Privacy Policy
This Privacy Policy explains what personal information Hey AI, Inc. ("Hey AI," "we," "us") collects when you use the Hey AI iOS app, the hey.ai website, and any related services (collectively, the "Services"), how we use that information, who we share it with, and the rights you have over it.
If you do not agree with this Policy, please do not use the Services. Questions? Email privacy@hey.ai.
Contents
- Who we are
- Information we collect
- How we use information
- Legal basis (EEA/UK)
- Who we share data with
- Sub-processors
- HealthKit, Calendar & voice
- Children & Kids mode
- How long we keep data
- Security
- International transfers
- Your rights
- Account & data deletion
- Cookies & analytics
- California rights (CCPA / CPRA)
- Changes to this Policy
- Contact
1. Who we are
Hey AI, Inc. is a Delaware corporation. The Services let you "hire" one or more AI coach personas that text you, call you, and check in on a schedule you set. Coaches can be given access to your Apple HealthKit data and calendar events with your consent.
Data controller. For users in the European Economic Area, the United Kingdom, and Switzerland, Hey AI, Inc. is the data controller for personal information processed through the Services.
How to reach us about privacy: privacy@hey.ai.
2. Information we collect
You give us
- Account & identity: phone number (for SMS-based sign-in via Firebase Authentication), display name, and any optional profile details you add.
- Coach & goal setup: the personas you create or hire, goals you set, reminders, scheduled call times, and the cadence you choose.
- Conversation content: the text messages, voice memos, and voice calls you exchange with your AI coaches. This includes message text, audio captured during calls, and transcripts generated from that audio.
- Child profiles (Kids mode): if you enable Kids mode, the child's first name (or nickname), age range, and characters they interact with. See Section 8.
- Billing: subscription tier and status. Payment instruments (card numbers, etc.) are entered directly into Stripe and we never see them — we only see a token, the last four digits, and billing status.
- Voice-clone audio (optional): if you choose to create a voice clone, the reference audio you upload or record so a text-to-speech provider can synthesise a voice that resembles it.
- Support communications: messages you send us by email or in-app feedback.
We collect automatically
- Device & technical: device model, iOS version, app version, language, time zone, IP address, crash diagnostics, and basic usage events (which screen you opened, whether a call connected).
- Push tokens: APNs device tokens and PushKit (VoIP) tokens used to deliver notifications and ring branded incoming calls.
- Cookies on the website: session cookies used to keep you logged in at hey.ai. The marketing site does not run third-party analytics, ad pixels, or behavioural tracking. See Section 14.
You grant access (only with your consent)
- Apple HealthKit: steps, active energy, exercise minutes, body mass, heart rate, sleep, and workout summaries. Only the metric types you allow in the iOS Health permission sheet are read.
- Apple Calendar (EventKit): a peek at the next 24 hours of events, used to give coaches relevant context (e.g., "you've got a 3 PM block — want me to call at 4?").
- Google Calendar (optional OAuth): if you connect Google Calendar, we read events for the same purpose.
- Microphone, camera, contacts, location: only when you initiate a feature that needs them.
From other services
- Firebase Authentication returns a signed token confirming you control the phone number you signed in with.
- Stripe tells us your subscription status (active, past due, cancelled, etc.).
- Apple App Store returns receipts for any in-app purchases.
3. How we use information
We use your information to:
- Provide the Services — generate coach replies, dial scheduled calls, deliver push notifications, log goal progress, run voice rooms.
- Personalize — feed your goals, calendar context, and a synthesized "memory narrative" (a short Groq-generated summary of recent activity) into the prompt so coaches reply with continuity.
- Run safety, fraud, and abuse defences — detect spam, scripted abuse, and account takeover.
- Process payments via Stripe and our App Store relationship with Apple.
- Communicate with you — service notices, billing receipts, optional briefing emails. We send marketing only with your consent and you can opt out from any marketing message.
- Improve the Services — diagnose crashes, fix bugs, evaluate which features are used.
- Comply with law and enforce our Terms.
We do not sell your personal information. We do not use your messages, voice recordings, HealthKit data, or calendar data to train third-party AI models. The AI sub-processors we use to generate coach replies process your prompts on a per-request basis and, where the provider offers it, we use accounts configured with training-opt-out.
4. Legal basis for processing (EEA / UK)
If you are in the EEA, UK, or Switzerland, our lawful bases under Article 6 GDPR are:
- Performance of a contract — to provide the Services you signed up for (most processing).
- Consent — for HealthKit data, calendar data, voice-clone creation, microphone access, optional marketing emails, and any other sensitive processing. You can withdraw consent at any time in iOS Settings or in-app.
