When you register for an account, we collect:

• Full name and email address.
• Password (stored in hashed, encrypted form; we never store plaintext passwords).
• Billing information and payment details (processed and stored by our third-party payment processor; we do not store full credit card numbers).
• Account preferences and settings.
• Operator Protocol acceptance records, including timestamp, operator ID, and IP address.

When you create or scan a Power Source, we collect and store:

• Website URLs you submit for scanning.
• Extracted brand intelligence, including: brand voice, selling points, target audience profiles, product descriptions, pricing, and strategic positioning.
• Any brand data you manually enter or edit within the Power Source interface.
• Competitor URLs and the intelligence extracted from competitor scans.

Important: Power Source data tied to your account is your proprietary brand intelligence. It is stored in our database, associated with your account, and used exclusively to deliver the Service to you. We do not share your account-tied Power Source data, your edited brand data, or your custom brand strategy with other users or use it to benefit competing accounts.

Brand-foundation caching: To improve performance and avoid duplicate processing, the publicly-derived brand foundation extracted from a website URL (the brand voice extracted from public copy, public selling points, public positioning, public visual assets) may be cached for up to 30 days and re-used when another Heista user scans the same URL within that window. This cache contains only intelligence derived from publicly accessible web pages and never includes Power Sources you have edited, uploaded documents, or any data tied to your account. You can force a refresh of the cache for a domain you own at any time, subject to a 24-hour rate limit. If you do not want public scans of a URL you control to be cached, contact support@heista.co for a domain-level opt-out.

Through your use of the Service, we collect:

• URLs of videos and content you submit for Scan Intelligence analysis.
• Transcripts generated from scanned video content (see Section 5 for retention periods).
• Outputs generated through the Console, including scripts, copy, and strategic recommendations.
• Custom frameworks created through the Architect module.
• All assets saved to your Vault, including project folders and associated metadata.

When you interact with the Operator (our AI assistant) or the Console, we collect:

• Your prompts, questions, objectives, and instructions.
• The AI-generated responses and outputs.
• Conversation history and session context.

How this data is used: The Operator uses your stored conversation history, Vault activity, and Power Source context to provide personalised strategic recommendations within your account. This is account-level personalisation, not model training. Your conversational data is stored in our database and is used exclusively within your account to improve your experience. It is not shared with other users, and it is not used to train or fine-tune any AI model (ours or any third party's). See Section 3 for details on how data is processed by our AI sub-processors.

We automatically collect data about how you interact with the Service, including:

• Which modules you use and how frequently (Operator, Console, Scan, Architect, Heist Library, Vault, Power Sources).
• Which Heists you browse, run, favourite, and re-run.
• Which Power Sources you create, edit, switch between, and activate.
• Scan activity: URLs scanned, PatternMap views, script generation events.
• Architect activity: framework creation events and input types used.
• Console interactions: session duration, output generation frequency, Creative Director sidebar settings used (tone, audience, style toggles).
• Vault activity: projects created, assets saved, and retrieval patterns.
• Credit consumption patterns across different action types.
• Navigation paths through the platform and feature adoption sequences.
• Session timestamps, duration, and frequency of use.

Why we track this: This behavioural data serves two purposes. First, it enables product analytics so we can understand which features deliver value, identify friction points, and prioritise development. Second, it feeds into the Operator's personalisation layer, allowing the AI to surface relevant recommendations based on your actual usage patterns (for example, suggesting relevant Heists based on your recent Scans or Power Source activity). This data is scoped to your account and is not used to train AI models.

If you choose to connect your Meta (Facebook/Instagram) advertising account to Heista, we collect:

• Your Meta user ID and the advertising account IDs you grant access to.
• Campaign, ad set, and ad metadata (names, statuses, objectives, targeting summaries).
• Ad creative assets accessible via the Meta Marketing API (images, videos, copy, headlines, CTAs).
• Performance metrics and insights (impressions, clicks, spend, CPM, CTR, ROAS, conversions, and other delivery metrics).
• OAuth access tokens and refresh tokens required to maintain the connection (stored encrypted; never shared with third parties).

