1. Who We Are
beside Co. (“we”, “us”) is the operator of the horog Service available at horog.app. For privacy inquiries, contact hello@horog.app.
2. Information We Collect
Account & authentication
- Email, Google account ID, display name (via Google OAuth)
- Login timestamps, IP address (security only)
Optional, when you provide it
- Day-job hourly rate, currency, language preference
- Project memos and weekly retrospective notes
- Your Anthropic API key (BYOK) — AES-256-GCM encrypted
- Third-party integration credentials (API tokens, OAuth refresh tokens) — AES-256-GCM encrypted
Data pulled from integrations you authorize
- Payment platforms (Stripe, LemonSqueezy, Polar, App Store Connect, Google Play): revenue amount, currency, transaction time, product/subscription IDs, refunds
- Time trackers (Toggl, WakaTime, Google Calendar): task duration, project name, start/end timestamps
Billing
Card details are handled directly by Polar Software Inc. (our Merchant of Record). We only store metadata (plan, status, current period, customer ID).
3. How We Use Your Information
- Authenticate you and operate the Service
- Calculate per-project hourly rates and dashboards
- Generate weekly/monthly AI insights and answer natural-language queries
- Process subscription payments and handle refunds
- Respond to support requests
- Monitor service health and respond to security incidents
- Comply with legal obligations (e.g., tax records)
4. Legal Bases (GDPR)
- Contract performance — providing the Service you signed up for
- Legitimate interests — security monitoring, fraud prevention, product improvement (assessed as not overriding your rights)
- Consent — optional features (BYOK, marketing emails); you may withdraw at any time
- Legal obligation — tax and accounting record retention
5. Sharing & Sub-processors
We do not sell personal data. We share with the following sub-processors strictly to provide the Service:
| Vendor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, auth, storage | US (AWS us-east-1) |
| Vercel Inc. | Web hosting, serverless | US (Global Edge) |
| Anthropic, PBC | AI insights, natural-language Q&A | US |
| Polar Software Inc. | Subscription billing (Merchant of Record) | US |
| Resend Inc. | Transactional email | US |
| Functional Software Inc. (Sentry) | Error monitoring | US |
| PostHog Inc. | Product analytics (event-level) | US |
International transfers from the EU/UK rely on Standard Contractual Clauses (SCCs) where applicable.
6. Data Retention
- Account data: until you delete your account, then erased within 30 days
- Integration credentials: erased on disconnect or account deletion (CASCADE)
- Payment records: 5 years (Korean Electronic Commerce Act and equivalent tax retention rules in other jurisdictions)
- Access logs (IP, timestamps): 3 months (Korean Communications Privacy Act)
- AI usage logs (prompts & responses): anonymized after 6 months
7. Your Rights
Depending on your jurisdiction (e.g., EU/UK GDPR, California CCPA), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (right to erasure / right to delete)
- Restrict or object to processing
- Data portability (we provide CSV/JSON export in-app)
- Withdraw consent (e.g., marketing emails)
- CCPA (California residents): right to know, right to delete, right to opt out of sale (we do not sell), and right to non-discrimination
- Lodge a complaint with a supervisory authority (e.g., your local EU DPA, or the UK ICO)
Exercise these rights by emailing hello@horog.app. We respond within 30 days.
8. Security
- Encryption: third-party API credentials and BYOK keys are AES-256-GCM encrypted at rest. All transit uses TLS 1.3.
- Access control: Supabase Row Level Security (RLS) enforces per-user data isolation. Admin access is restricted to a whitelisted email and audit-logged.
- No passwords stored: we use Google OAuth only.
- Breach notification: we will notify affected users without undue delay (within 72 hours where required by GDPR), and notify regulators where required.
9. Cookies & Tracking
- Essential: session cookies (Supabase Auth), language preference (horog_locale)
- Analytics: PostHog event-level analytics. We configure it not to capture session replays or auto-PII.
- We respect Do Not Track (DNT) signals. Browser cookie blocking may affect optional features.
10. Children
The Service is not directed to children under 16 (under 14 where local law permits, e.g., Korea). We do not knowingly collect their personal data; if discovered, we delete it promptly.
11. International Transfers
Most of our sub-processors are located in the United States. If you access the Service from the EU/UK, your data may be transferred outside the EEA. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards.
12. Changes to This Policy
We may update this Policy. We will post the new version with a new effective date and notify registered users via email at least 7 days in advance (30 days for unfavorable changes).
13. Contact
Privacy Contact
Email: hello@horog.app
We aim to respond within 3 business days; legal requests within 30 days.