Privacy Policy
Effective Date: February 2, 2026 | Last Updated: February 2, 2026
Introduction
HeyThanks LLC ("HeyThanks," "Company," "we," "us," or "our") is committed to protecting your privacy and the security of your personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our website at heythanks.app, our web application, APIs, and all related services (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use the Service.
This Privacy Policy should be read in conjunction with our Terms of Service, available at heythanks.app/terms.
1. Information We Collect
1.1 Information You Provide Directly
We collect information you provide directly to us, including:
Account Information
- Name and email address
- Password (stored in hashed form)
- Phone number (optional)
- Profile information and preferences
Business Information
- Business name, type, and industry
- Business address and location(s)
- Business website URL
- Business description and brand voice preferences
- Owner/manager name and contact information
Payment Information
- Billing name and address
- Payment method details (processed and stored securely by Stripe; we do not store full credit card numbers)
- Transaction history
Communication Information
- Emails, messages, and other communications you send to us
- Feedback, surveys, and reviews you provide
- Customer support inquiries and correspondence
1.2 Information from Connected Platforms
When you connect your business profiles on third-party platforms (such as Google Business Profile), we collect information from those platforms, including:
- OAuth Access Tokens: Access and refresh tokens necessary to interact with connected platforms on your behalf (encrypted at rest)
- Business Profile Data: Business name, address, categories, attributes, hours, and other profile information
- Review Data: Customer reviews including reviewer name (as displayed), rating, review text, date, and any reviewer profile information made available by the platform
- Response Data: Responses posted to reviews, including those posted through the Service
1.3 Information Collected Automatically
When you access or use the Service, we automatically collect certain information, including:
Usage Data
- Features accessed and actions taken within the Service
- Responses generated, approved, and posted
- Pages viewed and links clicked
- Time spent on pages and features
- Search queries within the Service
Device and Technical Information
- IP address and approximate geographic location
- Browser type and version
- Operating system
- Device type and unique device identifiers
- Screen resolution and display settings
- Mobile network information (for mobile devices)
Log Data
- Access times and dates
- Referring URLs and exit pages
- Error logs and crash reports
- API request and response logs
1.4 Information from Third-Party AI Providers
The Service uses third-party AI providers (such as Anthropic) to generate review responses. When processing your requests, we may receive information back from these providers, including the generated response content and metadata about the generation process.
2. How We Use Your Information
2.1 Providing the Service
We use your information to:
- Create and manage your account
- Connect to and sync data from your third-party business profiles
- Monitor and retrieve customer reviews
- Generate AI-powered review responses based on your business profile and settings
- Post responses to your connected business profiles on your behalf
- Provide analytics and reporting on your reviews and responses
2.2 Billing and Payments
- Process subscription payments and renewals
- Send invoices and payment receipts
- Manage billing information and subscription status
- Prevent payment fraud
2.3 Communication
- Send service-related communications (account verification, subscription updates, security alerts)
- Respond to your inquiries and customer support requests
- Send product updates and feature announcements
- Send marketing communications (with your consent, where required by law)
2.4 Improvement and Development
- Analyze usage patterns to understand how the Service is used
- Identify and fix bugs, errors, and technical issues
- Develop new features and improve existing functionality
- Conduct research and analysis to improve the Service
- Train and improve our AI models (using anonymized data only)
2.5 Security and Legal
- Detect, prevent, and address fraud, abuse, and security threats
- Enforce our Terms of Service and other policies
- Comply with legal obligations and respond to legal requests
- Protect the rights, property, and safety of HeyThanks, our users, and others
2.6 Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following legal bases:
- Performance of Contract: To fulfill our contractual obligations to provide the Service to you
- Legitimate Interests: To pursue our legitimate business interests, including improving the Service, ensuring security, and marketing (where not overridden by your rights)
- Consent: For certain processing activities where we ask for your consent, such as marketing communications
- Legal Obligation: To comply with applicable laws, regulations, and legal processes
3. How We Share Your Information
3.1 Connected Platforms
When you connect your business profiles, we share data with those platforms as necessary to provide the Service:
- Google Business Profile: Review responses are posted to your Google Business Profile. Your business name and response content become publicly visible on Google.
- Other Platforms: Similar data sharing occurs with other platforms you connect (e.g., Yelp, Facebook) as those integrations become available.
3.2 Service Providers (Subprocessors)
We share your information with trusted third-party service providers who assist us in operating the Service. These providers are contractually obligated to protect your information and use it only for the purposes we specify.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication | All account and application data | United States |
| Vercel | Application hosting | Application code, some request data | United States |
| Stripe | Payment processing | Payment and billing information | United States |
| Anthropic | AI response generation | Review content, business context | United States |
| Google | Business Profile API | Reviews, responses, profile data | United States |
| Google Analytics | Website analytics | Usage data, device information | United States |
| Meta (Facebook) | Conversion tracking | Conversion events, device information | United States |
3.3 AI Providers
To generate AI-powered review responses, we share certain data with our AI providers (currently Anthropic):
- Customer review content (text, rating)
- Your business name and description
- Response style and tone preferences
We have agreements in place with our AI providers prohibiting them from using your data to train their models without your consent. Review content is processed to generate responses and is not retained by AI providers for training purposes.