Important: We only access the ad accounts and data you explicitly authorise. We use this data exclusively to decode your ad creatives, compare performance against category benchmarks, and generate strategic briefs. We do not modify, create, or manage ads on your behalf unless you explicitly instruct us to do so. We do not share your Meta ads data with other users.

You can disconnect your Meta account at any time from your Heista account settings or by removing the Heista app from your Facebook Settings > Business Integrations. Upon disconnection, we delete your stored Meta data within 30 days (see Section 5).

We automatically collect standard technical information:

• IP address and approximate geographic location.
• Browser type, version, and language settings.
• Operating system and device type.
• Referring URL and pages visited within the Service.
• Error logs and performance data.

When you use the Heista API, we collect:

• URLs and video content submitted for decoding through the API.
• API key metadata, including creation date, last used timestamp, and assigned scopes.
• Request logs, including: endpoint called, HTTP method, response status code, cost in credits, request duration, request ID, and IP address.
• Rate limit events and error logs.
• Idempotency keys (if provided) for duplicate request prevention.

Important: API keys are stored as one-way cryptographic hashes (SHA-256). The full plaintext key is displayed once at creation and is never stored by Heista. We cannot recover your API key if you lose it.

When you use Heista Skills through third-party AI platforms, we collect:

• Authentication tokens exchanged during the Skill setup process (browser redirect to Heista for sign-in).
• Actions performed through Skills, which fall into the same categories as Shop usage data (decodes, generations, etc.).
• Credit consumption events triggered by Skill usage.

We do not collect personal data from the third-party AI platform itself. The platform may have its own data practices, which are governed by its own privacy policy.

Structural intelligence derived from decoded content (submitted through any surface: Shop, API, or Skills) is stored in our database and incorporated into the Heista Decoded Library. This decoded intelligence consists of:

• PatternMap analysis (hooks, beats, structural segments).
• Psychological classifications and behavioural mechanics.
• Format, style, and taxonomy classifications.
• Ad formula data and structural patterns.

This intelligence is derived from the analysis of publicly available content. It does not include your account information, API key, proprietary brand data, Power Source data, or any personally identifiable information. Other Heista users may access this structural intelligence through the Decoded Library and Intelligence features.

When you connect Heista to a third-party AI client (such as Claude Desktop, Claude Code, ChatGPT, Cursor, or VS Code) using the Heista MCP server, we collect and store:

• The OAuth client identifier and registered redirect URI of the connecting application.
• The authorisation code (short-lived, single-use, hashed at rest), the access token (24-hour TTL), and the refresh token (30-day TTL).
• The OAuth scopes you grant during consent (for example, mcp:account, mcp:intelligence, mcp:tools).
• A consent record with timestamp, IP address, and user agent of the device that approved the grant.
• Tool-call audit events: which MCP tool was invoked, when, the request ID, the resulting status, and any failure reason. These events are written to an audit log used for incident investigation and billing reconciliation.

Important: You can revoke any MCP grant at any time from your account console. Revocation propagates within 60 seconds and prevents any further tool calls from the disconnected client. Tokens are bound to the specific MCP resource (RFC 8707 audience binding) so a token issued for the Heista MCP cannot be replayed against any other resource server.

When you upload documents through the Files API or via the create_powersource_docs / create_powersource_full MCP tools, we collect and store:

• The file content (PDF, DOCX, DOC, TXT, or MD), stored in encrypted object storage scoped to your organisation.
• The filename you supplied (sanitised to remove path components and control characters), the declared MIME type, and the verified content type.
• File metadata: size, upload timestamp, expiry timestamp, and the API key that initiated the upload.
• Text extracted from the file by our document parser, which is then passed to our AI sub-processors (see Section 3) for brand intelligence extraction.

