start habit.
Log inRegister

Privacy Policy

Last Updated: June 14, 2026

1. Introduction

Welcome to Habit, an AI-powered “personal board of advisors” service operated by StartHabit (“StartHabit,” “we,” “us,” or “our”). Habit lets you create and talk to AI personas — AI representations of real expert knowledge and thinking styles — across the web app and connected messaging channels, and lets those personas use knowledge bases and connected business tools you authorize.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Service, and outlines your rights and choices. By using the Service, you agree to the practices described in this Privacy Policy.

We review this Privacy Policy periodically to keep it accurate, complete, and compliant with applicable laws and our internal data-governance standards.

Key definitions

Customer Data means data submitted to or processed by the Service on your behalf, including: account and profile information; connection credentials (e.g., OAuth tokens) for channels and tools you connect; persona definitions (custom prompts, configuration, and versions); knowledge-base content and uploaded files; conversations, messages, and the outputs and tool calls Habit generates; approval decisions; scheduled tasks and automation configuration; and service logs.

2. Information We Collect

We collect only the information necessary to provide, maintain, and secure the Service.

A. Account and profile information

When you register, we store your email address (your primary login identifier), and optionally your first name, username, time zone, and a preferred transcription language. We store a securely hashed password (we never store your password in plain text). If you sign in with Google, we store your Google account identifier and the verified email Google provides. We also issue and store session and authentication records (session tokens, activation/reset token hashes, and API/MCP token metadata).

B. Channel and platform identifiers

When you connect a messaging channel, we store the identifiers needed to route messages and link them to your account — for example Slack user/workspace IDs, Telegram user/chat IDs, the WhatsApp account phone number, and limited display metadata (display name, avatar URL). We also store per-conversation threading context (e.g., Slack thread, Telegram chat, email thread identifiers).

C. Connection credentials

We store the credentials necessary to maintain the integrations you enable, including:

  • Bot/channel credentials (e.g., Slack bot token and signing secret, Telegram bot token and webhook secret, WhatsApp session secret).
  • OAuth access/refresh tokens, scopes, and expiration metadata, or API keys, for the third-party tools you connect.

For some integrations the credential lifecycle is brokered by a third party (Composio); in those cases the authoritative upstream token may be held by that broker, and we store a reference to the connected account.

D. Persona, knowledge-base, and content data

We store the content needed to provide continuity and run the Service, including:

  • Persona definitions: custom system prompts, configuration, version history, and collaborator access grants.
  • Knowledge bases: documents, uploaded files, and content you ingest (including content fetched from connected accounts or crawled from URLs you provide), together with derived representations such as text embeddings stored in our database for search.
  • Conversations and messages between you and your personas (including message content, attachments and their extracted text, summaries, and feedback), and durable per-user “memory” or context you save.

E. Message and media content across channels

When you interact with a persona on the web, in Slack, Telegram, WhatsApp, or by email, we access and process the message content (text, captions, images, documents, and voice/audio) needed to respond, maintain conversation context, and perform the tasks you request. Voice and audio you send are transcribed by a third-party speech-to-text provider.

F. Approvals, automations, and scheduled tasks

We store approval/rejection decisions for actions a persona requests, and the configuration of any scheduled tasks, triggers, or automations you set up.

G. Service logs and usage data

We collect limited operational data, such as service logs and audit/security logs (timestamps, error logs, request/response metadata), traces, and usage events needed to operate and improve reliability.

H. Communications with us

If you contact us (e.g., support requests or email), we collect the information you provide.

I. Website analytics

When you visit our marketing site (starthabit.com) or use the app, we and our analytics providers may collect cookie/identifier data, device and browser metadata, IP address, pages viewed, and interaction events for analytics and attribution.

Sensitive data

We do not knowingly collect special-category or other sensitive personal data unless it is necessary for the Service and provided by you.

3. How We Use Your Information

A. Provide and operate the Service

Authenticate users; maintain the channels and tools you enable; run personas; respond to requests; generate outputs; perform approved tasks; and provide continuity across conversations.

B. AI processing to generate outputs

Relevant portions of Customer Data are processed by automated AI systems — including third-party AI providers — to produce responses, reports, and other outputs at your direction. We do not use Customer Data for advertising. We do not train our own foundation models on Customer Data. Where required, we contract with our AI providers under terms that restrict their use of your content to providing the service and prohibit training of their general-purpose models on it.

