Documentation Index
Fetch the complete documentation index at: https://help.heydenada.com/llms.txt
Use this file to discover all available pages before exploring further.
Effective date: June 20, 2024 · Last updated: May 1, 2026
- The Denada platform at app.heydenada.com
- The Denada marketing website at heydenada.com
- Our admin and support tools
- Communications you have with us by email or other channels
1. Information we collect
1.1 Information you provide
- Account information: name, email address, password (hashed), profile picture, and team affiliation.
- Billing information: company name, billing email, and payment method. Payment card data is processed by our payment processor and is not stored on Denada systems.
- Content: templates, libraries, blocks, brand information, uploaded assets, and any other content you create, upload, or generate within the platform.
- Assistant inputs: messages you send to the Denada AI assistant and any URLs or files you provide for it to process.
- Support communications: any information you share with us when contacting support.
1.2 Information collected automatically
- Usage data: pages visited, features used, clicks, scrolls, and similar interaction telemetry.
- Device and connection information: browser type, operating system, IP address, approximate geolocation derived from IP, time zone, and referring URLs.
- Cookies and similar technologies: session cookies for authentication and a small number of functional cookies. We do not use advertising cookies. See our cookie disclosures in Section 9.
1.3 Information from third parties
- Single sign-on: if you sign in with Google or another identity provider, we receive your name, email, and profile picture from that provider.
- Integrations: when you connect Denada to a third-party service (e.g., an email service provider), we receive the information necessary to operate the integration.
2. How we use information
We use personal information to:- Provide the service: authenticate you, render the application, save your content, and run AI-assisted generation.
- Operate AI features: process your inputs through third-party LLM providers as described in Section 4.
- Support and communicate: respond to your questions and send service notices (e.g., billing, security, policy updates).
- Improve the service: analyze aggregated usage patterns to fix bugs, prioritize features, and improve reliability and performance.
- Secure the service: detect and prevent fraud, abuse, and security incidents.
- Meet legal obligations: comply with applicable law, including tax, accounting, and law-enforcement obligations.
3. Legal bases for processing (EEA, UK, Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR:- Performance of a contract (Art. 6(1)(b)): to deliver the platform you have subscribed to.
- Legitimate interests (Art. 6(1)(f)): to secure the service, prevent abuse, improve the product, and communicate with you about your account. We balance these interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): where we explicitly ask for it, such as for optional marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): to comply with applicable law.
4. AI processing
Denada is an AI-powered creative platform. When you interact with our assistant or generate templates, libraries, or blocks, your input is processed by large language models (“LLMs”) operated by third-party providers. This section describes how that processing works.4.1 What we send to LLM providers
To fulfill your requests, we transmit the following to LLM providers:- Messages you send to the assistant.
- Brand, template, library, and block content that you have created or uploaded and that is relevant to your request.
- URLs you ask the assistant to fetch, and the content retrieved from those URLs.
- System instructions that govern assistant behavior.
4.2 Which LLM providers we use
We currently use the following LLM providers as sub-processors:- Anthropic (United States)
- OpenAI (United States)
- Google Vertex AI (United States)
- Fireworks AI (United States)
- Groq (United States)
4.3 Retention and training
We have configured our integrations with each LLM provider so that:- Customer content is not used to train the providers’ foundation models. We rely on API-tier or enterprise agreements that contractually exclude inference inputs and outputs from model training.
- Customer content is not retained by providers after inference, except for short-term retention permitted under each provider’s standard abuse-monitoring policy (typically up to 30 days).
- We do not sell customer content to LLM providers or any third party.
4.4 Automated decision-making
The assistant’s outputs are creative drafts that you review and approve before any business use. Denada does not make solely automated decisions about you that produce legal or similarly significant effects within the meaning of Article 22 of the GDPR. You remain in control of which outputs are kept, edited, exported, or sent to your downstream channels. If you would like a human to review how the assistant generated a particular output, contact privacy@heydenada.com.4.5 Your choices
You can:- Delete any assistant chat or generated content at any time from within the application.
- Request export of your AI-generated content under the portability process in Section 6.
- Request that we cease processing your content with LLMs by contacting privacy@heydenada.com. Note that disabling LLM processing will substantially limit Denada’s functionality, since AI generation is a core feature of the service.
