1. Introduction

Welcome to HeyMag ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our WhatsApp and Telegram business automation services.

By using our services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, phone number, business name
• Business Information: Business registration details, tax ID, business address
• WhatsApp Business API Credentials: Phone Number ID, WhatsApp Business Account ID, Access Tokens (stored encrypted)
• Payment Information: Processed securely through Stripe (we do not store credit card details)
• Communication Data: Messages sent through our platform for your business automation

2.2 Information Collected Automatically

• Usage Data: Service usage patterns, feature interactions, performance metrics
• Device Information: IP address, browser type, operating system
• Cookies: Session cookies for authentication and preferences

2.3 Information from Meta/WhatsApp

• WhatsApp message metadata (sender, timestamp, message status)
• WhatsApp Business Account verification status
• Message delivery and read receipts

3. How We Use Your Information

We use the collected information for:

• Providing and maintaining our automation services
• Processing and managing your WhatsApp Business integration
• Sending and receiving messages on your behalf through WhatsApp Business API
• Managing your account and providing customer support
• Processing payments and billing
• Improving our services and developing new features
• Complying with legal obligations and protecting our rights
• Sending service updates and important notifications

4. Data Sharing and Disclosure

We may share your information with:

• Meta/WhatsApp: To facilitate WhatsApp Business API integration
• Service Providers: Supabase (database), Vercel (hosting), Stripe (payments), n8n (workflow automation)
• Legal Requirements: When required by law or to protect rights and safety
• Business Transfers: In case of merger, acquisition, or sale of assets
• With Your Consent: When you explicitly agree to sharing

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

5. Data Security

We implement appropriate security measures including:

• Encryption of sensitive data (API tokens, credentials) at rest and in transit
• Secure HTTPS connections for all data transfers
• Regular security audits and updates
• Access controls and authentication mechanisms
• Row Level Security (RLS) in our database
• Regular backups and disaster recovery procedures

6. Data Retention

We retain your information for as long as necessary to:

• Provide our services to you
• Comply with legal obligations
• Resolve disputes and enforce agreements

Message data is retained for 90 days by default. You may request deletion of your data at any time.

7. Your Rights (GDPR Compliance)

You have the right to:

• Access: Request copies of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data
• Portability: Receive your data in a portable format
• Objection: Object to processing of your data
• Withdraw Consent: Withdraw previously given consent

To exercise these rights, contact us at hello@heymag.app

8. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

9. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

10. Third-Party Services

Our service integrates with:

• Meta/WhatsApp Business API: Subject to Meta's Privacy Policy
• Telegram Bot API: Subject to Telegram's Privacy Policy
• Stripe: For payment processing (PCI compliant)
• Supabase: For data storage and authentication

11. Cookies Policy

We use cookies for:

• Authentication and session management
• Preferences and settings
• Analytics (with your consent)

You can control cookies through your browser settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

13. Contact Information

14. Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contract: To provide services you've requested
• Consent: Where you've given explicit consent
• Legitimate Interests: To improve our services and prevent fraud
• Legal Obligations: To comply with applicable laws