Privacy Policy

Updated April 28, 2026 · Effective April 28, 2026

1. Introduction

This Privacy Policy explains how HeyDaily Inc. (“HeyDaily,” “we,” “us,” “our”) collects, uses, discloses, and protects personal data when you use Sauna™, available at app.sauna.ai and through related surfaces (the “Service”). It applies to users of the Service worldwide. Specific rights for residents of the EU/EEA, the UK, California, and other jurisdictions are described in Sections 13–14.

If you are using the Service on behalf of an organization, that organization may have its own privacy notice that also applies.

2. Data Controller

For users of the Service, HeyDaily Inc. is the controller of your personal data, except where we act as a processor for a business customer under a Data Processing Addendum.

Contact: privacy@sauna.ai — HeyDaily Inc., San Francisco, California, USA

3. Personal Data We Collect

We collect the following categories of personal data:

a. Account data. Name, email address, password (hashed), profile photo, phone number (if you connect iMessage or SMS), Slack user ID (if you use Slack), Google account ID (if you sign in with Google), and account preferences.

b. Billing data. Billing name, address, last four digits of your card, billing email, subscription history. Full card numbers are handled by Stripe and not stored by us.

c. Content from connected accounts. With your authorization (via OAuth or API key), the Service ingests content from accounts you connect, which may include:

  • email content and metadata (Gmail);
  • calendar events and metadata (Google Calendar);
  • documents, sheets, slides, and files (Google Drive, Notion, Granola, Dropbox, etc.);
  • messages and channel data (Slack);
  • tickets and issues (Linear);
  • candidates and roles (Ashby);
  • bookmarks (Raindrop);
  • voice/transcripts (Granola);
  • billing and customer data (Stripe);
  • other sources you authorize.

d. OAuth tokens and credentials. Access and refresh tokens for connected services and API keys you provide. These are encrypted at rest and used only to access the services on your behalf.

e. User Content. Prompts, attachments, drafts, files, code, and other content you submit to the Service, plus the Outputs the Service generates for you.

f. Voice data. Audio you submit (e.g., voice messages) and audio outputs the Service generates for you using third-party text-to-speech.

g. Browser session data. When you use Browser Use, cookies, localStorage, and login state we maintain on your behalf to operate a browser session.

h. Memory and learnings. Patterns and preferences the Service infers from your interactions and that you approve for retention. You can view, edit, and delete Memory items at any time from your workspace.

i. Device and log data. IP address, user-agent, device identifiers, timestamps, referrer URLs, error logs, request and response metadata.

j. Cookies and similar technologies. See Section 9.

k. Marketing data. If you opt in, your preferences and engagement with our marketing communications.

l. Onboarding research data. When you create a Sauna account, we perform automated public-web research on you to bootstrap context for your first session and any proactive features you enable (for example, scheduled briefings). The research uses only publicly accessible sources — such as your professional profile pages, company pages tied to your work email domain, public publications, and other content an open web search would surface — and may generate inferences about your role, employer, industry, publications, and public professional activity. The resulting dossier is saved to a file in your own Sauna workspace, visible to you, and you can edit or delete it at any time. We do not run this research on users under 18, and we do not use it to make decisions under Art. 22 GDPR. See §6.bis for details and §13 for your rights.

We do not knowingly collect data from anyone under 18.

4. Sources

We collect data:

  • (a) directly from you when you sign up, configure the Service, or contact us;
  • (b) automatically when you use the Service;
  • (c) from third parties whose services you connect, on your authorization;
  • (d) from payment, identity, and fraud-prevention providers;
  • (e) from publicly available sources, in two circumstances: (i) at account creation, when we perform onboarding research about you to bootstrap context (see §3(l) and §6.bis); and (ii) when the Service performs web research on your instruction as part of fulfilling a request you have made.

5. How We Use Personal Data

We use personal data to:

  • provide, operate, secure, and improve the Service;
  • authenticate you and prevent fraud or abuse;
  • process payments and manage subscriptions;
  • route your prompts and content to AI models and other sub-processors necessary to fulfill your requests;
  • generate Outputs and execute actions on your behalf, whether after your explicit approval or under agentic, scheduled, or autonomous features you have enabled;
  • provide support;
  • communicate with you about the Service (security, updates, billing, transactional notices);
  • with your consent, send you marketing communications (you can opt out at any time);
  • bootstrap context for new accounts by running automated public-web research about you at signup, saving the result to a file in your Sauna workspace, and using it as context for your first session and for proactive features you enable (see §6.bis);
  • comply with law and enforce our Terms.

