Privacy Policy
Effective date: April 15, 2026
This Privacy Policy explains how Hey Oana! ("we", "us", or "our") collects, uses, and protects information about you when you use our service at heyoana.com (the "Service"). By creating an account you agree to this policy.
1. What We Collect
Account information
When you sign up we collect your email address and a hashed password (we never store your plaintext password). If you sign up with Google, we receive your email address from Google.
AI provider credentials
If you use your own API keys (BYOK), we store them encrypted at rest using AES-GCM with a server-side master key. We never log or expose your raw API keys. OAuth credentials (e.g. GitHub Copilot, Google Workspace) are stored the same way.
Platform credentials
Bot tokens for messaging platforms you connect (Discord, Telegram, Slack) are stored AES-GCM encrypted. WhatsApp sessions are managed by your agent container directly; no WhatsApp credentials are stored in the console database.
Conversation content
Messages you exchange with your AI agent are stored in your agent's dedicated container on a compute node in Germany (EU). They are not stored in the Hey Oana! console database and are not used to train any AI model. Conversations are deleted when you deprovision your agent.
Subscription and billing data
We store your plan status, subscription ID, and billing period. Payment card data is handled exclusively by Lemon Squeezy — we never see or store your card number.
Usage data
We collect aggregate token usage counts and message counts per agent to enforce plan quotas, generate usage summaries, and display your usage history on the dashboard. We do not record individual message content in these metrics.
Technical and operational logs
We log container lifecycle events (start, stop, restart, failures) for debugging and reliability monitoring. These logs may include timestamps, agent IDs, and error messages. They do not include message content.
2. How We Use Your Data
- To create and manage your account and AI agent
- To forward your messages to the AI provider you have configured
- To enforce plan-level usage quotas
- To process subscription payments via Lemon Squeezy
- To send transactional emails (account creation, billing alerts)
- To debug service issues and improve reliability
- To comply with legal obligations
We do not sell your personal data. We do not use your conversation content for AI training or model improvement.
3. Third Parties We Share Data With
| Party | Purpose | Data shared |
|---|---|---|
| Lemon Squeezy | Payment processing & subscription management | Email, billing intent |
| Hetzner | Cloud compute — agent containers run on Hetzner VPS in Germany | Agent container data (conversations, workspace files) |
| AI providers (Anthropic, OpenAI, Google, Groq, etc.) | Inference — your messages are sent to the provider you configure | Message content, model parameters |
| Google (OAuth only) | Sign-in if you choose Google login | Email address |
4. Data Storage and Security
- Console database: hosted on Vercel infrastructure
- Agent containers and conversation data: hosted on Hetzner VPS in Germany (EU)
- API keys and platform credentials: AES-GCM encrypted at rest
- Passwords: bcrypt-hashed before storage
- All connections encrypted with TLS
- Sessions secured with signed JWTs; logout invalidates the token immediately
We implement technical and organisational measures appropriate to the risk, but no system is perfectly secure. If we discover a breach affecting your data we will notify you as required by applicable law.
5. Data Retention
- Account data — retained until you delete your account. Email us at support@heyoana.com to request deletion.
- Conversation history — stored in your agent container; deleted when you deprovision your agent.
- API keys and credentials — deleted immediately when you remove them from the dashboard, or when your account is deleted.
- Billing records — retained for 7 years as required by applicable accounting regulations.
- Usage counters — daily counters reset each day; historical snapshots retained for up to 12 months.
- Container event logs — retained for up to 90 days for debugging purposes.
6. Your Rights
Depending on where you live, you may have rights under the GDPR (EU/EEA), the CCPA (California), or other applicable laws, including:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your account and associated data
- Portability — receive your data in a machine-readable format
- Object / restrict processing — where processing is based on legitimate interests, you may object
- Withdraw consent — where processing is consent-based
To exercise any of these rights, email us at support@heyoana.com. We will respond within 30 days.
7. Cookies and Sessions
We use a single session cookie to keep you logged in. We do not use third-party tracking cookies or advertising cookies. The session cookie is HttpOnly, Secure, and SameSite=Lax.
8. Children
The Service is not directed to children under 16. If you believe a child has provided us personal data, contact us at support@heyoana.com and we will delete it promptly.
9. International Transfers
Your data may be transferred to and processed in countries outside your own. Agent compute is hosted in the EU (Germany). Console infrastructure is hosted on Vercel. AI inference is processed by whichever provider you configure — please review that provider's own data processing terms.
10. Changes to This Policy
We will post any material changes here and update the effective date. Continued use of the Service after a change constitutes acceptance of the updated policy. For significant changes we will notify you by email.
11. Contact
Questions or requests: support@heyoana.com