Privacy Policy — HeyThere

Fritter Factory Innovation Labs Inc. (“we,” “us,” or “our”) operates HeyThere, an AI-powered call, text, and voicemail management service. This Privacy Policy explains how we collect, use, store, and protect your information. We are a Canadian company based in Prince Edward Island, and we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). If you are located in the European Union, we also respect your rights under the General Data Protection Regulation (GDPR).

1. Information We Collect

Account Information

When you sign up, we collect your name, email address, and business name or type. This information is used to create and manage your account.

Call, Text, and Voicemail Data

When you use the Service, we process call recordings, voicemail audio, text messages, transcriptions, and AI-generated summaries. This data is necessary to provide the core functionality of HeyThere.

Usage Data

We collect information about how you interact with the Service, including features used, pages visited, and actions taken. This helps us understand how to improve the product.

Device and Technical Data

We may collect device type, operating system, browser type, IP address, and similar technical information for security and troubleshooting purposes.

2. How We Use Your Information

We use your information to:

Provide, maintain, and improve the Service
Process and summarize your voicemails and text conversations using AI
Route calls and messages to the appropriate recipients
Communicate with you about your account and the Service
Detect and prevent fraud, abuse, and security issues
Comply with legal obligations

3. How AI Processes Your Data

HeyThere uses artificial intelligence to process your communication data. When a call, voicemail, or text message is received, it is processed by AI to generate transcriptions, summaries, and routing decisions. We are transparent about this: AI is a core part of how the Service works, not a hidden feature.

We use third-party AI providers to process voice data. Your data is sent to these providers solely for the purpose of providing the Service. Your voice data is not used to train AI models — not ours, and not our providers'.

4. Data Storage and Security

Your data is stored on secure servers with industry-standard encryption in transit and at rest. We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

5. Third-Party Services

We use third-party service providers to help us operate the Service. These may include cloud hosting providers, AI processing services, analytics tools, and communication platforms. These providers have access to your information only as necessary to perform their functions and are obligated to protect it.

Slack integration

When you connect Slack to HeyThere, we use Slack's OAuth 2.0 flow to obtain a bot access token scoped to your workspace. The token is stored server-side and is used only to call the Slack API on your behalf. We use it to:

Post call summaries, voicemail transcripts, and form submissions to the channels you choose
Update those messages in place when a team member claims, snoozes, or resolves a call
Send direct messages to assigned team members
Read a workspace member's profile email so we can match Slack users to HeyThere users for direct-message routing
Read each user's Do Not Disturb status so we can skip non-urgent notifications during quiet hours
Receive bot events from your workspace (app uninstall, token revocation, app home opens, reactions on our posts, and links to HeyThere being shared in your Slack channels)

We can read the content of direct messages exchanged between a user and the HeyThere bot — for example, when a user DMs the bot to claim a call privately — so the bot can respond. We do not read direct messages between two human users, we do not read messages in channels we have not been invited to, and we do not store Slack message content beyond the message identifiers needed to update our own posts. When you disconnect HeyThere from Slack — either from the HeyThere dashboard or by uninstalling the app from your Slack workspace — we immediately invalidate the access token and stop calling the Slack API.

Google Calendar integration

When you connect a Google account to HeyThere, we use Google's OAuth 2.0 flow with the following non-sensitive scopes:

openid and email — to identify the connecting account
auth/calendar.app.created — to write events to a calendar HeyThere creates inside your Google account, and only that calendar
auth/calendar.freebusy — to read whether a time block is free or busy across your calendars (no event details)

HeyThere's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What Google data we receive. Your account email and profile id (for identification), free/busy windows from your Google calendars (during availability checks), and the events HeyThere itself created on the app-owned calendar.

What we write. Events on the calendar HeyThere created via the calendar.app.created scope, only. We do not read, modify, or delete events on your primary calendar or any other calendar you own.

Storage. Refresh tokens are encrypted at rest in our database. Access tokens are short-lived and not persisted long-term. We do not store the contents of your primary calendar events or your free/busy results beyond the duration of an availability request.

Retention and deletion. Tokens are retained while a calendar resource is connected. When you disconnect a resource — either from the HeyThere dashboard or by revoking access at myaccount.google.com/permissions — we revoke the token at Google and delete our copy within seven days. Bookings already created remain on the app-owned calendar inside your Google account; you can delete that calendar from Google directly if you no longer want them.

No third-party transfer.Google data is not used for advertising or to train machine-learning models — neither ours, nor those of our infrastructure providers. We do not sell or share Google data with third parties beyond the infrastructure providers (Vercel, Supabase, OpenAI for transcription/summarization, etc.) listed elsewhere in this policy. For information on Google's own privacy practices, see policies.google.com/privacy.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. If you close your account, we will delete your personal information within a reasonable timeframe, unless we are required to retain it for legal or regulatory purposes.

7. Your Rights

You have the right to access, correct, or delete your personal information. You may also request a copy of your data in a portable format. Under PIPEDA, you have the right to withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions. If you are in the EU, you also have rights under GDPR including the right to object to processing and the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, contact us at privacy@getheythere.com.

8. Cookies and Tracking

We use privacy-friendly analytics (Fathom Analytics) that does not use cookies or track personal information. We do not use advertising trackers. If we introduce cookies in the future, we will update this policy and provide you with appropriate notice and controls.

9. Children's Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete it promptly.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own. When we transfer data internationally, we ensure that appropriate safeguards are in place to protect your information in compliance with applicable data protection laws, including PIPEDA and, where applicable, GDPR.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

12. Contact

If you have questions or concerns about this Privacy Policy or how we handle your data, please contact us at privacy@getheythere.com.

Fritter Factory Innovation Labs Inc.
Prince Edward Island, Canada