Privacy Policy
Last updated: Aug 16, 2023
Updates in this version:
Updated the Privacy Shield section to reflect the new Data Privacy Framework.
Data privacy is important. Please read this carefully.
We respect your privacy. This Privacy Policy explains our privacy practices and how we handle the information we process. When you use Aha! Labs Inc. websites, services, applications, and documentation, you are agreeing to the collection, transfer, manipulation, storage, disclosure, and other uses of your information as described in this Privacy Policy.
If you have feedback or suggestions on our Privacy Policy, please email us at support@aha.io.
At Aha! Labs Inc. (“Aha!”), we respect and protect the privacy of visitors to our website (together with the other accounts and websites we own or control, the “Aha! Websites”), and our customers who use our on-demand product development solution, tools, and services offered on the Aha! Websites (together with the Aha! Websites, the “Service”). This Privacy Policy (“Policy”) explains how we collect and use (“process”) visitors’ and customers’ information as part of the Service. Any discussion of your use of the Service in this Policy is meant to include your visits and other interactions with the Aha! Websites, whether or not you are a customer or user of our on-demand product development solution.
Aha! strives to follow these concepts when it processes personal information:
Transparency. We tell you what we are collecting. We disclose the subprocessors that we use to provide the Service. We do not give, sell, rent, or loan personal information to third parties.
Purpose limitation. We process personal information for the reasons that we tell you when collecting it (or that you tell us). We collect what is necessary to fulfill that purpose.
Security. We take reasonable and appropriate measures to protect personal information.
Individuals rights. We provide you with access to your personal information and allow you to exercise your rights in that information. Opt-out requests are promptly honored.
What information does Aha! process?
“Personal information” is information or an information set that identifies or could be used by or on behalf of Aha! to identify an individual.
We process the following personal information: name, username, address, email, phone, IP address, LinkedIn url, social media handles, credit card, and payment information. Aha! does not seek to collect any sensitive data through the Service (e.g., health status; political opinions or religious/philosophical beliefs; trade-union membership; or racial or ethnic origin).
“Other information” is any information that is not personal information. Other information includes:
“Usage Data” is encoded or anonymized information or aggregated data about a group or category of services, features, or users which does not contain personal information. Usage Data helps us understand trends in usage of the Service so that we can better consider new features or otherwise tailor the Service. In addition, we may disclose Usage Data with customers, partners, and service providers for various purposes which include helping us better understand our customers' needs, improving the Service, as well as for advertising and marketing purposes. We do not disclose Usage Data with third parties in a way that would enable them to identify you personally.
“Log files” are information gathered from website usage which includes internet protocol addresses as well as browser, internet service provider, referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to analyze trends, administer and maintain the Service, or track usage of various features within the Service. Occasionally (e.g., in response to an error, inquiry, investigations), we may link a specific log file to an individual to improve the Service.
“Cookies” are used to assist in collecting Other Information. For more details about how we use cookies, please see our Cookie Notice below.
“Web beacons” are tiny graphics with a unique identifier that are used to track online movements of internet users. Unlike cookies, which are stored on a user's computer hard drive, web beacons are embedded invisibly on websites. We also employ web beacons to help us better manage content in the Service by informing us what content is effective or which emails have been opened by recipients. For more details about how we use web beacons, please see our Cookie Notice below.
Why does Aha! process personal information?
We need to process personal information to provide the Service
When you register for the Service, we ask for personal information, such as your name, address, phone number, email address, and credit card information.
Depending on the purpose it is collected for, Aha! uses that information to:
Schedule a demo
Set up your account
Administer your account, including identification, authentication, usage monitoring, security, logging, and back-ups
Provide you with technical support
Send you newsletters or other marketing materials
Consider your job application
Answer your questions or suggestions
Publish your content or comments
Interact with you via social media
Facilitate payment for your subscription
Conduct research
Improve the content and functionality of the Service
In all cases, Aha! has a legal basis for processing personal information and the most common ones are: consent; necessary for the performance of (or at your request prior to entering into) a contract with Aha!; or there is a legitimate interest.
You’ve asked us to
As a customer, you may ask us to process personal information as part of a contractual arrangement (e.g., DPA). In that case, we will only process information for the express purpose that you authorize us to.
When we are legally compelled to disclose it
Aha! may disclose personal information in response to subpoenas, court orders, legal process, lawful requests by public authorities (including to meet national security or law enforcement requirements), or to establish or exercise our legal rights or defend against legal claims. We may also disclose such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, or as otherwise required by law.
