Privacy Policy

Updated April 27, 2026 · Effective April 27, 2026

1. Introduction

This Privacy Policy explains how HeyDaily Inc. (“HeyDaily,” “we,” “us,” “our”) collects, uses, discloses, and protects personal data when you use Sauna™, available at app.sauna.ai and through related surfaces (the “Service”). It applies to users of the Service worldwide. Specific rights for residents of the EU/EEA, the UK, California, and other jurisdictions are described in Sections 13–14.

If you are using the Service on behalf of an organization, that organization may have its own privacy notice that also applies.

2. Data Controller

For users of the Service, HeyDaily Inc. is the controller of your personal data, except where we act as a processor for a business customer under a Data Processing Addendum.

Contact: privacy@sauna.ai — HeyDaily Inc., San Francisco, California, USA

3. Personal Data We Collect

We collect the following categories of personal data:

a. Account data. Name, email address, password (hashed), profile photo, phone number (if you connect iMessage or SMS), Slack user ID (if you use Slack), Google account ID (if you sign in with Google), and account preferences.

b. Billing data. Billing name, address, last four digits of your card, billing email, subscription history. Full card numbers are handled by Stripe and not stored by us.

c. Content from connected accounts. With your authorization (via OAuth or API key), the Service ingests content from accounts you connect, which may include:

  • email content and metadata (Gmail);
  • calendar events and metadata (Google Calendar);
  • documents, sheets, slides, and files (Google Drive, Notion, Granola, Dropbox, etc.);
  • messages and channel data (Slack);
  • tickets and issues (Linear);
  • candidates and roles (Ashby);
  • bookmarks (Raindrop);
  • voice/transcripts (Granola);
  • billing and customer data (Stripe);
  • other sources you authorize.

d. OAuth tokens and credentials. Access and refresh tokens for connected services and API keys you provide. These are encrypted at rest and used only to access the services on your behalf.

e. User Content. Prompts, attachments, drafts, files, code, and other content you submit to the Service, plus the Outputs the Service generates for you.

f. Voice data. Audio you submit (e.g., voice messages) and audio outputs the Service generates for you using third-party text-to-speech.

g. Browser session data. When you use Browser Use, cookies, localStorage, and login state we maintain on your behalf to operate a browser session.

h. Memory and learnings. Patterns and preferences the Service infers from your interactions and that you approve for retention.

i. Device and log data. IP address, user-agent, device identifiers, timestamps, referrer URLs, error logs, request and response metadata.

j. Cookies and similar technologies. See Section 9.

k. Marketing data. If you opt in, your preferences and engagement with our marketing communications.

We do not knowingly collect data from anyone under 18.

4. Sources

We collect data:

  • (a) directly from you when you sign up, configure the Service, or contact us;
  • (b) automatically when you use the Service;
  • (c) from third parties whose services you connect, on your authorization;
  • (d) from payment, identity, and fraud-prevention providers;
  • (e) from publicly available sources to the limited extent the Service performs research on your behalf.

5. How We Use Personal Data

We use personal data to:

  • provide, operate, secure, and improve the Service;
  • authenticate you and prevent fraud or abuse;
  • process payments and manage subscriptions;
  • route your prompts and content to AI models and other sub-processors necessary to fulfill your requests;
  • generate Outputs and execute actions on your behalf, whether after your explicit approval or under agentic, scheduled, or autonomous features you have enabled;
  • provide support;
  • communicate with you about the Service (security, updates, billing, transactional notices);
  • with your consent, send you marketing communications (you can opt out at any time);
  • comply with law and enforce our Terms.

Legal bases (EU/EEA and UK)

We rely on the following GDPR/UK GDPR bases:

  • Contract (Art. 6(1)(b)): to provide the Service you signed up for, including processing connected-account content, generating Outputs, billing, and support.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse and fraud, conduct aggregated analytics, improve the Service, and communicate with our users about important updates.
  • Consent (Art. 6(1)(a)): for marketing communications, optional cookies, and any processing where we ask for your permission. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, anti-fraud, and other laws.

We do not use automated decision-making producing legal or similarly significant effects under Art. 22.

6. AI Model Providers and Training

The Service routes your prompts and content to third-party AI model providers (listed in Section 8). We have configured each provider to opt out of training on your content; we do not knowingly route your content to providers that train on it. For data accessed via connected services’ APIs, we operate in accordance with those services’ API terms, including prohibitions on using that data to train AI/ML models and on creating persistent copies, archives, or indexes prohibited by those terms.

7. Sharing and Disclosure

We do not sell your personal data, and we do not share it for cross-context behavioral advertising.

We disclose personal data to:

  • a. Sub-processors (listed in Section 8) that provide infrastructure, AI model inference, payments, observability, communications, integrations, and other services necessary to operate the Service.
  • b. Connected services you authorize. When you instruct Sauna to send an email, post a message, create a ticket, etc. — including under agentic, scheduled, or autonomous features you have enabled — we transmit the relevant data to the applicable service.
  • c. Professional advisors and corporate transactions. Lawyers, accountants, auditors, insurers, and parties to a corporate transaction (merger, acquisition, financing, sale of assets), under appropriate confidentiality.
  • d. Legal and safety. When we believe in good faith that disclosure is required by law, court order, or government request, or is necessary to protect rights, safety, property, or to investigate fraud or abuse.
  • e. With your direction or consent. When you ask us to share data with a third party, or when you make data public through the Service.

8. Sub-processors

The third parties below help us provide the Service. We require each sub-processor to enter into a written agreement that contains data protection terms substantially similar to those in this Policy, including, where applicable, the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

We will provide reasonable advance notice of new sub-processors to customers who have requested notification at privacy@sauna.ai.

AI model inference

  • Anthropic — Claude
  • OpenAI — GPT, Whisper
  • Google — Gemini
  • Groq — fast inference
  • Perplexity — research-oriented LLM
  • Cerebras — fast inference
  • Together AI — LLM inference
  • Mistral — LLM inference
  • Amazon Bedrock — hosted LLM inference

We have configured each provider to opt out of training on your content where opt-out is available.

Cloud and infrastructure

  • Amazon Web Services — storage (S3), email (SES), queues (SQS)
  • Cloudflare — CDN, DNS, edge compute
  • Fly.io — sandbox / browser execution containers
  • Neon — serverless Postgres
  • Turso — serverless SQLite

Authentication and payments

  • Stripe — payments and billing
  • Google OAuth — sign in with Google

Observability and analytics

  • Sentry — error monitoring and optional session replay
  • PostHog — product analytics
  • Langfuse — LLM tracing
  • Honeycomb — telemetry backend

Messaging and queues

  • Slack — in-app and team notifications
  • Upstash QStash — async task queue

Vector search

  • Weaviate — vector database

Integration brokers

  • Pipedream — OAuth broker for connected apps (Linear, Notion, Gmail, Drive, Calendar, Sheets, Docs, and others you authorize)
  • Airweave — integration platform

Web and browser automation

  • Jina AI — web content extraction
  • Browser Use — cloud browser automation

Voice

  • ElevenLabs — text-to-speech synthesis (Sauna does not offer end-user voice cloning)

Other

  • Raindrop — bookmark management features
  • Linq — iMessage gateway for SMS surface

Connected services are not sub-processors. When you connect a third-party service to Sauna (such as Gmail, Calendar, Notion, Linear, Slack, GitHub, Ashby, Granola, Stripe, Mercury, or others), that service is not a sub-processor of HeyDaily. It is a service you use directly under your own agreement with that provider. Sauna sends data to those services on your instruction. Their handling of your data is governed by their own terms and privacy policy.

9. Cookies and Similar Technologies

Cookies are small text files placed on your device when you visit a website. We also use similar technologies (localStorage, sessionStorage, pixels, web beacons, and SDKs); we refer to all of them as “cookies” in this Policy.

We use:

  • Strictly necessary cookies (always on) — for authentication, session, CSRF protection, bot mitigation, and to remember your cookie preferences.
  • Functional cookies (on by default; can be disabled) — to remember UI preferences such as theme, sidebar, and language.
  • Analytics cookies (PostHog and optional Sentry session replay; off by default in the EU/EEA/UK and other regions where consent is required; opt-in) — to understand usage and improve the Service.

We do not use advertising cookies and do not allow third parties to use our cookies for cross-site advertising.

Managing your preferences. When you first visit app.sauna.ai from regions where consent is required, a cookie banner lets you accept all, reject all, or customize. Reject-all is one click and has parity with accept-all. You can change your choices at any time from “Cookie preferences” in the footer.

Global Privacy Control. We honor a valid Global Privacy Control (GPC) signal as a “do not sell or share” opt-out for residents of California and other states that recognize it.

Do Not Track. Browser DNT signals do not have a uniform standard; we do not respond to DNT but do honor GPC as described above.

10. International Data Transfers

We are based in the United States. Personal data we collect may be processed in the U.S. and other countries where our sub-processors operate. For transfers from the EU/EEA, UK, or Switzerland to countries that do not offer an equivalent level of protection, we rely on:

  • the EU Standard Contractual Clauses (Module 2 or 3 as appropriate) and, where applicable, the UK International Data Transfer Addendum;
  • where applicable, our and our sub-processors’ certifications under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.

Where personal data is transferred internationally, we apply the safeguards described above.

11. Data Retention

We keep personal data only as long as needed for the purposes in Section 5, then delete or anonymize it. Indicative periods:

CategoryRetention
Account dataLifetime of account + 30 days
User Content (prompts, attachments, Outputs, memory)Lifetime of account + 30 days, unless you delete earlier
OAuth tokens / API keysUntil you disconnect, then deleted
LLM request/response logs≤ 30 days, longer only if flagged for abuse review
Browser Use session stateLifetime of session unless you save credentials, then until you remove
Voice data (your audio inputs and TTS outputs)Lifetime of account + 30 days, unless you delete earlier
Application logs90 days
BackupsUp to 90 days rolling
Billing recordsAs required by tax/accounting law (typically 7 years)
Marketing dataUntil you opt out + a short suppression window

12. Security

We use administrative, technical, and physical safeguards designed to protect personal data, including: encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent), principle-of-least-privilege access controls, MFA for staff, audit logging, vendor due diligence, and an incident response plan. No system is 100% secure. If we become aware of a security incident affecting your personal data, we will notify you and any required authority without undue delay, consistent with applicable law (within 72 hours for incidents subject to GDPR).

Report suspected vulnerabilities to security@sauna.ai.

13. Your Rights

Subject to applicable law, you may have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • delete personal data;
  • restrict or object to processing;
  • portability of data you provided to us in a structured, machine-readable format;
  • withdraw consent at any time, where processing is based on consent;
  • complain to a supervisory authority.

To exercise these rights, email privacy@sauna.ai. We will respond within the time required by law (typically 30 days). We may need to verify your identity. We will not discriminate against you for exercising your rights.

14. Region-Specific Disclosures

14.1 EU/EEA, UK, and Switzerland (GDPR / UK GDPR / FADP)

You have the rights listed in Section 13 plus the right to lodge a complaint with your local supervisory authority. Legal bases are in Section 5. International transfer mechanisms are in Section 10.

14.2 California (CCPA / CPRA)

In the past 12 months we have collected the categories of personal information described in Section 3 (identifiers, customer records, commercial information, internet activity, geolocation derived from IP, audio, professional or employment information, inferences) for the purposes in Section 5. We have disclosed those categories to the sub-processors and recipients in Sections 7 and 8. We do not sell or share personal information for cross-context behavioral advertising.

California residents may:

  • know what personal information we collect, use, disclose, and (if applicable) sell or share;
  • delete personal information;
  • correct inaccurate personal information;
  • limit our use and disclosure of “sensitive personal information” (which may include account credentials and contents of communications routed through connected services);
  • opt out of sale or sharing — although we do not engage in either; this notice is provided for transparency and we honor Global Privacy Control signals;
  • be free from discrimination for exercising rights.

To exercise these rights, email privacy@sauna.ai. You may use an authorized agent; we will require proof of authorization.

14.3 Other U.S. states

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights. Email privacy@sauna.ai.

14.4 “Shine the Light” (California Civil Code § 1798.83)

We do not share personal information with third parties for their direct marketing.

15. Google API Services User Data Policy — Limited Use

Sauna’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve user-facing features of the Service.
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features of the Service, to comply with law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data, except: (a) with your affirmative consent for specific messages, (b) where necessary for security purposes (such as investigating abuse), (c) to comply with law, or (d) where the data has been aggregated and anonymized for internal operations.
  • We do not use Google user data to train, develop, or improve generalized or non-personalized AI/ML models, including third-party models.

These commitments apply to data obtained from Gmail, Google Calendar, Google Drive, and other Google APIs.

16. Children

The Service is not directed to children under 18 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact privacy@sauna.ai and we will delete it.

17. Marketing Communications

We send transactional messages (security alerts, billing, support, important Service notices) regardless of marketing preferences. Marketing communications are sent only with your consent (or, in the U.S., with the right to opt out). You can opt out at any time via the unsubscribe link in our emails or by emailing privacy@sauna.ai.

18. Automated Decision-Making and Profiling

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. Sauna’s outputs are AI-generated; they are not used by us to make automated decisions about you.

19. Third-Party Sites and Services

The Service connects to third-party services that you authorize. Their use of your data is governed by their own privacy policies. We are not responsible for their practices.

20. Changes to This Policy

We may update this Policy from time to time. The current version is always available at sauna.ai/privacy and the “Last Updated” date above shows when it was last revised. We encourage you to review this Policy periodically. Where required by law, we will notify you of material changes; otherwise, your continued use of the Service after an update constitutes acceptance of the revised Policy.

21. Contact

HeyDaily Inc., San Francisco, California, USA

“Sauna” is a trademark of HeyDaily Inc. (USPTO Serial No. 99285540).

Product

Learn

Pricing

Careers

Terms & ConditionsPrivacy Policy