Privacy Policy
Last updated: 2026-06-18
What Heldly is
Data controller
- Org.nr: 559504-0444
- Registered address: Bäckaskiftsvägen 68, 122 42 Enskede, Sweden
- Contact: hello@heldly.io
- Privacy / data subject requests: hello@heldly.io
What we collect
Your account. When you connect Heldly to Claude you sign in with Google, and we receive your email address, name, and Google account ID. That is your entire account record. We keep the email address so we can recognise you on future sign-ins, contact you about your account, and respond to data-subject requests. We do not collect a password — authentication is handled by Google.
Your tasks. The tasks you create through Claude: a title, an optional free-text note, whether the task is done, and the manual order you've put your list in, plus timestamps. That's the whole data model. Your notes are free text, so please don't put anything in them you wouldn't want stored — but they are visible only to you (and to Claude when you ask it to read your list).
Technical data. A session cookie (heldly_session) issued when you sign in; your IP address (used transiently for rate limiting and abuse detection); and standard server logs (paths, status codes, timestamps), retained 90 days. We do not use Google Analytics, advertising pixels, product-analytics tools, or any third-party tracking cookies.
Connector tokens. When you connect Heldly to Claude, we store the access token and authorization records that let Claude call Heldly on your behalf. Access tokens and authorization codes are stored as SHA-256 hashes — never in plaintext.
Error reports. When Heldly's server or client code throws an exception, we capture a stack trace, the route path, and your anonymous user identifier via Sentry (EU, Frankfurt). Before any event leaves our runtime, a redaction hook strips email-shaped strings and removes auto-captured user fields, so Sentry never receives your email address. Error events are retained per Sentry's default schedule (90 days).
How we use it (purposes and legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the to-do service you signed up for (store and return your tasks) | Contract (Art. 6(1)(b)) |
| Recognise you across sessions and contact you about your account | Contract |
| Detect abuse, rate-limit, and secure the service | Legitimate interest (Art. 6(1)(f)) |
| Diagnose errors (Sentry) to keep the service working | Legitimate interest (Art. 6(1)(f)) |
We do not sell your data, share it for advertising, or use it to train machine-learning models.
Google data — Limited Use disclosure
Heldly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We request only these Google OAuth scopes, and only to identify you at sign-in:
userinfo.email— your email address, used as your account identifier and contact.userinfo.profile— your name, used to address you.
Heldly does not request access to your Google Calendar, Gmail, Drive, contacts, or any other Google service. Specifically:
- We do not transfer Google user data to third parties except as necessary to provide the service, to comply with applicable law, or with your explicit consent.
- We do not use Google user data for advertising, advertising profiling, credit-worthiness, or any unrelated purpose.
- We do not allow humans to read Google user data unless we have your explicit consent, it is required for security or by law, or the data has been aggregated and anonymized.
- We do not use Google user data to develop, improve, or train generalized AI or ML models.
To revoke Heldly's Google sign-in access at any time, visit your Google Account permissions page.
Sharing and subprocessors
We share data only with the subprocessors needed to run the service. Each is bound by a Data Processing Agreement.
| Subprocessor | Purpose | Region / transfer |
|---|---|---|
| Supabase | Primary database (your account + your tasks) | EU (Dublin) |
| Vercel | Hosting and serverless runtime | EU (Stockholm) |
| OAuth sign-in (identity only — email, name, account ID) | Global — SCCs | |
| Sentry | Server + client error tracking — stack traces, route paths, anonymous user uuid. A before-send hook strips email addresses before transmission. | EU (Frankfurt) |
| Anthropic | Claude — only when you connect Heldly to Claude. Your task data returned to a tool call becomes part of your Claude conversation. | US — SCCs |
Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) issued by the European Commission. We do not sell personal data and have not done so in the preceding 12 months.
Claude connection
Heldly is published as a Claude connector — Heldly's entire experience runs inside Claude (Claude.ai, Claude Desktop, or Claude Code). Connecting Heldly to Claude is an opt-in setup step on the Connect page; until you do, no data flows to Anthropic from us.
When you ask Claude to call a Heldly tool (for example, “what's on my list?”), Heldly returns the requested data — your task titles, notes, and status — to Claude. That response becomes part of your conversation and is visible to Anthropic under their own privacy policy. Anthropic becomes a separate data controller for that conversation context.
Heldly's tools only operate on your own tasks; we never read Claude's chat history, memory, system prompts, attachments, or other tools (per Anthropic's Software Directory Policy §1.F).
To stop the data flow, disconnect Heldly from Claude's Connectors settings (remove the connector). Access is revoked immediately. You should also review Anthropic's Privacy Policy before connecting.
Retention
| Category | Retention period |
|---|---|
| Account (email, name, Google ID) | Lifetime of account + 30 days after deletion |
| Your tasks (title, note, status, order) | Lifetime of account + 30 days after deletion |
| Error reports (Sentry) | 90 days, then deleted (Sentry default) |
| Server logs (paths, IPs, status codes) | 90 days |
| Session cookie (heldly_session) | 30 days; refreshed on sign-in |
Your rights (GDPR Chapter III)
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erasure (“right to be forgotten”) — disconnect the connector and email us, and we delete your account and tasks
- Restrict processing
- Portability — request a structured export of your data
- Object to processing based on legitimate interest
- Withdraw consent at any time (does not affect prior lawful processing)
- Lodge a complaint with a supervisory authority. In Sweden this is the Integritetsskyddsmyndigheten (IMY).
To exercise any right, email hello@heldly.io from the address associated with your account. We respond within 30 days (extendable by 60 days for complex requests, per Art. 12(3)).
Security
Transport is TLS-only. Connector access tokens and authorization codes are stored as SHA-256 hashes — never plaintext. Authentication is via Google OAuth; Heldly does not store passwords.
Reporting vulnerabilities. Send security reports to security@heldly.io. Our advisory is at /.well-known/security.txt (RFC 9116). We acknowledge reports within 5 business days.
Children
Changes to this policy
Contact
- General: hello@heldly.io
- Privacy / data subject requests: hello@heldly.io
- Data controller: Capable Agents AB, Bäckaskiftsvägen 68, 122 42 Enskede, Sweden — Org.nr 559504-0444