Files are retained for 30 days from upload, after which the original file is permanently deleted from object storage. Brand intelligence derived from the file remains in your Power Source until you delete it. You can delete a file before the 30-day expiry at any time from the API console or via DELETE /v1/files/{id}.

Sensitive content notice: Do not upload files containing personal data of third parties unless you have a lawful basis to do so. Do not upload regulated personal information (health records, financial account credentials, government identifiers) — Heista is not certified for processing those categories.

When you configure a webhook URL on a paid API call (for example, create_powersource_url), we send a signed HTTP POST to your URL when relevant events occur. The payload contains the brand intelligence or other result data for the job you initiated.

• Each webhook payload is signed with HMAC-SHA256 using a secret you control. The signature is sent in the X-Heista-Signature header. Verify this signature on every request to defend against forgery and replay.
• Webhook delivery is retried with exponential backoff for up to 24 hours on transient failure. Failed deliveries are logged for 30 days.
• You are the data controller for the receiving endpoint. You are responsible for the security, availability, lawful basis, and retention of any data your endpoint receives or stores.

• Processing your Power Sources to extract brand intelligence and load it into the Console.
• Running Scan Intelligence analysis on URLs you submit, whether through the Shop or API.
• Generating Outputs by combining Heist frameworks with your brand context.
• Processing API requests and returning decoded intelligence.
• Executing Skill actions and returning results to the third-party AI platform.
• Maintaining your Vault, projects, and saved assets.
• Managing your Credit balance, API Credit balance, and subscriptions.

The Operator uses your stored conversation history, usage patterns, and Power Source data to:

• Provide contextually relevant strategic recommendations.
• Suggest Heists and frameworks aligned with your business objectives.
• Remember your preferences within your account context (communication style, preferred frameworks, audience segments).
• Surface relevant intelligence based on your recent activity.

This personalisation is scoped to your individual account. Your data does not inform the Operator experience for other users and is not used for model training.

• Analysing aggregate, anonymised usage patterns to improve platform features and user experience.
• Identifying popular frameworks, common workflows, and areas of friction.
• Developing new Heists, modules, and capabilities based on aggregate demand signals.
• Monitoring system performance, uptime, and error rates.
• Analysing aggregate API usage patterns to improve endpoints and documentation.
• Building the Decoded Library from structural intelligence derived from decoded content across all surfaces.

• Sending transactional emails (account confirmation, password resets, billing receipts).
• Providing technical notices, security alerts, and support messages.
• Sending product updates, new feature announcements, and usage tips (you may opt out at any time).
• Responding to your support requests and feedback.

• Detecting and preventing fraud, abuse, and unauthorised access.
• Enforcing our Terms of Service and Operator Protocol.
• Monitoring API usage for rate limit compliance and abuse detection.
• Maintaining audit trails, including Operator Protocol acceptance logs.
• Complying with applicable legal obligations.

Heista uses AI models to perform several core functions:

• Scan Intelligence: Deconstructing video and content structure into PatternMap visualisations.
• Power Source Extraction: Analysing websites to extract brand voice, selling points, audience data, and strategic positioning.
• Console Generation: Producing scripts, copy, and strategic outputs by combining Heist frameworks with your brand context.
• Operator Assistant: Providing strategic recommendations, answering questions, and suggesting workflows.
• Architect: Building custom frameworks from user-provided inputs.
• API Processing: Decoding content submitted through the API using the same intelligence pipeline as the Shop.
• Skills Processing: Executing Heista capabilities through third-party AI platforms using the same intelligence pipeline.

To deliver AI-powered capabilities, we use third-party AI infrastructure providers as sub-processors. Our current sub-processors include:

• OpenAI: Primary language model provider for text generation, analysis, and strategic intelligence.
• Google (Gemini/Vertex AI): Image generation, visual analysis, and supplementary language model capabilities.
• Anthropic (Claude): Language model provider for specific intelligence and analysis tasks.

We will update this section if we add or change AI sub-processors. If we make a material change that affects how your data is processed, we will notify you at least 14 days in advance via email or in-platform notification.

