Privacy Policy
Last updated: May 25, 2026
1. Who We Are
HewnTree is a product definition tool that helps you turn ideas into structured requirements. When we say "we", "us", or "HewnTree", we mean the operator of this service. When we say "you", we mean you as a user of HewnTree.
2. What Data We Collect
Account information: Your email address, first name, and password (hashed — we never store or see your actual password).
Idea content: The ideas you create, your answers to questions, comments on tree nodes, and the resulting requirements tree. This is the core content you produce while using HewnTree.
Payment information: If you subscribe to a paid plan, your payment details are processed by Stripe. We store only your Stripe customer ID — never your card number, CVV, or billing address.
Usage data: We track product events (e.g., "idea created", "batch committed") to understand how HewnTree is used and to improve the product. This data is stored in our own database, not shared with third parties.
Error data: If something breaks, we collect error reports (stack traces, browser info) via Sentry to fix bugs. This does not include your personal information or idea content.
3. Why We Collect It (and Legal Basis)
Each processing activity below maps to a legal basis under Article 6 of the GDPR:
- Account info → contractual necessity (Article 6(1)(b)). We can't run your account otherwise.
- Idea content → contractual necessity (Article 6(1)(b)). The product doesn't function without your content.
- Payment info → contractual necessity (Article 6(1)(b)) for subscription billing.
- Usage analytics → legitimate interest (Article 6(1)(f)) in improving the product. You can object via the cookie preferences on our marketing pages.
- Error data → legitimate interest (Article 6(1)(f)) in maintaining service quality.
- Optional nudge emails → consent (Article 6(1)(a)). Granular opt-in/opt-out from your account page.
- Transactional emails (password resets, email verification, billing receipts) → contractual necessity (Article 6(1)(b)). These cannot be opted out of while your account is active.
4. Sub-Processors
We use the following third-party services to operate HewnTree. Each of them processes your personal data on our behalf for the purpose listed:
| Service | Purpose | Data shared | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase | Database + auth | All account + idea data | AWS (region per project) | Standard Contractual Clauses (Supabase DPA) |
| Stripe | Payment processing | Email, Stripe customer ID, subscription metadata | US | Standard Contractual Clauses (Stripe DPA) |
| OpenRouter | AI inference routing | Idea descriptions, answers, comments (transient) | US | Standard Contractual Clauses; we route to no-train providers |
| Resend | Transactional + nudge email | Email address + message body | US/EU | Standard Contractual Clauses (Resend DPA) |
| Sentry | Error monitoring | Stack traces, browser metadata, user ID (no PII bodies) | EU (de.ingest region) | Hosted in EU |
| Vercel | Web hosting + CDN | All HTTP traffic (encrypted in transit) | Global edge | Standard Contractual Clauses (Vercel DPA) |
| Upstash | Redis (rate-limit + idempotency keys) | User IDs, request hashes (no content) | AWS US East | Standard Contractual Clauses |
We do not sell your data to anyone. We do not use advertising networks. We do not share your idea content with other users.
Updates to this list: we update the table above when we add or change a sub-processor. For material changes, we notify active subscribers via email at least 30 days before the change takes effect, giving you time to raise concerns or close your account before it applies.
5. AI Processing
When you use HewnTree, your idea descriptions, answers, and comments are processed by AI models via OpenRouter. This is necessary to generate questions, build your requirements tree, and provide suggestions.
We route to AI providers that do not train on user data. Your content is used only to produce your results and is not retained by the AI provider after processing.
6. Cookies
We use essential cookies to keep you signed in (Supabase authentication session). These are required for the service to work.
We offer optional analytics via Sentry for error tracking and performance monitoring. You can control this through our cookie preferences.
We do not use marketing or advertising cookies.
7. Your Rights
Under the GDPR (Articles 12-22) you have the following rights with respect to your personal data:
- Right of access: everything you've created is visible in your HewnTree account.
- Right to data portability: request a full data export from your account settings. We'll email you a secure download link immediately. The link works only for you (you must be signed in) and expires after 7 days.
- Right to erasure ("right to be forgotten"): request account deletion from your account settings. For paid users, deletion occurs at the end of the billing cycle. For free users, it's immediate.
- Right to rectification: you can edit your idea content + profile directly. For anything you can't edit yourself (e.g. an email-change typo blocked by deletion records), contact support and we'll correct it.
- Right to restriction of processing: contact us if you want processing paused while a dispute is open. We'll keep your data but stop using it until the dispute is resolved.
- Right to object: for processing based on legitimate interest (usage analytics, error tracking), you can object at any time via cookie preferences. We'll stop unless we have overriding grounds (e.g. fraud prevention).
- Right to withdraw consent: for processing based on consent (nudge emails, optional analytics), you can withdraw at any time from your account page or cookie preferences. Withdrawal doesn't affect processing already done.
- Right to lodge a complaint: if you believe we're mishandling your data, you can complain to your local data protection authority. EU residents can find their national authority via the European Data Protection Board.
To exercise any of these rights, contact us at support@hewntree.com. We respond within 30 days.
8. Data Retention
We keep your personal data only as long as needed for the purpose it was collected. Retention by category:
- Account info + idea content: kept while your account is active. Deleted within 7 days of an account-deletion request — immediately for free users; at the end of the billing cycle for paid users (so you retain access for what you paid for).
- Payment metadata (Stripe customer ID, invoice records): kept for 7 years after the last payment, per tax + accounting requirements. We do not keep card numbers.
- Error logs (Sentry): 90 days rolling retention (Sentry default).
- Analytics events: kept while your account is active; purged when the account is deleted.
- Deleted-account email records: 7 days after the deletion completes — only the email address, kept to prevent immediate re-registration with the same email.
- Backups: Supabase keeps daily backups for 7 days. Deleted account data is purged from active tables immediately on the schedule above; backup copies expire within 7 days of the purge.
9. International Data Transfers
Several sub-processors store data outside the EU/UK (Stripe + OpenRouter + Upstash in the US; Vercel on a global edge network). For these transfers we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism, supplemented by encryption in transit (HTTPS/TLS) and at rest.
Sentry is hosted in the EU (the de.ingest region). Supabase project regions are configured per project — see the Supabase dashboard for the current data residency of your account.
If you're in the EU/UK and want the SCC details for a specific transfer, email support@hewntree.com.
10. Security
Your password is hashed with bcrypt — we never store it in plaintext. All data in transit is encrypted via HTTPS/TLS. Database access is protected by row-level security policies ensuring users can only access their own data.
We follow security best practices for our infrastructure (security headers, CSP, signed webhooks, signed cookies, rate-limited auth endpoints, MFA support). We run a pre-launch security audit and re-audit periodically. We can't guarantee that no incident will ever occur — see also our Terms of Service, §10 Service Dependencies.
11. Children
HewnTree is not intended for users under 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child under 16 has provided us with personal data, contact us and we'll delete it.
12. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top reflects when the policy was last revised.
For material changes affecting how we process your data (new sub-processors, new categories of data collected, expanded retention windows), we notify active subscribers by email at least 30 days before the change takes effect. You can close your account before the change applies if you object.
Non-material changes (rewording for clarity, typo fixes) take effect when posted.
13. Contact
If you have questions about this privacy policy or your data, contact us at support@hewntree.com.