heyly.io
Legal

Privacy Policy

Last updated April 2026. Heyly is operated by RA Meedia OÜ (Estonia). This page explains what data we collect, why, and what your rights are.

We collect as little as possible. We host in the EU. We never sell your data or your visitors' data. If you have questions, email hello@heyly.io.

1. Who is the data controller?

RA Meedia OÜ, registered in the Estonian Commercial Register, with its registered address in Tallinn, Estonia. For privacy questions, contact hello@heyly.io.

2. Two roles, two data flows

Heyly handles personal data in two distinct roles:

  • As controller — for our own customers (the people who sign up at heyly.io and use the dashboard).
  • As processor— for end-visitor analytics on our customers' websites (the people who see the widget). Our customers are the controllers of that data.

3. Data we collect from customers (controller)

  • Account: email, password (hashed by Supabase Auth).
  • Site configuration: site name, optional domain, niche, creator name, tagline, avatar image (uploaded by you), button configuration.
  • Video files: stored in Cloudflare Stream (EU region), accessible only via your dashboard and via the widget on sites you install it on.
  • Billing: handled by Stripe. We never see or store your card number — only Stripe customer IDs and subscription status.

4. Data we collect from your website visitors (processor)

When the Heyly widget loads on your website, it collects minimal analytics for you:

  • Visitor ID:a random UUID stored in the visitor's browser localStorage (e.g. v_a1b2c3d4...). Not tied to any name, email, IP, or fingerprint. Used only to count unique visitors.
  • Events: view (bubble loaded), play (video opened), complete (video watched to end), click (action button clicked). Each event is just a type plus a timestamp.

We do not collect IP addresses, user agents, referrers, geolocation, page URLs, or any third-party cookies. Heyly is designed to be lighter than Google Analytics on visitor privacy.

5. Where data is stored

  • Customer accounts and configurations: Supabase (Frankfurt, EU).
  • Videos and avatars: Cloudflare Stream and Supabase Storage (EU regions).
  • Application: Vercel (EU edge network for European traffic).
  • Payments: Stripe (US-headquartered, EU operations, GDPR compliant under SCCs).
  • Email: Resend (transactional emails like account confirmation; minimal metadata).

6. How long we keep data

  • Account data: as long as your account is active. If you delete your account, we delete personal data within 30 days, except where law requires retention (invoices: 7 years).
  • Visitor events:24 months by default. You can request earlier deletion of your site's events by emailing us.
  • Backups: rolling 30-day backups, automatically purged.

7. Your rights (GDPR / EU residents)

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — delete your data (“right to be forgotten”)
  • Portability — receive your data in a machine-readable format
  • Restriction — pause processing
  • Objection — object to specific uses
  • Complaint — lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

To exercise any right, email hello@heyly.io. We respond within 30 days.

8. Sharing data

We do not sell data. We share it only with the processors named above (Supabase, Cloudflare, Vercel, Stripe, Resend), each under a Data Processing Agreement and only for the purposes described here.

9. Cookies and similar

Heyly itself uses one localStorage entry (visitor ID) and minimal auth cookies for the dashboard. See the Cookie Policy for details.

10. Changes to this policy

Material changes will be announced by email to active customers and posted on this page. The “Last updated” date at the top always reflects the current version.

We use a small amount of browser storage and basic analytics to remember whether you've seen the video greeting and to count widget loads. No third-party trackers, no profiles. Read more.