logo
follow HeyBoss AI on X.com

HeyBoss AI Privacy Policy

Effective Date: September 17, 2025

Hee Labs, Inc. ("we," "our," or "us") operates HeyBoss.ai (the "Site") and provides AI-powered website building services (the "Services"). This Privacy Policy explains how we collect, use, store, and disclose your information when you use our Site and Services. By accessing or using our Site and Services, you agree to this Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

Account Information

  • Name, email address, username, and encrypted password
  • Billing information and payment details (processed by third-party payment processors)
  • Profile information such as profile photos, company details, and descriptions

Content and Creative Data

  • Text prompts and instructions you provide to our AI systems
  • Website content, code, designs, and media files you create or upload
  • Project names, descriptions, and configuration settings
  • Custom branding elements, logos, and visual assets
  • Communication with our support team, including chat logs and email correspondence

Business Information (for enterprise users)

  • Company name, industry, and business requirements
  • Team member information and access permissions
  • Custom integration requirements and API usage data

1.2 Information We Collect Automatically

Usage and Interaction Data

  • Pages visited, features used, and time spent on different sections
  • Click patterns, navigation paths, and user interface interactions
  • AI generation requests, including frequency and complexity metrics
  • Project creation, modification, and publishing activities
  • Search queries and template usage patterns

Technical Information

  • IP address, browser type, version, and language settings
  • Operating system, device type, and screen resolution
  • Referral URLs and exit pages
  • Session duration and frequency of visits
  • Error logs and performance metrics

Cookies and Tracking Technologies We use several types of cookies and similar technologies:

  • Strictly Necessary Cookies: Essential for site functionality, login sessions, and security
  • Performance Cookies: Analytics cookies to understand site usage (Google Analytics, Mixpanel)
  • Functional Cookies: Remember your preferences, settings, and project states
  • Marketing Cookies: Track marketing campaign effectiveness and user acquisition

You can manage cookie preferences through your browser settings or our cookie management interface.

1.3 Information from Third-Party Services

Authentication Services

  • Profile information from Google, GitHub, or other OAuth providers you choose to use
  • Basic profile data (name, email, profile picture) from social login services

Integrated Services Data

  • Data from services you integrate into your websites (payment processors, analytics, maps)
  • API usage and configuration data for third-party service connections

1.4 Google User Data

HeyBoss integrates with Google services in two distinct ways. We handle each type of Google data separately and in full compliance with Google's User Data Policy.

1.4.1 Google OAuth Authentication (Account Sign-In)

When you sign in using Google OAuth, we receive limited data from Google to create and manage your account:

Data We Receive

  • Basic profile information (name, email address, profile picture)
  • Google account identifier for authentication purposes
  • Email verification status

How We Use This Data

  • Account creation and authentication: Creating and maintaining your HeyBoss account
  • Service provision: Providing you access to our AI website building platform
  • Service communications: Sending you essential service notifications and support responses
  • Security: Protecting your account and preventing unauthorized access

1.4.2 Gmail Contacts Import (Optional Feature)

If you choose to use our Gmail contacts import feature to add customers to your project, you will be asked to grant additional permissions:

Data We Access (Only When You Choose to Import)

  • Contact information from your Google Contacts (via Google People API)
  • Contact details include: names, email addresses, phone numbers, and addresses

How We Use Gmail Contacts Data

  • Customer management: Importing contacts into YOUR project's customer database for YOUR business use
  • Your control: You select which contacts to import; we only import what you explicitly choose
  • Your data: Imported contacts become part of your project data and are under your control
  • Storage: Contacts are stored in your project's customer database and associated with your account

Important Limitations on Gmail Contacts

  • Contacts data is ONLY used to populate your customer management system
  • Imported contacts are stored exclusively for your use in managing your project's customers
  • We do NOT use imported Gmail contacts for any other purpose
  • We do NOT share imported contacts with any third parties
  • We do NOT use contacts for advertising, marketing, or AI training
  • When you delete a customer from your project or delete your project, the contact data is permanently deleted

1.4.3 What We Do NOT Do with Any Google User Data

Prohibited Uses (applies to ALL Google data - both OAuth and Gmail contacts):

  • We do NOT sell Google user data to any third parties
  • We do NOT transfer Google user data to advertising platforms, data brokers, or information resellers
  • We do NOT use Google user data for serving ads, including retargeting, personalized, or interest-based advertising
  • We do NOT use Google user data to determine creditworthiness or for lending purposes
  • We do NOT allow human review of Google user data except when necessary for security purposes, legal compliance, or with your explicit consent
  • We do NOT use Google user data for AI model training

