1. Introduction
Welcome to Heroworks.ai (“Service”, “Platform”, “we”, “us”, or “our”). This Privacy Policy explains how Smash Media Inc, a Puerto Rico Corporation (“Company”), collects, uses, discloses, and protects your personal information when you use our knowledge base platform.
Company Information:
- Legal Entity: Smash Media Inc
- DBA: Heroworks.ai
- Address: 53 Palmeras Street Suite 601, San Juan PR 00901-2410
- Jurisdiction: San Juan, Puerto Rico (U.S. Territory)
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Service.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password (hashed) | Account creation and authentication |
| Profile Information | Avatar image, display preferences | Personalization |
| Content | Articles, documents, images, files | Service delivery |
| Communications | Support requests, feedback | Customer support |
| Payment Information | Billing address, payment method (processed by third-party) | Subscription management |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, timestamps | Service improvement |
| Device Information | Browser type, operating system, device type | Compatibility and optimization |
| Log Data | IP address, access times, referring URLs | Security and analytics |
| Cookies | Session cookies, preference cookies | See our Cookie Policy |
2.3 Information from Third Parties
We may receive information from:
- Authentication Providers: If you sign in with Google or SSO, we receive your name and email
- Your Organization: If your employer provides your account, they may provide your information
3. How We Use Your Information
We use your personal information for the following purposes:
3.1 Service Delivery
- Create and manage your account
- Store and organize your knowledge base content
- Enable collaboration within your organization
- Provide customer support
3.2 AI-Powered Features
Our Service includes artificial intelligence features that process your content:
| Feature | What It Does | Data Processed |
|---|---|---|
| AI Chat | Answers questions about your knowledge base | Published article content, your queries |
| Semantic Search | Finds content by meaning, not just keywords | Article content (converted to embeddings) |
| Image Search | Finds visually similar images | Uploaded images (converted to embeddings) |
| Auto-Translation | Translates articles to other languages | Article text content |
Important: Your data is processed by third-party AI services. See Section 6 (Sub-processors) for details.
3.3 Service Improvement
- Analyze usage patterns to improve features
- Debug and fix issues
- Develop new functionality
3.4 Communication
- Send service-related notifications
- Respond to your inquiries
- Send product updates (with your consent)
3.5 Security and Compliance
- Detect and prevent fraud
- Enforce our Terms of Service
- Comply with legal obligations
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your personal data based on:
| Legal Basis | When It Applies |
|---|---|
| Contract | Processing necessary to provide the Service you requested |
| Consent | When you opt-in to marketing communications or optional features |
| Legitimate Interest | Analytics, security, service improvement (balanced against your rights) |
| Legal Obligation | When required by law (e.g., tax records, court orders) |
You may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
5. AI and Automated Processing
5.1 What We Use
Our Service uses the following AI and automated processing:
| Technology | Provider | Purpose |
|---|---|---|
| Gemini API | AI chat responses, file search | |
| Cloud Translation | Automatic article translation | |
| Vector Embeddings | Upstash | Semantic similarity search |
| Image Embeddings | CLIP (processed locally) | Visual image search |
5.2 How Your Data Is Processed
When you use AI features:
-
AI Chat: Your published articles are indexed by Google Gemini. When you ask a question, your query and relevant article content are sent to Gemini to generate a response.
-
Semantic Search: Article content is converted to mathematical vectors (embeddings) and stored in Upstash for similarity matching.
-
Image Search: Uploaded images are converted to visual embeddings locally on our servers using open-source CLIP models. No images are sent to third-party AI services for this processing.
-
Translation: When you enable multi-language publishing, article text is sent to Google Cloud Translation.
5.3 Data Training
Your data is NOT used to train AI models.
We use API-based services where:
- Google Gemini API data is not used for model training (per Google’s API terms)
- Upstash stores only embeddings (mathematical representations), not your original content meaning
- Translation requests are processed but not retained for training
5.4 AI Limitations
AI-generated responses may:
- Contain inaccuracies or outdated information
- Not reflect your organization’s official policies
- Require human verification for important decisions
We recommend verifying AI responses before relying on them for critical matters.
5.5 Opting Out
You can control AI processing:
- Per Article: Exclude specific articles from AI/search indexing
- Per Workspace: Administrators can disable AI features for their workspace
- Account Deletion: Removes all your data from AI indexes
6. Data Sharing and Sub-processors
6.1 Who We Share Data With
We share your data only as necessary to provide the Service:
| Category | Purpose | Examples |
|---|---|---|
| Infrastructure Providers | Hosting, storage, database | Google Cloud, Firebase, Vercel |
| AI Service Providers | AI features, semantic search | Google Gemini, Upstash |
| Analytics | Usage analytics | Vercel Analytics |
6.2 Sub-processor List
For a complete list of our sub-processors, including their purpose and location, see our Sub-processor List.
