logo

HeyBoss AI Privacy Policy

Effective Date: September 17, 2025

Hee Labs, Inc. ("we," "our," or "us") operates HeyBoss.ai (the "Site") and provides AI-powered website building services (the "Services"). This Privacy Policy explains how we collect, use, store, and disclose your information when you use our Site and Services. By accessing or using our Site and Services, you agree to this Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

Account Information

  • Name, email address, username, and encrypted password
  • Billing information and payment details (processed by third-party payment processors)
  • Profile information such as profile photos, company details, and descriptions

Content and Creative Data

  • Text prompts and instructions you provide to our AI systems
  • Website content, code, designs, and media files you create or upload
  • Project names, descriptions, and configuration settings
  • Custom branding elements, logos, and visual assets
  • Communication with our support team, including chat logs and email correspondence

Business Information (for enterprise users)

  • Company name, industry, and business requirements
  • Team member information and access permissions
  • Custom integration requirements and API usage data

1.2 Information We Collect Automatically

Usage and Interaction Data

  • Pages visited, features used, and time spent on different sections
  • Click patterns, navigation paths, and user interface interactions
  • AI generation requests, including frequency and complexity metrics
  • Project creation, modification, and publishing activities
  • Search queries and template usage patterns

Technical Information

  • IP address, browser type, version, and language settings
  • Operating system, device type, and screen resolution
  • Referral URLs and exit pages
  • Session duration and frequency of visits
  • Error logs and performance metrics

Cookies and Tracking Technologies We use several types of cookies and similar technologies:

  • Strictly Necessary Cookies: Essential for site functionality, login sessions, and security
  • Performance Cookies: Analytics cookies to understand site usage (Google Analytics, Mixpanel)
  • Functional Cookies: Remember your preferences, settings, and project states
  • Marketing Cookies: Track marketing campaign effectiveness and user acquisition

You can manage cookie preferences through your browser settings or our cookie management interface.

1.3 Information from Third-Party Services

Authentication Services

  • Profile information from Google, GitHub, or other OAuth providers you choose to use
  • Basic profile data (name, email, profile picture) from social login services

Integrated Services Data

  • Data from services you integrate into your websites (payment processors, analytics, maps)
  • API usage and configuration data for third-party service connections

2. How We Use Your Information

2.1 Service Provision and Platform Operation

Core Service Delivery

  • Process AI generation requests and deliver website creation services
  • Maintain user accounts, authentication, and access control
  • Host and serve your websites and applications
  • Provide customer support and technical assistance
  • Process payments and manage billing (through third-party processors)

Platform Improvement and AI Training

  • Analyze usage patterns to improve AI model performance and accuracy
  • Use aggregated and anonymized data to enhance platform features
  • Develop new AI capabilities and expand service offerings
  • Conduct research and development for platform optimization

Important Note on AI Training: We use interactions with our AI systems, including prompts and generated content, to improve our AI models. For paid users with private projects, we only use this data in aggregated, anonymized form unless you explicitly consent otherwise. For free users with public projects, we may use project data more directly for AI training and improvement.

2.2 Communication and User Experience

Service Communications

  • Send account notifications, security alerts, and service updates
  • Provide customer support and respond to inquiries
  • Share product updates, new features, and platform improvements
  • Send billing notices and payment confirmations

Marketing and Promotional Communications (with your consent)

  • Newsletter with platform tips, industry insights, and feature highlights
  • Information about new plans, pricing changes, or special offers
  • Case studies and success stories (with your explicit permission)

Platform Security

  • Monitor for fraudulent activities, spam, and abuse
  • Detect and prevent security threats and unauthorized access
  • Investigate violations of our Terms of Service
  • Maintain system integrity and prevent service disruption

Legal and Regulatory Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Respond to legal requests, court orders, and government inquiries
  • Protect our rights, property, and interests, and those of our users
  • Enforce our Terms of Service and other platform policies

3. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following circumstances:

3.1 Service Providers and Technology Partners

Essential Service Providers

  • Cloud hosting providers (AWS, Google Cloud) for infrastructure and data storage
  • Content Delivery Network (CDN) providers for website performance
  • Payment processors (Stripe, PayPal) for billing and subscription management
  • Email service providers for transactional and marketing communications
  • Analytics providers (Google Analytics, Mixpanel) for usage insights
  • Customer support tools for help desk and communication management

AI and Technology Partners

  • AI model providers and training infrastructure partners
  • Security service providers for threat detection and prevention
  • Backup and disaster recovery service providers

All service providers are contractually required to protect your data and use it only for specified purposes.

