Last Updated: June 14, 2026
Welcome to Habit, an AI-powered “personal board of advisors” service operated by StartHabit (“StartHabit,” “we,” “us,” or “our”). Habit lets you create and talk to AI personas — AI representations of real expert knowledge and thinking styles — across the web app and connected messaging channels, and lets those personas use knowledge bases and connected business tools you authorize.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Service, and outlines your rights and choices. By using the Service, you agree to the practices described in this Privacy Policy.
We review this Privacy Policy periodically to keep it accurate, complete, and compliant with applicable laws and our internal data-governance standards.
Key definitions
Customer Data means data submitted to or processed by the Service on your behalf, including: account and profile information; connection credentials (e.g., OAuth tokens) for channels and tools you connect; persona definitions (custom prompts, configuration, and versions); knowledge-base content and uploaded files; conversations, messages, and the outputs and tool calls Habit generates; approval decisions; scheduled tasks and automation configuration; and service logs.
We collect only the information necessary to provide, maintain, and secure the Service.
When you register, we store your email address (your primary login identifier), and optionally your first name, username, time zone, and a preferred transcription language. We store a securely hashed password (we never store your password in plain text). If you sign in with Google, we store your Google account identifier and the verified email Google provides. We also issue and store session and authentication records (session tokens, activation/reset token hashes, and API/MCP token metadata).
When you connect a messaging channel, we store the identifiers needed to route messages and link them to your account — for example Slack user/workspace IDs, Telegram user/chat IDs, the WhatsApp account phone number, and limited display metadata (display name, avatar URL). We also store per-conversation threading context (e.g., Slack thread, Telegram chat, email thread identifiers).
We store the credentials necessary to maintain the integrations you enable, including:
For some integrations the credential lifecycle is brokered by a third party (Composio); in those cases the authoritative upstream token may be held by that broker, and we store a reference to the connected account.
We store the content needed to provide continuity and run the Service, including:
When you interact with a persona on the web, in Slack, Telegram, WhatsApp, or by email, we access and process the message content (text, captions, images, documents, and voice/audio) needed to respond, maintain conversation context, and perform the tasks you request. Voice and audio you send are transcribed by a third-party speech-to-text provider.
We store approval/rejection decisions for actions a persona requests, and the configuration of any scheduled tasks, triggers, or automations you set up.
We collect limited operational data, such as service logs and audit/security logs (timestamps, error logs, request/response metadata), traces, and usage events needed to operate and improve reliability.
If you contact us (e.g., support requests or email), we collect the information you provide.
When you visit our marketing site (starthabit.com) or use the app, we and our analytics providers may collect cookie/identifier data, device and browser metadata, IP address, pages viewed, and interaction events for analytics and attribution.
We do not knowingly collect special-category or other sensitive personal data unless it is necessary for the Service and provided by you.
Authenticate users; maintain the channels and tools you enable; run personas; respond to requests; generate outputs; perform approved tasks; and provide continuity across conversations.
Relevant portions of Customer Data are processed by automated AI systems — including third-party AI providers — to produce responses, reports, and other outputs at your direction. We do not use Customer Data for advertising. We do not train our own foundation models on Customer Data. Where required, we contract with our AI providers under terms that restrict their use of your content to providing the service and prohibit training of their general-purpose models on it.
Detect and prevent fraud, abuse, and unauthorized access; investigate incidents; and maintain audit trails where appropriate.
We may use aggregated or de-identified data that cannot reasonably identify you to understand usage patterns and improve reliability and product experience.
Send service-related communications (product updates, security notices, administrative messages) and provide customer support.
Measure product and website usage and attribute signups using the analytics tools described below. We do not use the content of your conversations, knowledge bases, or connected accounts for advertising.
Comply with legal obligations, enforce our Terms of Service, and protect the rights, safety, and property of our users and StartHabit.
We do not sell your personal data for monetary consideration. We may share limited online identifiers and usage data with analytics and attribution partners; depending on your jurisdiction this may be considered “sharing” or “targeted advertising,” and you may have the right to opt out (see §7).
We share information only as necessary to provide and support the Service, subject to appropriate safeguards.