Aha! is not processing your personal data when you link or integrate with a third-party application website
The Service contains links to other websites and allows you to integrate with web applications that are not owned or controlled by Aha! Please be aware that we do not determine and are not responsible for the privacy practices or content of such other sites or applications. Once clicked or enabled, those third parties may send Aha! certain information. We encourage you to be aware when you leave the Service and to check the privacy settings and notices of those third parties to understand what data may be disclosed or processed.
Who helps Aha! process personal information?
Aha! uses subprocessors to assist with the delivery of the Service. These subprocessors have access to personal information only to assist Aha! to process that data as you have authorized. All subprocessors are subject to a check in which Aha! reviews privacy, security, and confidentiality practices. Aha! currently uses the following subprocessors to assist it in providing its on-demand product development solution:
Amazon Web Services, Inc. (Cloud service provider) (US)
Automattic Inc. (Cloud-based anti-spam service provider) (US)
Datadog, Inc. (Cloud-based analytics services) (U.S.)
Duo Security, Inc. (Cloud-based trusted access solution) (US)
Functional Software, Inc. (Cloud-based error-tracking services) (US)
Google Inc. (Cloud service provider) (US)
Netlify (Cloud service provider) (US)
OOPSpam LLC (Cloud-based anti-spam services) (US)
OpenAI, LLC (Cloud based language model services) (US)
Recurly, Inc. (Cloud-based payment services) (US)
The Rocket Science Group, LLC (Cloud-based email notification services) (US)
Zendesk, Inc. (Cloud-based customer support services) (US)
https://www.aha.io/legal/subprocessors
Aha! uses the following subprocessors for other areas of its business, separate from the actual provision of its on-demand product roadmap and marketing planning solution:
Algolia (Cloud service provider) (US)
Calendly (Cloud-based scheduling services) (US)
Slack (Cloud-based communication services) (US)
Zoom (Cloud-based remote connectivity services) (US)
Aha! does not sell Personal Information. Aha! does not share Personal Information of California users for cross-context advertising.
How long is personal information retained?
Aha! will retain personal information we process on behalf of our customers for as long as needed to provide Service to our customers, subject to our compliance with this Policy (and your rights as you choose to exercise them). We may further retain and use this personal information as necessary to comply with legal obligations, resolve disputes, enforce our agreements, and for legitimate interests. Other information, such as anonymized usage data, is retained until it no longer serves a business purpose and is further anonymized as it ages.
What rights do you have to personal information?
Access, correction, objection, and portability rights
You have the right to request access to, rectification of errors in, or erasure of your personal information. You also have the right to object to the processing of your personal data and to receive a copy of your personal information in a structured, commonly used, and machine-readable format. For individuals in the EU, the United Kingdom, or Switzerland, you may always lodge a complaint with your local data protection supervisory authority.
If you wish to exercise the above rights, you can update or change the personal information you have provided Aha! by logging into the Service and providing such additional information where applicable. Be advised that there may be legal conditions or limitations on these rights. If you have additional questions about exercising these rights, please contact us at support@aha.io.
Opt-out rights
If you would like to stop receiving marketing communications from us, either email us at support@aha.io or follow the unsubscribe instructions included in each marketing email.
How seriously does Aha! take its data protection obligations? (Answer: Very seriously)
Security of personal information
Aha! is committed to ensuring the security of your personal information through reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
We utilize precautions to protect the confidentiality and security of the personal information within the Service, by employing technological, physical and administrative security safeguards, such as firewalls and other security procedures. For example, when you enter sensitive information (such as login credentials and all your activity on our Service platform), we encrypt the transmission of that information using transport layer security technology (TLS). These technologies, procedures, and other measures are used in an effort to ensure that your data is safe, secure, and only available to you and to those you authorized to access your data. However, no internet, email, or other electronic transmission is ever fully secure or error-free, so you should take care in deciding what information you send to us in this way.
Data Privacy Framework notice
Aha! complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Aha! has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Aha! has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) (collectively, the DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. In cases where Aha! receives personal information under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF and subsequently transfers it to a third party subprocessor, Aha! potentially remains responsible if personal information is processed in a manner inconsistent with the DPF Principles.
If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Aha! commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact us at support@aha.io. Aha! further commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Contact details for the EU data protection authorities can be found at https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Contact details for the UK Information Commissioner’s Office (ICO) can be found at https://ico.org.uk/. Contact details for the Federal Data Protection and Information Commissioner (FDPIC) for individuals in Switzerland can be found at https://www.edoeb.admin.ch/edoeb/en/home.html.
