Privacy Policy
Last updated: May 9, 2026
1. What this policy covers
This policy explains what Heeo does with data about you, the Heeo user — the person who creates an account and builds a project. It does not cover the relationship between you and your visitors. That part is covered in Section 7 below.
2. Information we collect about you
- Account information: your name, email, and (for email signups) a password stored as a one-way hash.
- Google sign-in: if you sign in with Google, we receive your name, email, and profile picture from Google.
- Usage data: which features you use, which projects you create, and aggregate interaction patterns. We use this to improve the service.
- Payment data: if you subscribe or buy a top-up pack, our payment processor (Stripe) collects your billing details. Heeo does not see or store your card number.
3. How we use your information
We use your information to provide the service, process payments, send you service-related messages, and improve Heeo. We do not sell your personal data to anyone. We do not use your personal content or your project content to train AI models without your explicit consent.
4. Generated content
The text, images, and code generated for your project belong to you. Heeo stores them so the service works (so your site can load, so you can export, so you can keep editing). We do not reuse your generated content outside your project.
5. Third-party services we use
Heeo runs on top of a few third-party services. Each has its own privacy policy. The full list, kept up to date, is on our Sub-processors page. Highlights:
- Anthropic — AI generation for your team chat, agent replies, and content drafts. Anthropic's API tier does not train on your content. Where Heeo has a Zero-Data-Retention contract with Anthropic, we mark requests with a header so prompts and outputs are not retained for trust/safety review.
- Vercel — hosts Heeo and the sites deployed to *.heeo.io.
- Supabase — stores Heeo's application database.
- Stripe — processes Heeo subscriptions and top-ups; handles your founders' end-customer payments.
- Resend — sends Heeo's transactional emails (verification, daily standup, Friday digest, moment-marker emails).
- Google — provides Google Sign-In if you choose that option.
- Sentry — captures application errors and diagnostics so we can fix bugs. See Section 6 below for what's recorded.
What stays in-house: Heeo's semantic memory (what your agents remember about your project) is computed on our own servers — embeddings never leave Heeo. We deliberately don't use a third-party embedding provider for this layer.
5a. Heeo and AI (transparency)
Heeo is an AI-powered service. The text, summaries, agent replies, and code Heeo generates come from large language models, primarily from Anthropic. AI output can be wrong, incomplete, or out of date — review anything material before relying on it.
Where the EU AI Act applies, Heeo acts as a deployer of general-purpose AI. We mark AI-generated content as such where required, and we do not use AI to make legally significant decisions about you (for example, hiring, lending, or eligibility decisions). If we ever introduce a feature that does, you will be told in advance and given a way to opt out.
You always have the right to ask a human (the founder) to review an AI-driven action that affects you. Email support@heeo.io.
6. Cookies and similar storage
Heeo and Heeo-hosted sites use a small number of cookies and browser-storage items:
- Essential session cookies — keep you signed in while you use Heeo. Required for the service to work.
- Concierge visitor identifier — a random ID stored in your visitors' browsers so the concierge can remember a conversation across page reloads. Not linked to personal data.
- "Coming soon" vote dedup cookie — when a visitor votes on an upcoming feature on your site, we set a cookie that lasts up to 1 year so the same visitor is not counted twice.
- Error diagnostics (Sentry). When you encounter an error in Heeo, our error-monitoring tool records a short replay of what happened on the page just before the error, together with your browser type and the URL you were on. This only runs when an error actually occurs — not during normal use. The recording is used to fix the bug and is not used for advertising.
If you operate Heeo-hosted sites for EU visitors, you may need to show your own cookie notice — see Section 7.
7. Visitor data from your concierge (processor relationship)
Your site includes a concierge chat widget. When your visitors send messages, we store and process those messages on your behalf. Under GDPR and similar laws:
- You are the data controller for your visitors' messages. You decide why they are collected and what happens to them.
- Heeo is the data processor. We store and display those messages so your concierge works and so you can read them.
- If your visitors are in the EU (or similar jurisdictions), you may need your own privacy notice on your site telling them that a concierge records their chat.
- You can ask us to delete your visitor chat history at any time.
We do not use your visitors' messages to train AI models. We do use the content of their conversation, in real time, to generate the concierge's reply — that is how the concierge works.
8. Data storage and retention
Your data is stored encrypted in our application database. We keep it for as long as your account is active. Paused projects are preserved so you can reactivate them.
You can delete your account and all associated data at any time from your account settings. Deletion is immediate — projects, agents, memories, sessions, artifacts, and chat history are removed at the database level. Some pseudonymized rows (e.g. anonymized playbook patterns contributed before deletion) may persist for our learning loop; these contain no personal identifiers.
9. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete the personal data we hold about you. You can exercise these rights by contacting us. For users in the EU and UK, this includes the rights described in GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
We aim to respond to verified rights requests within 30 days. To make a request, email support@heeo.io with the subject “Privacy request.” If you are unhappy with our response, you have the right to lodge a complaint with your local data-protection authority.
You can export your project files at any time through the Export feature.
9a. International transfers
Some of our sub-processors are based in the United States. Where personal data of EU/UK users is transferred outside the EEA, we rely on the EU Commission's Standard Contractual Clauses or, where applicable, an adequacy decision, for those transfers. The current list of sub-processors and their regions is on the Sub-processors page.
9b. Reporting illegal content or abuse
To report copyright infringement, illegal content, or abuse on a Heeo-hosted site (a *.heeo.io subdomain), see our DMCA & abuse page.
10. Changes to this policy
We may update this policy. If a change is material, we will notify you by email or in-product before it takes effect.
11. Contact
Privacy questions: support@heeo.io.