3.4 Legal Requirements
We may disclose your information when required by law or when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation, subpoena, court order, or legal process
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
3.5 Business Transfers
In connection with any merger, acquisition, sale of assets, financing, or transfer of all or a portion of our business, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information.
3.6 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This includes:
- Industry benchmarks and statistics
- Aggregate usage metrics
- Research and analysis reports
3.7 We Do Not Sell Your Personal Information
HeyThanks does not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not share your personal information with third parties for their own commercial purposes without your explicit consent.
4. Data Security
We implement robust technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:
4.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Encryption at Rest: Sensitive data, including OAuth tokens, is encrypted at rest using AES-256 encryption
- Secure Authentication: Passwords are never stored in plaintext; they are hashed using bcrypt, which applies a unique random salt to each password and a configurable work factor (cost) that we set to an appropriate level
- Access Controls: Role-based access controls and the principle of least privilege for internal access
- Security Monitoring: Automated monitoring for suspicious activity and potential security threats
- Regular Updates: Regular security patches and updates to our systems and dependencies
4.2 Organizational Safeguards
- Employee training on data security and privacy practices
- Background checks for employees with access to sensitive data
- Confidentiality agreements with all employees and contractors
- Regular security assessments and audits
- Incident response procedures
4.3 Your Responsibilities
Security is a shared responsibility. You can help protect your information by:
- Using a strong, unique password for your account
- Not sharing your login credentials with others
- Logging out when using shared or public devices
- Keeping your connected platform credentials secure
- Notifying us immediately if you suspect unauthorized access
Important: Despite our efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
5. Data Retention
We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 30 days | Service provision and account recovery |
| Business Profile Data | Duration of account | Service functionality |
| Review Data | 3 years | Analytics and service improvement |
| Generated Responses | 3 years | Service records and improvement |
| Billing Records | 7 years | Tax and legal compliance |
| Log Data | 90 days | Security and debugging |
| OAuth Tokens | Until revoked or account deleted | Platform connectivity |
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax records) or for legitimate business purposes (e.g., fraud prevention, resolving disputes, enforcing our agreements).
6. Your Privacy Rights
6.1 Rights for All Users
Regardless of your location, you have the following rights:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete personal information
- Deletion: Request deletion of your account and associated personal data
- Data Portability: Request a copy of your data in a machine-readable format
- Disconnect Accounts: Disconnect third-party platform accounts at any time through your account settings
- Opt-Out of Marketing: Unsubscribe from marketing communications at any time
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Request limitation on the use of sensitive personal information, if applicable
- Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights
To exercise these rights, contact us at privacy@heythanks.app or use the contact information below. We will verify your identity before processing your request.
6.3 European Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and the equivalent UK and Swiss data protection laws:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request restriction of processing in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent
- Right to Lodge a Complaint: Lodge a complaint with your local data protection authority
For GDPR inquiries, contact our Data Protection contact at privacy@heythanks.app.
6.4 Exercising Your Rights
To exercise any of your privacy rights, please contact us at:
Email: privacy@heythanks.app
We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing certain requests.
7. International Data Transfers
HeyThanks is based in the United States. Your information is processed and stored in the United States and may be transferred to and processed in other countries where our service providers operate.
If you are located outside the United States, please be aware that information you provide to us may be transferred to and processed in the United States and other countries, which may have different data protection laws than your country.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission
- The recipient's participation in the EU-US Data Privacy Framework (where applicable)
- Other legally recognized transfer mechanisms
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect information about your browsing activity on our website and to improve your experience.
8.1 Types of Cookies We Use
| Category | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, session management. Required for the Service to function. | Session / 7 days |
| Functional | Remember your preferences and settings | 1 year |
| Analytics | Understand how visitors use our website (Google Analytics) | 2 years |
| Marketing | Track conversions and measure ad effectiveness (Facebook Pixel) | 90 days |
8.2 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to:
- See what cookies are stored and delete them individually
- Block third-party cookies
- Block cookies from specific websites
- Block all cookies
- Delete all cookies when you close your browser
Please note that blocking essential cookies may prevent the Service from functioning properly.
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law. For breaches subject to GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible) and notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
10. Data Processing Agreement
Business customers who require a Data Processing Agreement (DPA) for GDPR or other regulatory compliance may contact us at legal@heythanks.app to request our standard DPA. The DPA sets out the terms under which we process personal data on your behalf as a data processor.
11. Children's Privacy
The Service is not intended for use by anyone under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at privacy@heythanks.app, and we will take steps to delete such information from our systems.
12. Third-Party Links
The Service may contain links to third-party websites, applications, or services that are not operated or controlled by HeyThanks. This Privacy Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices or content of third-party services.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes:
- We will update the "Last Updated" date at the top of this Privacy Policy
- We will notify you via email and/or prominent notice within the Service at least 30 days before the changes take effect
- For significant changes, we may require you to re-acknowledge acceptance of the updated Privacy Policy
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the changes, you should stop using the Service.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
HeyThanks LLC
Privacy Inquiries: privacy@heythanks.app
Legal/DPA Requests: legal@heythanks.app
Support: support@heythanks.app
General: hello@heythanks.app
Website: https://heythanks.app