Reheart
Privacy Policy
Specificity is the whole point. Here is exactly what we collect, what we do with it, and how quickly we delete it.
Last updated: June 8, 2026
1. The data we collect
We collect three categories of data:
- Your account data — your name, email, age confirmation and its timestamp, settings, and billing records.
- Partner data you upload — text-message exports, photos, voice clips, and notes you provide to build a persona of your real partner.
- Usage data — your sessions, messages, scores, and basic technical logs needed to run and secure the service.
2. Partner data: the 60-second rule
When you upload a source file (a chat export, photo, or voice clip), we process it to extract the speech patterns, tone, and details that make up your persona. We then delete the original file from storage within 60 seconds of processing. We do not keep your partner’s raw photos, audio, or chat logs.
What remains is the derived persona model — the learned patterns, summarized traits, and text embeddings that let the persona respond in character. This derived data is tied to your account and is deleted when you delete the persona or your account.
Because partner data concerns a third party, we minimize what we process, never use it to build cross-user models, and never sell it. Voice clips may constitute biometric data under laws such as the Illinois Biometric Information Privacy Act (BIPA); we process them only to derive vocal characteristics for your persona and delete the underlying audio on the same 60-second timeline.
3. Why we process your data (legal bases)
Where the GDPR or similar laws apply, we rely on: performance of our contract with you (to provide the service); your consent (which you can withdraw); and our legitimate interests in operating, securing, and improving Reheart, balanced against your rights. For partner data, you are responsible for ensuring you have a lawful basis to upload it, as described in our Terms of Service.
4. Who processes your data (sub-processors)
We use a small set of named service providers. Each processes only the data needed for its function, under contractual data-protection obligations:
- OpenAI
  - Function: Generates persona personalities and session responses, creates embeddings, runs content moderation, and generates the optional still-portrait avatar via OpenAI image generation.
  - Data: Processed text, images, and audio transcripts; session messages; persona attributes used to generate the avatar portrait.
- Supabase
  - Function: Hosts our database, authentication, and temporary file storage.
  - Data: Account data, personas, sessions, and uploaded source files (until deletion).
- Stripe
  - Function: Processes payments and subscriptions.
  - Data: Billing details and payment tokens (we never store full card numbers).
- Resend
  - Function: Sends transactional and notification email.
  - Data: Email address and message content.
5. AI processing and disclosure
Reheart is an AI product. Your messages and uploaded content are sent to OpenAI to generate persona responses and run moderation. We disclose this AI processing before any data is transmitted and again during sessions. See our AI Disclosure for the full detail.
6. Retention and deletion
- Source files: deleted within 60 seconds of processing.
- Personas and derived data: retained while your account is active, deleted on a 24-hour cooldown when you delete a persona.
- Account data: deleted on a 48-hour cooldown when you request account deletion.
- Billing records may be retained where required by tax and accounting law.
7. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your data, to object to or restrict processing, and to withdraw consent. You can export your data and request deletion from within the app, or by emailing privacy@reheart.app. If you believe a persona was built from your data without a lawful basis, contact us at the same address and we will investigate.
8. Security
We use encryption in transit, row-level access controls so users can only reach their own data, scoped service credentials, and rate-limiting on sensitive endpoints. No system is perfectly secure, but partner data is held only as long as strictly necessary by design.
9. Contact
Privacy questions or requests go to privacy@reheart.app.