Privacy Policy
Henji (the "Service") is operated by Appelier, a sole proprietorship ("we", "us", or "Operator"). This Privacy Policy describes how we handle information about you (the "Customer" or "you") when you use the Service. It is incorporated into our Terms of Service.
Last updated: June 7, 2026
1. Scope
This Policy applies to the Henji desktop application, the landing page (https://henji.ai), the backend API, and related services.
2. Information We Collect
2.1 Collected Automatically
- Device identifiers: an auto-generated Device ID and a SHA-256 hash of the hardware UUID (we do not store the raw hardware UUID).
- Usage statistics: number of launches, generations, agent names, input/output token counts.
- App / OS info: app version, macOS version, locale.
- Error logs: crash information, API error codes.
2.2 Provided by You
- Inputs to AI Features: screenshot images, text instructions, agent configurations.
- Outputs: AI-generated reply candidates — displayed locally on your device. We do not store the body of Outputs on our servers.
- Payment information: entered directly on Stripe Checkout. Card numbers and similar payment data never pass through our servers.
- Contact info on support / limit-increase requests: email address and a description of your usage.
2.3 What We Do NOT Collect
The following are never sent to our analytics backend (Google Analytics):
- Screenshot images
- The body of generated reply text
- The body of user instruction text
- The raw macOS hardware UUID (we keep only a SHA-256 hash)
2.4 macOS Permissions Requested by the Service
The Service requests the following macOS permissions when you choose to use the relevant features. You may revoke any of them at any time from System Settings (the corresponding feature will then be unavailable).
| Permission | Purpose | What we access | Where it goes |
| Screen Recording | Capturing screenshots | The captured screenshot image, converted to text on-device via Vision OCR | Only the OCR text is sent to the AI model provider (§4). The image itself never leaves your device. |
| Accessibility | Detecting text selection, generating replies, and recording the source app | The text you have selected and its source app name (e.g., Slack, Mail) | The selected text and its source app name are sent to the AI model provider (§4) only when you click the icon to generate a reply. |
We collect or transmit data tied to a permission only when that permission is granted. Selected text is never sent off-device unless you actively trigger a reply generation.
3. Purposes of Use
We use the information above for:
- Delivering the Service (executing generation requests, displaying replies)
- Billing (Stripe-based payments and subscription management)
- Enforcing monthly usage limits
- Quality and reliability improvement (aggregated, anonymized statistics)
- Responding to support inquiries and limit-increase requests
- Detecting and addressing violations of the Terms
- Complying with legal obligations
4. How AI Features Handle Inputs and Outputs
- On-device OCR and transmission: Screenshots are OCR-processed locally on your device via macOS Vision. When you use AI Features, only the extracted text and your instructions are transmitted over HTTPS to AI model providers (Anthropic, PBC. or Google LLC) which return Outputs. The screenshot image itself is never sent to our servers or to the AI model providers.
- Not stored by us: We do not store the body of Inputs or Outputs in our backend DB (Cloudflare D1). What we store is metadata: usage counts, token counts, agent IDs, etc.
- Provider-side retention: We have enabled the no-logging / zero-data-retention options offered by our AI providers. Anthropic and Google do not use Inputs or Outputs to train their models and do not retain them beyond brief operational processing windows, in accordance with their published policies.
- Encryption in transit: All transit is encrypted with TLS 1.2 or higher.
- Local history: Where the Service offers a local generation history, those records remain on your device and are not transmitted to our servers.
5. No Training on Your Data
We do not use your Inputs or Outputs to train, fine-tune, or evaluate our own or any third party's AI models. We have also enabled the no-training opt-outs available from our AI Sub-Processors.
6. Sub-Processors
We rely on the following Sub-Processors to deliver the Service.
| Category | Recipient | Data shared | Purpose | Primary locations |
| AI model | Anthropic, PBC. | OCR-extracted text, instructions (no image) | Reply generation | United States |
| AI model | Google LLC | OCR-extracted text, instructions (no image) | Reply generation | United States |
| Payments | Stripe, Inc. | Card info, email, billing history | Payments and subscription management | US, EU, Japan |
| Cloud | Cloudflare, Inc. | Device ID, usage stats, subscription state | Backend / API hosting and database | US, EU, Japan regions |
| Analytics | Google LLC | Device ID, usage stats, app / OS version | Anonymous analytics | United States |
Sub-Processors may be added or replaced from time to time; material changes will be reflected in the updated date on this page.
7. Data Storage and Retention
| Data | Location | Retention |
| License info | macOS Keychain (local to your device) | Until you delete it |
| Device ID, subscription state | Cloudflare D1 (US, EU, Japan) | 12 months after cancellation, or upon deletion request |
| Monthly usage counts | Cloudflare D1 | 25 months (to support year-over-year comparison) |
| Payment info | Stripe (US, EU, Japan) | Per Stripe's policies |
| Analytics | Google Analytics (US) | 14 months (default retention) |
| AI Inputs / Outputs | (not stored by us) | — |
8. International Data Transfers
Your data may be processed by Sub-Processors located in the United States, the EU, Japan, and elsewhere. We rely on appropriate technical and organizational safeguards (TLS encryption, access controls, no-logging settings, etc.) to keep your data secure across regions.
9. Your Rights
You may request to:
- Access the information we hold about you
- Correct inaccurate information
- Delete your information
- Restrict specific processing
- Port your data in a machine-readable format
See §11 for how to make these requests.
10. Security
We apply reasonable technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, and loss, including:
- TLS encryption in transit
- Local encryption of sensitive data using the macOS Keychain (via Electron safeStorage)
- Access controls and least-privilege principles
- Avoiding unnecessary data retention (we do not persist the body of Inputs or Outputs)
11. Deletion Requests and Contact
For deletion requests, questions about this Policy, or to exercise your rights:
- Contact: support@henji.ai
- Please include: the last 8 characters of your Device ID, shown in the Settings screen.
- Response: we respond within 14 days. Items we can delete immediately (e.g., Google Analytics events) are handled within 24 hours.
12. Cookies
Our landing page (https://henji.ai) may use cookies or similar technologies to remember your language preference (hl=ja|en) and to collect anonymized usage data via Google Analytics.
13. Analytics Settings
In-app analytics is always enabled. The data sent is limited to what is described in §2.1 and never includes the body of Inputs or Outputs.
14. Children's Privacy
The Service is not directed to children under 13 (or under 16 in jurisdictions that apply that threshold). We do not knowingly collect information from these individuals.
15. Updates
We may update this Policy as laws change, as the Service evolves, or as we update Sub-Processors. Material changes will be announced via in-app notice or email.
16. Revision History
| Date | Change |
| 2026-05-10 | Initial publication |
| 2026-05-13 | Restructured to mirror Notion AI's Privacy Policy: AI Inputs/Outputs handling, explicit no-training statement, Sub-Processor list, retention schedule, international transfers, and user rights |
| 2026-05-28 | Added §2.4 "macOS Permissions Requested by the Service" (Screen Recording / Accessibility — usage and transmission scope) |
| 2026-05-31 | Updated §4 and §6 to match implementation: clarified that only OCR-extracted text (not the image) is sent to AI model providers, and corrected the providers to Anthropic / Google |
| 2026-06-07 | Aligned with implementation: removed "format preset names" from §2.1 usage statistics (the format-preset feature was discontinued), and revised the §2.4 Accessibility purpose from "active-app detection" to recording the selection's source app as provenance / context |
Contact: support@henji.ai
Henji