Heddle Studio Privacy Policy
Effective Date: 2026-05-01
Last Updated: 2026-05-01
This Privacy Policy describes how Actify Automations LLC ("Heddle Studio," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with the Heddle Studio service (the "Service") and the heddlestudio.com and actifyautomations.com websites (collectively, the "Sites").
This Policy is governed by the laws of the United States and applies to U.S. residents only. The Service is not directed to and may not be used by individuals located in the European Economic Area, the United Kingdom, or other jurisdictions outside the United States.
If you have questions, contact us at privacy@actifyautomations.com.
1. Who We Are
The Service is operated by Actify Automations LLC, a Texas limited liability company, with its principal address at PO Box 91, Thompsons, TX 77481.
For privacy-related inquiries, requests to exercise rights, or other privacy matters: privacy@actifyautomations.com.
Hierarchy of documents. This Policy is the authoritative privacy disclosure for the Service. In the event of any conflict between this Policy and Termly-generated cookie consent or "Do Not Sell or Share" disclosures appearing on our Sites, this Policy controls.
2. Scope
This Policy applies to:
- Visitors to our Sites
- Users who join our waitlist or referral program
- Users who create accounts and use the Service (free trial or paid)
- Individuals whose information we may receive through cold outreach or business development activities
3. Information We Collect
California Notice at Collection
For California residents: at or before the time we collect personal information from you, we are required to disclose what personal information we collect and how we use it. The summary below satisfies this requirement; full details appear in the sections that follow.
- What we collect: Identifiers (name, email, IP, account ID), commercial information (subscription, billing, transactions), internet activity (analytics, cookies, session events), approximate geolocation (IP-based), professional information (job title, company, industry), inferences (segment-level usage patterns), and — incidental to Customer Data uploads — sensitive personal information (account credentials; Social Security numbers that may appear in uploaded invoices). Full statutory category mapping appears in Section 3.6.
- How we use it: To provide and operate the Service, authenticate accounts, bill and collect payment, send marketing and transactional communications, conduct analytics, comply with law, and operate our referral program. Full purposes are listed in Section 4.
- Sale or sharing: We do not sell personal information for monetary consideration. We do share personal information for cross-context behavioral advertising via Meta Pixel and Google Ads. To opt out, see Section 8.3 ("Do Not Sell or Share My Personal Information").
- Retention: We retain personal information for the periods described in Section 11. Customer Data retention is tier-dependent.
- Sources: From you directly (forms, account creation, support communications), automatically through Site/Service use (cookies, analytics, server logs), and from limited third-party sources (Apollo, Stripe, referrers — see Section 3.4).
- Your rights: Described in detail in Section 9. To exercise rights, use the privacy request portal at https://app.termly.io/dsar/033db7df-ff84-48cd-8488-dc2416805042 or email privacy@actifyautomations.com.
- Financial incentive (referral program): Our waitlist referral program is a "financial incentive program" under California law. The required disclosures appear in Section 9.6.
3.1 Information you provide
Waitlist signup (entry form, via KickoffLabs):
- Name
- Email address
- Company name
Waitlist signup (optional thank-you-page form):
- Industry
- Approximate monthly invoice volume
- Automation priorities
- Tools currently used to handle invoices
Referral participation:
- Email of friend referred (we receive this when a friend submits the referral form)
- Referral chain: who referred whom, points earned, leaderboard position
Account creation and use of the Service:
- Name
- Email address
- Company name
- Authentication credentials (handled by Supabase Auth; passwords are hashed and we do not access plaintext passwords)
- Optional Google OAuth identifiers if you sign in with Google (when available)
Billing and payment (handled by Stripe; we do not store full payment card numbers):
- Billing name and address
- Last 4 digits of payment card and card brand (provided by Stripe)
- Tax identification number (where required for invoicing)
Communications:
- Support tickets and email correspondence
- Feedback and survey responses
Authorized integrations (if enabled by you):
You may optionally connect third-party accounts to the Service to automate document intake. When you authorize an integration, we receive data from the connected account based on the scope you grant. The Google APIs we may access include:
- Google Sign-In (OAuth): name, email address, Google account ID, and profile photo (optional). Used solely for authentication.
- Gmail API: message metadata (sender, recipient, subject, date) and message contents (body and attached files) for emails matching filters you configure. Used solely to ingest emails and attachments for processing within the Service.
- Google Drive API: file metadata and file contents for files in folders, labels, or shared drives you authorize. Used solely to ingest documents for processing within the Service.
- Google Sheets API: read/write access to spreadsheets you authorize. Used solely to deliver Service outputs to your designated spreadsheet.
