elisa.

— Privacy —

Held plainly.

How we collect, hold, and protect your information.

Effective: 2026-04-18 · Controller: elisa Ltd, 71–75 Shelton Street, London WC2H 9JQ, United Kingdom · Contact: privacy@hielisa.com

What we collect

  • Account data. Name, email, password (hashed), jurisdiction, timezone.
  • Conversations. The messages you send to elisa and her replies. Stored per-user, isolated.
  • Memory. Structured facts she has learned from your conversations — names, dates, threads, preferences — held as a private knowledge graph on your account.
  • Connected sources. When you connect Google Calendar, email, Stripe, or other integrations, we access only what you grant and only what's needed for her to help.
  • Delegated commerce. Transactions elisa makes on your behalf, with itemized receipts.
  • Technical. IP, user agent, device identifiers for rate-limiting and security.

How we use it

Solely to provide the elisa service: remember what you've told her, notice what needs doing, handle requests, confirm spends. We do not sell your data. We do not train foundation models on your conversations. We do not run ads.

Third-party sources

With your explicit OAuth grant, elisa reads from:

  • Google Calendar / Apple Calendar — scheduling context
  • Gmail / Outlook — email context and draft insertion
  • Stripe — payment processing for delegated commerce
  • YNAB — budget and category context (closed test)

Each integration has a separate consent screen. You can revoke any connection at any time from Settings with a single tap.

Your rights

Under UK GDPR and CCPA/CPRA: access, portability, correction, deletion, objection, and the right to limit the use of sensitive personal information (including financial data from connected sources).

Exercise any of these by emailing privacy@hielisa.com or dpo@hielisa.com. We respond within 30 days.

Security

Data encrypted at rest (AES-256) and in transit (TLS 1.3). Per-user isolated memory stores. No human reads your conversations without explicit support escalation. Report vulnerabilities to security@hielisa.com.

Retention

Conversations and memory are retained for the life of your account. Deleting your account removes everything, including the long-term memory, within 30 days. Backups age out within 90 days.

International transfers

elisa operates on infrastructure in the US and UK. When data moves between jurisdictions we rely on Standard Contractual Clauses and applicable adequacy decisions.

Changes

If this policy changes materially, we'll email every affected user at least 30 days before the change takes effect.