The Federal Trade Commission has jurisdiction over Aha!’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Under certain conditions, privacy complaints that remain unresolved after pursuing the above channels may be subject to binding arbitration before the Data Privacy Framework Panel to be created jointly by the US Department of Commerce and the European Commission. For more details, see https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
No use of Aha! by minors
Aha! does not knowingly collect personal information from individuals below the age of 18. If we learn that we have collected or received personal data from an individual under 18 without verification of parental consent, we will delete that information. If you believe Aha! might have any personal information from or about a child under 18, please contact support@aha.io.
California privacy rights
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide California residents with specific rights regarding their personal information. You have the right to know that we may have collected the following Personal Information directly from you:
Category of Personal Information | Purpose for collection | Disclosed for a business purpose? | Sold for a business purpose? | Shared for California users for cross-context advertising |
Identifiers (ex. name, online identifier, email, name, username, address, email, phone, social media handles or urls) | Performing services at your request, which include facilitating your access to and use of the Service and responding to direct communications | Yes — only to services providers /subprocessors listed in the “Who helps Aha! process personal information?” section above | No | No — see details below* |
Personal Information categories listed in the California Customer records statute (ex. name, email, address, telephone number, credit card number, payment information, education, employment history) | Performing services at your request, which include facilitating your access to and use of the Service and reviewing employment applications | Yes — only to services providers /subprocessors listed in the “Who helps Aha! process personal information?” section above | No | No |
Internet activity (ex. details about interactions with the Service) | Administering and maintaining the Service, including linking a log file to an individual to improve the Service. | Yes — only to services providers /subprocessors listed in the “Who helps Aha! process personal information?” section above | No | No |
Geolocation data (ex. IP address) | Verifying U.S. sanctions compliance | Yes — only to services providers /subprocessors listed in the “Who helps Aha! process personal information?” section above | No | No |
Professional or employment-related information | Performing services at your request, which include reviewing employment applications | Yes — only to services providers /subprocessors listed in the “Who helps Aha! process personal information?” section above | No | No |
*Aha! does not share California user personal information for cross-context advertising purposes. In the twelve months preceding January 2023, Aha! had shared cookie identifiers of California users for a cross-context advertising business purpose, which no longer occurs.
Aha! does not sell personal information
California residents have the right to request that we disclose to you certain information about our collection and use of your Personal Information over the past 12 months. After we receive and verify your request, we will disclose:
The categories of Personal Information we collected about you;
The categories of sources for that Personal Information;
Our business or commercial purpose for collecting or selling that Personal Information;
The categories of third parties with whom we process that Personal Information;
The specific pieces of your Personal Information we have collected; and
If we sold, shared or disclosed that Personal Information for a business purpose, separate lists of what was sold, shared or disclosed and the categories of Personal Information in each case.
You also have the right to request that we delete your Personal Information from our records and direct any service providers to delete that Personal Information from their records. After we receive and verify your request, we will delete that Personal Information unless a legal exception applies.
Any request to exercise your CCPA or CPRA rights should be submitted either via email to support@aha.io or via phone to 888-926-2240. We will not discriminate against you for exercising any of your above rights, including: denying you access to the Service; charging you a different price to access the Service; providing you a different level of service; or suggesting that you may receive a different price or level of service.
When does Aha! update this policy?
We may change this Policy from time to time. We will post the changes to this page. If we make changes that materially alter your privacy rights, Aha! will provide additional notice. If you disagree with changes to this Policy, you should deactivate your account for the Service. Your continued use of the Service constitutes your agreement to be bound by such changes to this Policy.
Who can you contact with questions about privacy?
To exercise any of the rights mentioned in this Policy or if you have questions regarding this Policy, please email us at support@aha.io.
Cookie notice
To make our website and other communications related to the Service work properly, we sometimes place small text files (cookies) on your device when you use the Service.This Cookie Policy (the “Policy”) provides information about how and when we use cookies for these purposes. Capitalized terms used in this policy but not defined have the meaning set forth in our Privacy Policy.
What is a cookie?
A “cookie” is a small software file stored temporarily or placed on your computer's hard drive. The main purpose of a cookie is to allow a web server to identify your computer and web browser and then tailor web pages and login information to your preferences. Cookies last for one of two time periods:
“Session-based cookies” last only while your browser is open and are automatically deleted when you close your browser.
“Persistent cookies” last until you or your browser delete them or until they expire.
Cookies help us promptly display the information you need to use the capabilities of the Service and other information which we consider to be of interest to you. Cookies do not typically contain personal information but can be linked to personal information that you have already provided us. By gathering and remembering information about your website preferences through cookies, we can provide a better web and marketing experience.