3.2 Public Project Sharing

Community Templates and Public Projects

  • Free users' published projects become part of our public community template library
  • Public project data may be used for marketing materials, case studies, and platform promotion
  • Other users can view, clone, and modify public projects according to our Terms of Service

Privacy for Paid Users

  • Private projects from paid subscribers are not shared publicly
  • We do not use private project data for marketing or public display without explicit consent

Legal Compliance

  • Compliance with valid legal process, including subpoenas, court orders, and search warrants
  • Protection of our rights, property, and safety, and those of our users and the public
  • Investigation of potential violations of law or our Terms of Service
  • Cooperation with law enforcement and regulatory authorities when legally required

Business Transactions

  • In connection with a merger, acquisition, bankruptcy, or sale of company assets
  • Due diligence processes for potential business transactions
  • Transfer of user accounts and data as part of business restructuring

Data will be transferred only to entities that agree to protect your information according to this Privacy Policy.

3.4 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably identify you, including:

  • Industry reports and research insights
  • Platform usage statistics and trends
  • Performance benchmarks and case studies
  • Academic research and development partnerships

4. Data Storage and International Transfers

4.1 Data Storage Locations

Primary Data Storage

  • User data is primarily stored in secure data centers in the United States
  • We use industry-standard cloud providers (AWS, Google Cloud) with SOC 2 compliance
  • Backup data may be stored in multiple geographic locations for disaster recovery

Content Delivery and Performance

  • Website content may be cached and distributed globally through CDN services
  • Some technical data may be processed in different countries for performance optimization

4.2 International Data Transfers

Cross-Border Data Processing

  • If you access our Services from outside the United States, your data may be transferred to and processed in the US
  • We implement appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) where applicable
  • For EU users, we provide additional protections under GDPR requirements

Third-Party Service Locations

  • Some service providers may process data in countries other than your residence
  • We ensure all international service providers maintain adequate data protection standards

5. Your Rights and Choices

5.1 Account Access and Management

Profile Management

  • Access and update your account information through your profile settings
  • Change your password, email address, and profile details
  • Manage project settings, privacy preferences, and notification options
  • Download your project data and code at any time

Communication Preferences

  • Unsubscribe from marketing emails using the unsubscribe link
  • Manage notification preferences in your account settings
  • Opt out of non-essential communications while maintaining service notifications

5.2 Data Subject Rights (GDPR and Similar Laws)

Access and Portability

  • Request a copy of all personal data we hold about you
  • Receive your data in a structured, machine-readable format
  • Transfer your data to another service provider (data portability)

Correction and Deletion

  • Correct inaccurate or incomplete personal information
  • Request deletion of your personal data (subject to legal and operational limitations)
  • Request restriction of processing under certain circumstances

Objection and Consent Withdrawal

  • Object to processing based on legitimate interests
  • Withdraw consent for marketing communications and optional data processing
  • Object to automated decision-making and profiling (where applicable)

Exercising Your Rights To exercise these rights, contact us at contact@heyboss.ai with a clear description of your request. We will respond within the timeframes required by applicable law (typically 30 days).

5.3 California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

Right to Know

  • Categories of personal information collected and sources
  • Business purposes for collecting personal information
  • Categories of third parties with whom we share information

Right to Delete

  • Request deletion of personal information we have collected
  • Exceptions for information necessary for business operations or legal compliance

Right to Opt-Out

  • While we don't "sell" personal information in the traditional sense, you can opt out of certain data sharing practices

Non-Discrimination

  • We will not discriminate against you for exercising your California privacy rights

Browser Controls

  • Configure your browser to block or delete cookies
  • Use private/incognito browsing modes
  • Install browser extensions for enhanced privacy control

Platform Controls

  • Access cookie preferences through our cookie management interface
  • Opt out of non-essential tracking and analytics
  • Manage marketing and advertising cookie preferences

Note: Disabling certain cookies may affect platform functionality and user experience.

6. Data Retention and Deletion

6.1 Retention Periods

Account Data

  • Account information: Retained while your account is active, plus 3 years after account deletion
  • Project data: Varies based on account type and activity level
  • Communication records: Retained for 7 years for legal and customer service purposes

Usage and Technical Data

  • Analytics data: Aggregated data retained indefinitely; individual data retained for 2 years
  • Log files: Typically retained for 1 year unless needed for security or legal purposes
  • Session data: Deleted after session expiration or account inactivity

6.2 Data Deletion Policies

User-Initiated Deletion

  • Account deletion: All associated personal data deleted within 90 days
  • Project deletion: Individual projects deleted within 30 days
  • Some data may be retained in encrypted backups for up to 1 year for disaster recovery

Automatic Cleanup

  • Inactive free accounts: May be deleted after 2 years of inactivity with 90 days notice
  • Inactive projects: May be archived or deleted based on account type and activity
  • Temporary files: Automatically deleted according to system maintenance schedules

Legal and Operational Retention

  • Some data may be retained longer for legal compliance, dispute resolution, or fraud prevention
  • Anonymized and aggregated data may be retained indefinitely for research and improvement purposes

7. Security Measures

7.1 Technical Safeguards

Data Encryption

  • Data in transit: All communications protected with TLS 1.3 encryption
  • Data at rest: Sensitive data encrypted using AES-256 encryption
  • Database encryption: All user data encrypted at the database level

Access Controls

  • Multi-factor authentication for employee access to systems
  • Role-based access controls and principle of least privilege
  • Regular access reviews and permission audits
  • Secure API authentication and authorization