Limited Use commitment. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google API data to train generalized AI/ML models, to serve advertising, or for any purpose unrelated to the Service features for which you authorized access. You may revoke any Google integration at any time through your Google account settings or by disconnecting it in your Heddle Studio account.
3.2 Information collected automatically
On the Sites:
- IP address (collected by KickoffLabs and our hosting providers)
- Device and browser metadata (user agent, screen size, language)
- Referring URL and UTM parameters
- Pages visited, clicks, scrolls, and form interactions
- Cookies and similar technologies (see Section 8)
During Service use:
- Account activity and usage telemetry (events, feature engagement, session duration)
- Error logs and stack traces (via Sentry)
- API call logs (rate limits, request metadata)
3.3 Customer Data
When you use the Service, you may submit documents (typically invoices and related accounting documents) for processing. Documents may be submitted via:
- Direct upload through the Service's web interface or API
- Email forwarding to a Heddle Studio intake address you configure (e.g., by setting up an auto-forward rule from your inbox to a designated Heddle Studio address)
- Authorized Google integrations (Gmail, Drive) — see Section 3.1
- Customer-configured webhooks or similar mechanisms
Documents submitted through any of these methods may contain:
- Vendor and customer business names, addresses, and contact information
- Invoice and transaction details (amounts, line items, dates)
- Tax identifiers (e.g., EINs)
- In rare cases, sensitive personal identifiers (e.g., Social Security numbers in 1099 invoices) — prohibited content categories are described in our Acceptable Use Policy
When you forward emails to the Service or authorize Gmail integration, we additionally receive email metadata (sender/recipient addresses, subject lines, dates) and any non-document message-body content that accompanies the forwarded or filter-matched email. You are responsible for configuring forwarding rules and Gmail filters to send only emails relevant to the Service. If you forward content you did not intend to share with us, disable the rule and contact privacy@actifyautomations.com.
We treat all submitted document and email content as Customer Data subject to the confidentiality and ownership provisions in our Terms of Service.
3.4 Information from third parties
- Apollo (data source for cold outreach): We may use Apollo's professional contact database to identify business contacts for outbound communications. Information may include name, company, business email, job title, and other publicly available business information.
- Stripe: subscription and payment status, billing events.
- Referrers: when an existing user refers you, we receive the email address you were referred with and the referrer's identity.
3.5 Sensitive Personal Information
Under the California Privacy Rights Act ("CPRA") and similar state laws, certain categories of personal information are designated as "sensitive personal information" ("SPI"). The following SPI may be processed by the Service:
- Account log-in credentials — usernames and passwords used to authenticate to the Service. Passwords are hashed at rest by Supabase Auth; we do not access plaintext passwords.
- Social Security numbers and other government-issued identifiers — these may appear in Customer Data you upload (for example, on 1099 invoices or other accounting documents). We do not solicit SSNs from users directly. We treat any such data as your confidential information, processed under your direction.
- Financial account information — last four digits of payment cards (provided by Stripe; we do not store full card numbers, CVVs, or full account numbers).
Right to limit use of SPI. California residents have the right to limit our use of sensitive personal information to purposes that are necessary to provide the Service or otherwise specifically permitted by law. We do not use SPI to infer characteristics about you, do not use SPI for advertising or marketing, and do not sell or share SPI for cross-context behavioral advertising. Because of this, we believe the right-to-limit requirement is already satisfied by our default practices. To submit a formal limit request, use the privacy request portal at https://app.termly.io/dsar/033db7df-ff84-48cd-8488-dc2416805042 or email privacy@actifyautomations.com.
3.6 California Statutory Categories of Personal Information
The following table maps the personal information we collect to the categories enumerated in California Civil Code §1798.140(v):
| Statutory Category | Examples Relevant to Heddle Studio | Collected? |
|---|---|---|
| A. Identifiers | Name, email address, IP address, account ID, online identifiers, cookies | YES |
| B. Categories listed in Cal. Civ. Code §1798.80(e) | Billing address, electronic signature, credit-card metadata (last 4), telephone (if provided) | YES |
| C. Protected classification characteristics | Race, religion, gender, marital status, age (other than 18+ confirmation), national origin, disability | NO |
| D. Commercial information | Subscription tier, transaction records, products/services purchased, billing history | YES |
| E. Biometric information | Fingerprints, voiceprints, facial recognition data | NO |
| F. Internet or other electronic network activity | Page views, clicks, scroll depth, session duration, search history within Service, interactions with the Sites | YES |
| G. Geolocation data | Approximate location derived from IP address (city/region only); we do not collect precise GPS location | YES (approximate only) |
| H. Audio, electronic, visual, or thermal information | Audio recordings, video recordings, thermal imaging | NO |
| I. Professional or employment-related information | Job title, company name, industry, automation priorities, monthly invoice volume | YES |
| J. Education information | Student records and directory information protected by FERPA | NO |
| K. Inferences drawn from collected personal information | Segment-level usage patterns, customer-success scoring, churn-risk inference | YES |
| L. Sensitive personal information | Account credentials; SSNs (incidental in Customer Data uploads); financial account info (last 4 only) | YES |
Sources of personal information: As described in Sections 3.1–3.4 above.