Legal bases (EU/EEA and UK)

We rely on the following GDPR/UK GDPR bases:

  • Contract (Art. 6(1)(b)): to provide the Service you signed up for, including processing connected-account content, generating Outputs, billing, and support.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse and fraud, conduct aggregated analytics, improve the Service, communicate with our users about important updates, and perform onboarding public-web research on new users so that Sauna can be useful from the first session. We have balanced this interest against your rights and concluded that (i) the research uses only publicly available sources, (ii) the resulting dossier is stored only in your own Sauna workspace where you can see, edit, or delete it, (iii) the dossier is not sold, not shared with third parties for their own purposes, and not used to make decisions under Art. 22, and (iv) you may object to this processing at any time under Art. 21 by emailing privacy@sauna.ai or by deleting the file in your workspace, which will cause us to stop generating it for your account.
  • Consent (Art. 6(1)(a)): for marketing communications, optional cookies, and any processing where we ask for your permission. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, anti-fraud, and other laws.

We do not use automated decision-making producing legal or similarly significant effects under Art. 22.

6. AI Model Providers and Training

The Service routes your prompts and content to third-party AI model providers (listed in Section 8). We have configured each provider to opt out of training on your content; we do not knowingly route your content to providers that train on it. For data accessed via connected services’ APIs, we operate in accordance with those services’ API terms, including prohibitions on using that data to train AI/ML models and on creating persistent copies, archives, or indexes prohibited by those terms.

We do not build long-term behavioral profiles of you for advertising, underwriting, or third-party-benefit purposes. Context and memory we retain are for operating Sauna on your behalf only.

6.bis. Onboarding public-web research

What it is. When a new account is created on Sauna, we automatically run a public-web research pass on the account holder. This is a core part of the Service: Sauna is designed to be immediately useful, and that requires a minimum baseline of context about you.

Sources. Only publicly accessible content: professional profile pages (such as LinkedIn-style profiles), public publications and papers, company pages tied to your work email domain, public professional directories, and other content that an open web search returns for your name and email.

What we generate. A dossier that may include your likely employer, role, industry, recent publications and public work, professional affiliations, and other public professional context. The dossier is inferential: some items may be wrong. You are the primary reader and editor of this file.

Where it lives. In a file inside your own Sauna workspace (currently documents/onboarding/web-research.md). You can open it, edit it, delete it, or ask Sauna to regenerate it at any time.

How it is used. The dossier is used as context for your first session and for proactive features you enable (such as scheduled briefings and proactive suggestions). It is stored alongside your other User Content and is covered by the same retention, security, and sub-processor terms as the rest of your workspace. It is not sold and not shared with third parties for their own purposes.

What we do not do. We do not access private or access-controlled content. We do not buy data about you from data brokers. We do not use this dossier to make decisions about you that produce legal or similarly significant effects under Art. 22 GDPR. We do not run this research on users under 18.

Legal basis (EU/EEA/UK). Legitimate interests under Art. 6(1)(f) GDPR. Our balancing assessment is summarized in §5. You have the right to object to this processing under Art. 21 at any time by emailing privacy@sauna.ai, and you have the right to delete the dossier at any time from your Sauna workspace.

If the research is wrong. You can correct the file directly, ask Sauna to regenerate it, or exercise your right to rectification under §13.

7. Sharing and Disclosure

We do not sell your personal data, and we do not share it for cross-context behavioral advertising.

We disclose personal data to:

  • a. Sub-processors (listed in Section 8) that provide infrastructure, AI model inference, payments, observability, communications, integrations, and other services necessary to operate the Service.
  • b. Connected services you authorize. When you instruct Sauna to send an email, post a message, create a ticket, etc. — including under agentic, scheduled, or autonomous features you have enabled — we transmit the relevant data to the applicable service.
  • c. Professional advisors and corporate transactions. Lawyers, accountants, auditors, insurers, and parties to a corporate transaction (merger, acquisition, financing, sale of assets), under appropriate confidentiality.
  • d. Legal and safety. When we believe in good faith that disclosure is required by law, court order, or government request, or is necessary to protect rights, safety, property, or to investigate fraud or abuse.
  • e. With your direction or consent. When you ask us to share data with a third party, or when you make data public through the Service.

8. Sub-processors

The third parties below help us provide the Service. We require each sub-processor to enter into a written agreement that contains data protection terms substantially similar to those in this Policy, including, where applicable, the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

We will provide reasonable advance notice of new sub-processors to customers who have requested notification at privacy@sauna.ai.

