active users by email or in-app at least 7 days
before it takes effect. The "Effective" date at the top of this page
reflects the latest version.
13. Contact
Hero's Path LLC is an online-only business based in Austin, Texas, USA.
The best way to reach us with questions, requests, or complaints is
support@herospath.tech. We respond within 30 days.