Privacy Policy
Last updated: March 9, 2026
At HeyBuddy, we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform and services ("Service").
1. Information We Collect
| Data Type | What We Collect | Why |
| --- | --- | --- |
| Account Info | Name, email, phone (optional), password (hashed) | Account creation and authentication |
| Billing Info | Subscription tier, billing history | Subscription management (payment details handled by Stripe) |
| Usage Data | Message counts, feature usage, to-do/reminder counts | Tier enforcement and service improvement |
| Conversation Data | Messages with HeyBuddy AI | Providing AI assistant features (stored by PersonaOne) |
| Security Data | IP address, user agent, login timestamps | Account security and fraud prevention |
| Device Info | Browser type, operating system | Service optimization and troubleshooting |
2. How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Process your subscription and billing
- Deliver AI assistant features (via PersonaOne)
- Send transactional emails (verification, password reset, billing)
- Detect and prevent security threats and fraud
- Improve the Service through aggregated, anonymized analytics
- Respond to your feedback and support requests
We do not sell your personal information to third parties. We do not use your data for advertising.
3. Data Storage & Security
Your data is stored securely using Amazon Web Services (AWS) infrastructure:
- Encryption at rest: All data is encrypted using AWS DynamoDB encryption
- Encryption in transit: All connections use HTTPS/TLS
- Password security: Passwords are hashed using bcrypt with a cost factor of 12 — we never store plaintext passwords
- Payment security: Credit card information is handled entirely by Stripe (PCI DSS compliant) — we never see or store your card details
- Access controls: Strict IAM policies limit data access to necessary services only
4. Third-Party Services
We use the following third-party services to operate HeyBuddy:
- PersonaOne: Processes AI conversations, SMS, email, and voice calls on our behalf. PersonaOne acts as a data processor and is subject to its own privacy and security policies.
- Stripe: Handles payment processing. See Stripe's Privacy Policy.
- Amazon Web Services (AWS): Hosts our infrastructure including databases, APIs, and email delivery (SES).
We do not share your data with any other third parties unless required by law.
5. Your Rights (GDPR)
If you are in the European Economic Area (EEA), you have the following rights under GDPR:
- Right to Access: Request a copy of all personal data we hold about you
- Right to Rectification: Update or correct your personal information
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability: Export your data in a machine-readable format (JSON/CSV)
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Object: Object to certain types of data processing
You can exercise these rights directly from your HeyBuddy dashboard under Privacy & Data, or by contacting us at privacy@heybuddy.work.
6. Data Export & Deletion
You can take the following actions from your dashboard at any time:
- Export your data: Download all your personal data in JSON or CSV format
- Clear conversation history: Delete your chat history with HeyBuddy
- Delete your account: Permanently remove your account and all associated data
When you delete your account, we retain your data for 30 days (soft delete) to allow recovery, after which it is permanently and irreversibly removed from our systems.
7. Cookies
HeyBuddy uses minimal cookies:
- Authentication tokens: Stored in local storage (not cookies) to keep you signed in
- Essential cookies: Session management only — no tracking or analytics cookies
We do not use third-party advertising or tracking cookies.
8. Data Retention
- Account data: Retained while your account is active + 30 days after deletion
- Security logs: Retained for 90 days, then automatically deleted
- Conversation data: Retained by PersonaOne per their data retention policy. You can clear your history at any time.
- Billing records: Retained as required by law (typically 7 years for tax purposes)
9. Children's Privacy
HeyBuddy is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service. The "Last updated" date at the top of this page indicates the most recent revision.
11. Contact Us
For any privacy-related questions or requests: