Legal

Privacy Policy

Last updated: April 22, 2026

Heapr is a home inventory app. The short version: we store the items and photos you add, and the account info needed to keep them yours. We don't sell data, we don't run ads, and we don't share your inventory with third parties. This page explains the details.

1. Who we are

Heapr is operated by Renu Design Inc., a corporation incorporated in the Province of Ontario, Canada. In this policy “we,” “our,” and “us” refer to Renu Design Inc.

We are subject to Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Ontario privacy legislation. We have designated a Privacy Officer who is responsible for compliance with this policy and with applicable privacy law. You can reach the Privacy Officer at hello@heapr.app with any privacy question, access request, or complaint.

2. What we collect

Information you give us

Account details. Your name and email address when you sign up. We use email for login, password reset, and occasional service notices.
Inventory content. Everything you add to Heapr — item names, descriptions, conditions, locations, categories, tags, and the photos you attach.
Waitlist info (this website only). If you join the waitlist, we store your name, email, and platform preference so we can notify you when Heapr opens to you.

Information we do not collect

No analytics, tracking pixels, advertising IDs, or third-party SDKs that profile you.
No location data, contacts, calendars, or microphone access.
No device fingerprinting beyond the auth session token needed to keep you signed in.

Photo analysis runs on your device. When you snap a photo to get name and category suggestions, the image is analyzed locally by Apple Vision (iOS) or Google ML Kit (Android). The photo itself is uploaded to our storage only so you can see it in your own inventory later — it is never sent to a third-party ML service for analysis, and no human at Heapr reviews your photos.

3. How we use your data

To run the app. We store your account, inventory, and photos so you can access them across sessions and devices.
To keep access invite-only. Heapr is currently early access. An administrator reviews new sign-ups and flips your account to approved; until then you can sign in but cannot read or write inventory data.
To reach you when necessary. Email confirmation, password resets, and critical service notices. We do not send marketing email without explicit opt-in.

4. Who we share it with

We share only with the infrastructure providers required to run the service, and only to the extent each one needs to do its job:

Supabase — our database, authentication, and photo storage provider. Your inventory, account, and images are stored in a Supabase project we control. Supabase acts as a data processor, not a data consumer. See Supabase's privacy policy.
Cloudflare — serves this website and stores the waitlist entries. Cloudflare does not receive inventory or account data from the mobile app. See Cloudflare's privacy policy.

We do not sell, rent, or license your personal information to anyone. We do not share it with advertisers, data brokers, or analytics companies.

5. How your data is protected

Row-level security. Every row in our database is tagged with a user ID, and database policies enforce that only you can read or modify your own data — even if another user were to guess an internal ID.
TLS everywhere. All traffic between the app, this website, and our servers uses HTTPS.
At-rest encryption. Storage on Supabase is encrypted at rest.
Least privilege. Only a small number of operators have access to production infrastructure, and only for service maintenance.

6. Sharing features

Heapr may let you share specific items with specific friends you invite. When you do, the recipient sees only the items you chose to share — not your full inventory. Sharing is always opt-in, item by item. You can revoke access at any time.

7. Data retention

While your account is active: we keep your data as long as you use the service.
When you delete an item or a photo: it is removed from our database and storage within a short period (usually seconds; up to 30 days for backups to expire).
When you delete your account: all of your inventory, photos, and personal information are deleted within 30 days. Backups containing the data expire on their own rolling schedule (also within 30 days).

8. Your rights

You can:

Access & export. Email us and we will send you a copy of your data in a portable format.
Correct. Edit any item or account field directly in the app.
Delete your account. Open the app and go to Profile → Delete Account. Your items, photos, and personal information are removed immediately; backups expire within 30 days. If you can't access the app, you can instead email hello@heapr.app from the address on your account.
Withdraw consent. Stop using the app and request account deletion as above.

If you are in Canada, you have rights under PIPEDA and applicable provincial legislation, including the right to access the personal information we hold about you, to request correction, and to withdraw consent (subject to legal or contractual restrictions). If you are unsatisfied with how we have handled a privacy concern after contacting our Privacy Officer, you may file a complaint with the Office of the Privacy Commissioner of Canada. If you reside in Quebec, you have additional rights under Law 25, including data portability and the right to be informed of automated decision-making.

If you are outside Canada — in the EU, the UK, California, or another jurisdiction with specific data-subject rights (GDPR, UK GDPR, CCPA, etc.) — you have additional rights including the right to lodge a complaint with your local supervisory authority. We honour all such requests.

9. Children

Heapr is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has created an account, please contact us and we will delete it.

10. Cross-border storage & transfers

We are a Canadian company, but the infrastructure we use to store your data is physically located in the United States — specifically in the us-east-2 region (Ohio) operated by our database provider, Supabase. This means:

Your account information, inventory content, and photos are stored on servers in the United States.
While stored there, your data may be subject to US law, including lawful access requests by US government agencies (for example, under the US CLOUD Act), in addition to Canadian law.
The same security protections described above (TLS in transit, encryption at rest, row-level security, contractual safeguards with Supabase) apply regardless of where the data is stored.

By creating an account, you consent to the transfer of your personal information to the United States for storage and processing as described here. If you are not comfortable with this transfer, please do not create an account, and contact us if you would like your waitlist entry removed.

11. Changes to this policy

We may update this policy as Heapr evolves. When we make material changes, we will revise the “Last updated” date above and, for significant changes, notify signed-in users by email or in-app notice. Continued use after an update means you accept the revised policy.

12. Contact

Questions, requests, or concerns? Email hello@heapr.app. We respond personally, usually within a few business days.