We use vendors to host and operate the Service. They may process Customer Data on our behalf solely to provide, secure, and support the Service.
| Subprocessor | What we use it for |
|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure |
| Neon | Managed database |
| Upstash | Managed cache and realtime messaging |
| Cloudflare | Edge network, app delivery, and file storage |
| Composio | Connecting and running the external tools you authorize |
| Anthropic | AI model provider (chat) |
| OpenRouter | AI model routing |
| Google (Gemini) | AI text embeddings for search |
| OpenAI | Speech-to-text transcription |
| Resend | Email delivery |
| Stripe | Payments and billing |
| PostHog | Product analytics |
| Grafana Cloud | Logging and monitoring |
| Google Analytics | Website analytics (marketing site only) |
The following are processed only if you connect them, and only as permitted by the scopes you authorize: Slack, Telegram, WhatsApp, email; and tools including ClickUp, LinkedIn, Meta Ads, Google Ads, Gmail, Google Calendar/Drive/Sheets/Slides/Meet, TikTok, HubSpot, GitHub, Linear, Notion, and other tools available in our catalog. See §10–§12 for platform-specific commitments.
When you invoke AI features, the prompt/context needed to generate an output is sent to third-party AI providers (Anthropic, OpenAI, Google, and OpenRouter as a router for non-Anthropic chat models). We require these providers to use your data only to provide the requested service and not for advertising. Your data is processed in isolated API requests. We do not use your data to train our models, and we do not authorize these providers to train their general-purpose models on your data.
We use analytics tools (PostHog in the app; Google Analytics on the marketing site) to understand usage and attribute signups. These tools may receive online identifiers, event metadata, and referral/campaign data. We do not use your conversation, knowledge-base, or connected-account content for advertising. Non-essential/analytics cookies are opt-in: they are off by default, and we ask for your consent through our cookie banner before enabling them. You can change your choice at any time through the in-app cookie preferences (Settings → Privacy & Cookies) or through your browser settings. Essential cookies needed to sign you in and run the Service remain active.
We may disclose information if required by law or valid legal process, or where we believe disclosure is necessary to comply with legal obligations, protect the rights and safety of users and the public, prevent fraud or abuse, or enforce our Terms of Service.
If StartHabit is involved in a merger, acquisition, restructuring, financing due diligence, bankruptcy, or sale of assets, information may be disclosed to advisors and successor entities, subject to appropriate confidentiality protections.
The Service may link to third-party websites/services; we are not responsible for their privacy practices.
Data center location. Our core application data is stored with cloud providers in the European Union (primarily AWS eu-central-1 / Frankfurt). Certain subprocessors — notably AI/LLM providers, payments, email, and some integration brokers — process data in the United States or globally; see §4 and §9.
Security measures. We maintain industry-standard safeguards, including:
You are responsible for maintaining appropriate security in your own accounts and connected workspaces (e.g., limiting channel access and managing admin permissions).
We retain Customer Data only as long as needed to provide the Service, meet contractual obligations, and comply with law.
Depending on your location, you may have the following rights:
You can request access to the personal data we hold about you and request correction of inaccurate or incomplete data. You can also export your data in a machine-readable format directly from the app (Settings → Export your data); the export deliberately excludes secrets such as stored credentials, access tokens, and password hashes.
You may request deletion of your personal data (including persona definitions, knowledge bases, conversations, and related records). For workspace- or organization-level data, we may require the request to come from an authorized administrator or account owner. Upon a verifiable request we delete Customer Data in accordance with §6. You may request deletion by emailing privacy@starthabit.com, or follow our Data Deletion page.
You can disconnect any channel or tool at any time from within the app, or revoke access from the third-party platform’s own settings. After revocation we stop collecting new data from that source. Disconnecting or revoking does not by itself delete previously stored data; if your account is closed or we receive a verifiable deletion request, we delete previously stored data in accordance with §6.
You can also manage or withdraw your consent for analytics and session-replay cookies at any time through the in-app cookie preferences (Settings → Privacy & Cookies) or our cookie banner. Withdrawing consent stops further non-essential processing going forward but does not by itself delete data already collected.
If you opt in to marketing communications, you can opt out at any time via unsubscribe links or by contacting us. You will still receive essential service communications.
Where required by law, you may request a copy of your data in a machine-readable format.