Infrastructure Security

  • Regular security assessments and penetration testing
  • Automated vulnerability scanning and patch management
  • Network segmentation and firewall protection
  • Intrusion detection and monitoring systems

7.2 Operational Security

Employee Training and Access

  • Regular security awareness training for all employees
  • Background checks for employees with data access
  • Confidentiality agreements and data handling policies
  • Limited and monitored access to personal data

Incident Response

  • Documented incident response procedures
  • Immediate containment and investigation of security incidents
  • Notification procedures for affected users and authorities
  • Post-incident analysis and security improvements

7.3 Data Breach Notification

User Notification

  • Notification within 72 hours for high-risk breaches
  • Clear information about what data was affected and steps being taken
  • Specific recommendations for user actions and protection measures
  • Follow-up communications with additional details as available

Regulatory Notification

  • Compliance with GDPR, CCPA, and other applicable breach notification laws
  • Coordination with relevant authorities and regulatory bodies
  • Documentation and reporting of all security incidents

8. Children's Privacy (COPPA Compliance)

8.1 Age Restrictions

Our Services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

Age Verification

  • We require users to confirm they are at least 13 years old during registration
  • Users between 13-17 must have parental consent to use our Services
  • We may request additional verification for accounts that appear to belong to minors

Parental Rights

  • Parents can request access to their child's account information
  • Parents can request deletion of their child's account and associated data
  • We provide special protections for accounts belonging to minors

8.2 Discovery and Response

Inadvertent Collection If we discover that we have collected information from a child under 13:

  • We will delete the information immediately
  • We will terminate the child's account
  • We will notify parents if contact information is available

Reporting Parents who believe their child under 13 has provided information to us should contact us immediately at contact@heyboss.ai.

9. Updates to This Privacy Policy

9.1 Policy Changes

Notification of Changes

  • Material changes will be communicated at least 30 days in advance
  • Notice will be provided via email, platform notifications, and website posting
  • Continued use of Services after changes indicates acceptance of updated policy

Types of Changes

  • Changes in data collection practices or purposes
  • New third-party partnerships or data sharing arrangements
  • Updates to user rights or data retention policies
  • Changes in security measures or data storage locations

9.2 Version Control

Policy Versioning

  • Each version includes an effective date and change summary
  • Previous versions are archived and available upon request
  • Major changes are highlighted and explained in plain language

User Review Period

  • Significant changes include a review period before taking effect
  • Users who object to changes may close their accounts before the effective date
  • We may provide granular controls for specific types of data processing

10. International Privacy Frameworks

10.1 GDPR Compliance (EU Users)

Legal Basis for Processing

  • Contract performance: Processing necessary for providing our Services
  • Legitimate interests: Platform improvement, security, and analytics
  • Consent: Marketing communications and optional features
  • Legal obligations: Compliance with applicable laws and regulations

Data Protection Officer

  • For GDPR-related inquiries, contact our Data Protection Officer at contact@heyboss.ai
  • Include "GDPR Request" in your subject line for priority processing

Cross-Border Data Transfers

  • Standard Contractual Clauses (SCCs) for transfers outside the EEA
  • Adequacy decisions and other legal mechanisms where applicable
  • Additional safeguards for sensitive data transfers

10.2 Other Regional Privacy Laws

Canada (PIPEDA)

  • Compliance with Personal Information Protection and Electronic Documents Act
  • Privacy impact assessments for high-risk processing activities

Brazil (LGPD)

  • Compliance with Lei Geral de Proteção de Dados requirements
  • Data subject rights equivalent to GDPR provisions

Other Jurisdictions

  • We monitor and comply with emerging privacy laws in jurisdictions where we operate
  • Regional privacy requirements are incorporated into our global privacy framework

11. Contact Information and Privacy Requests

11.1 General Privacy Inquiries

Privacy Contact Information Hee Labs, Inc.
Privacy Team
530 Lytton Avenue, Floor 2
Palo Alto, CA 94301
Email: contact@heyboss.ai

11.2 Specific Request Types

Data Subject Access Requests

  • Email: contact@heyboss.ai
  • Subject Line: "Data Access Request"
  • Include: Full name, email address, and specific information requested

Data Deletion Requests

  • Email: contact@heyboss.ai
  • Subject Line: "Data Deletion Request"
  • Include: Account email, reason for deletion, and confirmation of identity

Security and Breach Reports

  • Email: contact@heyboss.ai
  • Subject Line: "Security Issue" or "Privacy Concern"
  • Include: Detailed description and any supporting evidence

11.3 Response Times

Standard Requests: 30 days (or as required by applicable law)
Complex Requests: Up to 90 days with notification of extension
Urgent Security Issues: Within 24-48 hours
GDPR/CCPA Requests: Within legally required timeframes

12. Additional Resources

This Privacy Policy is effective as of the date listed above and supersedes all previous versions. For questions about this Privacy Policy, please contact us at contact@heyboss.ai.