Privacy Policy


Effective Date: April 17, 2026

Heyo CRM (“we,” “our,” or “us”) values your privacy. This Privacy Policy explains how we collect, use, store, protect, and share your information when you use https://heyocrm.com (the “Service”). By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

Personal Data: We collect your name, email address, and payment details when you create an account or subscribe to a paid plan.

Google Account Data: When you connect your Gmail account, we request access to the following Google API scopes:
  - Gmail Read-Only (gmail.readonly): to read and display your email messages within the CRM.
  - Gmail Send (gmail.send): to allow you to send emails to your contacts directly from the CRM.
  - Email and Profile: to identify your Google account and display your name and email address.

Usage Data: We collect information about the contacts, leads, and communications you manage through the Service, including data synced from your connected Gmail account, in order to provide and improve the Service.

Non-Personal Data: We collect cookie data and usage statistics to understand how users interact with our website.

2. How We Use Your Data

We use your information to:

  - Facilitate transactions and provide access to our services.
  - Sync and organize your Gmail communications with your CRM contacts and leads.
  - Send emails on your behalf when you use the compose feature within the CRM.
  - Store your contact records, notes, and communication history so you can access them at any time.
  - Improve and personalize the user experience.
  - Communicate updates, notices, or important information regarding the Service.

3. Google API Services User Data Policy

Heyo CRM’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements (https://developers.google.com/terms/api-services-user-data-policy).

Limited Use Disclosure: We only use Google user data to provide and improve user-facing features of the Service that are visible in our application interface. Specifically:

  - We do not transfer or sell Google user data to third parties, advertisers, data brokers, or information resellers.
  - We do not use Google user data for serving advertisements, ad targeting, or retargeting.
  - We do not use Google user data to determine credit-worthiness or for lending purposes.
  - We do not allow humans to read your Google user data unless: (a) you have given us explicit consent to view a specific message, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.

4. Data Protection and Security

We take the security of your data seriously and implement the following measures to protect sensitive data, including data obtained through Google APIs:

  Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). All API calls to and from Google services are made over HTTPS.

  Encryption at Rest: Sensitive data stored in our databases, including Google user data, is encrypted at rest using industry-standard encryption (AES-256).

  Access Controls: Access to user data is restricted to authorized personnel only, using role-based access controls and the principle of least privilege. Production database access requires multi-factor authentication.

  Secure Infrastructure: Our application is hosted on secure cloud infrastructure with network-level protections including firewalls, intrusion detection, and regular security patching.

  Monitoring and Logging: We monitor our systems for unauthorized access attempts and maintain audit logs of data access events.

  Token Security: Google OAuth tokens are stored securely and encrypted. We use the minimum scopes necessary to provide the Service, and we never request more access than is needed.

  Incident Response: In the event of a data breach involving your personal or Google user data, we will notify affected users and relevant authorities in accordance with applicable laws.

5. Third-Party Services

We use third-party services to operate Heyo CRM, including:
  - Stripe for payment processing.
  - Google APIs for Gmail integration.
  - Resend for transactional email delivery.
  - Backblaze B2 for media storage.

These services only receive the minimum data necessary to perform their function. Your personal data is not sold or shared with third parties for marketing purposes. Each third-party service is subject to its own privacy policy and data protection practices.

6. Gmail Data

When you connect your Gmail account, we access your email data solely to display, organize, and manage communications within the CRM, and to send emails on your behalf when you use the compose feature. Specifically:

  - We read your emails to display them alongside your CRM contacts and leads.
  - We send emails on your behalf only when you explicitly initiate sending from within the CRM.
  - We do not use your email content for advertising, market research, or any purpose unrelated to providing the CRM functionality.
  - We do not store the full content of your emails beyond what is necessary to display them within the CRM interface.
  - You can revoke access to your Gmail account at any time from your account settings or from your Google Account permissions page (https://myaccount.google.com/permissions).

7. Data Confidentiality

Your personal data is kept confidential and is not shared with third parties, except as required by law or as described in Sections 3 and 5.

8. Data Retention

Your account data, contact records, and synced communications are retained for as long as your account is active. If you delete your account:
  - Your personal data and stored records will be permanently removed from our systems.
  - Any cached Google user data will be deleted.
  - OAuth tokens granting access to your Google account will be revoked and deleted.

Data deletion is completed within 30 days of account deletion.

9. Your Rights

You have the right to:
  - Access: Request a copy of the personal data we hold about you.
  - Correction: Request correction of inaccurate personal data.
  - Deletion: Request deletion of your personal data and account.
  - Revoke Consent: Disconnect your Gmail account and revoke Google API access at any time.
  - Data Portability: Request an export of your data in a commonly used format.

To exercise any of these rights, contact us through our contact page at https://heyocrm.com/contact.

10. Children’s Privacy

We do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently collected data from a child under 13, we will take steps to delete it. This Service is not directed at children under 13.

11. Cookies and Tracking

We use cookies and similar technologies to collect non-identifiable information about site usage and performance. This helps us enhance the Service and improve functionality. We do not use cookies to track your email content or Google user data.

12. Updates to This Privacy Policy

We may update this Privacy Policy from time to time. Users will be notified of material changes via email. The “Effective Date” at the top of this policy indicates when it was last updated. Continued use of our services constitutes acceptance of the updated Privacy Policy.

13. Contact Us

For any questions or concerns regarding privacy, data protection, or this Privacy Policy, please contact us through our contact page at https://heyocrm.com/contact.