C. Maintain security, safety, and integrity

Detect and prevent fraud, abuse, and unauthorized access; investigate incidents; and maintain audit trails where appropriate.

D. Service improvement (aggregated or de-identified)

We may use aggregated or de-identified data that cannot reasonably identify you to understand usage patterns and improve reliability and product experience.

E. Communications

Send service-related communications (product updates, security notices, administrative messages) and provide customer support.

F. Analytics and attribution

Measure product and website usage and attribute signups using the analytics tools described below. We do not use the content of your conversations, knowledge bases, or connected accounts for advertising.

G. Compliance and protection

Comply with legal obligations, enforce our Terms of Service, and protect the rights, safety, and property of our users and StartHabit.

4. How We Disclose or Share Information

We do not sell your personal data for monetary consideration. We may share limited online identifiers and usage data with analytics and attribution partners; depending on your jurisdiction this may be considered “sharing” or “targeted advertising,” and you may have the right to opt out (see §7).

We share information only as necessary to provide and support the Service, subject to appropriate safeguards.

A. Service providers (subprocessors)

We use vendors to host and operate the Service. They may process Customer Data on our behalf solely to provide, secure, and support the Service.

Subprocessor What we use it for
Amazon Web Services (AWS) Cloud hosting and infrastructure
Neon Managed database
Upstash Managed cache and realtime messaging
Cloudflare Edge network, app delivery, and file storage
Composio Connecting and running the external tools you authorize
Anthropic AI model provider (chat)
OpenRouter AI model routing
Google (Gemini) AI text embeddings for search
OpenAI Speech-to-text transcription
Resend Email delivery
Stripe Payments and billing
PostHog Product analytics
Grafana Cloud Logging and monitoring
Google Analytics Website analytics (marketing site only)

The following are processed only if you connect them, and only as permitted by the scopes you authorize: Slack, Telegram, WhatsApp, email; and tools including ClickUp, LinkedIn, Meta Ads, Google Ads, Gmail, Google Calendar/Drive/Sheets/Slides/Meet, TikTok, HubSpot, GitHub, Linear, Notion, and other tools available in our catalog. See §10–§12 for platform-specific commitments.

B. AI technology partners

When you invoke AI features, the prompt/context needed to generate an output is sent to third-party AI providers (Anthropic, OpenAI, Google, and OpenRouter as a router for non-Anthropic chat models). We require these providers to use your data only to provide the requested service and not for advertising. Your data is processed in isolated API requests. We do not use your data to train our models, and we do not authorize these providers to train their general-purpose models on your data.

C. Analytics and attribution

We use analytics tools (PostHog in the app; Google Analytics on the marketing site) to understand usage and attribute signups. These tools may receive online identifiers, event metadata, and referral/campaign data. We do not use your conversation, knowledge-base, or connected-account content for advertising. Non-essential/analytics cookies are opt-in: they are off by default, and we ask for your consent through our cookie banner before enabling them. You can change your choice at any time through the in-app cookie preferences (Settings → Privacy & Cookies) or through your browser settings. Essential cookies needed to sign you in and run the Service remain active.

D. Legal compliance and protection

We may disclose information if required by law or valid legal process, or where we believe disclosure is necessary to comply with legal obligations, protect the rights and safety of users and the public, prevent fraud or abuse, or enforce our Terms of Service.

E. Business transfers

If StartHabit is involved in a merger, acquisition, restructuring, financing due diligence, bankruptcy, or sale of assets, information may be disclosed to advisors and successor entities, subject to appropriate confidentiality protections.

F. Third-party links

The Service may link to third-party websites/services; we are not responsible for their privacy practices.

5. Data Storage and Security

Data center location. Our core application data is stored with cloud providers in the European Union (primarily AWS eu-central-1 / Frankfurt). Certain subprocessors — notably AI/LLM providers, payments, email, and some integration brokers — process data in the United States or globally; see §4 and §9.

Security measures. We maintain industry-standard safeguards, including:

  • Encryption in transit (TLS 1.2+/1.3);
  • Encryption at rest provided by our cloud database, cache, and object-storage providers;
  • Access controls and least-privilege access;
  • Audit logging and monitoring;
  • Incident-response processes, including notification to affected customers and/or authorities where required by applicable law.

You are responsible for maintaining appropriate security in your own accounts and connected workspaces (e.g., limiting channel access and managing admin permissions).