- Legitimate interest — to keep the Services secure, prevent fraud, and improve quality. Where we rely on legitimate interest you can object at privacy@hey.ai.
- Legal obligation — to comply with tax, accounting, and law enforcement requirements.
Sensitive data (health data). Where HealthKit data is processed, we rely on your explicit consent (Article 9(2)(a) GDPR).
5. Who we share data with
We share personal information only with:
- Sub-processors that operate parts of the Services on our behalf (see Section 6).
- Apple — push notification delivery and App Store billing for in-app purchases.
- Law enforcement and regulators — only when we are required to by valid legal process, and where we can, we will notify you.
- An acquirer — if Hey AI is sold or merged, your information may transfer to the surviving entity, subject to this Policy.
We do not share your data with advertisers, data brokers, or marketing partners.
6. Sub-processors
We use the following sub-processors. We sign a data processing agreement (DPA) with each one where one is offered, and we share only the minimum personal information needed for the provider to perform its function. We will update this list when sub-processors change; to receive notice of changes, contact privacy@hey.ai.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Google Cloud Platform (incl. Firebase) | App hosting, database, file storage, phone-number authentication, push notifications | Account profile, messages, call summaries, audio files, device push tokens | United States |
| Groq | Large-language-model inference for coach replies and voice calls | Conversation text, persona and memory context | United States |
| OpenAI | Text embeddings for memory retrieval and semantic search | Conversation text excerpts | United States |
| AssemblyAI | Speech-to-text transcription during voice calls | Call audio | United States |
| ElevenLabs | Text-to-speech (premium character voices) | Reply text to be spoken | United States |
| Fish Audio | Text-to-speech (kids characters, celebrity voices) | Reply text to be spoken | United States / Singapore |
| InWorld | Text-to-speech (everyday characters and user voice clones) | Reply text; voice-clone reference audio when you opt in | United States |
| LiveKit Cloud | Real-time WebRTC voice rooms and the voice-agent runtime | Call audio, session metadata | United States |
| Twilio | Outbound phone calls (SIP) and phone-number verification | Phone number, call routing metadata | United States |
| Stripe | Subscription billing and payment processing | Name, email, phone, payment method (held by Stripe), subscription status | United States / Ireland |
| SendGrid (Twilio) | Transactional email (receipts, briefings, account notices) | Email address, message content | United States |
| Apple | Push notifications (APNs / PushKit), CallKit branded calls, HealthKit / Calendar OS integrations, App Store billing | Device push tokens, App Store receipts, call metadata | United States |
7. HealthKit, Calendar & voice — specific disclosures
HealthKit
Health data is sensitive. We treat it accordingly:
- We read HealthKit only after you grant explicit per-metric permission in the iOS Health sheet.
- We use HealthKit data to auto-log goal progress (e.g., a "10,000 steps" goal logs from your steps reading) and to give coaches contextual awareness ("you slept 5h last night — want to talk about it?").
- HealthKit data is not shared in raw form with any of the AI sub-processors in Section 6. When relevant, we include short, derived summaries in the prompt to the language model (for example, "user walked 8,200 steps yesterday; sleep was below their target"). We never send raw HealthKit time-series data outside our backend.
- We do not sell HealthKit data, do not use it for advertising, and do not share it with third parties for any purpose other than operating the Services.
- You can revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health.
Calendar (EventKit & Google Calendar)
Calendar access is read-only and limited to surfacing nearby events to coaches for scheduling and context. Calendar contents are not shared with sub-processors except as short derived summaries in the prompt (e.g., "user has a 3 PM meeting") on the same basis as HealthKit above.
Voice calls and recordings
During a voice call, your audio is sent to a speech-to-text sub-processor (AssemblyAI) for transcription and the resulting transcript is sent to the LLM provider (Groq) to generate a reply, which is then synthesised back to audio by a text-to-speech provider (ElevenLabs / Fish / InWorld depending on the persona). Call audio is held briefly to generate a post-call summary; the summary is retained on your account and the raw audio is deleted within 30 days unless you've explicitly saved it.
Voice clones
If you create a voice clone, the reference audio you provide is uploaded to InWorld (or another TTS provider) under your account. We delete the reference audio and the cloned voice when you delete the clone or when you delete your account.
8. Children & Kids mode
Hey AI accounts are created only by adults aged 18 or older. By creating an account you confirm that you are at least 18.
Kids mode is an optional feature that a parent or legal guardian can enable so that their child can interact with curated AI characters (storytelling, learning, conversation) under the parent's account. When Kids mode is enabled:
- The parent creates the child profile, provides verifiable parental consent, and controls whether to turn it on.