Where permitted by law, you may designate an authorized agent to submit requests on your behalf; we will verify identity and authority as required.
Residents of certain U.S. states may have rights to know, access, delete, correct, and opt out of certain data uses, including “sale,” “sharing,” or targeted advertising as defined under applicable law. Contact us at privacy@starthabit.com. We will not discriminate against you for exercising applicable rights. We respond within the timeframe required by applicable law (typically within 45 days, with a permitted extension where allowed). If we deny a request, you may appeal by contacting privacy@starthabit.com with “Privacy Appeal” in the subject line.
If you are in the EEA or UK, you may also have the right to object to certain processing, request restriction of processing, and lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact us at privacy@starthabit.com.
The Service is not intended for children, and we do not knowingly collect personal data from anyone under the age of 18 (or the age of majority in their jurisdiction, if higher). If we learn we have collected such data, we will delete it promptly. Contact privacy@starthabit.com if you believe a child has provided personal data.
StartHabit processes core application data in the European Union. If you are located in the EEA/UK, we process personal data under one or more legal bases, including:
Some subprocessors process data in the United States or globally (see §4). Where required for cross-border transfers, we use appropriate safeguards such as the Standard Contractual Clauses. If required by applicable law, we will appoint an EU/UK representative and update this Policy with their details.
Privacy and data-protection contact: privacy@starthabit.com.
For users who connect a Meta (Facebook/Instagram) ads account, Habit accesses the following on your authorization:
| Data type | Purpose |
|---|---|
| Ad accounts, campaigns, ad sets, ads, and creatives | Answer your questions and produce the reporting/analysis you request |
| Ads insights and performance metrics | Reporting and analysis you request |
| Connected pages/business assets and user identifiers | Identify the assets your request applies to |
Our commitments
Revoking access and deletion. You can disconnect Meta at any time from within Habit, or remove the app from your Meta settings (Settings → Apps and Websites). You may request deletion of your Meta data by emailing privacy@starthabit.com or via our Data Deletion page; we delete your Meta data upon disconnection or upon a verifiable request, in accordance with §6.
For users who connect Google services (e.g., Google Ads, Gmail, Google Calendar, Drive, Sheets, Slides, or Meet), Habit accesses only the data covered by the specific scopes you authorize, and uses it only to provide the user-facing features you request (for example, retrieving Google Ads reporting, reading or drafting email, or working with your calendar and documents).
Habit’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
Revoking access and deletion. You can disconnect Google at any time from within Habit, or revoke access at myaccount.google.com/permissions. You may request deletion of your Google user data at privacy@starthabit.com; we delete it upon disconnection or a verifiable request, in accordance with §6.
When you connect a messaging channel, Habit processes the message content and identifiers needed to operate that channel:
| Channel | What we access | Notes |
|---|---|---|
| Slack | Messages in channels where the bot is invited and DMs to the bot; Slack user/workspace IDs; interaction (approval) payloads | Your use of Slack is subject to Slack’s terms and privacy policy. We affirm Slack APIs are not used to develop, improve, or train generalized AI/ML models. |
| Telegram | Messages, captions, and media you send the bot; Telegram user/chat IDs; callback payloads | Your use of Telegram is subject to Telegram’s terms. |
| Messages and media sent to/from the connected number; the connected account’s phone number; session status | Connection uses a WhatsApp Web session and requires your explicit acknowledgment of the associated risks; subject to WhatsApp’s terms. | |
| Inbound email content, subject, sender address, and threading IDs; outbound email we send on your behalf; sender allowlist/suppression entries | Per-persona email addresses are provided on our domain; senders not on your allowlist do not reach the persona. |
Our commitments. We use channel data only to provide and operate the Service; we do not sell channel data; and we do not use channel data for advertising. You can disconnect any channel or remove the bot at any time; after that we stop collecting new data from that channel, and previously stored data is handled per §6.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by appropriate means (e.g., notifying account administrators and/or emailing the address associated with the account). The “Last Updated” date reflects the most recent revision. Your continued use of the Service after changes become effective indicates acceptance of the revised policy.
If you have questions about this Privacy Policy or our data practices, contact us:
Habit — a service of StartHabit. See also our Terms of Service and Data Deletion.