5. How we share information
We share personal information only as described below.- With sub-processors that provide infrastructure, hosting, AI inference, email delivery, and similar functions necessary to operate the service. Each sub-processor is bound by a written data-processing agreement and may use the information only as instructed by Denada. The current list is at Sub-processors.
- Within your team: content and account activity is shared with other members of your Denada team or organization. Team administrators can see member-level data.
- For legal reasons: to comply with subpoenas, court orders, or other legal requirements, or to protect the rights, property, or safety of Denada, our users, or the public.
- In a corporate transaction: if Denada is involved in a merger, acquisition, or sale of assets, your personal information may be transferred. We will notify you before personal information becomes subject to a different privacy policy.
- With your direction: when you connect a third-party integration (e.g., an email service provider) or instruct us to share content with another party.
6. Your rights
This section describes the rights you have over your personal information.6.1 Available to all users
- Access and update your account information from Settings → Account.
- Delete your account, which initiates erasure of your personal information from our active systems. Self-service deletion is available from Settings → Account.
- Export your content by contacting privacy@heydenada.com.
- Contact us at privacy@heydenada.com with any privacy question.
6.2 Residents of the EEA, UK, and Switzerland (GDPR / UK GDPR)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21), including objection to direct marketing
- Rights related to automated decision-making (Art. 22) — see Section 4.4
- Right to lodge a complaint with a supervisory authority (list at edpb.europa.eu)
6.3 California residents (CCPA / CPRA)
- Right to know, access, delete, and correct personal information
- Right to opt out of sale or sharing — Denada does not sell or share personal information; no opt-out is necessary
- Right to limit use of sensitive personal information — Denada does not use sensitive PI beyond purposes permitted by §1798.121(a)
- Right to non-discrimination for exercising any CCPA right
- Authorized agents may submit requests on your behalf, subject to verification
6.4 Other US states
If you reside in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, or another US state with a comprehensive privacy law, you generally have rights equivalent to those above: access, correction, deletion, portability, and opt-out of targeted advertising or profiling. Denada does not engage in targeted advertising or profiling that produces legal or similarly significant effects. To exercise any of these rights, contact privacy@heydenada.com.6.5 How to exercise your rights
- Email privacy@heydenada.com with your request and the email address on your Denada account.
- We may ask you to verify your identity. We will not ask for more information than necessary.
- We respond within 30 days of a verifiable request. For complex requests we may extend by up to 60 days and will notify you.
- Exercising your rights is free of charge, except for manifestly unfounded or repetitive requests as permitted by law.
- If we decline a request, we will explain why and inform you of your right to appeal or to lodge a complaint.
7. Data retention
We retain personal information for as long as needed to provide the service and for the periods below.| Category | Retention |
|---|---|
| Active account data | Life of the account |
| Customer content after account termination | Marked for deletion immediately; hard-deleted from production within 30 days |
| Encrypted backups containing terminated-account data | Maximum 90 days, after which permanently expunged |
| Audit logs and security records | 1 year in hot storage, plus additional time as required for SOC 2 evidence |
| Billing and tax records | 7 years (US tax-law requirement) |
| Incident-response documentation | Minimum 5 years (per audited Incident Response Policy) |
| Marketing communications (e.g., newsletter) | Until you unsubscribe |
| Aggregated, de-identified analytics | Indefinite |
8. Security and breach notification
8.1 Security program
Denada maintains an information security program audited under SOC 2 Type 2 by Prescient Assurance. Controls include encryption of customer data in transit (TLS) and at rest, role-based access control with multi-factor authentication, vulnerability scanning, third-party penetration testing, formal change management, and 24-hour deprovisioning of terminated personnel. The SOC 2 report is available under NDA via our trust center.8.2 Breach notification
In the event of a personal-data breach affecting customer data:- We notify affected customers without undue delay, and in any event within 72 hours of confirmed discovery, consistent with GDPR Article 33.
- Notification is sent to the designated account administrator by email and includes the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
- We provide reasonable assistance for customers to meet their own regulatory notification obligations.
- Post-incident, we provide a written incident report and a remediation plan.
9. Cookies and similar technologies
We use a small number of cookies:- Strictly necessary cookies for authentication and session management.
- Functional cookies to remember UI preferences.