Privacy Policy

Last updated: May 9, 2026

Haven is operated by Haven Lab Inc. ("Haven," "we," "us"). This policy explains what we collect, why, who we share it with, and what rights you have. We aim for plain language; if anything here is unclear, email support@heyhavens.com.

1. What We Collect

Haven collects only what is necessary to operate the service.

Account and identity

  • Email address, your first name (required), and your last name (optional)
  • Family name (your "org") and the family role you set for yourself, or that the family admin sets for you
  • Optional profile fields: profession, age, gender, date of birth, income bracket, income currency

Family data you create

  • Tasks and recurring task templates (their full edit history is captured in the audit log below)
  • Family documents and uploaded attachments (stored in Cloudflare R2)
  • Financial transactions
  • Issue or bug reports you submit, plus any screenshots you attach. To help us reproduce issues we also store the page URL you submitted from and the user-agent string of your browser.
  • AI assistant conversation history — see §4 for what is sent to AI providers

Messaging credentials (only if you choose to link a channel)

  • Telegram user ID; SMS phone number; LINE user ID
  • WhatsApp phone number; WeChat OpenID (channels coming soon)
  • Per-channel link tokens and one-time codes used to verify the link

Sign-in and security data

  • Email OTP codes (BCrypt-hashed; expire within 10 minutes)
  • SMS OTP codes used to verify a phone number you are linking (BCrypt-hashed; 10-minute expiry)
  • Email-change verification codes (BCrypt-hashed; 15-minute expiry)
  • Browser session cookies (used for HTTP requests and the in-app AI chat WebSocket); JWT bearer tokens (7-day expiry) used by the in-app Vue components and the iOS app

Operational metadata

  • Timestamps of actions (task created, document uploaded, message sent)
  • Audit log entries — which member created, updated, destroyed, or copied which record (and for updates, which attribute), and when
  • Notification preferences and quiet-hour settings stored on your member record
  • Usage counters for sub-processor cost and abuse prevention (Anthropic API calls and input/output tokens, OpenAI Whisper transcription seconds and request count, Tavily search queries, Twilio SMS sends, Postmark email sends)
  • Subscription status (free or paid; current period and renewal date) and the third-party billing identifiers needed to reconcile with our payment processors — for web: Stripe customer ID, subscription ID, and price ID; for iOS: the Apple original-transaction ID and product ID

We do not run behavioural analytics, third-party trackers, or cross-site advertising pixels.

2. Sensitive Personal Information

Some fields above may be considered sensitive personal information under California (CPRA) and similar laws — specifically date of birth, OTP codes, and channel identifiers used for authentication.

Haven uses sensitive personal information only to operate the service, authenticate you, send notifications you have opted into, and for legal/security purposes. We do not use it to infer characteristics about you, build advertising profiles, or sell or share it with third parties for marketing.

3. What We Do Not Collect

  • Advertising profiles, behavioural tracking, or cross-site cookies
  • Passwords for member accounts (sign-in is passwordless email OTP — no member password is stored). Internal Haven staff accounts use a separate, password-protected admin tool that is not part of the consumer service.
  • Payment card numbers (Stripe and Apple handle card data directly; we never see it)
  • Precise device location (we do not request the GPS permission)
  • Biometrics or contact-list data

4. How We Use Your Data

Your data is used exclusively to:

  • Operate Haven — show you your tasks, docs, and financial picture
  • Send notifications you have requested (daily digest, reminders, task alerts, channel replies)
  • Power AI features by sending the relevant content to our AI providers
  • Bill paid subscriptions and prevent abuse
  • Respond to support requests

What we send to AI providers

When you use AI features (the chat assistant, task parsing from natural language, voice transcription, screenshot-to-finance import, and the agent's web-search tool), we send the relevant input to our AI sub-processors so they can return a result. This typically includes:

  • Your first and last name and family role, so the assistant can address you and disambiguate "who" in messages
  • The family context the agent needs to answer (member names, the task / document / transaction the agent is acting on, including amounts and currencies)
  • The voice clip, image, or text you submit
  • A capped rolling history of your recent assistant turns (the most recent twenty exchanges; see §11)

We do not use your content to train AI models, and our AI providers do not either by default. Anthropic's commercial API does not train on customer inputs. OpenAI's API (used only for voice transcription via Whisper) does not train on API data for business or commercial customers. Tavily processes the search query you submit through the agent and returns public web results.

5. Legal Bases for Processing (EU/UK/Switzerland)

If you live in the EEA, UK, or Switzerland, we rely on the following GDPR legal bases:

  • Contract: to provide Haven once you sign up
  • Legitimate interest: to keep the service secure, prevent abuse, and improve the product
  • Consent: for optional channel links (Telegram, SMS, LINE, WhatsApp, WeChat) and marketing emails — withdrawable at any time
  • Legal obligation: to retain billing records held by our payment processor and to respond to lawful requests

6. SMS Messaging

If you choose to link an SMS phone number, Haven Lab Inc. sends recurring task reminders, daily and weekly summaries, and AI assistant replies as text messages from +1 (518) 628-2189. Message and data rates may apply. Message frequency varies (typically 5–30 messages per week) based on your notification preferences and family activity.

  • Reply STOP on any Haven SMS to unsubscribe — Twilio handles the opt-out at the carrier level and you will not receive further messages.
  • Reply HELP and Haven will reply with support information.
  • Phone numbers and message content are used solely to operate Haven. We do not share your phone number or SMS message content with third parties for marketing, advertising, or any purpose unrelated to providing the service.

SMS service is provided through Twilio. See the Third-Party Services table below for what is shared with Twilio for delivery.

7. Third-Party Services and Sub-processors

Haven uses the following third-party services to operate. Each is contractually limited to processing data on our instructions for the purposes described.

Service | Purpose | Data shared | Region
Hetzner Cloud | Application server hosting (PostgreSQL, Redis, Rails, Sidekiq) | All Haven data lives on this infrastructure | Ashburn, Virginia, USA
Cloudflare R2 | File storage (docs, attachments, issue-report screenshots) | Files you upload | Cloudflare global edge
Cloudflare | DNS for heyhavens.com and TLS termination | Request metadata only (no message content) | Global edge
Anthropic | AI assistant, task parsing, finance import, agent reasoning | Inputs described in §4 | United States
OpenAI | Voice transcription (Whisper) when you send a voice message | Your audio clip and resulting transcript | United States
Tavily | Web search tool used by the AI agent | The search query the agent issues (does not include your name or family data) | United States
Twilio | SMS notifications (if you link an SMS number) | Your phone number; notification text | United States
Telegram | Bot messaging (if you link Telegram) | Your Telegram user ID; messages you send to the bot | Global
LINE Corporation | Bot messaging (if you link LINE) | Your LINE user ID; messages you send to the bot | Japan
Postmark | Transactional email (OTP codes, invitations) | Your email address; email content | United States
Stripe | Payment processing (web subscriptions) | Your email address and billing details; Stripe handles card data directly | United States
Apple | In-app purchases (iOS subscriptions) | Subscription status only — Apple handles all payment data | United States

Sub-processors for channels that are not yet live to users

Haven has integrations built but inactive for two messaging channels. No user data flows to these processors today; when a channel goes live, this table will be updated and we will give the 14-day notice of material change described in §13:

  • Meta (WhatsApp Business API) — if you ever choose to link WhatsApp, Meta will receive your WhatsApp phone number and the messages you send to the Haven bot. Region: United States / Ireland.
  • Tencent (WeChat Official Account) — if you ever choose to link WeChat, Tencent will receive your WeChat OpenID and the messages you send to the Haven Official Account. Region: China / Singapore.

8. International Transfers

Haven is operated from Canada and most of our sub-processors are based in the United States, with one (LINE) in Japan and several Cloudflare services on a global edge network. When personal data is transferred outside your country of residence, we rely on appropriate safeguards — standard contractual clauses, the EU-US Data Privacy Framework where applicable, and the recipient's own contractual commitments not to use your data beyond the documented purpose.

9. Data Storage and Security

Haven runs on Hetzner Cloud servers in Ashburn, Virginia. Your account and family data live in PostgreSQL on that infrastructure; uploaded files live in Cloudflare R2.

All connections to Haven (web, iOS, and webhook traffic from messaging platforms) use TLS. Database access is restricted to a small number of operations staff and is audited. Internal access to production data is used only to operate the service or respond to support requests.

We are still hardening our security posture. We do not currently provide a formal warranty about the encryption-at-rest configuration of every sub-processor's storage layer. If you have specific security questions for a regulated workload, contact us before storing such data.

10. Your Rights

Regardless of where you live, you have these baseline rights:

  • Access: request a copy of all data Haven holds about you
  • Correction: update your name, email, profile, and family data in Settings
  • Deletion (two paths):
    • Delete account (Settings → Profile): clears your personal data and disables sign-in. Your member row stays as a tombstone so the family's task history, audit log, and previously-submitted issue reports still attribute correctly. See §11 for the exact field-level list of what is cleared and what is preserved. To remove the row entirely, ask the family admin to delete the family.
    • Delete family (Settings → Family, admin only): permanent and immediate cascade — every family-level record is destroyed (see §11 for the full list).
  • Portability: download a structured JSON copy of all data Haven holds for you at any time. Sign in on the web at heyhavens.com and open Settings → Profile → Privacy & data → Export my data. (The export is only available on the web; the iOS app does not currently surface it. iOS users can sign in to heyhavens.com from any browser to download.) The export includes your profile, family record, tasks (assigned + created), recurring templates, documents, transactions, audit log entries, AI conversation history, issue reports, subscription status, and linked channel identifiers. It excludes credentials (OTP codes, channel-link tokens) and third-party billing identifiers (Stripe customer/subscription/price IDs and, for iOS users, the Apple original-transaction and product IDs) — that billing-side data is held by Stripe and Apple respectively and you can manage and export it through their customer portals. If the export does not work for you, email support@heyhavens.com.
  • Objection / restriction: contact us to object to or restrict any specific processing
  • Withdrawal of consent: unsubscribe from notification SMS by replying STOP. Haven sends only transactional email today (sign-in codes, email-change verification, family invitations) — there is no marketing email list to unsubscribe from. Notification preferences (daily digest, reminders, quiet hours) are managed in Settings → Profile.

Response timing

We respond to access, deletion, correction, and portability requests within 30 days of receipt (45 days for California residents under CPRA). For self-serve actions like account deletion or data export, the action is immediate.

California (CPRA) and other US state privacy laws

California residents additionally have the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to non-discrimination. We do not sell your personal information and we do not share it with third parties for cross-context behavioural advertising.

Residents of other US states with comprehensive privacy laws — including Colorado (CPA), Connecticut (CTDPA), Virginia (CDPA), Utah (UCPA), Texas (TDPSA), Oregon, Tennessee, Florida (FDBR), and Montana — have substantially the same rights described above and may exercise them through the same channels.

EU/UK/Switzerland (GDPR/UK GDPR)

You may lodge a complaint with your local data protection authority. In the UK that is the ICO; in the EU, your national supervisory authority listed at edpb.europa.eu/about-edpb/members.

Canada (PIPEDA)

Canadian users may file a complaint with the Office of the Privacy Commissioner of Canada.

11. Data Retention

Different categories of data are kept for different lengths of time. The rules below describe what the Haven application actually does today.

When you delete the family ("Delete family", admin only)

Family deletion happens immediately when an admin confirms it in Settings → Family. The Haven server cascades the deletion to every family-level record — members, tasks, recurring templates, family docs, audit log entries, invitations, transactions, subscription record, AI conversation history, and issue reports — and queues the corresponding files in Cloudflare R2 for deletion. The data is gone from live systems at that point.

When you delete your own account ("Delete account")

Account deletion is a member-level action, not a family-level one. Your personal data is cleared (see the deactivation paragraph below for the exact field list), your sign-in is disabled, and your member row is preserved as a tombstone so the family's tasks, audit log entries, and previously-submitted issue reports still attribute correctly — every read renders the original member as "deleted user". The row contains no personal information after deletion. To remove the row entirely, ask the family admin to delete the family.

For disaster recovery, the production database is backed up daily. Backups are encrypted with AES-256-GCM before leaving the database host, uploaded to a separate Cloudflare R2 bucket, and automatically deleted after 30 days. If you delete your account, the live record is gone immediately; any references in encrypted backups roll off within the 30-day window without manual action.

When another family member removes you, or you "leave"

Your member record stays in place so the family's task history and audit log still render correctly, but the rest of your profile is cleared: last name, email (replaced with a non-routable deactivated-UUID@haven.internal placeholder), profession, age, date of birth, income, and every channel identifier (Telegram, SMS, LINE, WhatsApp, WeChat). First name is suffixed with "(deactivated)" so the UI labels are honest rather than blank. Gender is reset to "prefer not to say" because the schema requires a value. Your account can no longer sign in. To delete the record entirely rather than deactivating it, the family admin (or you, before leaving) can use "Delete account" instead.
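As an added illustration, not Haven's own code, the field-level clearing described above written as a plain Ruby routine: the record fields and channel column names are assumptions, and the invariant check shows how a tombstone can be verified to carry no personal data while keeping the id that tasks and audit entries reference.

```ruby
require "securerandom"

# Assumed column names; the real schema may name these differently.
CHANNEL_FIELDS = %i[telegram_user_id sms_phone line_user_id whatsapp_phone wechat_openid].freeze
PROFILE_FIELDS = %i[last_name profession age date_of_birth income_bracket income_currency].freeze

Member = Struct.new(:id, :first_name, :last_name, :email, :gender, :profession, :age,
                    :date_of_birth, :income_bracket, :income_currency,
                    :telegram_user_id, :sms_phone, :line_user_id, :whatsapp_phone,
                    :wechat_openid, :active, keyword_init: true)

# Returns a deactivated copy. The id is kept so task history and audit log
# rows still resolve; every identifying field is cleared or replaced.
def deactivate(member)
  tomb = member.dup
  (PROFILE_FIELDS + CHANNEL_FIELDS).each { |f| tomb[f] = nil }
  tomb.first_name = "#{member.first_name} (deactivated)"          # honest UI label
  tomb.email = "deactivated-#{SecureRandom.uuid}@haven.internal"   # non-routable placeholder
  tomb.gender = "prefer not to say"                                 # schema requires a value
  tomb.active = false                                               # sign-in disabled
  tomb
end

# Invariant check a defender can run over deactivated rows: true only when
# sign-in is off, the email is the placeholder form, the name is labelled,
# and no profile or channel identifier survives.
def tombstone?(member)
  return false if member.active
  return false unless member.email.match?(/\Adeactivated-[0-9a-f-]{36}@haven\.internal\z/)
  return false unless member.first_name.end_with?(" (deactivated)")
  (PROFILE_FIELDS + CHANNEL_FIELDS).all? { |f| member[f].nil? }
end
```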

AI assistant conversation history

The AI agent keeps a short rolling memory of your most recent twenty exchanges (combined across all channels) so it can stay in context. Older turns are dropped automatically as new ones come in. The full history is also wiped when you delete your account.

Family-configured retention

Your family admin can set per-category retention windows in Settings → Family. Each setting accepts an integer between 1 and 365 days, or "off" to keep records indefinitely. A nightly job permanently deletes records older than the configured threshold:

  • Closed tasks
  • Archived tasks
  • Paused recurring templates and closed recurring templates
  • Documents that are no longer marked "kept"

Issue / bug reports

Issue reports you submit are kept until they are marked resolved by the Haven team, then permanently deleted 60 days after resolution. Attachments stored in R2 are removed in the same step.

Billing records

Subscription records linked to your family are deleted when you delete the family. Invoice records held by Stripe (our payment processor) are retained by Stripe per its own policy and applicable tax law; Haven does not maintain a separate copy of invoice or card data.

12. Children's Privacy

Haven supports family member profiles for children. The family admin creates each member profile, including profiles for children, and provides the personal information that profile contains. By creating a profile for a child, the family admin is acting on the child's behalf and is responsible for any consents required by their local law (for example, US COPPA for children under 13, or GDPR Article 8 for children under 16 in the EEA, where the family admin's verifiable consent stands in for the child's).

We do not knowingly accept direct sign-ups from children, and we do not market the service to children. If you believe a child has signed up directly without parental consent, contact us and we will delete the account.

Inside Haven, all family members — adult or child — currently use the same features. The family-role label on a member profile (mom, dad, son, daughter, wife, husband, or other) is a self-identification used for display in the family; it is not used to enable or restrict features.

13. Changes to This Policy

We will give at least 14 days' notice by email before any material change to this policy. The "Last updated" date at the top of this page reflects the most recent version.

14. Contact

Haven is operated by:

Haven Lab Inc.
3011 Max Khan Blvd
Oakville, Ontario L6H 3P5
Canada

Phone: +1 (365) 351-1671

Privacy questions, rights requests, and complaints: support@heyhavens.com
