Privacy Policy

Effective Date: January 18, 2026
Last Updated: January 18, 2026

Headwater AI Group (“Headwater,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

1. Information We Collect

1.1 Information You Provide

  • Contact Information: Name, email, phone number, company name
  • Account Information: Login credentials, billing details, payment information
  • Business Data: Data you upload or provide for processing (e.g., documents, files, lists)
  • Communications: Messages, support requests, feedback

1.2 Information We Collect Automatically

  • Usage Data: Pages visited, features used, time spent, click patterns
  • Technical Data: IP address, browser type, device information, operating system
  • Log Data: Access times, error logs, system events

1.3 Information from Third Parties

  • Data Sources: Public records, databases, APIs, and websites we access on your behalf
  • Integration Data: Information from systems you connect (Google Sheets, CRMs, etc.)

2. How We Use Your Information

We use collected information to:

  • Provide Services: Process data, run automations, deliver results
  • Improve Services: Analyze usage, identify bugs, develop new features
  • Communicate: Send service updates, respond to inquiries, provide support
  • Billing: Process payments, send invoices, manage subscriptions
  • Security: Detect fraud, prevent abuse, ensure system integrity
  • Legal Compliance: Meet regulatory requirements, respond to legal requests

3. Data Processing & Third-Party Services

3.1 AI/ML Processing

We use third-party AI services to process your data:

Anthropic (Claude API)

  • Purpose: Data extraction, text analysis, document processing, workflow automation
  • What They See: Text content, documents, and data you upload for processing
  • Data Retention: Anthropic does not retain or train on API data (per their Commercial Terms)
  • Security: SOC 2 Type II certified
  • Privacy Policy: Anthropic Privacy Policy

OpenAI (if used)

  • Purpose: Data enrichment, classification, generation
  • What They See: Text data submitted for processing
  • Data Retention: API data is not used for model training (per their API Data Usage)
  • Privacy Policy: OpenAI Privacy Policy

3.2 Cloud Infrastructure

We use cloud hosting providers:

Railway / Render / AWS / GCP

  • Purpose: Application hosting, computation, temporary storage
  • What They See: System logs (we sanitize sensitive data), application code
  • Data Retention: Logs typically retained 7-30 days
  • Security: SOC 2 certified, encrypted infrastructure

3.3 Data Storage & Integration

Google Workspace APIs

  • Purpose: Store extracted data in YOUR Google Sheets/Drive
  • What They See: Data we write to your Google account
  • Data Control: You control access and can revoke permissions anytime
  • Privacy: Data lives in your Google account, not ours

Other Integrations When we connect to your CRMs, databases, or other platforms, we access only what you authorize. Refer to those platforms’ privacy policies for their data handling practices.

3.4 Data Scraping & Collection

When we collect data from public sources on your behalf:

  • We access publicly available information (websites, APIs, public records)
  • We comply with robots.txt and terms of service where applicable
  • Collected data is delivered to you; we don’t retain it permanently (see Section 4)

4. Data Storage & Retention

4.1 Client Data Storage

For Automation Projects:

  • Data is processed in-memory during execution
  • Temporary files (if any) are deleted immediately after processing
  • Results are delivered to your designated systems (Google Sheets, APIs, etc.)
  • We do not permanently store your business data on our servers

For API Products:

  • Underlying datasets are stored and maintained by us
  • Your API usage logs are retained for billing and analytics
  • We may cache your API requests temporarily for performance

4.2 Retention Periods

  • Business Data: Processed and deleted (or stored only in your systems)
  • Account Information: Retained while you maintain an account
  • Usage Logs: Retained 90 days for debugging and analytics (sensitive data sanitized)
  • Billing Records: Retained 7 years for tax compliance
  • Support Communications: Retained 2 years

4.3 Data Deletion

Upon account termination or request:

  • We delete your account information within 30 days
  • Business data you uploaded is already deleted (processed in-memory)
  • Backups are overwritten within 90 days
  • Some data may be retained longer for legal compliance

5. Data Security

We implement industry-standard security measures:

Technical Safeguards:

  • HTTPS/TLS encryption for all data transmission
  • Encrypted data at rest (where applicable)
  • Secure API authentication (OAuth, API keys)
  • Regular security updates and patches

Operational Safeguards:

  • Access controls and authentication
  • Logging and monitoring for suspicious activity
  • Regular security audits
  • Sanitized logging (no sensitive data in logs)

Limitations: No system is 100% secure. While we use reasonable precautions, we cannot guarantee absolute security.

6. Data Sharing & Disclosure

6.1 We DO NOT sell your data.

6.2 We share data only when:

  • Service Delivery: With third-party providers (AI, cloud hosting) as necessary to provide Services
  • Your Request: To systems you authorize (Google Sheets, CRMs, etc.)
  • Legal Requirement: To comply with laws, court orders, or legal processes
  • Business Transfer: In connection with a merger, acquisition, or sale (with notice)
  • Consent: When you explicitly authorize sharing

7. Your Rights & Choices

7.1 Access & Correction

You can access and update your account information through your account settings or by contacting us.

7.2 Data Portability

You can export data we process for you (it’s typically already in your systems). Contact us for assistance.

7.3 Deletion

You can request deletion of your account and associated data by contacting us. Note: some data may be retained for legal compliance.

7.4 Opt-Out

  • Marketing: Unsubscribe from marketing emails via the link in any message
  • Cookies: Adjust browser settings to refuse cookies (may affect functionality)

7.5 Revoke Access

For integrations (Google Sheets, etc.), you can revoke our access anytime through the respective platform’s permissions settings.

8. International Data Transfers

Our services are operated in the United States. If you are located outside the U.S., your information will be transferred to and processed in the U.S. By using our Services, you consent to this transfer.

For EU/UK users: We process data in compliance with applicable data protection laws and implement appropriate safeguards for international transfers.

9. Children’s Privacy

Our Services are not intended for individuals under 18. We do not knowingly collect information from children. If you believe we have collected information from a child, contact us immediately.

10. California Privacy Rights (CCPA)

California residents have additional rights:

  • Right to Know: What personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt-out of sale of personal information (we don’t sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices

To exercise these rights, contact us at [contact email].

11. European Privacy Rights (GDPR)

EU/UK residents have additional rights:

  • Access: Obtain a copy of your data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion (“right to be forgotten”)
  • Portability: Receive data in a structured format
  • Restriction: Limit how we process your data
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Where processing is based on consent

Legal Basis for Processing:

  • Contract: To provide Services you requested
  • Legitimate Interests: To improve Services, prevent fraud, ensure security
  • Consent: Where you’ve given explicit consent
  • Legal Obligation: To comply with laws

To exercise these rights or file a complaint, contact us or your local data protection authority.

12. Cookies & Tracking

We use cookies and similar technologies to:

  • Maintain login sessions
  • Remember preferences
  • Analyze usage patterns
  • Improve user experience

Types of Cookies:

  • Essential: Required for core functionality
  • Analytics: Understand how Services are used (Google Analytics, etc.)
  • Preferences: Remember your settings

You can control cookies through browser settings, but disabling may affect functionality.

13. Changes to Privacy Policy

We may update this Privacy Policy periodically. Material changes will be communicated via:

  • Email to registered users
  • Notice on our website
  • In-app notification

Continued use after changes constitutes acceptance of the updated policy.

14. Contact Us

For questions, requests, or concerns about this Privacy Policy or our data practices:

Headwater AI Group
Email: [contact email]
Website: https://headwateraigroup.com/contact/

Data Protection Officer (if applicable): [email]

For EU/UK residents, you may also contact your local data protection authority.

SYS.OPERATIONAL