Legal
Privacy Policy
Effective date: May 31, 2026 · Last updated: May 31, 2026
This Privacy Policy describes how Heros Consulting Inc. ("Heros Consulting," "we," "us," or "our") collects, uses, shares, and protects information about you when you use the CleanOS website at herosconsulting.ai and the CleanOS web application (collectively, the "Services").
If you do not agree with this policy, do not use the Services.
1. Who we are
Heros Consulting Inc. is a California corporation headquartered at:
Heros Consulting Inc.
980 9th Street, Floor 16
Sacramento, CA 95814
United States
For privacy questions, contact oscar@herosconsulting.com.
2. Information we collect
2.1 Information you give us
- Account information. Email address, business name, password (hashed), and any access code you redeem.
- Business inputs. Information you type into CleanOS — building square footage, pricing assumptions, prospect lists, walkthrough notes, proposal text, email templates.
- Payment information. Billing details are collected and processed directly by Stripe, Inc. We do not store full card numbers on our servers; we receive only a Stripe customer ID, the last four digits, card brand, and billing email.
- Support communications. Anything you send to oscar@herosconsulting.com.
2.2 Information collected automatically
- Log data. IP address, browser type, pages viewed, timestamps, and referring URL. Used for security, debugging, and rate-limiting.
- Cookies and local storage. Small files stored in your browser to keep you signed in, remember your preferences, and operate the app. See our Cookie Policy.
- Device information. Operating system and browser version, used to deliver a working experience and detect abuse.
3. How we use information
- Provide, operate, and maintain the Services.
- Process payments and manage subscriptions through Stripe.
- Send transactional emails (sign-in confirmations, receipts, password resets, service notices).
- Respond to your support requests.
- Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
- Comply with legal obligations.
- Improve the Services in aggregate, non-identifiable form.
We do not sell your personal information. See Do Not Sell or Share My Personal Information.
We do not use your business inputs to train AI models. When you use CleanOS features powered by OpenAI or Anthropic, the prompts you send are processed under those providers' API terms, which prohibit training on API content by default.
4. Sub-processors we use
To operate the Services, we share limited information with the following sub-processors. Each is contractually bound to handle your information consistent with this policy.
| Sub-processor | Purpose | Data shared |
| Supabase, Inc. (US) | Database and authentication | Account data, business inputs |
| Netlify, Inc. (US) | Website hosting and serverless functions | Request metadata, IP address |
| Stripe, Inc. (US) | Payment processing and subscription billing | Email, billing details, payment method |
| OpenAI, L.L.C. (US) | AI assistant (CLEO), text-to-speech, translation | Prompts you submit; not used to train models |
| Anthropic, PBC (US) | AI features (lead research, proposal drafting) | Prompts you submit; not used to train models |
| Licensed B2B data provider (US) | Commercial-property prospect database used by the Lead Finder | City, state, industry, role, and company-size filters you select |
| Instantly.ai (US) | Outbound email sending (when you enable it) | Sender identity, recipient list you upload, email content |
| Google LLC (US) | Gmail API (sending emails from your connected Gmail account) | OAuth tokens, sender email address, recipient list you compose, message content. See §5.5 for full Gmail scope details. |
An updated list is available on request to oscar@herosconsulting.com.
5. How we share information
We share information only as described in this policy, including:
- With sub-processors as listed above, solely to operate the Services.
- With your consent for any purpose disclosed at the time you give consent.
- For legal reasons — to comply with a subpoena, court order, or other legal process, or to protect the rights, property, or safety of Heros Consulting, our users, or the public.
- In a business transfer — if Heros Consulting is involved in a merger, acquisition, or sale of assets, your information may transfer as part of that transaction. You will be notified before your information becomes subject to a different privacy policy.
We do not sell or rent personal information to third parties for their marketing.
5.5 Google user data (Gmail connection)
If you connect a Google account to CleanOS (the “Connect Gmail” feature in our Send Emails and Outreach Campaigns tabs), the following terms apply to the limited Google user data we receive:
- Scopes we request, and only these:
https://www.googleapis.com/auth/gmail.send — permission to send messages on your behalf via the Gmail API.
https://www.googleapis.com/auth/userinfo.email — your Google account’s primary email address, used to identify which inbox is connected and to display it in the CleanOS UI.
https://www.googleapis.com/auth/userinfo.profile — your full name, used in the From: header of outgoing messages.
