Privacy Policy
Last updated: February 18, 2026
This Privacy Policy describes how Superstellar Projects, operating as HeySerge, collects, uses, discloses, and protects personal data when you visit heyserge.ai or use our platform. It applies to all users worldwide — whether you are in the European Union, Switzerland, the United States, or elsewhere. We have written it to be thorough and transparent. If anything is unclear, contact us at privacy@heyserge.ai.
01 Who we are
- HeySerge is operated by Superstellar Projects (“we”, “us”, “our”). We are the data controller for account information and usage data processed through the HeySerge platform.
- When you connect third-party tools (Linear, Jira, Slack) to your HeySerge workspace, we act as a data processor on behalf of your organization for ticket metadata and workspace data. A Data Processing Agreement (DPA) conforming to GDPR Article 28 is available upon request for customers who require one.
- For all privacy inquiries, contact us at privacy@heyserge.ai.
02 Information we collect
- Account information — When you sign up via Google OAuth, we receive your name, email address, and profile picture from your identity provider (Auth0). We do not receive or store your Google password.
- Workspace data — Workspace name, member list, role assignments (admin or member), and invitation records.
- Integration data — When you connect Linear, we read ticket metadata via GraphQL: titles, statuses, labels, assignees, project names, and cycle information. When you connect Jira, we read equivalent metadata via REST API: summaries, statuses, labels, project names, assignees, and sprint data. When you connect Slack, we access your workspace ID, user IDs, and DM channel IDs for briefing delivery. We operate in read-only mode and do not modify data in any connected tool.
- Goals — The quarterly goals you enter into HeySerge, including the original text and AI-parsed structured goal items with associated keywords.
- Classification and briefing data — AI-generated alignment classifications, confidence scores, reasoning text, manual corrections you submit, weekly alignment scores, and generated briefing content.
- Technical and usage data — Anonymized page views and feature usage (via Amplitude), IP addresses for rate limiting (not stored persistently), browser and device information for analytics, and error data for debugging (via Sentry, with personally identifiable information scrubbed before transmission).
03 How we use your information
- Service delivery — We use your account, workspace, integration, and goal data to provide the core HeySerge service: ticket classification, alignment dashboards, and weekly briefings. Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)).
- AI-powered classification — We analyze ticket metadata against your stated goals using AI (Anthropic Claude) to generate alignment classifications and briefings. Personally identifiable information is redacted before processing. Legal basis: performance of contract (Art. 6(1)(b)) and legitimate interest in providing the agreed service (Art. 6(1)(f)).
- Communication — We send transactional emails (workspace invitations, briefing email fallback) and Slack messages (weekly briefings, conversational replies). We do not send marketing emails unless you separately opt in. Legal basis: performance of contract (Art. 6(1)(b)).
- Security and abuse prevention — We use IP-based rate limiting, session management, and audit logging to protect the platform and your data. Legal basis: legitimate interest in platform security (Art. 6(1)(f)).
- Product improvement — We use anonymized, aggregated usage analytics to understand how teams use HeySerge and to improve the product. We do not use your workspace data, ticket data, or classification results for product analytics. Legal basis: legitimate interest (Art. 6(1)(f)), balanced against your privacy through strict anonymization.
- Legal compliance — We may process data to comply with applicable laws, respond to lawful requests from public authorities, or establish, exercise, or defend legal claims. Legal basis: legal obligation (Art. 6(1)(c)) or legitimate interest (Art. 6(1)(f)).
04 AI-powered analysis and safeguards
- HeySerge uses Anthropic Claude to classify tickets against your goals and generate alignment briefings. We send ticket metadata (title, labels, project name, status) and your goal descriptions to the AI model. Full ticket descriptions are only included when shorter than 200 characters, and are always redacted first.
- Before any data reaches the AI model, we apply automated PII redaction that removes email addresses, phone numbers, URLs containing authentication tokens, IP addresses, credit card numbers, and social security numbers. Redacted values are replaced with category placeholders (e.g., [EMAIL], [PHONE]).
- Anthropic does not retain data sent via their commercial API and does not use it for model training, in accordance with their Commercial Terms of Service.
- AI-generated classifications are advisory and informational. They do not constitute automated individual decision-making with legal or similarly significant effects within the meaning of GDPR Article 22. You can review and manually correct any classification at any time through the dashboard.
- We log AI API call metadata (model name, token count, latency) for cost tracking and audit purposes. We do not log the input content or output content of AI calls.
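The redaction step this section describes, shown as an added TypeScript example rather than HeySerge's own implementation: a rule-ordered, regex-based redactor that substitutes category placeholders before any ticket text is handed to a model, plus the rule that a full description is only included when shorter than 200 characters. The [EMAIL] and [PHONE] placeholders are the ones the policy names; the [URL], [IP], [CARD] and [SSN] placeholders, the specific patterns, and the TicketMetadata shape are assumptions made for the example, and the patterns are deliberately simple heuristics rather than a complete detector.

```typescript
// Added example (not HeySerge's code). Placeholders other than [EMAIL] and [PHONE] are assumed.
const REDACTION_RULES: Array<{ placeholder: string; pattern: RegExp }> = [
  // Order matters: credential-bearing URLs first, so an address embedded in a URL is not split
  // into a partial redaction; card and IP before phone, so the looser phone pattern cannot
  // swallow fragments of them.
  { placeholder: "[URL]", pattern: /https?:\/\/\S*(?:token|key|secret|auth|sig|signature)=\S*/gi },
  { placeholder: "[EMAIL]", pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { placeholder: "[CARD]", pattern: /\b(?:\d{4}[ -]?){3}\d{4}\b/g },
  { placeholder: "[IP]", pattern: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g },
  { placeholder: "[SSN]", pattern: /\b\d{3}-\d{2}-\d{4}\b/g },
  { placeholder: "[PHONE]", pattern: /\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/g },
];

// Replace every match of every rule, in rule order, with its category placeholder.
function redactPII(text: string): string {
  return REDACTION_RULES.reduce((acc, rule) => acc.replace(rule.pattern, rule.placeholder), text);
}

// Assumed shape of the ticket metadata the policy lists (title, labels, project name, status).
interface TicketMetadata {
  title: string;
  status: string;
  labels: string[];
  projectName: string;
  description?: string;
}

// From the policy: a full description is only sent when shorter than 200 characters.
const MAX_DESCRIPTION_CHARS = 200;

// Build the payload that would be sent to the model: every free-text field is redacted,
// and the description is dropped entirely when it is not short enough to include.
function buildModelInput(ticket: TicketMetadata): Record<string, string | string[]> {
  const input: Record<string, string | string[]> = {
    title: redactPII(ticket.title),
    status: ticket.status,
    labels: ticket.labels.map((label) => redactPII(label)),
    projectName: redactPII(ticket.projectName),
  };
  if (ticket.description !== undefined && ticket.description.length < MAX_DESCRIPTION_CHARS) {
    input.description = redactPII(ticket.description);
  }
  return input;
}

// Constructed sample ticket for the demo; none of these values are real.
const CONSTRUCTED_TICKET: TicketMetadata = {
  title: "Reset link for alice@example.com fails",
  status: "In Progress",
  labels: ["bug", "auth"],
  projectName: "Q1 Reliability",
  description: "User on 10.0.0.12 received https://app.example.com/reset?token=abc123 and a callback at 555-123-4567",
};
console.log(JSON.stringify(buildModelInput(CONSTRUCTED_TICKET), null, 2));
```

The rules run in a fixed order because the patterns overlap: a URL carrying a token can contain an address, and a phone pattern loose enough to accept common formats would otherwise match pieces of a card number. Any real deployment would test its pattern set against its own ticket corpus, since regexes of this kind both miss variants and over-match (version strings look like IP addresses, for instance).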
05 Data sharing and sub-processors
- We do not sell your personal data. We do not share your data for advertising or cross-context behavioral targeting. We share data only with the sub-processors listed below, strictly for the purposes of operating and maintaining the HeySerge service.
- Anthropic (Claude API) — AI classification and briefing generation. United States. Data is processed in transit; no retention by provider.
- Neon — PostgreSQL database hosting. United States and European Union. SOC 2 Type II certified. All data encrypted at rest.
- Upstash — Redis caching and rate limiting. SOC 2 Type II certified. Used for ephemeral rate-limit counters and session caching only.
- Vercel — Application hosting and global CDN. United States. SOC 2 Type II certified.
- Auth0 (Okta) — Authentication and session management. United States. SOC 2 Type II certified.
- Resend — Transactional email delivery for workspace invitations and briefing fallback. United States.
- Sentry — Error tracking and monitoring. United States. All PII is scrubbed before data leaves your browser or our servers.
- Amplitude — Product analytics. United States. Only anonymized, non-personally-identifiable usage data is transmitted.
- We will notify you at least 30 days before engaging a new sub-processor that handles personal data, giving you the opportunity to object.
06 International data transfers
- HeySerge is hosted primarily in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States.
- For transfers from the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the primary transfer mechanism, supplemented by technical safeguards including encryption in transit (TLS 1.2+) and at rest (AES-256-GCM for sensitive fields).
- For transfers from Switzerland, we rely on the Standard Contractual Clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC). Where applicable, we rely on the Swiss-US Data Privacy Framework for transfers to certified sub-processors.
- For transfers from the United Kingdom, we use the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, as appropriate.
- Copies of the applicable transfer mechanisms are available upon request at privacy@heyserge.ai.
07 Data retention
- Account data — Retained for the duration of your active account. Upon account deletion, permanently erased within 30 days.
- Integration tokens — OAuth access and refresh tokens are encrypted at rest (AES-256-GCM) and deleted immediately when an integration is disconnected or an account is closed.
- Ticket data — Retained for the duration of your active workspace. Deleted when the workspace is closed.
- Classifications and briefings — Retained for 12 months from creation, then automatically purged.
- Audit logs — Retained for 24 months for security, compliance, and dispute resolution purposes.
- Usage analytics — Anonymized data retained for 12 months via Amplitude. Error tracking data retained for 90 days via Sentry.
- You may request earlier deletion of your data at any time by contacting privacy@heyserge.ai or by deleting your account through the Settings page.
08 Security measures
- Encryption — All data in transit is protected by TLS 1.2 or higher. OAuth tokens for third-party integrations are encrypted at rest using AES-256-GCM with unique initialization vectors per record. Database storage is encrypted at rest via Neon’s managed encryption.
- Authentication and access control — User authentication is managed by Auth0 with rolling sessions (7-day maximum, 24-hour inactivity timeout). Session cookies are HttpOnly, Secure, and SameSite=Lax. All data access is scoped by workspace with role-based authorization (admin or member).
- Tenant isolation — Strict workspace separation is enforced at the database query layer. Every query is scoped by workspace identifier. No data is accessible across workspace boundaries.
- Application security — Security headers (Content Security Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options) are enforced on all responses. Server-side input validation is applied at every boundary using Zod schemas. Rate limiting is enforced per endpoint and per workspace.
- Operational practices — All sensitive operations (integration connections, team membership changes, classification corrections) are recorded in an append-only audit log. We follow OWASP security best practices and conduct regular security reviews of our codebase and infrastructure.
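The token-at-rest scheme described in this section, as an added TypeScript example and not HeySerge's own code: AES-256-GCM through Node's crypto module, a fresh 12-byte random IV generated for every record, and the GCM authentication tag stored alongside the ciphertext so that a tampered or swapped record fails on decrypt rather than yielding garbage. Binding the owning workspace identifier as additional authenticated data (AAD), so that a ciphertext copied into another workspace's row cannot be decrypted there, is a design choice added here; the policy does not state it. The stored-record shape is assumed, and key management is out of scope, so a stand-in key is generated inline.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Added example, not HeySerge's implementation. The shape of a stored token record is assumed.
interface EncryptedToken {
  iv: string;         // 12-byte random nonce, unique per record, base64
  ciphertext: string; // base64
  tag: string;        // 16-byte GCM authentication tag, base64
}

const IV_BYTES = 12;  // the recommended GCM nonce length
const KEY_BYTES = 32; // AES-256

// Encrypt one OAuth token for storage. A new IV is drawn for every call, so two records
// holding the same token never share an IV under the same key (IV reuse breaks GCM).
function encryptToken(plaintext: string, key: Buffer, workspaceId: string): EncryptedToken {
  if (key.length !== KEY_BYTES) throw new Error(`AES-256-GCM needs a ${KEY_BYTES}-byte key`);
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  // Assumed design choice: authenticate the tenant id so the ciphertext is bound to its workspace.
  cipher.setAAD(Buffer.from(workspaceId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ciphertext: ciphertext.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Decrypt a stored record. final() throws when the tag does not verify, which covers a wrong
// key, a different workspace id in the AAD, or any modification of IV, ciphertext or tag.
function decryptToken(record: EncryptedToken, key: Buffer, workspaceId: string): string {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
  decipher.setAAD(Buffer.from(workspaceId, "utf8"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// Constructed demo: stand-in key and token value. A deployment would load the key from a
// secrets manager, never generate it at startup.
const DEMO_KEY = randomBytes(KEY_BYTES);
const demoRecord = encryptToken("constructed-oauth-refresh-token", DEMO_KEY, "ws_demo");
console.log(JSON.stringify(demoRecord));
console.log(decryptToken(demoRecord, DEMO_KEY, "ws_demo"));
```

The authentication tag is what turns "encrypted at rest" into "tamper-evident at rest": with AES-GCM a flipped byte in the database does not produce a slightly different token, it produces a decryption error that can be logged and investigated. Deleting the record, as the retention section requires on disconnect, removes both the ciphertext and its tag; the key itself is unaffected.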
09 Your privacy rights
- Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data. We honor these rights for all users regardless of location, to the extent permitted by applicable law.
- Right of access — You may request confirmation of whether we process your personal data and, if so, receive a copy of that data in a structured, commonly used format.
- Right to rectification — You may request correction of inaccurate personal data or completion of incomplete data. You can update your account information at any time through the Settings page.
- Right to erasure — You may request deletion of your personal data. You can delete your account through the Settings page, or contact us for complete data erasure. We will comply unless retention is required by law.
- Right to restrict processing — You may request that we limit how we use your data while a dispute or request is being resolved.
- Right to data portability — You may request your data in a machine-readable format (JSON) for transfer to another service.
- Right to object — You may object to processing based on our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to withdraw consent — Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- To exercise any of these rights, email privacy@heyserge.ai with your request. We will respond within 30 days. If your request is complex, we may extend this period by up to 60 additional days and will notify you of the extension. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
- If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.
10 Additional rights for California residents
- If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
- Categories of personal information we collect: identifiers (name, email address), internet or other electronic network activity information (anonymized usage data, feature interactions), and professional or employment-related information (workspace role, team membership).
- We do not sell personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
- Your additional California rights include: the right to know what personal information we collect, use, and disclose; the right to delete your personal information; the right to correct inaccurate personal information; and the right to non-discrimination for exercising your privacy rights.
- To exercise your California privacy rights, email privacy@heyserge.ai. You may also designate an authorized agent to submit a request on your behalf, provided we can verify the agent’s authorization and your identity.
11 Provisions for Swiss residents
- For residents of Switzerland, we process personal data in compliance with the Swiss Federal Act on Data Protection (nFADP), which entered into force on September 1, 2023, and its implementing ordinance.
- Cross-border transfers of your personal data are made only to countries recognized by the Swiss Federal Council as providing adequate data protection, or with appropriate safeguards including Swiss-approved Standard Contractual Clauses or, where applicable, the Swiss-US Data Privacy Framework.
- You have the right to request your personal data in a commonly used electronic format (Art. 28 nFADP) and to have it transmitted directly to another controller where technically feasible.
- The competent supervisory authority for data protection matters in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland.
12 Cookies and similar technologies
- Essential cookies — We use a session cookie managed by Auth0 for authentication. This cookie is strictly necessary for the service to function and is set with HttpOnly, Secure, and SameSite=Lax attributes. It cannot be disabled while using the service.
- Analytics — We use Amplitude for anonymized product analytics. Amplitude does not place cookies that contain personally identifiable information. You may block analytics via your browser settings or a content blocker without affecting service functionality.
- We do not use advertising cookies, retargeting pixels, social media tracking pixels, or any third-party tracking cookies. We do not participate in any advertising networks. We do not honor Do Not Track browser signals because we do not engage in the type of tracking that such signals are designed to prevent.
13 Children’s privacy
- HeySerge is a business-to-business service designed for professional use by adults. The service is not directed at individuals under 18 years of age.
- We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly and terminate the associated account. If you believe a minor has provided us with personal data, please contact us immediately at privacy@heyserge.ai.
14 Data breach notification
- In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. For Swiss residents, we will notify the FDPIC as quickly as possible in accordance with Article 24 of the nFADP.
- If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, describing the nature of the breach, the categories of data affected, the likely consequences, and the measures we have taken or propose to take.
- We maintain an internal breach response procedure that includes immediate containment, impact assessment, root cause analysis, and remediation. All breach events are documented in our audit log.
15 Changes to this policy
- We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
- Material changes — We will notify you at least 30 days before the changes take effect via email and in-app notification. Material changes include new categories of data collected, new purposes of processing, new sub-processors handling personal data, or changes to your rights.
- Non-material changes — Minor clarifications or formatting updates will be posted on this page with an updated effective date.
- Your continued use of HeySerge after the updated policy takes effect constitutes acceptance of the changes. If you do not agree with a material change, you may close your account before the change takes effect.
16 Contact and supervisory authorities
- Privacy inquiries and rights requests — privacy@heyserge.ai
- General legal inquiries — legal@heyserge.ai
- Data Processing Agreement requests — legal@heyserge.ai
- HeySerge is operated by Superstellar Projects.
- Supervisory authorities — If you are unsatisfied with our response, you may lodge a complaint with your local data protection authority. For Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern. For the EEA: consult the European Data Protection Board member list at edpb.europa.eu. For the United Kingdom: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, SK9 5AF.