AI model inference

  • Anthropic — Claude
  • OpenAI — GPT, Whisper
  • Google — Gemini
  • Groq — fast inference
  • Perplexity — research-oriented LLM
  • Cerebras — fast inference
  • Together AI — LLM inference
  • Mistral — LLM inference
  • Amazon Bedrock — hosted LLM inference

We have configured each provider to opt out of training on your content where opt-out is available.

Cloud and infrastructure

  • Amazon Web Services — storage (S3), email (SES), queues (SQS)
  • Cloudflare — CDN, DNS, edge compute
  • Fly.io — sandbox / browser execution containers
  • Neon — serverless Postgres
  • Turso — serverless SQLite

Authentication and payments

  • Stripe — payments and billing
  • Google OAuth — sign in with Google

Observability and analytics

  • Sentry — error monitoring and optional session replay
  • PostHog — product analytics
  • Langfuse — LLM tracing
  • Honeycomb — telemetry backend

Messaging and queues

  • Slack — in-app and team notifications
  • Upstash QStash — async task queue

Vector search

  • Weaviate — vector database

Integration brokers

  • Pipedream — OAuth broker for connected apps (Linear, Notion, Gmail, Drive, Calendar, Sheets, Docs, and others you authorize)
  • Airweave — integration platform

Web and browser automation

  • Jina AI — web content extraction
  • Browser Use — cloud browser automation

Voice

  • ElevenLabs — text-to-speech synthesis (Sauna does not offer end-user voice cloning)

Other

  • Raindrop — bookmark management features
  • Linq — iMessage gateway for SMS surface

Connected services are not sub-processors. When you connect a third-party service to Sauna (such as Gmail, Calendar, Notion, Linear, Slack, GitHub, Ashby, Granola, Stripe, Mercury, or others), that service is not a sub-processor of HeyDaily. It is a service you use directly under your own agreement with that provider. Sauna sends data to those services on your instruction. Their handling of your data is governed by their own terms and privacy policy.

9. Cookies and Similar Technologies

Cookies are small text files placed on your device when you visit a website. We also use similar technologies (localStorage, sessionStorage, pixels, web beacons, and SDKs); we refer to all of them as “cookies” in this Policy.

We use:

  • Strictly necessary cookies (always on) — for authentication, session, CSRF protection, bot mitigation, and to remember your cookie preferences.
  • Functional cookies (on by default; can be disabled) — to remember UI preferences such as theme, sidebar, and language.
  • Analytics cookies (PostHog and optional Sentry session replay; off by default in the EU/EEA/UK and other regions where consent is required; opt-in) — to understand usage and improve the Service.

We do not use advertising cookies and do not allow third parties to use our cookies for cross-site advertising.

Managing your preferences. When you first visit app.sauna.ai from regions where consent is required, a cookie banner lets you accept all, reject all, or customize. Reject-all is one click and has parity with accept-all. You can change your choices at any time from “Cookie preferences” in the footer.

Global Privacy Control. We honor a valid Global Privacy Control (GPC) signal as a “do not sell or share” opt-out for residents of California and other states that recognize it.

Do Not Track. Browser DNT signals do not have a uniform standard; we do not respond to DNT but do honor GPC as described above.

10. International Data Transfers

We are based in the United States. Personal data we collect may be processed in the U.S. and other countries where our sub-processors operate. For transfers from the EU/EEA, UK, or Switzerland to countries that do not offer an equivalent level of protection, we rely on:

  • the EU Standard Contractual Clauses (Module 2 or 3 as appropriate) and, where applicable, the UK International Data Transfer Addendum;
  • where applicable, our and our sub-processors’ certifications under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.

Where personal data is transferred internationally, we apply the safeguards described above.

11. Data Retention

We keep personal data only as long as needed for the purposes in Section 5, then delete or anonymize it. Indicative periods:

Category — Retention

  • Account data — Lifetime of account + 30 days
  • User Content (prompts, attachments, Outputs, memory) — Lifetime of account + 30 days, unless you delete earlier
  • Onboarding research dossier — Lifetime of account + 30 days, unless you delete earlier or object under §6.bis
  • OAuth tokens / API keys — Until you disconnect, then deleted
  • LLM request/response logs — ≤ 30 days, longer only if flagged for abuse review
  • Browser Use session state — Lifetime of session unless you save credentials, then until you remove them
  • Voice data (your audio inputs and TTS outputs) — Lifetime of account + 30 days, unless you delete earlier
  • Application logs — 90 days
  • Backups — Up to 90 days rolling
  • Billing records — As required by tax/accounting law (typically 7 years)
  • Marketing data — Until you opt out + a short suppression window

12. Security

We use administrative, technical, and physical safeguards designed to protect personal data, including: encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent), principle-of-least-privilege access controls, MFA for staff, audit logging, vendor due diligence, and an incident response plan. No system is 100% secure. If we become aware of a security incident affecting your personal data, we will notify you and any required authority without undue delay, consistent with applicable law (within 72 hours for incidents subject to GDPR).