What this means in practice: When you run a Heist, scan a URL, interact with the Operator, submit an API request, use a Skill, or generate any output through the Service, the data required to produce that output (which may include your Power Source data, your prompts, and relevant Heist framework logic) is sent to our AI provider's API for processing.

The following details apply to our primary AI sub-processor (OpenAI) as of the date of this policy:

• Model training restrictions: Under our current API agreement with OpenAI, data submitted via the API is not used by OpenAI to train or improve their general-purpose models. Your inputs and outputs are processed for inference only. Sub-processor terms may change over time; we will update this policy if there are material changes to how your data is handled.
• Abuse monitoring retention: OpenAI retains API inputs and outputs for up to 30 days for the purpose of abuse and safety monitoring, unless a longer period is required by law. These abuse monitoring logs may include prompts, responses, and derived metadata. After the retention period, this data is deleted.
• Zero-data-retention: Certain OpenAI API endpoints offer zero-data-retention options. We will disclose in this policy if and when we use such endpoints. As of the date of this policy, standard API retention terms apply.
• Human review: Your data is not routinely reviewed by humans at OpenAI. Human review may occur only where required to investigate a specific safety or abuse concern flagged by automated systems.
• Encryption: All data transmitted to OpenAI is encrypted using TLS 1.2 or higher.

If you connect your Meta advertising account, additional data processing occurs:

• OAuth authentication: We use the Meta Login SDK to authenticate your identity and obtain authorised access tokens. These tokens are stored encrypted in our database and used exclusively to make authorised API requests on your behalf.
• Meta Marketing API: We use the Meta Marketing API to retrieve your ad account data, campaign structures, ad creatives, and performance insights. All API requests are made server-side from our infrastructure.
• Data processing: Your ad creatives are processed through our Scan Intelligence and decode pipelines to extract structural patterns, identify winning formulas, and generate comparative briefs. This processing uses the same AI sub-processors described in Section 3.2.
• No write access: By default, we request read-only access to your ad accounts. We do not create, modify, pause, or delete any campaigns, ad sets, or ads unless you explicitly grant additional permissions and instruct us to do so.

Meta's own data handling practices are governed by the Meta Platform Terms and Meta Privacy Policy. Our use of Meta Platform Data complies with Meta's Platform Terms, including data use restrictions, data security requirements, and the prohibition on selling or licensing Platform Data to third parties.

In addition to AI sub-processors, we use the following categories of service providers:

• Cloud hosting and infrastructure: Vercel (application hosting, edge functions), Supabase (database, authentication).
• Payment processing: Stripe (subscription billing, API credit purchases).
• Rate limiting: Upstash (Redis-based rate limiting for API endpoints).
• Analytics: PostHog (product analytics, event tracking).
• Ad library data: Third-party providers for accessing publicly available ad library data.

All service providers are bound by contractual obligations to process your data only as instructed by us and to maintain appropriate security measures.

We may use anonymised and aggregated data across our user base to develop platform-level intelligence, such as identifying trending content frameworks or popular strategic patterns. This aggregated data cannot be used to identify you or your brand and does not include any personally identifiable information or specific Power Source data.

We share data with trusted third-party service providers who assist us in operating the platform. These providers are listed in Section 3. All service providers are bound by contractual obligations to process your data only as instructed by us and to maintain appropriate security measures.

Structural intelligence derived from decoded content (PatternMap analysis, beat structures, psychological classifications, format data, ad formulas) is incorporated into the Decoded Library and may be accessible to other Heista users. This intelligence is derived from publicly available content and does not contain your personal data, account information, brand data, or API key information.

We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to:

• Comply with a legal obligation, court order, or government request.
• Protect and defend the rights, property, or safety of Heista, our users, or the public.
• Detect, prevent, or address fraud, security issues, or technical problems.
• Enforce our Terms of Service.

If Heista is involved in a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the platform before your information becomes subject to a different privacy policy.

