Privacy at Honne
UPDATED · April 21, 2026
TL;DR
We store what you give us (email, workspace, studies). We store what your participants give you (their responses). We don't sell it. We don't share it with advertisers. You can export or delete it anytime. [LAWYER REVIEW: confirm this reflects actual data handling before production deploy.]
What we collect and why
When you sign up, we store your email and workspace name. That's the minimum we need to give you an account you can log back into.
When participants complete your studies, we store their responses, any free-text answers, and session recordings if you enabled them. These live in your workspace. You own them.
We also log standard server metadata — IP address, user agent, request timestamp — for 30 days, to detect abuse and debug outages. [LAWYER REVIEW: confirm 30-day retention is correct.]
Who sees it
Your workspace data is visible to you and whoever you invite. Nobody else on your team sees a study until you share it with them.
A small group of Honne engineers can access production systems when something breaks. Access is logged and requires two-person approval for anything touching participant responses. [LAWYER REVIEW: confirm access-control policy matches production reality.]
We don't sell your data. We don't hand it to advertisers. We don't use it to train models for other customers.
How long we keep it
Studies and responses stay in your workspace until you delete them or close your account. After account closure, we keep data for 30 days in case you change your mind, then it's permanently removed from primary storage.
Encrypted backups may retain deleted data for up to 90 additional days before rolling off. [LAWYER REVIEW: confirm backup retention windows.]
Your rights
You can see, export, correct, or delete any data we hold about you. Most of that is one click inside your workspace settings. If you need something we don't expose in the UI, email us and a human will handle it.
If you're in the EU, UK, California, or another jurisdiction with specific data-subject rights, those rights apply to you here. [LAWYER REVIEW: enumerate GDPR/CCPA/other rights with exact statutory language.]
Participants vs. researchers
Two different relationships exist on Honne, and they work differently.
If you're a researcher — the person running a study — we're your data processor. Your responses and participants live in your workspace; we help you store and analyze them.
If you're a participant — someone answering a study — the researcher who invited you is the data controller for your responses. Honne is their infrastructure. If you want to access or delete your responses, contact the researcher first; we'll help them fulfill the request. [LAWYER REVIEW: confirm controller/processor framing under GDPR.]
Third parties we use
We use a small set of infrastructure providers to run the service:
- Supabase — our database and auth layer
- Vercel — hosting for the web app
- Stripe — billing (only if you're on a paid plan)
- PostHog — product analytics (first-party, no ad networks)
Each has a data-processing agreement with us. [LAWYER REVIEW: link to current subprocessor list and DPAs; keep this in sync.]
Security practices
Data is encrypted in transit (TLS 1.2+) and at rest. Row-level security isolates every workspace in the database. We rotate secrets regularly and require two-factor auth for all staff accounts.
If we discover a security incident that affects you, we'll notify you within 72 hours with what we know and what we're doing about it. [LAWYER REVIEW: confirm breach-notification SLA matches GDPR Art. 33.]
Children's privacy
Honne isn't for anyone under 16. We don't knowingly collect data from children. If you believe a child has submitted data through a study on Honne, contact us and we'll delete it. [LAWYER REVIEW: confirm minimum age aligns with GDPR-K and COPPA.]
Contact
Privacy questions go to [email protected]. A real person reads that inbox and will reply within two business days.
For formal data-subject requests, include your account email and the workspace name so we can locate your data quickly. [LAWYER REVIEW: confirm mailing address + DPO designation for EU reps.]