Quick summary
- On heyly.io we set login cookies (strictly necessary) and a consent record. Google Analytics only runs after you accept the cookie banner.
- On websites that embed the Heyly widget, the widget itself can be configured to stay silent until the visitor accepts. We never set advertising cookies, never share data with ad networks, and never run cross-site tracking.
- You can revoke consent at any time by clearing the heyly_consent localStorage entry — instructions below.
1. heyly.io (this marketing site + dashboard)
Strictly necessary (no consent required)
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| sb-*-auth-token | HttpOnly cookie | Keeps you logged into the dashboard. Set by Supabase Auth. | Session, refreshed on activity |
| sb-*-auth-token-code-verifier | HttpOnly cookie | OAuth / email confirmation handshake. | Short-lived (minutes) |
| heyly_consent | localStorage | Records whether you accepted or declined the cookie banner. Used so we don't ask again on every page load. | Persistent until you clear browser storage |
Optional (only after you click “Accept”)
| Name / source | Type | Purpose | Lifetime |
|---|---|---|---|
| Google Analytics 4 (_ga, _ga_*) | First-party cookies set by Google's gtag.js | Aggregate usage stats for our marketing site. Loaded only after consent — until then no GA script is in the page. | Up to 24 months (Google default) |
| heyly_visitor_id | localStorage | Random UUID used by our own widget on this site so we can count unique demo bubble loads. | Persistent until you clear storage |
| heyly_dismissed_[id] | localStorage / sessionStorage | Timestamp of when you closed the demo bubble, so it doesn't pop up immediately again. | Until the configured cooldown ends |
2. Websites that embed the Heyly widget
When a Heyly customer pastes our widget on their own site, the widget runs in the visitor's browser. By default it sets the same two first-party items as above (heyly_visitor_id, heyly_dismissed_*), and posts widget interaction events to our analytics endpoint.
We never set marketing cookies, advertising IDs, fingerprints, or any cross-site tracking. We do not share visitor data with the customer beyond aggregate counts in their dashboard.
Customers who run a cookie banner can add data-consent-required to the widget script tag — Heyly then makes zero requests, sets nothing in storage, and renders nothing until the visitor accepts. See the install guide in the dashboard for the exact snippet.
3. What we record about widget interactions
When the widget loads on a page (with consent, where required) we log these events in our database, tied to the random heyly_visitor_id:
- view — the bubble appeared on screen
- play — the visitor opened the video
- complete — the visitor watched to the end
- click — the visitor clicked one of the action buttons
Each event also stores the page URL (origin + path only, no query strings or hashes), the video the bubble showed, and the timestamp. We do not log IP addresses, user agents, or referrers.
4. Third-party processors
Heyly uses the following sub-processors. None of them receive marketing or advertising signals from Heyly visitors:
- Cloudflare Stream — hosts and streams the video itself. Cloudflare may set its own short-lived cookies for video delivery; these are not used for tracking.
- Supabase (EU/Frankfurt) — application database and auth.
- Vercel — hosts the heyly.io site and API.
- Resend — sends transactional emails (welcome, beta invites). Not used for marketing.
- OpenAI — when a Heyly customer requests captions or a translation, we send the audio (Whisper) or VTT subtitle text (gpt-4o-mini) to OpenAI's API. OpenAI's API terms confirm inputs are not used to train their models.
- Google Analytics 4 — only on heyly.io itself, only after consent. Aggregate, IP-anonymised data.
- Stripe (when billing is live) — payment processing for paid plans.
5. Revoking consent / clearing storage
On heyly.io: open your browser DevTools → Application → Local Storage → https://heyly.io → delete the heyly_consent entry. The cookie banner will reappear on next page load.
On a website that embeds the widget: clear localStorage for that host's origin. Your visitor ID regenerates and any frequency cooldown resets.
To delete all event data we hold tied to your visitor ID, email privacy@heyly.io with the ID and the website you visited; we'll wipe it within 30 days.
6. Your rights under GDPR
If you're in the EU/EEA you have the right to access, correct, erase, restrict, port, and object to processing of your personal data. Email privacy@heyly.io with your request. Our data controller is RA Meedia OÜ, registered in Estonia. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
7. Changes to this policy
Material changes will be posted here with a new “last updated” date. We won't weaken your protections without re-asking for consent.