Privacy Policy
Last updated: November 19, 2025
1. Introduction
Herald ("we," "us," or "our") is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our AI-powered newsletter creation and management platform.
Herald enables communities, HOAs, organizations, and individuals to create professional newsletters featuring polls, games, events, contact directories, and more. We process various types of data to deliver these services while maintaining the highest standards of data protection.
By using our Service, you consent to the data practices described in this policy. We encourage you to read this document carefully and contact us if you have any questions.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Registration Data: Name, email address, and password (securely hashed)
- Profile Information: Organization name, team details, and preferences
- Authentication Data: OAuth tokens if you sign in via Google or other providers
- Billing Information: Payment details for premium subscriptions (processed securely by our payment provider)
2.2 Newsletter Content
The content you create and manage includes:
- Newsletter Data: Titles, text content, publication dates, and settings
- Media Files: Images, PDFs, and videos uploaded to our storage
- Section Content: Updates, events, polls, games, discounts, and contact information
- Custom Branding: Logos, colors, and theme preferences
2.3 Recipient and Contact Data
For email distribution features:
- Email Addresses: Subscriber and recipient email addresses you provide
- Contact Groups: Recipient lists and group memberships
- Email Engagement: Delivery status, open rates, and click tracking
2.4 Automatically Collected Information
- Usage Analytics: Pages visited, features used, session duration, and interaction patterns
- Device Information: Browser type, operating system, screen resolution, and device identifiers
- Log Data: IP addresses, access timestamps, referring URLs, and error logs
- Newsletter Metrics: View counts, shares, downloads, and poll responses
- Cookies and Local Storage: See our Cookie Policy for details
2.5 AI-Generated Content
When you use our AI features (powered by Google Gemini), we process:
- Text submitted for enhancement, summarization, or generation
- PDF documents uploaded for automatic newsletter creation
- Content context for AI suggestions and improvements
3. How We Use Your Information
3.1 Service Delivery
- Creating, editing, and publishing your newsletters
- Storing and serving your media files and content
- Sending email campaigns to your recipients
- Processing poll votes and game responses
- Tracking newsletter views, shares, and downloads
3.2 AI and Automation Features
- Generating newsletter content from uploaded PDFs
- Enhancing and improving your written content
- Creating AI summaries of newsletter content
- Suggesting event details from external sources
3.3 Communication
- Sending account-related notifications and updates
- Responding to support requests and inquiries
- Providing service announcements and feature updates
3.4 Analytics and Improvement
- Analyzing usage patterns to improve our Service
- Generating aggregate statistics and reports
- Identifying and fixing bugs and performance issues
- Developing new features based on user needs
3.5 Security and Compliance
- Detecting and preventing fraud, abuse, and security threats
- Enforcing our Terms of Service and acceptable use policies
- Complying with legal obligations and responding to lawful requests
4. Third-Party Services and Data Processors
We use carefully selected third-party services to operate Herald. Each provider has its own privacy policy and security practices. We ensure appropriate data processing agreements are in place.
4.1 Infrastructure and Hosting
| Service | Purpose | Data Processed |
|---|---|---|
| Supabase | Database and authentication | All user and newsletter data |
| Vercel | Application hosting and deployment | Request logs, IP addresses |
| Cloudflare R2 | File storage (images, PDFs, media) | Uploaded media files |
4.2 Email Delivery
| Service | Purpose | Data Processed |
|---|---|---|
| Resend | Transactional and campaign emails | Recipient emails, email content |
| AWS SES | Email sending infrastructure | Email addresses, delivery status |
| AWS SNS | Email event notifications | Bounce/complaint notifications |
4.3 AI and Translation
| Service | Purpose | Data Processed |
|---|---|---|
| Google Gemini API | AI content generation and enhancement | Text content, PDF content |
| Google Translate | Page translation (reader-initiated) | Page content for translation |
Each of these providers maintains its own privacy policies and security certifications. We recommend reviewing their respective policies for detailed information about their data practices.
