Skip to main content
← HeeyuuLast updated 6 June 2026

Privacy Policy

This Privacy Policy explains how Heeyuu ("we", "us") processes personal data in connection with the Heeyuu service. We are the data controller under Regulation (EU) 2016/679 (the "GDPR").

1. Data we collect

  • Account data: email address, hashed password, authentication provider identifiers (e.g. Google sub).
  • Workspace data: projects, documents, AI prompts and responses, drafts, evaluations, partner shortlists you create.
  • Billing data: subscription tier, invoice metadata. Card details are handled by Adyen; we never see them.
  • Usage data: page views, feature usage, error logs, IP address (for security and rate-limiting), user agent.

2. Why we process it

  • Contract: to provide the Service you signed up for.
  • Legitimate interest: security, fraud prevention, product analytics, abuse rate-limiting.
  • Legal obligation: tax records, responding to lawful requests.
  • Consent: optional marketing emails (separate opt-in).

3. Sub-processors

We use the following sub-processors to operate the Service. Each is bound by a data-processing agreement.

  • Supabase — database, authentication, file storage (EU region).
  • Cloudflare — application hosting and edge compute.
  • Adyen — payment processing (NL).
  • Resend — transactional email delivery.
  • Google Gemini, OpenAI, Anthropic, Mistral, Perplexity — AI model inference for prompts you submit.
  • Mapbox — map tiles for geographic features.

Some sub-processors may transfer data outside the EEA. Where they do, we rely on the European Commission's Standard Contractual Clauses or an adequacy decision.

4. Retention

  • Account data: while your account is active, plus 30 days after deletion.
  • Workspace data: same as account data; you can export at any time.
  • Billing records: 7 years (Belgian tax law).
  • Server and security logs: 90 days.

5. Your rights

Under the GDPR you can request:

  • access to your personal data;
  • rectification of inaccurate data;
  • erasure ("right to be forgotten");
  • restriction of processing;
  • data portability;
  • objection to processing based on legitimate interest;
  • withdrawal of consent.

Email privacy@heeyuu.eu to exercise these rights. You can also lodge a complaint with the Belgian Data Protection Authority (gegevensbeschermingsautoriteit.be).

6. Security

Data in transit is encrypted with TLS. Data at rest is encrypted by our infrastructure provider. We use row-level security to isolate every workspace. Passwords are hashed and checked against the Have I Been Pwned breach database; compromised passwords are rejected.

7. AI prompts

Prompts you send to AI features are transmitted to the model providers listed above for inference. We do not consent to your data being used to train their models, and we use provider APIs that respect this.

8. Changes

Material changes are notified by email at least 30 days in advance.

Contact

Data protection enquiries: privacy@heeyuu.eu.