Privacy Policy

Effective date: May 20, 2026
Last updated: May 20, 2026
Operator: Colin Stremlau, doing business as Heimer

§1 — Who We Are

Heimer is an AI-powered financial data intelligence and integration platform operated by Colin Stremlau, doing business as Heimer (“Heimer,” “we,” “us,” or “our”). We are based in San Diego, California, USA.

Contact: privacy@heimerhq.com

§2 — What Data We Collect

Account Data

Name, email address, hashed password, and business profile information you provide during registration.

Business Context Data

Information you provide during onboarding: industry, company size, business pain points, and tools you currently use. This information is used to generate your initial AI-powered integration suggestions.

Uploaded Data

CSV files and other data files you choose to upload, including their parsed schema and structure.

Connected Platform Data

When you authorize an OAuth integration (such as QuickBooks, Xero, Stripe, Google Sheets, or other supported platforms), we access financial, transactional, and operational data from those accounts solely to provide the Service. Access is limited to the scopes you authorize at the time of connection.

Usage and Log Data

Technical data about your interaction with the Service: IP address, browser type, pages visited, timestamps, error logs, and feature usage patterns.

§3 — How We Use Your Data

We use your data to:

  • Provide, operate, and maintain the Service.
  • Generate AI-powered integration suggestions and financial data insights.
  • Analyze usage patterns and improve the performance, features, and reliability of the Service.
  • Communicate with you about the Service, including transactional emails and material notices.
  • Comply with applicable legal obligations.

We do not sell your personal or financial data.

We do not use your data to train or fine-tune any artificial intelligence model. Analytics performed to operate and improve Heimer may use aggregated or de-identified data derived from usage patterns.

§4 — AI Processing and Sub-Processors

To deliver AI features, your data is processed by trusted third-party service providers. The providers that handle your financial or AI-processed data are:

Anthropic (Claude API)
Purpose: AI analysis, integration suggestions, and financial data insights.
Data: Business context, uploaded CSV schema, and connected platform data you choose to analyze.

Anthropic does not train its models on data submitted through its API under standard API terms.

Stripe, Inc.
Purpose: Payment processing for paid subscription plans.
Data: Billing information (paid plans only).

Stripe is PCI-DSS compliant. By providing payment information, you also agree to Stripe's privacy policy.

Additional service providers handle application hosting, database storage, authentication, and transactional email on our behalf. These providers access only the minimum data necessary to perform their functions and are contractually prohibited from using your data for any other purpose.

Our connected platforms (such as QuickBooks, Xero, Stripe, and Google Sheets) are governed by their own privacy policies. Heimer accesses these platforms only at your direction and only with the permissions you grant.

We will notify you of any material changes to the sub-processors that handle your financial or AI-processed data per Section 10.

§5 — OAuth Tokens and Security

When you connect a third-party platform:

  • We store OAuth access and refresh tokens encrypted at rest using industry-standard encryption.
  • We never access or store your third-party platform account passwords.
  • Token access is restricted by row-level security — you can only access your own data.
  • Tokens are used solely to retrieve and sync data on your behalf within the Service.

You may revoke Heimer’s access at any time from your Heimer account settings or directly in the third-party platform’s OAuth authorization settings.

Revoking access stops all future data sync from that platform. Previously synced data is subject to the retention and deletion terms in Section 6.

§6 — Data Retention and Deletion

Account and business context data is retained while your account is active.

You may request deletion of your account and associated personal data at any time by emailing privacy@heimerhq.com. We will delete or anonymize your data within 30 days, except where retention is required by applicable law.

You are responsible for maintaining your own independent backups of data important to your business.

§7 — Your Rights

Depending on your location, you may have rights under applicable law (including CCPA/CPRA for California residents), including the right to:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your personal data (subject to Section 6 exceptions).
  • Data portability — receive your data in a structured, machine-readable format.
  • Opt out of sale or sharing of personal information (we do not sell or share personal data).

To exercise any of these rights, contact us at privacy@heimerhq.com. We will respond within 30 days. We will not discriminate against you for exercising your privacy rights.

§8 — Data Location

Your data is processed and stored in the United States. By using the Service, you consent to this transfer and processing.

§9 — Children

The Service is intended for users 18 years of age and older. We do not knowingly collect personal data from anyone under 18. If we learn we have collected data from a minor, we will delete it promptly.

§10 — Changes to This Policy

We will post changes to this Privacy Policy at heimerhq.com/privacy. For material changes, we will notify registered users by email at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

§11 — Contact

Privacy Inquiries: privacy@heimerhq.com
General Support: support@heimerhq.com
Legal Notices: legal@heimerhq.com
Location: San Diego, California, USA
Website: heimerhq.com