Good Ventures Lab Inc. operates the Heroa managed runtime. This policy describes what data the managed plane collects, the lawful bases for processing, retention, and your rights.
Good Ventures Lab Inc. (Canada) is the data controller for the Heroa managed runtime. Subprocessors (cloud infrastructure, KMS, observability, support) act as processors under data-processing agreements that mirror our obligations to you.
Account data. Name, email address, billing contact, billing address, and payment method reference (tokenized; we do not store raw card data). Used to operate your account and invoice you.
Task execution metadata. For each task: workspace ID, task ID, template name, region, start and end timestamps, exit code, CPU minutes consumed, and status. We do not collect the content of task inputs or outputs. The task container writes its own logs to the workspace-scoped log store; those logs belong to you and are deletable on request.
Vault secret names. The names (not values) of secrets stored in your workspace vault. Values are encrypted and not readable by Heroa staff outside a formal key-escrow process you explicitly authorize.
Support interactions. When you contact us, we retain the content of those interactions for the duration of the support relationship plus three years.
Marketing site. Standard server-side request logs (IP address, user agent, requested URL) retained for 30 days. We do not run third-party advertising trackers on heroa.ai.
We do not collect task input or output data. We do not store container filesystem contents after task completion. We do not run advertising trackers. We do not sell or rent user data.
Task execution metadata. Retained for the contractual window in your order form, default seven years. Exportable and deletable on request except where retention is mandated by law.
Task logs. Retained per your plan (30 days on Developer, 365 days on Workspace, custom on Enterprise and Sovereign). You can delete your own logs at any time from the dashboard.
Account data. Duration of the account plus seven years after closure for tax and audit purposes.
Server logs. 30 days. Aggregated telemetry. 13 months. Support tickets. 3 years from resolution.
We share with cloud infrastructure providers (Google Cloud Platform for the managed plan), and with government bodies where required by lawful process. We do not sell. We do not share with marketing third parties.
BYOC deployments. When you use BYOC, the Heroa agent runs inside your own cloud account. Heroa does not receive the contents of your workloads; only task-lifecycle webhook events (start, complete, error) pass over the control channel. Your cloud provider's policies govern the data in your account.
Cross-border transfer. Managed plan data is processed in Canada and the United States by default. Sovereign BC customers receive a contractual guarantee that no data leaves Canada.
You may access, correct, export, or delete your personal data by writing to [email protected]. We respond within 30 days. EU residents have rights under GDPR; California residents under CCPA/CPRA; Canadian residents under PIPEDA. We honor all of them.
Material changes are announced on the changelog and emailed to billing contacts at least 30 days in advance.
Questions: [email protected].
Last updated 2026-04-26.