1.4.4 Data Separation and Security

Google user data is kept separate from other data types:

  • Technical/usage data (analytics) does not include identifiable Google user data
  • Public project content does not include your Google account information
  • AI training data does not include any Google user data
  • Gmail contacts are stored separately and only accessible to you within your projects

Your Rights Over Google Data

  • You can revoke HeyBoss's access to your Google account at any time through your Google Account permissions
  • You can delete imported Gmail contacts at any time from your project's customer management interface
  • Revoking access will not delete previously imported contacts; you must delete them manually

Compliance This Google user data handling complies with the Google API Services User Data Policy. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. How We Use Your Information

2.1 Service Provision and Platform Operation

Core Service Delivery

  • Process AI generation requests and deliver website creation services
  • Maintain user accounts, authentication, and access control
  • Host and serve your websites and applications
  • Provide customer support and technical assistance
  • Process payments and manage billing (through third-party processors)

Platform Improvement and AI Training

  • Analyze usage patterns to improve AI model performance and accuracy
  • Use aggregated and anonymized data to enhance platform features
  • Develop new AI capabilities and expand service offerings
  • Conduct research and development for platform optimization

Important Note on AI Training: We use interactions with our AI systems, including prompts and generated content, to improve our AI models:

  • For paid users with private projects: We only use this data in aggregated, anonymized form unless you explicitly consent otherwise
  • For free users with public projects: We may use project data more directly for AI training and improvement
  • Google user data is NEVER used for AI training: We do NOT use Google OAuth profile data (name, email, profile picture) or imported Gmail contacts for AI model training or improvement under any circumstances

2.2 Communication and User Experience

Service Communications

  • Send account notifications, security alerts, and service updates
  • Provide customer support and respond to inquiries
  • Share product updates, new features, and platform improvements
  • Send billing notices and payment confirmations

Marketing and Promotional Communications (with your consent)

  • Newsletter with platform tips, industry insights, and feature highlights
  • Information about new plans, pricing changes, or special offers
  • Case studies and success stories (with your explicit permission)

Platform Security

  • Monitor for fraudulent activities, spam, and abuse
  • Detect and prevent security threats and unauthorized access
  • Investigate violations of our Terms of Service
  • Maintain system integrity and prevent service disruption

Legal and Regulatory Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Respond to legal requests, court orders, and government inquiries
  • Protect our rights, property, and interests, and those of our users
  • Enforce our Terms of Service and other platform policies

3. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following circumstances:

3.1 Service Providers and Technology Partners

Essential Service Providers

  • Cloud hosting providers (AWS, Google Cloud) for infrastructure and data storage
  • Content Delivery Network (CDN) providers for website performance
  • Payment processors (Stripe, PayPal) for billing and subscription management
  • Email service providers for transactional and marketing communications
  • Customer support tools for help desk and communication management

Analytics and Performance Monitoring

  • Google Analytics: Receives technical usage data to help us understand platform performance and user experience
  • Third-party analytics providers (e.g., Mixpanel): Receive only anonymized technical and usage data (page views, feature usage, session duration, device types) to improve our Services

Important: Analytics providers do NOT receive Google user data (names, email addresses, or OAuth profile information). We only share aggregated, anonymized technical metrics necessary for service improvement, which is permitted under Google's User Data Policy.

AI and Technology Partners

  • AI model providers and training infrastructure partners
  • Security service providers for threat detection and prevention
  • Backup and disaster recovery service providers

All service providers are contractually required to protect your data and use it only for specified purposes.

3.2 Public Project Sharing

Community Templates and Public Projects

  • Free users' published projects become part of our public community template library
  • Public project content (websites, code, designs) may be used for marketing materials, case studies, and platform promotion
  • Other users can view, clone, and modify public projects according to our Terms of Service

Important: When we use public projects for marketing:

  • We only showcase the project content itself (website designs, code examples, features)
  • We do NOT include your Google account data (name, email, profile picture)
  • We do NOT include imported Gmail contacts or any Google user data
  • Attribution is provided only if you explicitly grant permission

Privacy for Paid Users

  • Private projects from paid subscribers are not shared publicly
  • We do not use private project data for marketing or public display without explicit consent

Legal Compliance

  • Compliance with valid legal process, including subpoenas, court orders, and search warrants
  • Protection of our rights, property, and safety, and those of our users and the public
  • Investigation of potential violations of law or our Terms of Service
  • Cooperation with law enforcement and regulatory authorities when legally required

Business Transactions

  • In connection with a merger, acquisition, bankruptcy, or sale of company assets
  • Due diligence processes for potential business transactions
  • Transfer of user accounts and data as part of business restructuring

Data will be transferred only to entities that agree to protect your information according to this Privacy Policy.