Purposes for each category: As described in Section 4 (How We Use Information).
Retention periods: As described in Section 11 (Data Retention).
Sale or sharing: We do not sell personal information for monetary consideration. We do share certain Category A (identifiers) and Category F (internet activity) data for cross-context behavioral advertising via Meta Pixel and Google Ads. Opt out via Section 8.3.
4. How We Use Information
We use the information described above to:
- Operate and provide the Service — including processing your documents, generating extractions, classifications, and transformations, and delivering results;
- Authenticate and secure accounts and prevent fraud, abuse, or unauthorized access;
- Bill and collect payment for paid subscriptions;
- Communicate with you about your account, the Service, billing, security, support, and updates;
- Send marketing and lifecycle emails (e.g., trial reminders, feature announcements, beta-launch notifications) — you may opt out of marketing emails at any time via the unsubscribe link in each email;
- Operate our waitlist and referral program, including running anti-fraud checks, awarding rewards, and notifying winners;
- Conduct business development and outreach to potential customers, including via email outreach to publicly available business contacts;
- Improve the Service, including improving extraction, classification, and transformation suggestions for your account only (see Section 6);
- Conduct analytics on Site and Service usage to understand which features are used and how;
- Comply with legal obligations and respond to lawful requests from authorities;
- Enforce our Terms of Service and protect our rights and the rights of others.
5. Sub-Processors and Service Providers
We engage third-party service providers ("sub-processors") to support the Service. The following table reflects our current sub-processors. The list may change; material updates will be reflected in this Policy.
| Function | Provider |
|---|---|
| Application hosting (frontend) | Vercel |
| Application hosting (backend) | Railway |
| Database / authentication / storage | Supabase |
| Caching and rate limiting | Upstash (Redis) |
| Payment processing | Stripe |
| Transactional email | Resend |
| Marketing email and CRM (post-launch) | Attio |
| Waitlist and referral platform | KickoffLabs |
| Document OCR and extraction | LlamaIndex (LlamaCloud / LlamaParse / LlamaExtract) |
| Document OCR (annotation workflows) | AWS Textract; documents temporarily staged in AWS S3 and deleted post-processing |
| Large language model (transform code generation) | Anthropic |
| Large language model and embeddings (alternate provider) | OpenAI |
| Embeddings (classification) | Google (Gemini) |
| Email-based document intake (when authorized by you) | Gmail API (Google) |
| Cloud-storage document intake (when authorized by you) | Google Drive API (Google) |
| Spreadsheet export and import | Google Sheets API |
| Error tracking | Sentry |
| Product analytics | PostHog |
| Marketing-site analytics | Google Analytics 4 |
| Cookie consent management | Termly |
KickoffLabs uses its own sub-processors to operate the waitlist platform, including Amazon Web Services (AWS), SendGrid, Heroku, and Elastic. KickoffLabs's processing is governed by its own Data Processing Addendum.
We require sub-processors to maintain appropriate security and confidentiality protections, and to use information only as needed to provide their services to us.
6. AI / Machine Learning and Customer Data
6.1 Third-party AI processing
When you use the Service, document content may be transmitted to the AI sub-processors listed in Section 5 (LlamaCloud, AWS Textract, Anthropic, OpenAI, Google Gemini) for purposes of OCR, extraction, classification, transform code generation, and embedding. We rely on each provider's default policies regarding data retention and use, which (as of this Policy's effective date) do not train their general-purpose models on submitted content for paid API usage. We do not opt these providers in to model improvement programs that would use Customer Data.
6.2 Per-account learning loop
When you approve or correct an extraction, classification, or transformation, we retain a copy of the document content, your corrected output, and a vector embedding to improve future suggestions for your account. This data is tenant-isolated, and the isolation is enforced at the database level: cross-account retrieval is blocked by row-level security policies.
6.3 No shared / global model training
We do not use one customer's data to train models that benefit other customers. Your data improves only outputs delivered to your account.
6.4 Future changes to training scope
If we ever decide to introduce shared or global model training, we will:
(a) provide at least thirty (30) days' written notice by email to all affected customers; (b) provide an opt-out mechanism before the change takes effect; (c) update this Policy with the revised practices and effective date.
