Legal

Privacy Policy

Effective April 14, 2026

01

Who We Are

Heartwood is a product of Seven Roots Consulting. Our service is available at heartwood.sevenrootsconsulting.com. This Privacy Policy explains how we collect, use, and protect your information when you use Heartwood.

02

Information We Collect

When you use Heartwood, we collect the following information: your email address (for authentication and Deep Research Brief delivery), your company profile (including industry, company size, annual revenue, your role, current IT environment, IT maturity level, and decision timeline), the questions you submit to the advisory panel, and the Decision Briefs and Deep Research Briefs generated in response to your questions. If you subscribe to Heartwood Pro or purchase a Deep Research Brief, we also store a Stripe customer identifier, transaction identifiers, your current subscription status, and your current billing period end date.

03

How We Use Your Information

We use your information to authenticate your identity and manage your session, personalize advisory responses to your company's context, generate Decision Briefs and Deep Research Briefs tailored to your industry and situation, deliver Deep Research Briefs to your email address as PDF attachments, process subscription and one-time payments and manage access to paid features, and improve the quality and relevance of the Service over time.

04

Third-Party Services

Heartwood relies on the following third-party services to operate: Supabase for data storage and authentication infrastructure, Anthropic's Claude API for AI-powered brief generation, Netlify for application hosting and serverless functions, and Stripe, Inc. for payment processing and subscription billing. Each of these providers maintains their own privacy and data handling policies.

05

Data Sent to AI

When you submit a question, your question text and company profile information are sent to Anthropic's Claude API to generate your Decision Brief. For Deep Research Briefs, the same information is sent along with your initial Decision Brief text; the AI also performs automated web searches to gather current vendor pricing, product details, and market data from publicly available sources. Anthropic's data usage policies apply to this data in transit. We encourage you to review Anthropic's privacy policy for details on how they handle API inputs. We do not send your email address to Anthropic.

06

Payment Information

When you subscribe to Heartwood Pro or purchase a Deep Research Brief, payment card details are collected and processed directly by our payment processor, Stripe, Inc. Heartwood does not see, receive, or store your full payment card number, CVV, or expiration date. What we store on our side is limited to a Stripe customer identifier, transaction identifiers, your current subscription status (e.g. active, past due, canceled), and your current billing period end date. For Deep Research Brief purchases, we also store the Stripe checkout session identifier and payment identifier to track order fulfillment. We receive this information via secure webhook notifications from Stripe. For details on how Stripe handles your payment data, see Stripe's Privacy Policy at https://stripe.com/privacy. Stripe is certified as PCI-DSS Level 1 compliant, the highest level of certification available in the payments industry. Stripe may send you transactional emails related to your billing — receipts and payment confirmations — on our behalf. These emails are operational, not marketing.

07

Data Retention

Your account information is retained for as long as your account remains active. If you would like your data deleted, please contact us at panel@sevenrootsconsulting.com and we will remove your information within a reasonable timeframe. Subscription and payment records — limited to the billing metadata described above — are retained for seven (7) years after account closure to comply with U.S. tax and financial recordkeeping requirements. Your full payment card details are held by Stripe, not by Heartwood; to request deletion from Stripe directly, use Stripe's privacy contacts at https://stripe.com/privacy.

08

Data Sharing

We do not sell, rent, or trade your personal information. Your data is only shared with the third-party service providers listed above, solely for the purpose of operating the Service. We will not disclose your information to other parties unless required by law.

09

Cookies & Local Storage

Heartwood uses browser localStorage to maintain your session state (such as your profile and conversation history) between visits. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

10

Security

Authentication is handled via one-time passcodes sent to your email — we do not store passwords. While we take reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

11

Children's Privacy

Heartwood is not intended for use by individuals under the age of 18. We do not knowingly collect information from minors. If you believe a minor has provided us with personal information, please contact us and we will promptly remove it.

12

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated effective date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

13

Contact

If you have questions about this Privacy Policy, please contact us at panel@sevenrootsconsulting.com.