Legal
Privacy Policy
Heksis, MB — Leafy
1. Introduction
Heksis, MB ("we", "us", or "our") operates Leafy ("the Service") — a do-anything assistant that runs on the web pages you visit. We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable EU member state law.
This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and what rights you have. Please read it carefully.
Data Controller: Heksis, MB
Registered address: V. Nagevičiaus g. 3, LT-08237 Vilnius
Contact: support@leafy.you
2. Data We Collect
We collect the following categories of personal data:
2.1 Account & Identity Information
- Email address (used to sign in and to contact you about your account)
- Display name, if you provide one
- Password, stored only as a salted cryptographic hash (scrypt) — never in plaintext
2.2 Billing & Subscription Information
If you subscribe to Leafy Pro, payment is processed by Stripe. We do not see or store your card details; we retain only your subscription status and the Stripe customer and subscription identifiers needed to manage your plan, plus transaction records required for accounting.
2.3 Content You Ask Leafy to Act On
Leafy acts only when you invoke it. When you do, the content you point it at — the text or elements on the current page, a screenshot you take, a voice note you record, and the message you type — is sent to our backend and to our AI provider (and, where your task requires it, to a connected app via Composio) to understand and carry out your request. Leafy does not read, capture, or transmit page content in the background or on pages where you have not invoked it.
2.4 Your Lists, Reminders, Notes & Knowledge
The lists, reminders, on-page notes, and knowledge you create in Leafy are stored so the Service can show them back to you and act on them. You can export or delete them at any time.
2.5 Connected-App Data
Leafy lets you connect third-party services (e.g. Gmail, Google Calendar, Slack, Notion, CRMs, and many more), brokered through our integration provider, Composio. When you authorise a connection, we access data from that service solely at your direction and only to deliver the functionality you requested. We never access a service you have not explicitly connected. Connection credentials (OAuth tokens and configuration) are retained while the connection is active and deleted promptly when you disconnect it (see Section 7). Composio's own sub-processors are listed at https://trust.composio.dev
2.6 Diagnostic & Usage Data
To operate, secure, and improve the Service we keep limited server logs and a minimal record of assistant activity (for example, a timestamp and the account that ran a request). We do not use third-party advertising networks, and we do not embed analytics or tracking SDKs that profile you across the web.
2.7 Local Browser Storage
The Leafy browser extension stores your sign-in token and your on-page notes in your browser's local extension storage so they persist between sessions. This data stays in your browser and is not an advertising cookie.
3. Legal Basis for Processing
Under the GDPR, we rely on the following lawful bases:
- Performance of a contract (Article 6(1)(b)): to create and manage your account, run the tasks you ask of Leafy, and manage your subscription
- Legitimate interests (Article 6(1)(f)): to secure, maintain, debug, and improve the Service
- Consent (Article 6(1)(a)): for each third-party integration, on the basis of your explicit authorization
- Legal obligation (Article 6(1)(c)): where required by law (e.g. accounting and tax records)
4. How We Use Your Data
We use your personal data to:
- Create and manage your Leafy account
- Understand and carry out the tasks you ask Leafy to perform
- Power the third-party integrations you have authorized
- Provide, operate, secure, and improve Leafy
- Process payments and manage your subscription
- Diagnose technical issues and prevent abuse
- Communicate with you about your account, updates, and support requests
- Comply with our legal obligations
5. Data Sharing & Third Parties
We do not sell your personal data, and we do not use or share it for any purpose unrelated to running Leafy. We share data only with the third-party service providers ("data processors") that help us operate the Service, and only so they can perform their function on our behalf and under our instructions. Where required, these providers are bound by Data Processing Agreements.
Our current sub-processors:
- Microsoft Azure (Azure OpenAI): Powers Leafy's assistant. The content and queries you submit — your messages and the page content, screenshots, or voice you point Leafy at — are processed through Azure OpenAI models to plan and carry out your task, and to transcribe voice captures. Azure OpenAI does not use this data to train its models.
- Composio: Brokers the third-party app connections you authorize and executes actions on those apps at your direction; it also powers Leafy's web search and page-reading. Composio processes the OAuth tokens, credentials, connection configuration, and the queries or content needed to perform what you asked. Composio maintains its own sub-processor list at https://trust.composio.dev
- Stripe: Processes payment, billing, and subscription information on our behalf when you subscribe to Leafy Pro. Card details are handled entirely by Stripe and are never stored on our servers.
- Cloud server hosting: Leafy's backend and its PostgreSQL database run on a virtual private server we manage at Hostinger, which stores your account and Service data and may therefore process personal data.
We may add or change sub-processors from time to time and will update this list when we do.
We may also disclose personal data where required by applicable law, court order, or regulatory authority, or where necessary to protect the rights, safety, or property of Heksis, MB, its users, or the public.
6. International Data Transfers
Heksis, MB is established in the EU. Some of our sub-processors (for example, our AI, integration, and payment providers) may process personal data outside the European Economic Area (EEA). Where they do, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision — to protect your data.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law:
- Account data (including your password hash) is retained for the life of your account and deleted within 30 days of account closure.
- Your lists, reminders, notes, and knowledge are kept until you delete them or close your account.
- The content you ask Leafy to act on is processed to fulfil your request and is not used to train AI models; our AI provider may retain it only transiently for abuse monitoring in line with its terms.
- Connection credentials are deleted within 48 hours of you disconnecting an app.
- Subscription and transaction records are retained as required for accounting and tax purposes.
- Diagnostic and usage records are kept for no longer than necessary to operate and secure the Service (typically up to 90 days) and are then deleted or anonymised.
8. Your Rights Under the GDPR
As a data subject, you have the following rights:
- Right of access: to obtain a copy of the personal data we hold about you
- Right to rectification: to correct inaccurate or incomplete data
- Right to erasure: to request deletion of your data, subject to legal retention obligations
- Right to restriction of processing: to restrict how we process your data in certain circumstances
- Right to data portability: to receive your data in a structured, commonly used, machine-readable format
- Right to object: to object to processing based on legitimate interests
- Rights related to automated decision-making: we do not make solely automated decisions that produce legal or similarly significant effects on you
To exercise any of these rights, contact us at support@leafy.you. We will respond within 30 days as required by the GDPR.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure. These include:
- Encryption of data in transit (TLS) and at rest where supported
- Passwords stored only as salted scrypt hashes
- Access controls and the principle of least privilege
- Regular monitoring and review
No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident.
10. Children's Data
The Service is not directed at children under the age of 16 (or such lower age as permitted by the applicable EU member state). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@leafy.you and we will take prompt steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via a prominent notice within the Service before the change takes effect. The "Last updated" date at the top of this document reflects the most recent revision.
Your continued use of the Service after the effective date of any update constitutes your acknowledgement of the revised policy.
12. Contact & Supervisory Authority
For any questions or concerns about this Privacy Policy or our data practices, please reach out:
Heksis, MB
Email: support@leafy.you
Registered address: V. Nagevičiaus g. 3, LT-08237 Vilnius
You also have the right to lodge a complaint with your national data protection supervisory authority. As a company established in Lithuania, the relevant authority is:
State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
Website: https://vdai.lrv.lt
Email: ada@ada.lt