6.5 Training data residency
We do not currently train models on Customer Data outside the per-account learning loop described in Section 6.2. If training expands beyond this scope, sub-processors performing such training will be disclosed in Section 5 prior to commencement.
7. Sharing of Personal Information
We may share information as follows:
- Sub-processors and service providers as described in Section 5;
- Customer-configured destinations — when you configure outbound webhooks, Zapier zaps, Google Sheets exports, QuickBooks integrations, Slack notifications, or similar integrations, your data flows to those destinations under your control;
- Business transfers — if we are acquired, merge with another company, or sell substantially all of our assets, your information may be transferred to the successor;
- Legal compliance and protection — we may disclose information when required by law, court order, or other legal process, or where we believe disclosure is necessary to (a) protect our rights or property, (b) protect the safety of others, (c) investigate fraud, or (d) respond to a government request;
- With your consent — for any other purpose disclosed at the time of collection or with your consent.
8. Cookies, Tracking Technologies, and Advertising
8.1 Categories of cookies and trackers
We use cookies and similar technologies in the following categories, managed via Termly:
- Strictly necessary — required for the Sites to function (authentication, session management).
- Performance / analytics — Google Analytics 4 and PostHog. Help us understand how the Sites are used.
- Targeting and advertising — Meta Pixel and Google Ads. Used for retargeting visitors and measuring advertising effectiveness.
8.2 Consent and control
When you visit our Sites, you will see a cookie consent banner managed by Termly. You can accept all, reject non-essential, or customize your choices. Targeting and advertising cookies are blocked until you provide consent.
8.3 Do Not Sell or Share My Personal Information
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), the use of certain advertising cookies and pixels (such as Meta Pixel and Google Ads remarketing) may be considered "sharing" of personal information for cross-context behavioral advertising.
To opt out, click the "Do Not Sell or Share My Personal Information" link in our Site footer, or adjust your preferences in the cookie consent banner. We honor Global Privacy Control (GPC) signals as an opt-out for California residents.
We do not sell personal information for monetary consideration.
9. Your Privacy Rights
9.1 Rights under California law (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know / Access — request information about what personal information we have collected, used, disclosed, and shared in the prior 12 months;
- Delete — request deletion of personal information we have collected from you, subject to legal exceptions;
- Correct — request correction of inaccurate personal information;
- Opt out of sale or sharing — see Section 8.3;
- Limit use of sensitive personal information — to the extent we collect and use sensitive categories (we generally do not, except where you upload such categories as Customer Data);
- Non-discrimination — we will not discriminate against you for exercising these rights.
9.2 How to exercise your rights
You may exercise these rights by:
- Email: privacy@actifyautomations.com
- Web form: https://app.termly.io/dsar/033db7df-ff84-48cd-8488-dc2416805042
9.3 Verification
To protect your information, we will verify your identity before fulfilling rights requests. Verification typically requires confirmation of the email address on file plus one or two account-specific questions.
9.4 Authorized agents
You may designate an authorized agent to make a request on your behalf. We will require written authorization and verification of the agent's identity.
9.5 Response time
We will respond to verifiable requests within forty-five (45) days, or up to ninety (90) days if extended (with notice to you). Our internal target is thirty (30) days.
9.6 California Financial Incentive Notice (Referral Program)
Our Heddle Studio Waitlist Referral Program (the "Program") offers eligible participants the opportunity to earn subscription discounts and beta access in exchange for joining our waitlist and referring others. Because the Program offers rewards in exchange for personal information, it constitutes a "financial incentive program" under California Civil Code §1798.125(b). This Section provides the disclosures required for such programs.
Material terms of the Program. Detailed terms, including eligibility, point structure, qualified referrals, anti-fraud rules, reward forfeiture, and termination, are set forth in the Heddle Studio Referral Program Terms at https://heddlestudio.com/referral-terms.
Categories of personal information used in the Program. Participation involves the collection and use of: (a) name; (b) email address; (c) company name; (d) IP address (for fraud prevention and unique-referral verification); and (e) referral chain metadata (who referred whom, points earned, leaderboard position).
How to opt in. Participation in the Program is voluntary and opt-in. By submitting the waitlist signup form, you consent to participate. You may participate without referring anyone (you receive 1 point for joining the waitlist).
How to withdraw. You may withdraw from the Program at any time by emailing privacy@actifyautomations.com and requesting deletion of your waitlist entry. Withdrawing forfeits any unredeemed points and rewards.