3.4 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably identify you, including:

  • Industry reports and research insights
  • Platform usage statistics and trends
  • Performance benchmarks and case studies
  • Academic research and development partnerships

4. Data Storage and International Transfers

4.1 Data Storage Locations

Primary Data Storage

  • User data is primarily stored in secure data centers in the United States
  • We use industry-standard cloud providers (AWS, Google Cloud) with SOC 2 compliance
  • Backup data may be stored in multiple geographic locations for disaster recovery

Content Delivery and Performance

  • Website content may be cached and distributed globally through CDN services
  • Some technical data may be processed in different countries for performance optimization

4.2 International Data Transfers

Cross-Border Data Processing

  • If you access our Services from outside the United States, your data may be transferred to and processed in the US
  • We implement appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) where applicable
  • For EU users, we provide additional protections under GDPR requirements

Third-Party Service Locations

  • Some service providers may process data in countries other than your residence
  • We ensure all international service providers maintain adequate data protection standards

5. Your Rights and Choices

5.1 Account Access and Management

Profile Management

  • Access and update your account information through your profile settings
  • Change your password, email address, and profile details
  • Manage project settings, privacy preferences, and notification options
  • Download your project data and code at any time

Communication Preferences

  • Unsubscribe from marketing emails using the unsubscribe link
  • Manage notification preferences in your account settings
  • Opt out of non-essential communications while maintaining service notifications

5.2 Data Subject Rights (GDPR and Similar Laws)

Access and Portability

  • Request a copy of all personal data we hold about you
  • Receive your data in a structured, machine-readable format
  • Transfer your data to another service provider (data portability)

Correction and Deletion

  • Correct inaccurate or incomplete personal information
  • Request deletion of your personal data (subject to legal and operational limitations)
  • Request restriction of processing under certain circumstances

Objection and Consent Withdrawal

  • Object to processing based on legitimate interests
  • Withdraw consent for marketing communications and optional data processing
  • Object to automated decision-making and profiling (where applicable)

Exercising Your Rights To exercise these rights, contact us at contact@heyboss.ai with a clear description of your request. We will respond within the timeframes required by applicable law (typically 30 days).

5.3 California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

Right to Know

  • Categories of personal information collected and sources
  • Business purposes for collecting personal information
  • Categories of third parties with whom we share information

Right to Delete

  • Request deletion of personal information we have collected
  • Exceptions for information necessary for business operations or legal compliance

Right to Opt-Out

  • While we don't "sell" personal information in the traditional sense, you can opt out of certain data sharing practices

Non-Discrimination

  • We will not discriminate against you for exercising your California privacy rights

Browser Controls

  • Configure your browser to block or delete cookies
  • Use private/incognito browsing modes
  • Install browser extensions for enhanced privacy control

Platform Controls

  • Access cookie preferences through our cookie management interface
  • Opt out of non-essential tracking and analytics
  • Manage marketing and advertising cookie preferences

Note: Disabling certain cookies may affect platform functionality and user experience.

6. Data Retention and Deletion

6.1 Retention Periods

Account Data

  • Account information: Retained while your account is active, plus 3 years after account deletion
  • Project data: Varies based on account type and activity level
  • Communication records: Retained for 7 years for legal and customer service purposes

Usage and Technical Data

  • Analytics data: Aggregated data retained indefinitely; individual data retained for 2 years
  • Log files: Typically retained for 1 year unless needed for security or legal purposes
  • Session data: Deleted after session expiration or account inactivity

6.2 Data Deletion Policies

User-Initiated Deletion

  • Account deletion: All associated personal data deleted within 90 days
  • Project deletion: Individual projects deleted within 30 days
  • Some data may be retained in encrypted backups for up to 1 year for disaster recovery

Automatic Cleanup

  • Inactive free accounts: May be deleted after 2 years of inactivity with 90 days notice
  • Inactive projects: May be archived or deleted based on account type and activity
  • Temporary files: Automatically deleted according to system maintenance schedules

Legal and Operational Retention

  • Some data may be retained longer for legal compliance, dispute resolution, or fraud prevention
  • Anonymized and aggregated data may be retained indefinitely for research and improvement purposes

7. Security Measures

7.1 Technical Safeguards

Data Encryption

  • Data in transit: All communications protected with TLS 1.3 encryption
  • Data at rest: Sensitive data encrypted using AES-256 encryption
  • Database encryption: All user data encrypted at the database level

