Privacy Policy

Effective Date: May 8, 2026
Last Updated: May 8, 2026

This Privacy Policy describes how ТОО "BY Solution" ("Headora", "we", "us", or "our") collects, uses, and discloses information when you use our service available at https://headora.ai (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Policy.


1. Information We Collect

1.1 Information You Provide

  • Account Information: When you sign up, we collect your name, email address, and password (stored as a hash, never in plaintext).
  • Brand Profile Information: During onboarding, you provide details about your business: niche, location, target audience, brand values, taboo topics, content preferences, and communication tone. This information is used to generate personalized content.
  • Payment Information: When you subscribe to a paid plan, payment details are processed by Stripe. We do not store full credit card numbers — only a Stripe customer ID and the last four digits for receipts.
  • Communication: If you contact us via support@headora.ai, we retain that correspondence.

1.2 Information Generated by the Service

  • Generated Content: Posts, captions, hashtags, and image briefs created by our AI agents based on your Brand Profile.
  • Usage Data: Records of which posts you approve, reject, or publish; dates and times of generation; AI cost telemetry.
  • Conversation Logs: Onboarding chat transcripts and any feedback you provide on generated content.

1.3 Information Collected Automatically

  • Technical Data: IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps.
  • Cookies: We use essential cookies for authentication (session tokens) and may use analytics cookies (anonymized) to improve the Service.

1.4 Phase 2 — Instagram Authorization (Optional, Future)

When automatic publishing to Instagram becomes available, you may optionally authorize Headora to post on your behalf via Meta's Instagram Graph API. In that case:

  • We receive an OAuth access token from Meta, which we encrypt at rest using AES-256.
  • We never receive or store your Instagram password.
  • You can revoke this authorization at any time via your Instagram settings or by contacting us.
  • We only use the token to publish content you have explicitly approved.

2. How We Use Your Information

We use the information we collect for:

  1. Service Delivery: Generating content tailored to your Brand Profile, displaying it in the dashboard, and (with your consent) publishing it to your social channels.
  2. AI Processing: Sending Brand Profile fragments and conversation context to our AI providers (Anthropic, OpenAI) to generate text content. See Section 3 for details on third-party processors.
  3. Account Management: Authenticating you, processing payments, and providing customer support.
  4. Service Improvement: Aggregated, anonymized usage data helps us improve our AI prompts and product features. We never sell or share identifiable user data for marketing purposes.
  5. Legal Compliance: Complying with applicable laws and responding to lawful requests from authorities.
  6. Security: Detecting and preventing fraud, abuse, and unauthorized access.

3. Data Processors and Sub-processors

To deliver the Service, we share certain data with the following sub-processors. Each operates under its own privacy policy and data protection commitments.

| Sub-processor | Purpose | Data Shared | Region |
|---------------|---------|-------------|--------|
| Anthropic, PBC | AI content generation (Claude models) | Brand profile excerpts, prompts, generated text | United States |
| OpenAI, L.L.C. | Semantic search embeddings | Brand profile summary text | United States |
| Supabase Inc. | Database hosting (Postgres) | All account, profile, and content data | European Union (Frankfurt) |
| Stripe, Inc. | Payment processing | Email, name, subscription tier, payment method tokens | United States |
| Upstash Inc. | Caching and rate limiting | Anonymous request identifiers, cached AI responses | United States / European Union |
| Vercel Inc. | Application hosting | Network metadata, request logs | United States / European Union |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | Network metadata, IP addresses | Global edge network |
| Sentry (Functional Software, Inc.) | Error monitoring | Error logs (with PII scrubbing) | United States / European Union |
| Unsplash, Inc. | Stock image search | Search queries derived from generated content | United States |
| Meta Platforms, Inc. (Phase 2 only, with your consent) | Instagram publishing | OAuth token, post content, scheduling metadata | United States |

We have or will execute Data Processing Addendums (DPAs) with each sub-processor as required.


4. Data Storage and Security

  • Storage Location: Primary data is stored in Supabase's European Union region (Frankfurt, Germany).
  • Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access Control: Database access is restricted via Row-Level Security (RLS) policies — each user can access only their own data.
  • Authentication: Passwords are hashed using industry-standard algorithms (bcrypt/Argon2). We support strong password requirements.
  • Backup: Encrypted backups are retained for 30 days for disaster recovery.
  • Incident Response: In the event of a data breach affecting your personal data, we will notify you and the relevant authorities within 72 hours, in accordance with applicable law.

5. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update or correct inaccurate information through your account settings or by contacting us.
  • Deletion: Request deletion of your account and associated data. Note that some data may be retained for legal or accounting purposes (e.g., transaction records).
  • Portability: Request a machine-readable export of your data.
  • Objection: Object to processing based on legitimate interests.
  • Withdrawal of Consent: Withdraw consent for any processing that requires it (e.g., Phase 2 Instagram authorization).
  • Complaint: Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at support@headora.ai. We will respond within 30 days.


6. Data Retention

  • Active Account Data: Retained while your account is active.
  • After Account Deletion: Personal data is deleted within 90 days. Some data may be retained longer for:
      • Legal obligations (tax records: up to 5 years per Kazakhstan law).
      • Fraud prevention and security audits.
      • Anonymized analytics that cannot be tied back to you.
  • Generated Content: Posts you generated remain accessible to you while your account is active. After deletion, they are removed within 90 days.
  • AI Conversation Logs: Onboarding transcripts and feedback are retained for the duration of your account, then deleted within 90 days of account closure.

7. International Data Transfers

If you are located outside Kazakhstan or the European Union, your data may be transferred to and processed in countries that have different data protection laws. We use Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms to ensure your data is adequately protected.


8. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately at support@headora.ai and we will delete it.


9. Cookies and Similar Technologies

We use:

  • Strictly Necessary Cookies: Required for authentication and security. Cannot be disabled.
  • Functional Cookies: Remember your preferences (e.g., interface language).
  • Analytics Cookies (Anonymized): Help us understand how the Service is used.

You can control cookies via your browser settings. Disabling strictly necessary cookies will prevent the Service from functioning.


10. Third-Party Links

The Service may contain links to third-party websites (e.g., Unsplash photographer profiles, Meta Help Center). We are not responsible for the privacy practices of those sites.


11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app notification at least 30 days before they take effect. The "Last Updated" date at the top of this Policy reflects the most recent revision.


12. Contact Us

For questions about this Privacy Policy or to exercise your rights:

Email: support@headora.ai
Legal Entity: BY Solution Limited Liability Partnership (Товарищество с ограниченной ответственностью "BY Solution")
Address: 156 Rozybakiev St., apt. 173, Bostandyk district, Almaty, Republic of Kazakhstan, postal code 050046
Tax ID (BIN): 160340003244


*This Privacy Policy is governed by the laws of the Republic of Kazakhstan. For users in the European Economic Area, certain provisions of the General Data Protection Regulation (GDPR) apply. For users in California, certain provisions of the California Consumer Privacy Act (CCPA) apply.*