We may share your information in other circumstances with your explicit consent or at your direction.

If we become aware of a data breach involving your personal information that is likely to result in serious harm, we will:

• Notify affected individuals as soon as practicable, including a description of the breach, the types of information involved, and recommended steps you can take.
• Notify the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
• Where applicable, notify relevant data protection authorities in other jurisdictions (including EEA/UK supervisory authorities under GDPR).

We assess all suspected breaches against the NDB threshold of "likely to result in serious harm" and take remedial action to mitigate risk wherever possible.

Required for the Service to function. These handle authentication, session management, security, and remembering your active Power Source context. You cannot opt out of essential cookies while using the Service.

Help us understand how users interact with the platform (page views, feature usage, navigation paths). We use this data in aggregate to improve the Service. You may opt out of analytics cookies through your browser settings or our cookie preference centre.

Remember your settings and preferences (such as active Power Source, Console configuration, and display preferences) to provide a consistent experience across sessions.

Heista is operated from Australia. The data flows are:

• Primary storage (Australia): Your account data, Power Sources, brand intelligence, decoded content, API usage logs, MCP audit logs, and uploaded files are stored in our managed PostgreSQL database hosted in Sydney, Australia (AWS ap-southeast-2 region). This is the system of record.
• Sub-processor processing (United States): When you trigger an action that requires AI processing (running a Heist, scanning a URL, generating output through the Console, submitting an API request, using a Skill), the data needed for that specific action is transmitted to our AI sub-processors (OpenAI, Google, Anthropic) for inference. Most of these providers process inference in the United States. Inference is transient — the AI sub-processors do not retain your prompts to train their models (see Section 3).
• Edge and CDN (global): Vercel's global edge network may cache static assets (images, JavaScript bundles, the public marketing site) close to you. Cached content does not include account data, Power Sources, or any personal information.
• Payment processing (United States): Stripe processes payment information in the United States.
• Email delivery (United States): Transactional and marketing emails are delivered via providers operating in the United States.

If we engage sub-processors in additional countries in the future, we will update this policy to reflect those locations, or state why it is impracticable to list all countries.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to that information, in accordance with APP 8.1. Our safeguards include:

• Contractual obligations requiring sub-processors to protect your data to a standard substantially similar to the APPs.
• Due diligence on sub-processor privacy and security practices.
• Ongoing monitoring of sub-processor compliance.

We acknowledge that under APP 8.1, if an overseas recipient handles your personal information in breach of the APPs, we may be accountable for that breach under certain circumstances.

If you are located in the European Economic Area (EEA) or United Kingdom, we rely on the following safeguards for international transfers of your personal data:

• Standard Contractual Clauses (SCCs) approved by the European Commission, where required for transfers to countries that have not received an adequacy decision.
• The UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs, as applicable for transfers from the United Kingdom.
• Any applicable adequacy decision by the European Commission or UK Secretary of State.

By using the Service, you acknowledge that your information will be transferred to and processed in the countries identified above.

Regardless of your location, you have the right to:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your account and associated data (subject to our retention requirements for legal compliance).
• Data portability: Request an export of your Power Source data and Vault assets in a commonly used format.
• API data: Request deletion of API usage data, revocation of all API keys, and export of API usage history.
• Opt out of marketing: Unsubscribe from marketing communications at any time via the link in any marketing email or through your account settings.
• Withdraw consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Opt out of Operator personalisation: You may request that we delete your Operator conversation history or disable account-level personalisation by contacting us at support@heista.co.

If you are located in Australia, you have additional rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including the right to make a complaint to the Office of the Australian Information Commissioner (OAIC). We will respond to access and correction requests within 30 days. See Section 13 for our formal complaints process.

If you are located in the European Economic Area or United Kingdom, you have additional rights under the GDPR or UK GDPR, including:

• The right to object to processing based on legitimate interests.
• The right to restrict processing in certain circumstances.
• The right to lodge a complaint with your local data protection authority.
• The right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you.

