Privacy Policy
Effective May 9, 2026. This policy applies to Hortz, a brand of Wannabe Press, operated at hortz.co.
1. What this policy covers
Hortz is a multi-tenant SaaS platform. Communities ("tenants") run their own private spaces on top of our infrastructure. This policy describes what Hortz the platform does with personal data; each tenant operates their own community and may have additional terms specific to their space. When you join a community on Hortz, you generally have a relationship with the community operator (controller) and with Hortz (processor on their behalf, plus controller for some platform-level data).
2. What data we collect
2.1 From people who use a Hortz-hosted community as members
- Account info: name, email, password hash, profile fields you choose to fill in.
- Conversation content: messages you send, journal entries you write, locks/keys/commitments the AI extracts from your activity, daily scores, mirror moments, year receipts.
- Activity events: agency events the platform records to compute things like memory depth, streaks, badges.
- Queued framework surfaces: when the platform notices you've named a block, entered a new stage, or completed a commitment, it queues relevant framework material (an exercise, a principle, a reflection) to your "For you" feed. These rows record which surface was queued, when, and whether you marked it shown / dismissed / consumed.
- Cached translations: when the platform rewrites framework material into the language of your specific practice (based on what you're building, your identity anchors, patterns you've named), the rewritten version is cached so it doesn't need to be regenerated on every visit. The cache is keyed to your account and your community; it is wiped on account deletion.
- Person-knowings (cross-tenant): identity anchors, patterns, voice traits, and durable expertise the AI has named from your activity. Each entry carries a share_scope you control: visible across all your Hortz communities, visible only in specific ones, or private to the community it was first named in.
- Usage data: pages viewed, features used, IP address (for rate-limiting and abuse detection), timestamps.
- Device data: user agent, screen resolution, timezone (browser-supplied).
2.1.1 Mobile app data (iOS and Android only)
If you use our mobile apps, we additionally collect:
- Push notification token. Apple's APNs or Google's FCM issues a unique token to each install of the app. We store it so we can deliver push notifications for things you opted into (introductions, AMA answers, recognitions). The token rotates periodically; old tokens are invalidated. Sign-out clears it.
- Device identifier. A stable per-install device ID provided by the OS, used to distinguish the same member's iPhone from their iPad so push preferences can be set per-device.
- App + OS version, device model, locale, timezone. Captured at sign-in for compatibility debugging and to render times in your local format.
- Audio recordings you choose to upload (AMA audio answers). Stored in the tenant's storage bucket; never sent to advertisers; deleted when you delete the question or your account.
- Microphone access, only when you tap the record button for an AMA answer. We do not record without your explicit action.
- Crash reports + performance data (no personal content; just stack traces and aggregate metrics).
The mobile app does not collect: your location (no GPS), contacts, calendar, photos (unless you explicitly attach one), browsing history outside Hortz, or any data for advertising tracking. The app does not trigger Apple's App Tracking Transparency prompt because we don't track across other apps or websites.
2.2 From people who run a community as a Hortz tenant admin
- Account info as above, plus billing details (handled by Stripe — we don't see card numbers).
- Community configuration: brand settings, advisor configurations, frameworks you upload, member rosters.
- Tenant-level analytics on your community's usage.
2.3 From visitors who haven't signed up yet
- Conversations with the public HAPI chat (anonymized, IP-rate-limited at 8 questions/day).
- Standard web analytics (page views, referrer, user agent).
- Application form submissions if you apply for a Pegasus account.
3. How we use this data
- To run the platform. Authentication, hosting your conversations and content, computing platform features, billing.
- To operate AI advisors. Your conversation content is sent to language model providers (see section 6) so the advisors can respond to you.
- To improve service quality. Aggregate, de-identified analytics on platform usage; Sentry error reporting; performance monitoring.
- To prevent abuse. Rate-limiting, fraud detection, security monitoring.
- For legal compliance. Responding to lawful requests, enforcing terms.