Good-faith estimate of the value of personal information. We estimate the value of personal information provided through the Program based on its contribution to our customer-acquisition costs. The reward structure is:
- Top 50 participants: Beta access + founder-led onboarding + 20% off Year 1 on Starter ($237.60 value) or Pro ($477.60 value) tier, OR 10% off Year 1 on Team tier (~$598.80 value).
- Top 51–100 participants: Beta access + priority for founder-led onboarding (estimated value ~$100, representing the time-value of personalized onboarding).
- Top 101–200 participants: Beta access (no monetary value beyond product access).
The maximum monetary reward to any single participant is approximately $598.80 (10% off Year 1 on the Team tier, awarded to a Top 50 winner who chooses the Team tier).
For comparison, paid customer-acquisition costs in the B2B SaaS market typically range from approximately $200 to $1,000 per acquired customer, and qualified business-contact lead acquisition through paid channels (cold outreach, paid advertising, content marketing) typically costs approximately $50 to $500 per qualified lead. We believe the rewards offered are reasonably related to the value of personal information provided through Program participation.
Method of calculation. This good-faith estimate is calculated by reference to: (a) industry-standard B2B SaaS customer-acquisition costs; (b) the marginal cost-per-lead of paid acquisition channels we would otherwise use; and (c) the discount value offered, expressed as a percentage of the first-year subscription value at the relevant tier. We have not engaged in formal data-valuation accounting; this estimate is provided in good faith for transparency under Cal. Civ. Code §1798.125(b)(3).
Reasonably related. We believe the discount values offered (a one-time, time-limited, percentage-based discount applicable only to the first twelve months of subscription, capped at 20% on Starter/Pro and 10% on Team) are reasonably related to the value of personal information provided, because the discount represents an investment in customer acquisition that is comparable to or lower than the equivalent paid-acquisition cost we would otherwise incur to acquire similar customers.
Non-discrimination. As required by Cal. Civ. Code §1798.125(a), we will not discriminate against you for exercising your privacy rights, including by denying you the ability to participate in the Program based on your exercise of any privacy right. Withdrawing from the Program for privacy reasons does not affect any other right under this Policy.
Conflict. In the event of any conflict between this Notice and the Heddle Studio Referral Program Terms, this Notice controls with respect to the financial-incentive disclosures required by California law; the Referral Program Terms control with respect to all other operational aspects of the Program.
10. Data Security
We use commercially reasonable security measures appropriate to the sensitivity of the information we hold, including:
- Encryption of Customer Data at rest (AES-256 via Supabase) and in transit (TLS 1.2 or higher)
- Access controls including row-level security at the database layer for Customer Data
- Authentication via Supabase Auth; multi-factor authentication available where supported by your authentication provider
- Sub-processors selected based on their security posture, including SOC 2 Type II certification where applicable
No system is perfectly secure. While we work to protect your information, we cannot guarantee absolute security. In the event of a security incident affecting your information, we will notify you without undue delay and within the timeframes required by applicable law.
11. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy, subject to the following:
- Trial accounts — Customer Data retained throughout the trial period; after trial expiration, account moves to read-only state for sixty (60) days during which export is available; thereafter, Customer Data may be deleted (see Terms of Service §4.3).
- Starter accounts — Customer Data retained 30 days post-document-upload.
- Pro and Team accounts — Customer Data retained 12 months post-document-upload, with full search.
- Enterprise accounts — custom retention as agreed.
- Account deletion — upon your request to delete your account, we will delete account information within thirty (30) days, subject to a thirty (30) day soft-delete grace period during which the account can be restored.
- Encrypted backups — residual data may persist in encrypted backups for up to thirty (30) days post-deletion before automatic rotation.
- Billing and tax records — retained for seven (7) years as required by U.S. tax law.
- Suppression lists — email addresses on our unsubscribe / suppression lists are retained indefinitely to honor opt-out requests.
12. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete it promptly. Parents or guardians who believe their child has provided information may contact privacy@actifyautomations.com.
13. International Users (United States Only)
The Service is offered to users located in the United States only. By using the Service, you represent that you are located in the United States. If you are located outside the United States, please do not access or use the Service. We do not knowingly process personal information from individuals located in the European Economic Area, the United Kingdom, or other jurisdictions outside the United States.
14. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email and post a prominent notice on the Sites at least thirty (30) days before the change takes effect. Non-material changes (e.g., clarifications, sub-processor list updates) take effect upon posting with an updated "Last Updated" date.
15. Contact Us
For privacy questions or to exercise your rights:
- Email: privacy@actifyautomations.com
- Mail: Actify Automations LLC, PO Box 91, Thompsons, TX 77481
For general inquiries:
- Email: hello@heddlestudio.com