Access Controls

  • Multi-factor authentication for employee access to systems
  • Role-based access controls and principle of least privilege
  • Regular access reviews and permission audits
  • Secure API authentication and authorization

Infrastructure Security

  • Regular security assessments and penetration testing
  • Automated vulnerability scanning and patch management
  • Network segmentation and firewall protection
  • Intrusion detection and monitoring systems

7.2 Operational Security

Employee Training and Access

  • Regular security awareness training for all employees
  • Background checks for employees with data access
  • Confidentiality agreements and data handling policies
  • Limited and monitored access to personal data

Incident Response

  • Documented incident response procedures
  • Immediate containment and investigation of security incidents
  • Notification procedures for affected users and authorities
  • Post-incident analysis and security improvements

7.3 Data Breach Notification

User Notification

  • Notification within 72 hours for high-risk breaches
  • Clear information about what data was affected and steps being taken
  • Specific recommendations for user actions and protection measures
  • Follow-up communications with additional details as available

Regulatory Notification

  • Compliance with GDPR, CCPA, and other applicable breach notification laws
  • Coordination with relevant authorities and regulatory bodies
  • Documentation and reporting of all security incidents

8. Children's Privacy (COPPA Compliance)

8.1 Age Restrictions

Our Services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

Age Verification

  • We require users to confirm they are at least 13 years old during registration
  • Users between 13-17 must have parental consent to use our Services
  • We may request additional verification for accounts that appear to belong to minors

Parental Rights

  • Parents can request access to their child's account information
  • Parents can request deletion of their child's account and associated data
  • We provide special protections for accounts belonging to minors

8.2 Discovery and Response

Inadvertent Collection If we discover that we have collected information from a child under 13:

  • We will delete the information immediately
  • We will terminate the child's account
  • We will notify parents if contact information is available

Reporting Parents who believe their child under 13 has provided information to us should contact us immediately at contact@heyboss.ai.

9. Updates to This Privacy Policy

9.1 Policy Changes

Notification of Changes

  • Material changes will be communicated at least 30 days in advance
  • Notice will be provided via email, platform notifications, and website posting
  • Continued use of Services after changes indicates acceptance of updated policy

Types of Changes

  • Changes in data collection practices or purposes
  • New third-party partnerships or data sharing arrangements
  • Updates to user rights or data retention policies
  • Changes in security measures or data storage locations

9.2 Version Control

Policy Versioning

  • Each version includes an effective date and change summary
  • Previous versions are archived and available upon request
  • Major changes are highlighted and explained in plain language

User Review Period

  • Significant changes include a review period before taking effect
  • Users who object to changes may close their accounts before the effective date
  • We may provide granular controls for specific types of data processing

10. International Privacy Frameworks

10.1 GDPR Compliance (EU Users)

Legal Basis for Processing

  • Contract performance: Processing necessary for providing our Services
  • Legitimate interests: Platform improvement, security, and analytics
  • Consent: Marketing communications and optional features
  • Legal obligations: Compliance with applicable laws and regulations

Data Protection Officer

  • For GDPR-related inquiries, contact our Data Protection Officer at contact@heyboss.ai
  • Include "GDPR Request" in your subject line for priority processing

Cross-Border Data Transfers

  • Standard Contractual Clauses (SCCs) for transfers outside the EEA
  • Adequacy decisions and other legal mechanisms where applicable
  • Additional safeguards for sensitive data transfers

10.2 Other Regional Privacy Laws

Canada (PIPEDA)

  • Compliance with Personal Information Protection and Electronic Documents Act
  • Privacy impact assessments for high-risk processing activities

Brazil (LGPD)

  • Compliance with Lei Geral de Proteção de Dados requirements
  • Data subject rights equivalent to GDPR provisions

Other Jurisdictions

  • We monitor and comply with emerging privacy laws in jurisdictions where we operate
  • Regional privacy requirements are incorporated into our global privacy framework

11. Contact Information and Privacy Requests

11.1 General Privacy Inquiries

Privacy Contact Information Hee Labs, Inc.
Privacy Team
530 Lytton Avenue, Floor 2
Palo Alto, CA 94301
Email: contact@heyboss.ai

11.2 Specific Request Types

Data Subject Access Requests

  • Email: contact@heyboss.ai
  • Subject Line: "Data Access Request"
  • Include: Full name, email address, and specific information requested

Data Deletion Requests

  • Email: contact@heyboss.ai
  • Subject Line: "Data Deletion Request"
  • Include: Account email, reason for deletion, and confirmation of identity

Security and Breach Reports

  • Email: contact@heyboss.ai
  • Subject Line: "Security Issue" or "Privacy Concern"
  • Include: Detailed description and any supporting evidence

11.3 Response Times

Standard Requests: 30 days (or as required by applicable law) Complex Requests: Up to 90 days with notification of extension Urgent Security Issues: Within 24-48 hours GDPR/CCPA Requests: Within legally required timeframes

12. Google API Services Compliance

HeyBoss's use of information received from Google APIs is governed by this Privacy Policy and adheres to the Google API Services User Data Policy, including the Limited Use requirements.

