For the long version, see the Privacy Policy.
Two roles, two responsibilities
Under GDPR, Heyly plays two roles depending on whose data we're talking about:
- Controller — for our own customer accounts (people who sign up at heyly.io).
- Processor — for the visitor analytics our customers collect via the widget on their websites. Our customers are the controllers of that data.
Data Processing Agreement (DPA)
If you process EU personal data through Heyly (e.g. you embed the widget on a site that EU visitors use), GDPR Article 28 requires a DPA between you and us.
Our standard DPA is incorporated by reference into these terms — by using Heyly you accept it. A signed PDF copy is available on request to hello@heyly.io; we'll send it within a business day.
Sub-processors we use
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, storage | Frankfurt, EU |
| Cloudflare Stream | Video hosting and delivery | EU edge nodes |
| Vercel | Application hosting | EU edge nodes |
| Stripe | Payment processing | US (with SCCs and EU operations) |
| Resend | Transactional email | EU |
We notify customers by email at least 30 days before adding or replacing sub-processors that handle personal data. You can object to new sub-processors and terminate your subscription if you can't accept the change.
International transfers
Most data stays in the EU. Stripe involves a US transfer for payments; we rely on Standard Contractual Clauses (SCCs) under Article 46 GDPR for that transfer.
Visitor rights
Heyly's widget collects only a random visitor ID stored in localStorage and event timestamps. There is no IP address, no name, no email unless your visitor types one into a form you control on your own site.
If a visitor asks you (the controller) for their data, you can find their events in your dashboard's analytics view (coming soon) — or email us with the visitor ID and we'll help you retrieve and delete those events.
Data Protection Officer
Heyly is small enough that GDPR doesn't require a formal DPO. The role is held by the founder, Riin Aas: riin@heyly.io.
Breach notification
In the unlikely event of a data breach affecting personal data, we notify affected customers within 72 hours per Article 33 GDPR, with the scope and remediation steps.
Your rights summary
Whether you're a Heyly customer or a visitor whose data we process for our customer:
- Right to access your data
- Right to rectification of incorrect data
- Right to erasure (“right to be forgotten”)
- Right to data portability (machine-readable export)
- Right to restrict or object to processing
- Right to complain to your supervisory authority. In Estonia: Andmekaitse Inspektsioon.
Email hello@heyly.io to exercise any right. We respond within 30 days.