Privacy Policy
Last updated: May 2026
1. Who We Are
Hearthflow is a household planning and scheduling service. Our contact email is hearthflowltd@gmail.com.
2. What Data We Collect
Account data
- Name and email address provided during sign-up
- Hashed password (we never store your password in plain text)
- Sign-in method (email/password or Google OAuth)
- Device session tokens for "Keep me signed in" functionality
Household data
- Family member names and household configuration you enter
- Calendar events, dinner plans, and parking preferences you create
Payment data
Payments are processed by Stripe. We do not store your card details. We receive and store your Stripe customer ID and subscription status to manage your account.
Usage data
- Daily AI chat message counts (number only, not content after processing)
- IP addresses associated with login attempts (held in memory only, cleared on restart)
3. How We Use Your Data
- To provide the service — managing your calendar, parking, and dinner plans
- To manage your account — authentication, session management, email verification
- To process payments — managing your Hearthflow Premium subscription via Stripe
- To send transactional emails — account verification and important service notices
- To enforce fair use — daily AI chat rate limits
We do not use your data for advertising or profiling, and we do not sell it to third parties.
4. Legal Basis for Processing (UK/EU GDPR)
- Contract performance — processing necessary to provide the service you signed up for
- Legal obligation — maintaining records required by law
- Legitimate interests — security, fraud prevention, service improvement
5. Data Sharing
We share data only with:
- Stripe — payment processing. Stripe acts as a data processor under a Data Processing Agreement. See Stripe's Privacy Policy.
- Google — if you sign in with Google, subject to Google's Privacy Policy.
We do not share your data with any other third parties.
6. Data Retention
- Account and household data is retained until you delete your account
- When you delete your account, all associated data is permanently removed from our systems
- Payment records may be retained for up to 7 years to comply with UK financial regulations
7. Your Rights
Under UK/EU GDPR you have the right to:
- Access — request a copy of the data we hold about you
- Erasure — delete your account and all associated data (via Settings → Delete Account)
- Rectification — correct inaccurate data
- Restriction — limit how we process your data
- Portability — receive your data in a portable format
- Object — object to processing based on legitimate interests
To exercise any right, contact us at hearthflowltd@gmail.com. You also have the right to lodge a complaint with the ICO (UK) or your local supervisory authority.
8. Cookies and Storage
We use a single session cookie to keep you logged in. No advertising or tracking cookies are used. If you choose "Keep me signed in", an authentication token is stored in a cookie for up to 90 days.
9. Security
Passwords are hashed using industry-standard algorithms. Payment data never touches our servers. We use reCAPTCHA on login forms to prevent automated abuse.
10. Changes to This Policy
We will notify users of material changes via email. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact
Questions about this policy: hearthflowltd@gmail.com