Privacy Policy

Hiro Analytics Inc.
Last updated: November 21, 2024


Introduction

Hiro Analytics Inc. (“Hiro Analytics,” “we,” “us,” or “our”) provides retention marketing analytics services that help agencies and brands analyze their marketing performance across channels and platforms. This Privacy Policy explains how we collect, use, store, and protect information in connection with our services.

We never sell your data—never have, never will.


Scope and Application

This Privacy Policy applies to:

  1. Account Holders: Businesses and agencies that sign up for and use Hiro Analytics services
  2. Authorized Users: Individuals granted access to Hiro Analytics by Account Holders
  3. Website Visitors: Anyone who visits hiroanalytics.com

Important Distinction: Our Dual Role

Hiro Analytics operates in two distinct capacities:

As a Data Controller: For information we collect directly about you (account information, billing details, website interactions)

As a Data Processor: For marketing and e-commerce data we process on your behalf from integrated platforms (Klaviyo, Attentive, Postscript, Sendlane, Yotpo, and similar services)

What This Policy Does Not Cover

This policy does not govern the data practices of the third-party platforms you integrate with Hiro Analytics (such as Klaviyo, Shopify, Attentive, etc.). Please refer to those platforms’ privacy policies for information about their data practices.

For detailed information about how we process data from your integrations on your behalf, please refer to our Data Processing Agreement.


Information We Collect
1. Account and Business Information (We are the Controller)

When you sign up for Hiro Analytics, we collect:

  • Contact Information: Name, email address, company name
  • Account Credentials: Login information and authentication data
  • Billing Information: Payment details, billing address, tax identification (processed through our payment processor)
  • Company Information: Business type, industry, company size
  • Communication Records: Support tickets, feedback, and correspondence with our team

Why we collect this: To create and manage your account, provide customer support, process payments, and communicate about service updates and changes.

2. Platform Integration Data (We are the Processor)

When you connect third-party platforms to Hiro Analytics, we collect and process data through their official APIs:

Messaging Engagement Data
  • Message metadata (campaign names, IDs, send times, subject lines, template HTML)
  • Engagement metrics (opens, clicks, unsubscribes)
  • Message performance data across email, SMS, WhatsApp, and push channels

Profile Data (Anonymized)
  • Profile ID (anonymized identifier—not linked to PII)
  • Email and SMS subscription consent status (subscription date, unsubscribe date)
  • Channel preferences
  • Source properties (e.g., referring source)
  • Custom properties and behavioral tags (e.g., last active, last updated)

Order and Transaction Data
  • Order ID
  • Profile ID (anonymized)
  • Order value and currency
  • Order date and time
  • Discount and shipping amounts
  • Product line items and metadata

Why we collect this: To provide analytics, generate reports, track marketing attribution, analyze campaign performance, and deliver the retention marketing insights you contracted for.

Data Retention for Integration Data:

  • Email and SMS engagement data: From January 1, 2023 to present
  • Order data: From the beginning of your integration to present (to determine first-time vs. returning customer patterns)

What We Do NOT Collect from Integrations

To protect end-user privacy and maintain data minimization principles, Hiro Analytics does not collect, process, or store the following personally identifiable information (PII) from your integrated platforms:

  • Email addresses of end users
  • Phone numbers
  • Customer names
  • Physical addresses (billing or shipping)
  • Date of birth
  • Government-issued identifiers (SSN, passport numbers, etc.)
  • Payment processing metadata or credit card information
  • Order notes or customer comments
  • Return or refund reasons

All profile data is processed using anonymized identifiers, ensuring we can provide analytics without accessing or storing personal information about your customers.

3. Usage and Technical Information

We automatically collect:

  • Log Data: IP addresses, browser type, operating system, access times
  • Usage Data: Features used, pages viewed, actions taken within the platform
  • Device Information: Device type, unique device identifiers
  • Performance Data: System performance metrics, error logs

Why we collect this: To maintain platform security, prevent fraud, troubleshoot technical issues, and improve service performance.

4. Cookies and Similar Technologies

We use cookies and similar tracking technologies to:

  • Maintain your login session
  • Remember your preferences and settings
  • Analyze platform usage and optimize user experience
  • Perform conversion rate testing and A/B testing

You can control cookies through your browser settings. Note that disabling cookies may limit some platform functionality.

5. Voluntary Communications

If you contact us with questions, feedback, or support requests, we retain:

  • Email correspondence
  • Chat transcripts
  • Support ticket information
  • Feedback and feature requests

Why we collect this: To provide customer support, improve our services, and maintain records for quality assurance.


