HL Architect

Privacy Policy

Last updated: March 25, 2026

1. Overview

HL Architect ("the App") is operated by Rocket Digital Marketing LLC ("we", "us", "our"). This policy describes what data we collect, how we use it, and how we protect it. We are committed to minimizing data collection and protecting your privacy.

2. Data We Collect

Authentication Data

When you install the App, HighLevel provides OAuth 2.0 tokens (access token and refresh token) that allow us to interact with your sub-account. These tokens are stored server-side in encrypted Redis storage. We also store your location ID, user ID, and company ID in a signed session cookie.

API Key (BYOK)

If you choose to use AI features, you provide your own Anthropic API key. This key is encrypted using AES-256-GCM with a unique initialization vector before storage. The key is only decrypted at the moment of an AI request and is never logged, displayed, or transmitted to any third party other than Anthropic for the purpose of generating AI responses.

CRM Configuration Data

We read your sub-account's custom fields, custom values, tags, pipeline stages, calendars, custom objects, and associations to display them in the editor. This data is cached temporarily in Redis (typically 5 minutes for active data, up to 30 days for stable configuration) to reduce API calls to HighLevel.

What We Do NOT Collect

  • Contact personal information (names, emails, phone numbers)
  • Conversation or message content
  • Payment or billing information (handled by HighLevel)
  • Analytics or tracking data
  • Cookies beyond the signed session cookie

3. How We Use Your Data

  • OAuth tokens: To authenticate API requests to your HighLevel sub-account
  • Session cookie: To maintain your authenticated session
  • API key: To send requests to Anthropic on your behalf for AI features
  • CRM data: To display your current configuration in the editor and to provide context to the AI assistant

4. AI and Data Processing

When you use the AI chat feature, your current CRM configuration data (field names, value names, tag names, pipeline stages — not contact records) is sent to Anthropic as context for generating suggestions. This data is processed under Anthropic's data usage policies. We use the BYOK model specifically so that your data is governed by your own Anthropic agreement, not ours.

5. Data Storage and Security

  • All data is stored in Upstash Redis (encrypted at rest, hosted on AWS)
  • OAuth tokens are stored server-side only — never in cookies or client-side storage
  • Session cookies are signed with HMAC-SHA256 and marked HttpOnly, Secure, SameSite=None
  • API keys are encrypted with AES-256-GCM using a unique IV per encryption
  • All data is transmitted over HTTPS/TLS
  • Redis keys are prefixed with "hla:" for namespace isolation

6. Data Retention

  • Session cookies expire after 7 days
  • Cached CRM data expires after 5 minutes (active) to 30 days (stable config)
  • OAuth tokens are refreshed daily and retained while the App is installed
  • Upon uninstallation, all tokens, API keys, and cached data are permanently deleted

7. Third-Party Services

  • HighLevel — CRM platform (OAuth provider, data source)
  • Anthropic — AI model provider (receives CRM configuration context, governed by your BYOK agreement)
  • Vercel — Application hosting
  • Upstash — Redis database hosting (via Vercel Marketplace)

We do not sell, rent, or share your data with any other third parties.

8. Your Rights

You may at any time:

  • Delete your stored API key through the Settings page
  • Uninstall the App to delete all stored data
  • Request a copy of your stored data by contacting us
  • Request manual deletion of your data by contacting us

9. Changes to This Policy

We may update this policy at any time. Material changes will be communicated through the App interface. Continued use after changes constitutes acceptance.

10. Contact

For privacy questions or data requests, contact us at privacy@hlarchitect.ai.