Legal bases for processing: We process your personal data on the following legal bases: (a) performance of contract (delivering the Service you have subscribed to); (b) legitimate interests (improving the Service, ensuring security, preventing fraud, and conducting analytics, where these interests are not overridden by your data protection rights); and (c) consent (where we have specifically requested and obtained your consent, such as for marketing communications).

Data controller: Mighty Lucky Ventures Pty Ltd (trading as Heista), ABN 51 653 328 628, contactable at support@heista.co.

To exercise any of these rights, please contact us at support@heista.co with the subject line "Privacy Rights Request." We will acknowledge receipt within 5 business days and respond substantively within 30 days. We may need to verify your identity before processing your request.

The Heista Operator is an AI assistant that provides personalised strategic recommendations and workflow suggestions. It uses your stored conversation history, Power Source data, Vault activity, and usage patterns to tailor its responses to your account context. This constitutes account-level personalisation, not automated decision-making in the legal sense.

The Operator does not make decisions that produce legal effects or similarly significant effects on you. Specifically, it does not:

• Make credit, lending, or financial decisions.
• Make hiring, employment, or HR decisions.
• Make health or medical determinations.
• Determine your eligibility for any service, benefit, or opportunity.
• Perform ad targeting or profiling for third-party advertising purposes.

All Outputs generated by the Operator, Console, API, and Skills are recommendations for your consideration and editorial review. You retain full control over what you publish, and no automated process within Heista takes action on your behalf without your explicit instruction.

You may at any time:

• Request deletion of your Operator conversation history, resetting personalisation.
• Request an export of the data the Operator uses for personalisation.
• Opt out of account-level personalisation by contacting us at support@heista.co.

If we introduce any automated decision-making functionality in the future that could reasonably be expected to significantly affect your rights or interests, we will update this policy, provide clear notice, and offer a mechanism for you to request human review of such decisions. We note that from 10 December 2026, the Australian Privacy Act will require additional disclosure obligations for automated decisions that significantly affect individuals' rights or interests, and we are committed to compliance with those requirements.

If you believe we have breached the Australian Privacy Principles or otherwise mishandled your personal information, you may lodge a complaint by:

Email: Send your complaint to support@heista.co with the subject line "Privacy Complaint."

Your complaint should include:

• Your name and contact details.
• A description of the conduct or practice you are complaining about.
• How you believe your privacy has been affected.
• What outcome you are seeking.

Upon receipt of a complaint, we will:

• Acknowledge receipt within 5 business days.
• Investigate the complaint and assess whether a breach has occurred.
• Provide a written response within 30 days of receipt, including our findings and any remedial action we propose to take.

If you are not satisfied with our response, we will inform you of your options for further review.

If you are not satisfied with our response, or if we have not responded within 30 days, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

If you are located in the EEA or UK, you may also lodge a complaint with your local data protection supervisory authority.

• Authentication tokens: Access and refresh tokens are stored locally in your browser (via chrome.storage.local) to keep you logged in. These tokens are never shared with third parties.
• Ad and post content: When you explicitly click "Heist this Ad" or "Heist It", the extension extracts the ad's text, images, video URLs, author name, and metadata from the page. This data is sent to app.heista.co and saved to your account.
• Page URL and title: The current tab's URL and title are read only when you interact with the extension (clicking the save button or using the right-click menu).

• The extension does not collect browsing history, keystrokes, or any data in the background.
• The extension does not track your activity across websites.
• The extension does not run any analytics or third-party tracking scripts.
• No data is collected unless you explicitly take an action (clicking a save button or using the context menu).

• All data is transmitted over HTTPS (TLS 1.2+) to app.heista.co.
• Authentication tokens are stored locally in your browser and are never sent to any third party.
• Saved items are stored in your Heista account and subject to the same retention and security policies described in Sections 5 and 6 of this policy.

The extension does not load or execute any remote code. All JavaScript is bundled locally at build time. The only remote communication is REST API requests to app.heista.co for authentication and saving data.