Privacy Policy

Keep ("we," "our," or "us") is a product of Heed, operated by Jordan Valverde. This Privacy Policy explains how we collect, use, protect, and handle your information when you use Keep at keep.takingheed.com.

This policy supplements the Heed Privacy Policy and applies specifically to the Keep product.

1. Information We Collect

Account Information

When you create a Keep account, we collect your name, email address, and password. Passwords are hashed and never stored in plain text.

Workspace & Profile Information

When you set up your workspace, we collect family member names, roles (e.g., husband, wife, child), gender, birth year (optional), and profile photos (optional). Each profile is protected by a PIN that is hashed before storage.

Feedback Data

Keep collects two types of feedback during weekly check-ins:

• Numerical ratings: Scores (1–10) across biblical feedback dimensions. These are stored as structured data in our database.
• Written responses: Open-ended text feedback (e.g., "what is this person doing well," "where could they grow"). These responses are encrypted at rest using AES-256-GCM authenticated encryption before being written to our database. Even in the event of a database breach, written responses cannot be read without the encryption key, which is stored separately from the database.

Self-Review Data

Self-assessments include personal ratings and written reflections. Written reflections follow the same encryption practices as feedback responses.

Payment Information

Payment is processed by Stripe. We do not store credit card numbers, CVVs, or full card details. We store your Stripe customer ID, subscription plan, and subscription status to manage your account.

Usage Data

We use PostHog for product analytics. We collect page views, feature usage events (e.g., check-in started, feedback submitted, results viewed), session duration, and device/browser information. We do not track the content of your feedback in analytics — only that an event occurred.

Automatically Collected Information

We collect standard web information including IP addresses, browser type, device type, and referring URLs through cookies and similar technologies.

2. How We Use Your Information

We use the information we collect to:

• Operate and maintain the Keep platform
• Deliver weekly feedback cycles and results to your household
• Generate perception gap insights and track action items
• Process subscription payments
• Send transactional emails (check-in reminders, feedback release notifications, trial expiration notices)
• Improve the product through aggregated, anonymized analytics
• Communicate with you about your account or product updates

We do not sell, rent, or share your personal information or feedback data with third parties for marketing purposes.

3. Data Shared Within Your Household

Keep is a family feedback tool. By design, certain data is shared among members of your workspace:

• Feedback ratings and written responses are shared with the intended recipient after the weekly release date.
• Parents can view feedback given to and from their children.
• Children can only view feedback addressed to or from them.
• Self-review data is visible only to the individual and to parents.
• Action items are visible to the individual who created them and to parents.

The workspace owner (typically a parent) has administrative control over the workspace, including the ability to add or remove profiles, configure the feedback schedule, and release feedback early.

4. Children's Privacy

Keep is designed for use by families, including children under 13. We take children's privacy seriously.

• Parental consent: Children's profiles are created by a parent or guardian who controls the workspace. By creating a child's profile, the parent consents to the collection and use of the child's information within Keep.
• Minimal data collection: For child profiles, we collect only the information necessary for the product to function: name, role, gender, birth year (optional), and their feedback responses.
• Parental oversight: Parents have full visibility into their children's feedback data and can remove a child's profile and associated data at any time.
• Observed profiles: Children too young to participate directly can be added as "observed" members. These profiles collect only observational feedback from parents about the child — the child does not submit any data.
• No direct marketing: We do not send marketing emails to children or use children's data for advertising.

If you believe we have collected information from a child without appropriate parental consent, please contact us immediately.

5. How We Protect Your Information

Encryption

Written feedback responses are encrypted using AES-256-GCM authenticated encryption before storage. Each response has a unique initialization vector (IV) and authentication tag to ensure both confidentiality and integrity.

Authentication & Access Control

• User accounts are protected by email/password authentication
• Individual profiles are protected by PIN codes (hashed before storage)
• PIN lockout protection activates after 5 failed attempts (15-minute lockout)
• Feedback is only accessible after the workspace owner releases the weekly results
• Role-based permissions ensure family members only see feedback relevant to them

Infrastructure

• Data is hosted on Neon PostgreSQL with encryption in transit (TLS)
• The application is deployed on Vercel with HTTPS enforced
• Payment processing is handled by Stripe (PCI DSS compliant)
• Environment secrets (encryption keys, API keys) are stored securely and never committed to source code

Shared Device Security

Keep is designed for families who may share a single device. The PIN-based profile system ensures that family members cannot access each other's sessions without their individual PIN.

6. Data Retention

• Active accounts: Your data is retained for as long as your account is active.
• Canceled subscriptions: Your data is retained for 90 days after cancellation to allow for reactivation. After 90 days, feedback data is permanently deleted.
• Deleted profiles: When a profile is removed from a workspace, all feedback given by and to that profile is permanently deleted via database cascade.
• Encryption keys: In the event that an encryption key needs to be rotated, previously encrypted data will be re-encrypted with the new key.

7. Your Rights

You have the right to:

• Access your personal data and feedback history
• Correct inaccurate profile information through your account settings
• Delete your account and all associated data by contacting us
• Export your feedback data by contacting us
• Withdraw from the platform at any time by canceling your subscription

Workspace owners can manage profiles and data directly through the Keep settings page. For account deletion requests, contact us at the address below.

8. Third-Party Services

Keep uses the following third-party services:

We do not share your feedback content with any third party.

9. Cookies

Keep uses cookies for:

• Authentication: Session cookies to keep you logged in
• Profile switching: Cookies to remember the active profile on shared devices
• Analytics: PostHog cookies for anonymized usage tracking

You can disable cookies in your browser settings, but this will prevent Keep from functioning properly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date. For significant changes, we may also send an email notification.

11. Contact Us

For privacy questions, data requests, or concerns:

Email: jordan@takingheed.com
Website: takingheed.com

Keep is a product of Heed, a company founded by Jordan Valverde.