Privacy Policy

Effective Date: May 1, 2025

Last Updated: Jun 16, 2025

1. Introduction

Welcome to HeyHay.ai (“we,” “us,” “our”). We provide artificial intelligence-powered applications (the “Service”) that our clients (“Clients”) use to manage interactions with their customers (“End-Users”). These conversations may take place on our Clients’ websites, on Facebook Messenger, on WhatsApp, and via phone (SMS/text) (collectively, “Platforms”).

This Privacy Policy explains how we collect, use, disclose, and protect information in our role as a Data Processor on behalf of our Clients. It also describes how we collect and use information from our own website visitors and Clients in our role as a Data Controller.

This policy is global in scope and is intended to comply with major privacy regulations including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and others.

For the purposes of this policy:

  • Client: A business or entity that signs up for and uses our Service.
  • End-User: An individual who interacts with our Service via one of our Client’s deployed chatbots.
  • Personal Data: Any information that identifies or can be used to identify an individual, directly or indirectly.

2. Information We Process on Behalf of Our Clients (We are the Data Processor)

Our primary role is to process data on behalf of our Clients. Our Clients are the Data Controllers of the End-User data and are responsible for having a lawful basis for its collection and processing.

a. What We Process:

When an End-User interacts with our Service, we process the following Personal Data as instructed by our Client:

  • Conversation Content: The full transcript of the conversation between the End-User and the AI chatbot. This may include names, contact details, support questions, sales inquiries, and any other information the End-User voluntarily provides.
  • Contact Information: Phone number (for WhatsApp/SMS), Facebook Profile information (name, profile picture, as permitted by the End-User and Facebook), IP address, and any contact details provided.
  • Technical Data: Platform used (e.g., WhatsApp, Messenger), timestamps, device type, browser information, and other metadata related to the interaction.

b. How We Use This Data:

  • To deliver our Service to the Client as per our contractual agreement.
  • To enable the AI chatbot to understand context and provide relevant responses.
  • To pass information to our Client’s systems (e.g., their CRM) as configured by them.
  • To troubleshoot and maintain the Service.

3. Information We Collect from Our Clients and Website Visitors (We are the Data Controller)

a. What We Collect:

  • Client Account Information: When a Client signs up, we collect business contact information, such as name, company name, email address, phone number, and billing information.
  • Website & Service Usage Information: We use cookies and similar technologies to collect information about how our Clients and visitors interact with our website ([YourWebsite.com]). This includes IP address, browser type, pages visited, and session duration.

b. How We Use This Data:

  • To provide, maintain, and bill for our Service.
  • To manage our Client relationships and provide customer support.
  • To send administrative information, service updates, and marketing communications (where consent is obtained or legitimate interest applies).
  • To improve our website and marketing efforts.

4. Legal Basis for Processing (for EEA/UK Individuals)

If you are from the European Economic Area (EEA) or the United Kingdom (UK), our legal basis for collecting and using Personal Data depends on the context:

  • Processing End-User Data: We process End-User data based on the instructions of our Client (the Data Controller). Our Clients are responsible for establishing a lawful basis (e.g., End-User consent, legitimate interest, contractual necessity).
  • Processing Client/Website Visitor Data: We process this data based on:
      • Contract: To fulfill our Service agreement with our Clients.
      • Consent: For sending marketing communications or using non-essential cookies.
      • Legitimate Interests: For security, service improvement, and direct marketing to our business clients, provided these interests are not overridden by your data protection rights.

5. How We Share and Disclose Information

We do not sell Personal Data. We may share information under the following circumstances:

  • With Our Clients: All End-User data processed for a Client is accessible to that Client.
  • With Sub-Processors and Service Providers: We use third-party vendors to provide the necessary infrastructure for our Service. These include:
      • Cloud hosting providers (e.g., Amazon Web Services, Google Cloud).
      • AI model providers (e.g., OpenAI, Google).
      • Communication platform providers (e.g., Twilio for SMS, Meta for Messenger/WhatsApp).
      • Payment processors.
    We have data processing agreements with these sub-processors to ensure they protect Personal Data.
  • For Legal Reasons: We may disclose information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, information may be transferred.

6. Third-Party Platforms (Messenger & WhatsApp)

When End-Users interact with our Service via Facebook Messenger or WhatsApp, they are also subject to the privacy policies of Meta Platforms, Inc. We are not responsible for the data practices of these platforms.

7. Data Retention

We retain End-User data for as long as our Client instructs us to, or as long as their account is active. We retain Client and website visitor data for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

8. Security

We implement robust technical and organizational measures to protect Personal Data, including encryption in transit and at rest, access controls, and regular security assessments. However, no method of transmission or storage is 100% secure.

9. International Data Transfers

We operate globally and may transfer Personal Data to countries outside of your own, including the United States. When we transfer data from the EEA/UK, we rely on appropriate legal mechanisms such as the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), and/or the UK’s International Data Transfer Addendum to ensure an adequate level of data protection.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your Personal Data:

  • For End-Users: Because we are a Data Processor, you should direct any requests to exercise your data protection rights to the Client on whose behalf we processed your data. We will assist our Clients in responding to these requests.
  • For Clients and Website Visitors: You have the following rights regarding the data we control:
      • Right to Access, Rectify, or Erase: You can request access to, correction of, or deletion of your Personal Data.
      • Right to Object/Restrict Processing: You can object to or request the restriction of our processing of your data.
      • Right to Data Portability: You can request a copy of your data in a machine-readable format.
      • Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time.

Specific to California (CCPA/CPRA):

You have the right to know what personal information is collected, used, and shared. You have the right to delete personal information and the right to opt out of the “sale” or “sharing” of your personal information (note: we do not sell data). You have the right to correct inaccurate information and to limit the use of sensitive personal information. To exercise these rights, please contact us.

To exercise any of these rights, please contact us at [privacy@[yourcompany].com].

11. Children’s Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children. If you become aware that a child has provided us with Personal Data, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on our website and, where appropriate, through direct communication.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

HeyHay.ai

Email: infosec@heyhay.ai

Data Protection Officer: M Dartayet