We do not sell your personal data. We do not use your conversation content to train shared AI models without explicit opt-in.
4. How we share data
We share data only as needed to operate the platform:
- With your community operator (tenant admin). The admin running the community you joined can see member rosters, aggregate analytics, and (where you've consented) certain coaching summaries. Admins cannot read your private journal entries or 1:1 conversations with the AI by default.
- With subprocessors. See section 6.
- For legal reasons. Court orders, subpoenas, lawful government requests, with notice to you when permitted.
- Federation (opt-in). If you opt into federation in your community, certain non-private signals (like keys you've offered) become discoverable across federated communities. You control this in settings.
5. How long we keep data
| Type | Retention |
|---|
| Account info | While your account is active; deleted on request |
| Conversation content + journal entries | While your account is active; deleted on request (7-day soft-delete window for accidental deletion recovery) |
| Audit logs | 2 years (compliance, abuse investigation) |
| Backups | Up to 28 days (Supabase platform-level) |
| Anonymized analytics | Indefinitely |
| Stripe invoices | 7 years (tax compliance) |
You can export everything we hold about you and request deletion at any time (settings -> Account -> Export / Delete).
6. Subprocessors
We use the following third-party services to operate Hortz. Each handles your data under their own privacy terms; we have data processing agreements with each where required.
| Service | Purpose | Data shared |
|---|
| Supabase | Database, auth, storage | All platform data |
| Netlify | Hosting, edge functions, CDN | Request data, no persistent storage |
| Anthropic | Claude language model | Conversation content for AI responses |
| OpenAI | Embeddings + occasional model fallback | Conversation content (when used) |
| Resend | Transactional email | Email address, message content |
| Stripe | Billing | Customer email + payment metadata; we never see card numbers |
| Sentry | Error monitoring | Error context, redacted of secrets |
| Apple Push Notification service | iOS push delivery | Device push token + notification body (no member content beyond what's in the push title/body) |
| Google Firebase Cloud Messaging | Android push delivery | Device push token + notification body (no member content beyond what's in the push title/body) |
We update this list when we add or change subprocessors. For business customers (Pegasus tenants), notable changes are emailed 30 days in advance.
7. Your rights
Regardless of where you live, you can:
- Access the data we hold about you (settings -> Account -> Export your data).
- Delete your account and the personal data attached (settings -> Account -> Delete account). The sweep covers 35+ tables including your messages, journal, daily scores, locks, keys, commitments, coach memory, queued framework surfaces, and cached translations. Messages in shared rooms are anonymized to preserve thread continuity for others. Person-knowings marked share_scope='private' to a single tenant are deleted with that tenant's data; others travel under your control.
- Correct inaccurate data by editing your profile.
- Restrict processing of your data (turn off AI tracking in settings -> Data).
- Port your data — the export is structured JSON.
- Object to processing for marketing (we don't market to you, but if we did).
- Withdraw consent at any time for any feature you opted into.
If you're in the EU/UK, these rights are guaranteed by GDPR. To exercise them, use the in-app tools or email privacy@hortz.co. We respond within 30 days.
8. Data residency
Hortz data is stored in US-East by default (Supabase US infrastructure). Tenants on Pro plans can request EU residency; we'll provision a tenant-isolated Supabase project in EU-West and migrate. Contact us for the formal request.
9. Children
Hortz is not intended for use by anyone under 16. We don't knowingly collect data from children under 16. If you believe a minor has signed up, tell us and we'll delete the account.
10. Cookies
We use only essential cookies: a session cookie to keep you signed in, and a CSRF token. We don't use tracking cookies or third-party analytics that follow you across sites. Communities you join may set their own cookies for their custom domains.
11. Changes to this policy
We update this when our practices change. Material changes are emailed to active accounts with 30 days' notice. The "Effective" date at the top reflects the most recent revision.
12. Contact
Questions, requests, complaints: privacy@hortz.co.