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions requiring a legal basis for processing, we rely on the following:
- Contractual Necessity: Processing required to provide the Service you requested (account management, newsletter creation, email delivery)
- Consent: When you explicitly opt in to optional features (AI processing, translation, analytics)
- Legitimate Interests: For service improvement, security, fraud prevention, and business operations
- Legal Obligation: To comply with applicable laws, regulations, and legal processes
6. Data Sharing and Disclosure
6.1 Public Newsletter Content
When you publish a newsletter, the following content becomes publicly accessible:
- Newsletter title, content, and published date
- Media files (images, videos) included in the newsletter
- Public events, polls, games, and contact information you choose to include
- Your organization name and branding (if configured)
You can control newsletter visibility through expiry dates and unpublishing features.
6.2 Service Providers
We share data with the third-party service providers listed above solely to operate our Service. These providers are contractually obligated to protect your data and use it only as directed.
6.3 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to:
- Comply with applicable laws and regulations
- Protect our rights, property, or safety
- Prevent fraud or other illegal activities
- Respond to emergency situations
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.
7. Data Retention
7.1 Account Data
We retain your account information for as long as your account is active. Upon account deletion, we remove your personal data within 30 days, except where retention is required for legal or legitimate business purposes.
7.2 Newsletter Content
Newsletter content is retained according to your settings:
- Published Newsletters: Retained until you delete or unpublish them
- Auto-Expiry: Newsletters with expiry dates are automatically unpublished but retained in your account
- Draft Newsletters: Retained until you delete them
- Media Files: Stored until associated content is deleted
7.3 Email and Analytics Data
- Email Delivery Logs: Retained for 90 days for troubleshooting
- Analytics Data: Aggregated metrics retained indefinitely; detailed logs for 12 months
- Recipient Lists: Retained until you delete them
8. Your Rights and Choices
8.1 GDPR Rights (EEA and UK Users)
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("Right to be Forgotten")
- Restriction: Limit processing of your data in certain circumstances
- Data Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw previously given consent at any time
- Lodge Complaint: File a complaint with your local supervisory authority
8.2 CCPA Rights (California Residents)
Under CCPA, California residents have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell data)
- Non-discrimination for exercising your privacy rights
8.3 How to Exercise Your Rights
You can exercise many of these rights directly through your account settings:
- Update profile information in Dashboard > Profile
- Download your data from Dashboard > Settings
- Delete your account from Dashboard > Profile
For other requests, please contact us. We will respond within 30 days (or sooner as required by applicable law).
9. Data Security
We implement comprehensive security measures to protect your personal information:
9.1 Technical Safeguards
- Encryption: TLS/SSL encryption for all data in transit; encryption at rest for sensitive data
- Authentication: Secure password hashing, optional OAuth, session management
- Access Controls: Role-based access, principle of least privilege
- Monitoring: Security logging, intrusion detection, regular audits
9.2 Organizational Safeguards
- Limited access to personal data on a need-to-know basis
- Security training and awareness
- Incident response procedures
- Regular security assessments of third-party providers
9.3 Provider Security
Our infrastructure providers maintain industry-standard security certifications:
- Supabase: SOC 2 Type II compliant
- Vercel: SOC 2 Type II compliant
- AWS: ISO 27001, SOC 2, and numerous other certifications
- Cloudflare: ISO 27001, SOC 2 Type II
While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data transmitted to or stored by our Service.
10. International Data Transfers
Herald operates globally, and your information may be transferred to and processed in countries other than your own, including the United States. These countries may have different data protection laws than your jurisdiction.
For transfers from the EEA, UK, or Switzerland to countries without adequate data protection, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all third-party processors
- Verification that recipients maintain adequate security practices
11. PII Protection
We take special care to protect Personally Identifiable Information (PII):
- Minimization: We collect only the data necessary for our Service
- Purpose Limitation: PII is used only for specified purposes
- Accuracy: We provide tools to keep your data accurate and up-to-date
- Storage Limitation: PII is retained only as long as necessary
- Integrity and Confidentiality: PII is protected against unauthorized access, loss, or damage
12. Children's Privacy
Herald is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
If we discover that we have collected personal information from a child without parental consent, we will take steps to delete that information as quickly as possible.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify you via email or prominent notice in the Service
- We will obtain consent where required by applicable law
Continued use of the Service after changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:
EEA and UK users may also lodge a complaint with their local data protection supervisory authority.