6. Data Retention

We retain Customer Data only as long as needed to provide the Service, meet contractual obligations, and comply with law.

  • Active production systems. When an account is closed or we receive a validated deletion request, we delete Customer Data from active production systems within approximately 30 days.
  • Backups. Encrypted backups are used only for business continuity; remaining copies are removed as backups age out on their normal rotation (approximately 35 days).
  • Operational logs and traces. Service logs, traces, and similar operational records are retained for limited windows (for example, traces ~30 days; other operational records up to ~90–180 days) and then deleted.
  • Derived data. Derived or transformed data (such as indexes and embeddings) is deleted or disassociated when the underlying Customer Data is deleted, subject to backup retention and legal obligations.
  • Exports. Where legally permitted, you may request an export prior to deletion.

7. Your Rights and Choices

Depending on your location, you may have the following rights:

A. Access and correction

You can request access to the personal data we hold about you and request correction of inaccurate or incomplete data. You can also export your data in a machine-readable format directly from the app (Settings → Export your data); the export deliberately excludes secrets such as stored credentials, access tokens, and password hashes.

B. Deletion

You may request deletion of your personal data (including persona definitions, knowledge bases, conversations, and related records). For workspace- or organization-level data, we may require the request to come from an authorized administrator or account owner. Upon a verifiable request we delete Customer Data in accordance with §6. You may request deletion by emailing privacy@starthabit.com, or follow our Data Deletion page.

C. Withdrawal of consent / disconnecting

You can disconnect any channel or tool at any time from within the app, or revoke access from the third-party platform’s own settings. After revocation we stop collecting new data from that source. Disconnecting or revoking does not by itself delete previously stored data; if your account is closed or we receive a verifiable deletion request, we delete previously stored data in accordance with §6.

You can also manage or withdraw your consent for analytics and session-replay cookies at any time through the in-app cookie preferences (Settings → Privacy & Cookies) or our cookie banner. Withdrawing consent stops further non-essential processing going forward but does not by itself delete data already collected.

D. Marketing preferences

If you opt in to marketing communications, you can opt out at any time via unsubscribe links or by contacting us. You will still receive essential service communications.

E. Data portability (where applicable)

Where required by law, you may request a copy of your data in a machine-readable format.

F. Authorized agents (where applicable)

Where permitted by law, you may designate an authorized agent to submit requests on your behalf; we will verify identity and authority as required.

G. U.S. state privacy rights (where applicable)

Residents of certain U.S. states may have rights to know, access, delete, correct, and opt out of certain data uses, including “sale,” “sharing,” or targeted advertising as defined under applicable law. Contact us at privacy@starthabit.com. We will not discriminate against you for exercising applicable rights. We respond within the timeframe required by applicable law (typically within 45 days, with a permitted extension where allowed). If we deny a request, you may appeal by contacting privacy@starthabit.com with “Privacy Appeal” in the subject line.

H. EEA/UK rights (where applicable)

If you are in the EEA or UK, you may also have the right to object to certain processing, request restriction of processing, and lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us at privacy@starthabit.com.

8. Children’s Privacy

The Service is not intended for children, and we do not knowingly collect personal data from anyone under the age of 18 (or the age of majority in their jurisdiction, if higher). If we learn we have collected such data, we will delete it promptly. Contact privacy@starthabit.com if you believe a child has provided personal data.

9. International Users and GDPR / UK GDPR

StartHabit processes core application data in the European Union. If you are located in the EEA/UK, we process personal data under one or more legal bases, including:

  • Performance of a contract (providing the Service you request);
  • Consent (e.g., connecting channels/tools via OAuth and certain non-essential cookies/analytics where required);
  • Legitimate interests (security, fraud prevention, and improving reliability and product analytics where permitted), balanced against your rights.

Some subprocessors process data in the United States or globally (see §4). Where required for cross-border transfers, we use appropriate safeguards such as the Standard Contractual Clauses. If required by applicable law, we will appoint an EU/UK representative and update this Policy with their details.

Privacy and data-protection contact: privacy@starthabit.com.

10. Meta Platform Compliance

For users who connect a Meta (Facebook/Instagram) ads account, Habit accesses the following on your authorization:

Data type Purpose
Ad accounts, campaigns, ad sets, ads, and creatives Answer your questions and produce the reporting/analysis you request
Ads insights and performance metrics Reporting and analysis you request
Connected pages/business assets and user identifiers Identify the assets your request applies to

Our commitments

  • We use Meta Platform Data only to provide and operate the Service for you, and only as described in this policy.
  • We do not sell, rent, or license Meta Platform Data, and we do not transfer it to any ad network, ad exchange, data broker, or other monetization service (including in aggregated, anonymized, or derived form).
  • We do not use Meta data to build profiles of individuals, for surveillance, for discrimination, or to make eligibility decisions.
  • Our subprocessors process Meta data only on our instructions and must cease use and delete it when they stop providing services to us.
  • Our use of information received from Meta APIs adheres to the Meta Platform Terms and Meta Developer Policies, including their data-use restrictions.

Revoking access and deletion. You can disconnect Meta at any time from within Habit, or remove the app from your Meta settings (Settings → Apps and Websites). You may request deletion of your Meta data by emailing privacy@starthabit.com or via our Data Deletion page; we delete your Meta data upon disconnection or upon a verifiable request, in accordance with §6.

11. Google API Services Compliance (Limited Use)

For users who connect Google services (e.g., Google Ads, Gmail, Google Calendar, Drive, Sheets, Slides, or Meet), Habit accesses only the data covered by the specific scopes you authorize, and uses it only to provide the user-facing features you request (for example, retrieving Google Ads reporting, reading or drafting email, or working with your calendar and documents).

Habit’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular:

  • We limit our use of Google user data to providing or improving user-facing features that are prominent in Habit’s user interface.
  • We do not transfer or sell Google user data to third parties such as advertising platforms, data brokers, or information resellers.
  • We do not use Google user data for serving advertising, including retargeting or personalized/interest-based advertising, or to determine credit-worthiness or for lending purposes.
  • We do not allow humans to read your Google user data except: with your affirmative consent for specific items; as necessary for security (e.g., investigating abuse); to comply with applicable law; or where data is aggregated/anonymized and used for internal operations consistent with applicable requirements.
  • We do not use Google user data to develop, improve, or train generalized/non-personalized AI or machine-learning models.
  • These restrictions apply to the raw data and to data aggregated, anonymized, or derived from it, and we require our employees, agents, contractors, and successors to comply with the Google API Services User Data Policy.

Revoking access and deletion. You can disconnect Google at any time from within Habit, or revoke access at myaccount.google.com/permissions. You may request deletion of your Google user data at privacy@starthabit.com; we delete it upon disconnection or a verifiable request, in accordance with §6.

12. Messaging Channels (Slack, Telegram, WhatsApp, Email)

When you connect a messaging channel, Habit processes the message content and identifiers needed to operate that channel:

Channel What we access Notes
Slack Messages in channels where the bot is invited and DMs to the bot; Slack user/workspace IDs; interaction (approval) payloads Your use of Slack is subject to Slack’s terms and privacy policy. We affirm Slack APIs are not used to develop, improve, or train generalized AI/ML models.
Telegram Messages, captions, and media you send the bot; Telegram user/chat IDs; callback payloads Your use of Telegram is subject to Telegram’s terms.
WhatsApp Messages and media sent to/from the connected number; the connected account’s phone number; session status Connection uses a WhatsApp Web session and requires your explicit acknowledgment of the associated risks; subject to WhatsApp’s terms.
Email Inbound email content, subject, sender address, and threading IDs; outbound email we send on your behalf; sender allowlist/suppression entries Per-persona email addresses are provided on our domain; senders not on your allowlist do not reach the persona.

Our commitments. We use channel data only to provide and operate the Service; we do not sell channel data; and we do not use channel data for advertising. You can disconnect any channel or remove the bot at any time; after that we stop collecting new data from that channel, and previously stored data is handled per §6.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by appropriate means (e.g., notifying account administrators and/or emailing the address associated with the account). The “Last Updated” date reflects the most recent revision. Your continued use of the Service after changes become effective indicates acceptance of the revised policy.

14. Contact

If you have questions about this Privacy Policy or our data practices, contact us:

  • Email: privacy@starthabit.com
  • StartHabit

Habit — a service of StartHabit. See also our Terms of Service and Data Deletion.

Habit
Privacy PolicyTerms of ServiceData Deletion

We use essential cookies to run the site and, with your consent, analytics cookies to understand usage. See our Privacy Policy.