Report suspected vulnerabilities to security@sauna.ai.

13. Your Rights

Subject to applicable law, you may have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • delete personal data;
  • restrict or object to processing;
  • portability of data you provided to us in a structured, machine-readable format;
  • withdraw consent at any time, where processing is based on consent;
  • complain to a supervisory authority.

Specifically regarding onboarding research (§6.bis): you may delete the dossier from your workspace at any time, object to future onboarding research under Art. 21 GDPR by emailing privacy@sauna.ai, or request rectification if the dossier is inaccurate. We will act on these requests promptly and confirm in writing.

To exercise these rights, email privacy@sauna.ai. We will respond within the time required by law (30 days for EU/UK requests and 45 days for California requests, extendable once where permitted by law). We may need to verify your identity. We will not discriminate against you for exercising your rights.

14. Region-Specific Disclosures

14.1 EU/EEA, UK, and Switzerland (GDPR / UK GDPR / FADP)

You have the rights listed in Section 13 plus the right to lodge a complaint with your local supervisory authority. Legal bases are in Section 5. International transfer mechanisms are in Section 10.

14.2 California (CCPA / CPRA)

In the past 12 months we have collected the categories of personal information described in Section 3 (identifiers, customer records, commercial information, internet activity, geolocation derived from IP, audio, professional or employment information, inferences) for the purposes in Section 5. We have disclosed those categories to the sub-processors and recipients in Sections 7 and 8. We do not sell or share personal information for cross-context behavioral advertising.

California residents may:

  • know what personal information we collect, use, disclose, and (if applicable) sell or share;
  • delete personal information;
  • correct inaccurate personal information;
  • limit our use and disclosure of “sensitive personal information” (which may include account credentials and contents of communications routed through connected services);
  • opt out of sale or sharing — although we do not engage in either; this notice is provided for transparency and we honor Global Privacy Control signals;
  • be free from discrimination for exercising rights.

To exercise these rights, email privacy@sauna.ai. You may use an authorized agent; we will require proof of authorization.

14.3 Other U.S. states

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights. Email privacy@sauna.ai.

14.4 “Shine the Light” (California Civil Code § 1798.83)

We do not share personal information with third parties for their direct marketing.

15. Google API Services User Data Policy — Limited Use

Sauna’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve user-facing features of the Service.
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features of the Service, to comply with law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data, except: (a) with your affirmative consent for specific messages, (b) where necessary for security purposes (such as investigating abuse), (c) to comply with law, or (d) where the data has been aggregated and anonymized for internal operations.
  • We do not use Google user data to train, develop, or improve generalized or non-personalized AI/ML models, including third-party models.

These commitments apply to data obtained from Gmail, Google Calendar, Google Drive, and other Google APIs.

16. Children

The Service is not directed to children under 18 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact privacy@sauna.ai and we will delete it.

17. Marketing Communications

We send transactional messages (security alerts, billing, support, important Service notices) regardless of marketing preferences. Marketing communications are sent only with your consent (or, in the U.S., with the right to opt out). You can opt out at any time via the unsubscribe link in our emails or by emailing privacy@sauna.ai.

18. Automated Decision-Making and Profiling

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects under Art. 22 GDPR. This includes our onboarding public-web research (§6.bis): the dossier is used to personalize the Service for you, not to make eligibility, pricing, access, or other consequential decisions about you. Outputs of agentic, scheduled, and autonomous features are generated by AI on your instruction and under your monitoring and approval; they are not used by us to make automated decisions about you.

19. Third-Party Sites and Services

The Service connects to third-party services that you authorize. Their use of your data is governed by their own privacy policies. We are not responsible for their practices.

20. Changes to This Policy

We may update this Policy from time to time. The current version is always available at sauna.ai/privacy and the “Last Updated” date above shows when it was last revised. We encourage you to review this Policy periodically. Where required by law, we will notify you of material changes; otherwise, your continued use of the Service after an update constitutes acceptance of the revised Policy.

21. Contact

HeyDaily Inc., San Francisco, California, USA

“Sauna” is a trademark of HeyDaily Inc. (USPTO Serial No. 99285540).