How We Use Your Information
For Account Holders and Users

We use your account information to:

  1. Provide and maintain our services: Create accounts, authenticate users, process payments
  2. Communicate with you: Send service updates, security alerts, billing notifications, and respond to inquiries
  3. Improve our platform: Analyze usage patterns, identify bugs, develop new features
  4. Ensure security: Detect and prevent fraud, abuse, and security incidents
  5. Comply with legal obligations: Maintain records, respond to legal requests, enforce our Terms of Service

For Integration Data (Data Processing)

We process integration data solely to provide analytics services contracted by you:

  1. Generate reports and dashboards: Campaign performance, attribution analysis, revenue tracking
  2. Calculate metrics: Customer lifetime value, cohort analysis, retention rates
  3. Provide insights: Marketing channel effectiveness, customer journey analysis
  4. Support decision-making: Data-driven recommendations for marketing optimization

Data is never used for:

  • Training AI or machine learning models (except for your specific analytics)
  • Marketing our services to your customers
  • Sharing with other Hiro Analytics customers
  • Any purpose other than providing services to you


Data Sharing and Disclosure
We Do Not Sell Your Data

Hiro Analytics has never sold customer data and never will. We do not share, rent, or sell your information to third parties for their marketing purposes.

Limited Sharing with Service Providers (Sub-processors)

We share data only with trusted service providers who help us deliver our services:

| Sub-processor | Purpose | Data Access |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data storage | Integration data, account data |
| Retool | Internal tools for data access and reporting | Limited access for support and analysis |
| Stripe | Payment processing | Billing information only |

All sub-processors are contractually obligated to:

  • Use data only for specified purposes
  • Implement appropriate security measures
  • Comply with applicable data protection laws
  • Not share data with unauthorized parties

We may disclose information when required to:

  • Comply with valid legal process (subpoenas, court orders)
  • Enforce our Terms of Service
  • Protect the rights, property, or safety of Hiro Analytics, our customers, or others
  • Investigate potential violations or security incidents
  • Respond to government or regulatory inquiries

In such cases, we will make reasonable efforts to notify you unless prohibited by law.

Business Transfers

If Hiro Analytics is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.


Data Processing Principles

Hiro Analytics adheres to the following principles when processing data:

1. Data Minimization

We collect only the data necessary to provide our analytics services. We do not collect PII from end users and use anonymized identifiers wherever possible.

2. Purpose Limitation

Data is used solely for analytics, reporting, and insight generation. Integration data is processed exclusively to deliver services to you and is never shared with third parties for unrelated purposes.

3. Anonymization

All customer profile data is processed using anonymized identifiers rather than personal identifiers, ensuring privacy by design.

4. Retention Limitation

We retain data only as long as necessary for service provision and in accordance with our data retention policies:

  • Active accounts: Data retained for the duration of your subscription
  • Canceled accounts: Data made inaccessible immediately; permanently deleted within 60 days
  • Legal requirements: Some data may be retained longer to comply with legal, tax, or regulatory obligations

5. Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We implement appropriate technical and organizational measures including:

  • Role-based access controls
  • Multi-factor authentication
  • Regular security audits
  • Incident response procedures
  • Continuous monitoring and logging

6. Transparency

We are committed to being transparent about our data practices and providing you with control over your information.


Our data processing activities are conducted under the following legal bases:

For Account Data (We are Controller)
  • Contract: Processing necessary to provide services you’ve requested
  • Legitimate Interest: Improving our services, preventing fraud, ensuring security
  • Consent: Where explicitly provided (e.g., marketing communications)
  • Legal Obligation: Compliance with applicable laws and regulations

For Integration Data (We are Processor)
  • Contract: Processing on your behalf as specified in our Data Processing Agreement
  • Legitimate Interest: Your legitimate interest in business analytics
  • Consent: Where you have obtained consent from data subjects

Your responsibility: As the data controller for integration data, you are responsible for ensuring you have a lawful basis to share data with Hiro Analytics and that your customers are appropriately informed about this processing.


Your Rights and Choices
Access and Control

You have the right to:

  1. Access: Request a copy of the information we hold about you
  2. Rectification: Correct inaccurate or incomplete information
  3. Erasure: Request deletion of your information (subject to legal retention requirements)
  4. Restriction: Request that we limit how we use your information
  5. Portability: Receive your data in a structured, machine-readable format
  6. Object: Object to certain processing activities
  7. Withdraw Consent: Where processing is based on consent, withdraw it at any time

How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: brendan@hiroanalytics.com
  • Subject Line: “Data Subject Rights Request”

We will respond to your request within 30 days and may require verification of your identity to protect your information.

