Try it free

Privacy Policy

How we handle your data on heify.com, the SaaS platform and the Chrome extension.

Last updated: May 2, 2026

1. Identification of the Data Controller

This Privacy Policy governs the processing of personal data collected by Heify through its website, SaaS platform and Chrome extension.

Legal name: ARREBOLA DE DIEGO, SOCIEDAD LIMITADA

Tax ID (CIF): B26840629

Address: Paseo Martiricos 15, 29009 Málaga, Spain

Contact email: hola@heify.com

2. What data we collect

2.1. From SaaS platform users (sandbox.heify.com)

  • Email (passwordless OTP authentication via AWS Cognito).
  • Session tokens (idToken, refreshToken from Cognito).
  • API keys generated for the user.
  • AI configurations, participants and evaluators created by the user.
  • Audio files uploaded by the user.
  • Transcriptions, summaries, extracted fields and AI-generated evaluations.
  • Email addresses of report recipients.

2.2. From Chrome extension users ("Heify — AI meeting reports")

  • Audio recorded from the active browser tab (via chrome.tabCapture).
  • Audio from the user's microphone (via getUserMedia).
  • Screenshots initiated by the user (via chrome.tabs.captureVisibleTab).
  • Meeting name (extracted from the tab title, editable by the user).
  • API key and Cognito tokens (read from sandbox.heify.com localStorage by a content script to pair the extension with the user's account).
  • Local preferences (language, theme, last selected configuration).

2.3. From visitors of heify.com and sandbox.heify.com

  • Vercel Web Analytics: anonymous statistics on page views, countries, referrers and devices. No cookies, no personal identification.
  • Microsoft Clarity: anonymous session recordings and heatmaps on sandbox.heify.com. Anonymized, no PII.

3. Local storage in the Chrome extension

The extension uses the following browser storage on the user's device:

  • chrome.storage.local: API key, tokens, preferences and pending reports queue (TTL 7 days).
  • chrome.storage.session: ephemeral recording state.
  • IndexedDB (heify-recordings): audio chunks during active recording for crash recovery. Automatically deleted after successful upload, or after a maximum of 24h if they remain orphaned.

This data never leaves the user's device except when the user themselves decides to upload it to the Heify backend.

4. Purposes and legal bases

DataPurposeLegal basis
Audio + metadataAI transcription, report generationContract performance
User emailAuthentication, sending reportsContract performance
Recipient emailsSending the report to the recipientLegitimate interest
Anonymous web analyticsImproving user experienceLegitimate interest
Payment dataBillingLegal obligation

5. Key guarantees

Heify guarantees that:

  • We do NOT use Customer data to train AI models.
  • We do NOT sell data to third parties.
  • We do NOT share data with third parties beyond authorized subprocessors.
  • We do NOT use data for advertising or marketing.
  • We comply with Google's Chrome Web Store User Data Privacy and Limited Use policies.

6. Subprocessors

To deliver the Service we rely on third-party technology providers (subprocessors) that process data on Heify's behalf under our instructions and always covered by data processing agreements.

These subprocessors cover the following functions:

  • Cloud infrastructure: hosting, file storage, authentication, database and processing, primarily in data centers located in the European Union (Paris).
  • Automatic audio transcription: AI-based speech-to-text service.
  • Summary and evaluation generation: large language models (LLM) for transcript analysis.
  • Transactional email delivery: delivery of the generated reports.
  • Anonymous web analytics: aggregated measurement of website and product usage, without personal identification of the visitor.

Common guarantees applicable to all subprocessors:

  • Bound by data processing agreements (DPA) and confidentiality clauses.
  • Compliant with internationally recognized security standards.
  • Customer audio files are not stored on AI providers' systems: they are processed in transit and discarded.
  • For transfers outside the European Economic Area, Standard Contractual Clauses (SCC) approved by the European Commission apply, plus additional safeguards where appropriate.

The up-to-date list of specific subprocessors is available upon request by writing to hola@heify.com.

7. Permissions requested by the Chrome extension

The extension requests the following permissions, each justified by a specific product feature:

  • tabCapture — capture audio from the active tab when the user starts recording. Without this permission the product's main feature is not possible.
  • offscreen — keep MediaRecorder active in the background (MV3 requirement). Without it, recording would be interrupted every 30 s.
  • activeTab — access to the active tab only when the user invokes the extension.
  • storage — persist API key, preferences and pending reports queue locally.
  • tabs — detect the tab title (for the default meeting name) and react to the closing of the tab being recorded.
  • alarms — keep the service worker alive during long recordings (keep-alive).
  • notifications — notify the user if a report remains pending after several days.
  • downloads — allow the user to download the .webm file as a backup if upload fails.
  • scripting — inject the floating recording indicator (timer, pause/screenshot/stop) into the tab being recorded.
  • host_permissions on api.heify.com, *.s3.amazonaws.com, *.s3.eu-west-3.amazonaws.com, sandbox.heify.com and cognito-idp.eu-west-3.amazonaws.com — communication with the Heify backend and AWS.

8. Retention

  • Customer audio and reports: stored indefinitely unless deletion is requested.
  • Local IndexedDB chunks in the extension: deleted after successful upload, maximum 24h if they remain orphaned.
  • Pending reports queue (chrome.storage): maximum 7 days.
  • Billing data: the corresponding legal retention period (minimum 5 years under Spanish tax law).

9. Security

  • Encryption in transit (TLS 1.2+).
  • Encryption at rest (AES-256 via AWS).
  • Role-based access controls.
  • Audits and continuous monitoring.
  • Subprocessors with SOC 2 Type II, HIPAA and GDPR certifications.

10. User rights (GDPR / LOPDGDD)

The user has the right to:

  • Access, rectification, erasure, portability, objection and restriction of processing.
  • Withdraw consent at any time.
  • File a complaint with the Spanish Data Protection Agency (AEPD): https://www.aepd.es.

To exercise any right, contact hola@heify.com.

11. International transfers

Some subprocessors may process data in the United States. These transfers are made under:

  • Standard Contractual Clauses (SCC) approved by the European Commission.
  • Additional mechanisms where applicable (provider-specific DPA).

12. Cookies and similar technologies

  • heify.com: does not use tracking cookies. Only strictly necessary cookies.
  • sandbox.heify.com: Vercel Analytics (no cookies), Microsoft Clarity (anonymous local storage, no identification cookies).
  • Chrome extension: uses chrome.storage (these are not cookies; it is extension-local storage in the user's browser).

13. Minors

The service is not intended for users under 14 years of age (consistent with the Terms of Use). We do not knowingly collect data from users below that age.

14. Changes to this policy

Any changes to this Privacy Policy will be notified at least 30 days in advance via email or notice on the platform.

15. Contact

For any questions about privacy or to exercise the rights described above:

  • Email: hola@heify.com
  • Postal address: Paseo Martiricos 15, 29009 Málaga, Spain

If you have any questions about this Privacy Policy, contact us at hola@heify.com