6.3 When We May Disclose Data
We may disclose your information:
- With Your Consent: When you explicitly agree
- To Your Organization: If your employer manages your account
- Legal Requirements: To comply with laws, regulations, or legal processes
- Safety: To protect rights, safety, or property of users or the public
- Business Transfers: In connection with merger, acquisition, or sale of assets
6.4 We Do NOT
- ❌ Sell your personal data
- ❌ Share data with advertisers
- ❌ Use your content for purposes other than providing the Service
7. International Data Transfers
7.1 Where Data Is Processed
Our Service is operated from the United States. Your data may be processed in:
| Location | Services |
|---|---|
| United States | Firebase, Google Cloud, Gemini, Vercel |
| European Union | Upstash (EU region available) |
| Global CDN | Vercel Edge Network |
7.2 Safeguards for EU Users
If you are in the EEA, UK, or Switzerland, we ensure your data is protected through:
- Standard Contractual Clauses (SCCs): Agreements with sub-processors
- Data Processing Agreements: With all vendors processing personal data
- Adequacy Decisions: Where applicable
You may request a copy of applicable SCCs by contacting us.
8. Data Retention
We retain your data as follows:
| Data Type | Retention Period | Notes |
|---|---|---|
| Account Data | Until deletion + 30 days | Grace period for recovery |
| Content (Articles, Files) | Until deleted by you | Soft delete, then hard delete |
| Chat History | 1 year or until deletion | Whichever comes first |
| Audit Logs | 3 years | Legal/compliance requirement |
| Backups | 30 days | Auto-deleted |
| Analytics | 26 months | Aggregated data |
After the retention period, data is permanently deleted or anonymized.
9. Your Rights
9.1 Rights Under GDPR (EU/EEA Users)
You have the right to:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your data | Settings → Privacy → Export Data |
| Rectification | Correct inaccurate data | Edit in your account settings |
| Erasure | Request deletion of your data | Settings → Privacy → Delete Account |
| Portability | Receive your data in machine-readable format | Settings → Privacy → Export Data |
| Restriction | Limit how we process your data | Contact us |
| Objection | Object to processing based on legitimate interest | Contact us |
| Withdraw Consent | Revoke previously given consent | Settings or contact us |
| Complaint | Lodge complaint with supervisory authority | Contact your local DPA |
9.2 Rights Under CCPA (California Users)
California residents have the right to:
- Know what personal information is collected
- Delete personal information
- Opt-out of sale of personal information (we do not sell data)
- Non-discrimination for exercising your rights
9.3 How to Exercise Your Rights
Self-Service:
- Log in to your account
- Go to Settings → Privacy
- Use Export Data or Delete Account features
Contact Us:
- Email: privacy@heroworks.ai
- Response within 30 days
We may need to verify your identity before processing requests.
10. Cookies and Tracking
We use cookies and similar technologies. For details on:
- What cookies we use
- How to manage cookie preferences
- Third-party cookies
Please see our Cookie Policy.
11. Data Security
We implement appropriate technical and organizational measures:
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.2+ for all connections |
| Encryption at Rest | Data encrypted in databases and storage |
| Access Controls | Role-based access, multi-tenant isolation |
| Authentication | Secure password hashing, optional MFA |
| Monitoring | Security event logging and alerting |
| Vendor Security | Sub-processors maintain security certifications |
No system is 100% secure. If you discover a vulnerability, please contact security@heroworks.ai.
12. Children’s Privacy
Our Service is not intended for children under 16 years of age (or 13 in the United States where COPPA applies). We do not knowingly collect personal information from children.
If you believe we have collected information from a child, please contact us immediately at privacy@heroworks.ai, and we will delete the information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- Minor Changes: Updated policy posted with new “Last Updated” date
- Material Changes: Email notification and/or in-app notice; may require re-consent
Your continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related inquiries:
Email: privacy@heroworks.ai
Mail:
Smash Media Inc
Attn: Privacy
53 Palmeras Street Suite 601
San Juan PR 00901-2410
Response Time: Within 30 days
15. Data Protection Officer
For users in the EU/EEA, you may contact our designated representative for data protection matters at:
Email: dpo@heroworks.ai
16. Supervisory Authority
If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local Data Protection Authority.
A list of EU DPAs is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Version History
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | December 2025 | Initial version |