For End-User Data Subject Requests

If you receive a data subject rights request from one of your customers regarding data processed by Hiro Analytics on your behalf, please contact us immediately. We will assist you in responding to the request in accordance with applicable data protection laws.


Data Security
Technical Measures

We implement industry-standard security measures including:

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC) with principle of least privilege
  • Authentication: Multi-factor authentication (MFA) for all user accounts
  • Network Security: Firewalls, intrusion detection systems, DDoS protection
  • Monitoring: Continuous security monitoring and logging
  • Vulnerability Management: Regular security assessments and penetration testing

Organizational Measures
  • Security Policies: Comprehensive information security policies and procedures
  • Employee Training: Regular security and privacy training for all team members
  • Access Management: Strict controls on who can access customer data
  • Incident Response: Documented procedures for identifying and responding to security incidents
  • Vendor Management: Due diligence and contractual security requirements for all sub-processors

Data Breach Notification

In the event of a data breach that affects your information, we will:

  1. Notify you within 72 hours of becoming aware of the breach
  2. Provide details about the nature of the breach and data affected
  3. Describe measures taken to address the breach
  4. Advise on steps you should take to protect yourself
  5. Cooperate with you to meet any notification obligations you may have to your customers

Data Location and International Transfers
Primary Data Location

All data processed by Hiro Analytics is stored and managed in the United States using Amazon Web Services (AWS) infrastructure.

International Transfers

By using Hiro Analytics services, you acknowledge and consent to the transfer and storage of data in the United States. If you are located outside the United States, please be aware that:

  • Data protection laws in the U.S. may differ from those in your jurisdiction
  • We implement appropriate safeguards to protect transferred data
  • We comply with applicable international data transfer requirements

For customers in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) where applicable
  • Adequacy decisions recognized by the European Commission
  • Other lawful transfer mechanisms as required


Retention and Deletion
Account Data
  • Active Accounts: Retained for the duration of your subscription and as needed for service provision
  • Canceled Accounts: Made inaccessible immediately upon cancellation; permanently deleted within 60 days
  • Billing Records: May be retained longer to comply with tax and financial regulations (typically 7 years)

Integration Data
  • Engagement Data: Collected from January 1, 2023 to present; retained during active service
  • Order Data: Collected from integration start date to present; retained during active service
  • Upon Cancellation: Deleted within 60 days unless you request immediate deletion or specific retention for business purposes

In some cases, we may be required to retain data longer due to:

  • Active litigation or regulatory investigations
  • Legal preservation requirements
  • Ongoing security incident investigations

We will notify you if a legal hold affects your data.


Children’s Privacy

Hiro Analytics services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child under 18, we will take steps to delete that information promptly.

If you believe we have collected information from a child, please contact us at brendan@hiroanalytics.com.


Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes to our services or business practices
  • Legal or regulatory requirements
  • Industry best practices
  • Customer feedback

Notification of Changes

When we make significant changes to this policy:

  1. We will update the “Last updated” date at the top of this policy
  2. We will notify you via email to the address associated with your account
  3. For material changes affecting your rights, we may require your acknowledgment
  4. The updated policy will be posted at hiroanalytics.com/privacy

Continued use of our services after changes constitutes acceptance of the updated policy.


Additional Information
California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to say no to the sale of personal information
  • Right to access your personal information
  • Right to request deletion of personal information
  • Right to non-discrimination for exercising your rights

Note: Hiro Analytics does not sell personal information.

To exercise these rights, contact us at brendan@hiroanalytics.com.

European Data Protection Rights

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR), including those outlined in the “Your Rights and Choices” section above.

You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your information in accordance with applicable law.

Marketing Communications

We may send you emails about:

  • Service updates and new features
  • Security alerts and important account information
  • Tips and best practices for using Hiro Analytics
  • Company news and product announcements

You can opt out of marketing communications at any time by:

  • Clicking the “unsubscribe” link in any marketing email
  • Contacting us at help@hiroanalytics.com
  • Updating your preferences in your account settings

Note: You cannot opt out of essential service communications (security alerts, billing notices, etc.).


Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Protection Contact

Brendan Uyeshiro
Chief Technology Officer
Email: brendan@hiroanalytics.com

General Inquiries

Email: help@hiroanalytics.com

Company Information

Hiro Analytics Inc.
1111b S Governors Ave
STE 25084
Dover, DE 19904
United States


For more detailed information about our data practices, please review:


Thank you for trusting Hiro Analytics with your data. Your privacy and security are our top priorities.