Privacy Policy

Last updated: June 14, 2026

HQ ("HQ," "we," "us") operates the HQ creative-operations platform at use-hq.com (the "Service"). This Privacy Policy explains what personal and organizational data we collect, how we use it, who we share it with, and your rights. It applies to everyone who visits our website or uses the Service.


1. What data we collect

1a. Account and identity data

When you sign up, we collect your name, email address, and (optionally) a profile photo. We store this in our database, linked to your account.

1b. Organization / team data

When you create or join a team workspace, we store: the team name, your role within the team, and team-level settings (task destination, intake form configuration, brand guidelines, feature flags).

1c. Content you submit

We store the content you put into the Service: intake-form responses (creative requests), generated brief text, template entries, brand assets (colors, tagline, uploaded logo/images), and other content you create or upload. This content is owned by you and is scoped to your team — no other team can see it.

1d. Integration connection data

When you connect a third-party tool (Google, Slack, Monday.com, Asana, Linear, Canva, Figma), we store:

  • A reference identifier (connection ID) pointing to the OAuth token held by our sub-processor Pipedream.
  • Tool configuration you provide (e.g. your Slack channel name, Google Drive folder, Asana project).

We do not store the OAuth token itself in our database; it lives in Pipedream (see §3).

1e. Usage and log data

We automatically collect: IP address, browser/device type, pages visited, timestamps of actions, and error logs. This is standard web-service telemetry used to operate and improve the Service.

1f. Payment data

We use Stripe to process payments. When you subscribe, you provide payment information directly to Stripe — we never see or store your raw card data. We do store your Stripe customer ID, subscription status, and billing history to manage your account.

1g. Cookies

We use minimal cookies: session cookies to keep you logged in, and functional cookies set by our hosting stack. We do not use advertising or tracking cookies.


2. How we use your data

We use the data we collect to:

  • Provide and operate the Service (process intake submissions, create artifacts in connected tools)
  • Manage your account and subscription
  • Send transactional emails (confirmation, billing receipts, submission notifications)
  • Improve and debug the Service (logs, error reports)
  • Comply with legal obligations (tax records, law-enforcement requests)
  • Communicate about product updates (based on our legitimate interest for existing customers)

We do not use your data to train AI models, sell it to third parties, or use it for advertising.


3. Who we share your data with

We share data only as described below. We do not sell your data.

Sub-processors

These are companies that process data on our behalf to deliver the Service:

Sub-processorRoleLocation
Supabase, Inc.Database, authentication, and file storageUS
Vercel, Inc.Web hosting and CDNUS and edge
Pipedream, Inc.Stores and manages OAuth tokens for your connected tools (Google, Slack, Monday, Asana, Linear, Canva, Figma) — encrypted at restUS
Stripe, Inc.Payment processingUS
Resend, Inc.Transactional email deliveryUS

Connected third-party platforms

When you connect Google, Slack, Monday.com, Asana, Linear, Canva, or Figma to HQ, the Service reads from and writes to those platforms on your behalf (creating documents, tasks, and messages). The data sent to or received from those platforms is governed by their own privacy policies. We access only the data required to perform the action you requested.

Legal and safety

We may disclose your data if required by law, court order, or government request, or when necessary to protect the safety of our users or the integrity of the Service. We will notify you where legally permitted.

Business transfers

If HQ is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you by email and/or a prominent notice in the Service before your data becomes subject to a different privacy policy.


4. How we protect your data

  • Encryption in transit: all data between your browser and our servers uses HTTPS.
  • Encryption at rest: your database is encrypted at rest. Sensitive secrets and OAuth tokens are stored in an encrypted vault.
  • Tenant isolation: every piece of your team's data is strictly separated from other teams' data using database-level row-level security — enforced at the database layer, not just in application code.
  • Access controls: only personnel who need access to operate the Service can access customer data.
  • No token exposure to the browser: OAuth tokens for your connected tools are never sent to your browser; they stay server-side.

5. Data retention

Data typeRetention period
Account and team dataRetained while active + 90 days after deletion request or subscription lapse
Intake submissions and artifactsLife of subscription + 30 days after cancellation or termination
Usage logs and telemetry90 days rolling
Payment records7 years (tax/legal compliance)
Backups30 days rolling

You may request deletion of your data at any time by emailing hello@use-hq.com. Upon a verified deletion request, we will delete your personal data within 30 days, except where retention is required by law.


6. Your rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: ask us to correct inaccurate or incomplete data.
  • Deletion: ask us to delete your personal data, subject to legal retention requirements.
  • Portability: receive your data in a machine-readable format.
  • Restriction / objection: restrict how we process your data or object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email hello@use-hq.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.


7. Cookies

We use cookies to keep you logged in and to make the Service function properly. We do not use cookies for advertising tracking. You can clear cookies in your browser settings; note that doing so will log you out of the Service.


8. Children

The Service is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us at hello@use-hq.com and we will delete it.


9. International transfers

Our sub-processors are primarily located in the United States. If you are accessing the Service from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses or other lawful transfer mechanisms where required.


10. Changes to this policy

We may update this Privacy Policy. If a change is material, we will give at least 30 days' notice by email and/or a prominent notice in the Service. Your continued use after the notice period constitutes acceptance.


11. Contact us

For privacy questions, data requests, or to report a concern, email us at hello@use-hq.com.