- We process the child's voice during calls and their interactions with characters only to provide the feature.
- Children's voice recordings used for in-call speech recognition are not retained beyond what is needed to produce transcripts and call summaries.
- We do not knowingly use children's data for advertising, do not sell it, and share it only with the sub-processors in Section 6 strictly to operate the feature.
- A parent may review, edit, or delete the child profile and associated data at any time from the in-app settings or by emailing privacy@hey.ai.
If we learn that a child's information was collected without the required parental consent, we will deactivate the relevant profile and take reasonable measures to delete that data.
9. How long we keep data
| Category | Retention |
|---|---|
| Account profile (phone, name, settings) | For the life of your account, then deleted within 30 days of account deletion (90 days for backups). |
| Coach threads & message history | For the life of your account, or until you delete the thread. |
| Voice call audio (raw) | Up to 30 days, unless you explicitly save it. |
| Voice call transcripts & post-call summaries | For the life of your account, or until you delete the thread. |
| HealthKit-derived log entries | For the life of your account, or until you delete them. |
| Diagnostic logs (server-side) | 30 days. |
| Billing records | Up to 7 years for tax/accounting compliance. |
| Backups | Up to 90 days after deletion. |
10. Security
We use industry-standard safeguards including TLS in transit, encryption at rest, principle-of-least-privilege access controls, audit logging, and short-lived credentials. No system is perfectly secure; if we ever become aware of a breach that affects you, we will notify you within the timeframes required by applicable law.
11. International data transfers
Hey AI is based in the United States and most of our sub-processors are based in the United States. If you are in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States and other countries that may have different data protection laws than your own. We rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) to lawfully transfer personal data internationally. To request a copy of the SCCs in place with a specific sub-processor, email privacy@hey.ai.
12. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you and receive a copy.
- Correct inaccurate information.
- Delete your information (see Section 13).
- Port your information to another service in a machine-readable format.
- Restrict or object to certain processing.
- Withdraw consent at any time where we rely on consent.
- Lodge a complaint with a supervisory authority (EEA/UK users — find yours here).
To exercise any of these rights, email privacy@hey.ai or use the in-app controls in Settings → You. We will respond within 30 days (45 days for complex requests, with notice).
13. Account & data deletion
Delete from inside the app. Open the You tab in the Hey AI iOS app → Account → Delete account. This permanently removes your account, coach threads, messages, call history, goals, logs, voice clones, child profiles, and all user-keyed files in cloud storage.
No app access? You can also request deletion at hey.ai/data-deletion or by emailing privacy@hey.ai from the phone number on file.
What gets deleted, in order:
- Third-party OAuth tokens (Google Calendar, Todoist, etc.) are revoked at the upstream provider.
- User-keyed files in cloud storage (recordings, voice memos, coach avatars, uploaded images) are removed.
- Coach threads, every message in those threads, scheduled calls, call sessions, goals, log entries, daily commitments, voice memos, voice clones, connected accounts, and child profiles are removed from the database.
- Your account row is removed last.
- Backups containing deleted data are rotated out within 90 days.
Some records may be retained longer where required by law (for example, billing records for tax purposes). Aggregated, fully de-identified information may be retained indefinitely.
14. Cookies, tracking & analytics
The Hey AI website (hey.ai) uses only essential cookies to keep you signed in. We do not run third-party analytics (Google Analytics, Mixpanel, etc.), ad pixels (Meta, TikTok, X, Google Ads), or session replay tools on the marketing site. We do not honor or need to honor a "Do Not Track" header because we do not track across sites.
The iOS app collects basic diagnostic and usage events on our own backend; it does not include third-party analytics SDKs and does not use the Apple advertising identifier (IDFA).
15. California privacy rights (CCPA / CPRA)
California residents have the following rights under the CCPA / CPRA:
- Right to know what categories and specific pieces of personal information we have collected.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information for cross-context behavioural advertising.
- Right to limit use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising these rights.
We do not sell or share personal information for cross-context behavioural advertising as those terms are defined under the CCPA. We have not sold or shared personal information in the prior 12 months.
To exercise California rights, email privacy@hey.ai or use the in-app deletion control described in Section 13. Authorized agents may submit requests on your behalf with written authorization.
16. Changes to this Policy
If we change this Policy in a way that materially affects how we use your personal information, we will give you notice by email, push notification, or an in-app banner before the change takes effect. The "Effective" date at the top reflects the most recent revision.
17. Contact
Hey AI, Inc.
Privacy team: privacy@hey.ai
General: info@hey.ai
If you are in the EEA, UK, or Switzerland and prefer to contact a data protection authority, you can find your local supervisory authority's contact details at edpb.europa.eu.