- What we do NOT request and do NOT access:
- We do not read, search, or scan the contents of your inbox.
- We do not read or download your contacts.
- We do not access your Google Calendar, Drive, Photos, or any other Google service.
- We do not modify, delete, or move any existing message in your Gmail account.
- We do not request the
gmail.readonly, gmail.modify, gmail.compose, gmail.labels, gmail.metadata, or gmail.settings.* scopes.
- How we store your Gmail credentials: Your OAuth access token and refresh token are stored encrypted in our database (Supabase, US region) and accessible only to authenticated CleanOS backend services. Row-Level Security policies prevent any user other than you from reading them.
- What we do with the scope: When you compose a message in CleanOS and click Send (or when a campaign you built and activated reaches its scheduled send time), our backend uses your
gmail.send token to POST one MIME message to the Gmail API. The message is sent through Google’s infrastructure from your own Gmail address. Replies return to your own inbox.
- Daily limits: We enforce a server-side daily quota that matches the Gmail account’s native limit (500/day for personal Gmail, 2,000/day for Google Workspace). We do not attempt to bypass, rotate around, or otherwise circumvent these limits.
- Recipient suppression: Every outgoing message includes a one-click List-Unsubscribe header (RFC 8058) and a visible unsubscribe link. Recipients who unsubscribe are stored in our suppression list and are programmatically blocked from receiving further messages from your account, regardless of which list you later import.
- Sharing with third parties: We do not share, sell, transfer, or otherwise disclose your Google user data to any third party. We do not use Google user data for advertising, AI/ML model training, or any purpose other than the user-initiated send action you triggered.
- Disconnection: You may revoke CleanOS’s access at any time by clicking “Disconnect Gmail” in the Send Emails tab. Upon disconnect, we (1) call Google’s token revocation endpoint at
https://oauth2.googleapis.com/revoke within one second, and (2) delete the row containing your access and refresh tokens from our database. You may additionally revoke access directly from your Google Account at myaccount.google.com/permissions.
- Google API Services User Data Policy. CleanOS’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We affirmatively certify that our app does not transfer Google user data to third parties unless necessary to provide or improve user-facing features that are prominent in the requesting application’s user interface; does not transfer or sell Google user data for advertising or other unrelated purposes; does not use Google user data to develop, improve, or train generalized AI/ML models; and does not allow humans to read user data unless we have obtained the user’s affirmative agreement to view specific messages, doing so is necessary for security purposes, to comply with applicable law, or our use is for internal operations and the data has been aggregated and anonymized.
6. Data retention
- Active accounts. We retain your data while your account is active.
- Cancelled accounts. Within 90 days of cancellation, we delete or anonymize account data, except records we are required to retain by law (e.g., tax records, transaction logs — typically 7 years).
- Backups. Encrypted backups may persist for up to 35 days after deletion before being overwritten.
- Support emails. Retained for up to 3 years for quality and dispute resolution.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information (subject to limited legal exceptions).
- Receive a copy of your information in a portable format.
- Opt out of certain processing.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email oscar@herosconsulting.com from the email address associated with your account. We will respond within 30 days (or sooner where required by law).
California residents: see your additional rights under the CCPA opt-out page.
EU/EEA/UK residents: see our GDPR information page.
8. Security
We protect your information using industry-standard measures, including TLS encryption in transit, encryption at rest for the database, hashed passwords (never stored in plaintext), per-IP rate limiting, content security policies, and server-side API key handling so third-party credentials are never exposed to your browser.
No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you and applicable regulators as required by law.
9. International transfers
We operate in the United States. If you use the Services from outside the US, your information will be transferred to, stored, and processed in the US. By using the Services you consent to that transfer.
10. Children
The Services are for business use and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email oscar@herosconsulting.com and we will delete it.
11. Marketing emails
We may send you product updates and tips. You can unsubscribe at any time using the link at the bottom of any marketing email or by emailing oscar@herosconsulting.com. Transactional emails (receipts, password resets, service notices) will continue regardless of marketing preferences.
12. Changes to this policy
We may update this policy. If we make material changes, we will notify you by email and update the "Effective date" above. Continued use of the Services after the effective date constitutes acceptance.
13. Contact