Does Aha! use cookies?
Yes. When you use the Service, we utilize session cookies, which allow us to uniquely identify your browser while you are logged in and to process your online transactions. Session cookies disappear from your computer when you close your web browser or turn off your computer.
We also utilize persistent cookies to identify you as an Aha! customer, agent, or end user and make it easier for you to log into and use the Service. Persistent cookies remain on your computer after you close your web browser or turn off your computer.
The above-described cookies are further categorized as follows:
“Essential cookies” are critical to the functionality of the Service. We use these cookies to keep a user logged into the Service and remember relevant information when the user returns to the Service.
“Functional cookies” track users' activities in the Service, understand their preferences, and improve their user experience. These cookies can also be used to remember customizable configurations of the Service.
Third-party providers serve a variety of “marketing cookies” that enable us to track and analyze usage, navigation, and other statistical information from visitors to the Aha! Websites. This information alone is not personal information, though it can be associated with personal information. Marketing cookies are also used to track the performance of our advertisements and are employed by third-party advertising networks that we utilize. These ad networks follow online activities of visitors to the Aha! Websites and use this information to inform, optimize, and serve tailored advertisements on the Aha! Websites or on other websites you visit that we believe would most effectively promote the Service to you. We also use third parties to collect information that assists us in other methods of “remarketing” our Service to visitors to the Aha! Websites, including customized email communications. Aha! does not share Personal Information of California users for cross-context advertising.
What cookies does Aha! use in the Service?
Aha! uses the following cookies in the Service:
Purpose | Category | Duration | Company |
Aha! sessions and login | Essential | Session | Aha! |
Aha! performance | Essential | Various under 1 day | Datadog and Aha! |
Aha! videos | Essential | 2 years | Vimeo |
Aha! support sessions | Essential | Various under 1 year | Zendesk |
Aha! billing | Essential | Various under 1 year | Recurly |
Aha! analytics | Functional | Various under 2 years | Aha! |
Analytics | Marketing | Various under 2 years | Google and Aha! |
Analytics | Marketing | Various, up to 5 years | Crazy Egg* |
Advertising | Marketing | Various under 2 years | |
Advertising | Marketing | Various under 2 years | Bing |
Advertising | Marketing | Various under 90 days | Facebook and Aha! |
Advertising | Marketing | Various under 2 years | |
Advertising | Marketing | Various under 2 years | |
Advertising | Marketing | Various under 5 years | The Trade Desk |
Analytics | Marketing | Various under 13 months | G2 |
*For more information on the privacy practices of Crazy Egg, click here.
How does Aha! use cookies in its product development solutions?
Aha! restricts the use of marketing cookies in its product development solutions. Aha! does not use marketing cookies on pages that display your product roadmap and strategy data. Aha! does use the above Google Analytics cookies on some public pages such as login screens. If consent is required for any of those cookies and consent has not already been received, then the cookie will not be set.
Can cookies be turned off?
You can generally accept or decline the use of cookies through functionality built into your web browser. We obtain consent for placement of non-essential cookies in jurisdictions that require it. To revoke your consent, you should delete the cookies.
If you want to learn more about cookies or how to control or delete them, please visit http://www.aboutcookies.org/ for detailed guidance. In addition, certain third-party advertising networks, including Google, permit users to opt out of or customize preferences associated with your internet browsing. To learn more about this feature from Google, click here. To learn more about this feature from Crazy Egg, click here. Please note that if you do elect to disable your web browser's ability to accept cookies, you may not be able to access or take advantage of many features of the Service.
It is our hope that you find the display of advertising to you based on your anonymous interests valuable. If you would prefer not to participate in the services offered through these solutions, you can always opt-out of tailored advertising for services that support opt-out by visiting the Network Advertising Initiative (NAI) website by clicking: here.
How does Aha! respond to Do Not Track signals?
Currently, there is no consensus on what “Do Not Track” means and how to respond to “Do Not Track” signals. For that reason, we do not respond to those signals. Be advised that third parties linked from or integrated with the Service set their own policies regarding responses to Do Not Track signals.
How does Aha! respond to Global Privacy Control signals?
Aha! does not sell personal information. Aha! does not set non-essential cookies without consent if consent is required. Aha! does not share personal information for California users for cross-context advertising purposes. For these reasons, we do not respond to Global Privacy Control (GPC) signals. Be advised that third parties linked from or integrated with the Service set their own policies regarding responses to Global Privacy Control signals.