12.1 Google APIs We Use

Google OAuth API

  • Purpose: User authentication and account creation
  • Scopes: openid, email, profile
  • Data Accessed: Basic profile information (name, email, profile picture)

Google People API (Contacts)

  • Purpose: Optional Gmail contacts import for customer management
  • Scopes: https://www.googleapis.com/auth/contacts.readonly
  • Data Accessed: Contact information (names, emails, phone numbers, addresses)
  • User Control: Users explicitly choose which contacts to import

12.2 Limited Use Commitment

In accordance with Google's Limited Use requirements, HeyBoss commits to the following:

Permitted Uses Only We use Google user data exclusively for:

  1. Authentication: Verifying user identity and creating accounts
  2. Service Provision: Providing access to our AI website building platform
  3. Customer Management: Importing user-selected Gmail contacts into the user's own project customer database
  4. Service Communications: Sending essential account and service notifications
  5. Security: Protecting user accounts and preventing unauthorized access

Prohibited Uses - What We Never Do We do NOT:

  • Sell Google user data to third parties
  • Transfer Google user data to advertising platforms, data brokers, or information resellers
  • Use Google user data for serving ads (including retargeting, personalized, or interest-based advertising)
  • Use Google user data to determine creditworthiness or for lending purposes
  • Share Google user data with surveillance entities
  • Use Google user data for AI model training
  • Allow unnecessary human review of Google user data

12.3 Data Handling Practices

Data Minimization

  • We only request Google API scopes that are essential for our Services
  • We only access the minimum data necessary to provide functionality
  • Users can choose to authenticate without granting contacts access

Secure Storage and Transmission

  • All Google user data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access to Google user data is restricted to authorized personnel only
  • We implement industry-standard security measures to protect Google user data

Retention and Deletion

  • Google OAuth data is retained only while the user maintains an active account
  • Imported Gmail contacts are deleted when you delete the customer from your project or delete your project
  • Upon account deletion, all Google user data is permanently deleted within 90 days

12.4 User Rights and Control

Managing Google Permissions

  • You can revoke HeyBoss's access to your Google account at any time via Google Account Permissions
  • Revoking access will prevent future data collection but will not automatically delete previously collected data
  • You must separately delete imported contacts from your project's customer management interface

Transparency

  • We clearly communicate what Google data we access and why during the OAuth consent flow
  • We never access Google data without explicit user consent
  • We provide this Privacy Policy with detailed explanations of our Google data practices

12.5 Third-Party Sharing Restrictions

No Unauthorized Transfers

  • Google user data is never transferred to third parties except as explicitly permitted:
    • Cloud hosting providers (AWS, Google Cloud) under strict data processing agreements
    • Security service providers for fraud prevention (under contract)
    • Legal authorities when required by law

Service Provider Contracts All third-party service providers with any access to Google user data are contractually bound to:

  • Use data only for specified purposes
  • Implement appropriate security measures
  • Not share data with any other parties
  • Delete data when no longer needed

12.6 Compliance and Verification

Regular Audits

  • We conduct regular internal audits of our Google API usage
  • We maintain documentation of our data handling practices
  • We monitor for any unauthorized access or use of Google user data

Policy Updates

  • We will notify users of any material changes to our Google data handling practices
  • Changes will be communicated at least 30 days in advance
  • Continued use after changes constitutes acceptance of the updated practices

Google OAuth Verification

  • HeyBoss undergoes Google's OAuth verification process
  • We maintain compliance with Google's branding guidelines
  • We respond promptly to any Google compliance inquiries

12.7 Contact for Google API Questions

For specific questions about our use of Google APIs and Google user data:

  • Email: contact@heybossai.com
  • Subject Line: "Google API Data Inquiry"
  • We will respond within 5 business days

For immediate security concerns related to Google data:

  • Email: contact@heybossai.com
  • Subject Line: "URGENT: Google Data Security Issue"
  • We will respond within 24-48 hours

13. Additional Resources

This Privacy Policy is effective as of the date listed above and supersedes all previous versions. For questions about this Privacy Policy, please contact us at contact@heybossai.com.