Effective date: April 29, 2026
Privacy Policy
Overview
Heylo is operated by Piccup, Inc., a United States corporation ("Heylo," "we," "us"). This Privacy Policy explains what data we collect, how we use it, who we share it with, and the choices you have.
If you use Heylo, this policy applies to you.
Data we collect
Information you provide
- Account information. Your name, and your email address and/or phone number. We use the phone number to send SMS one-time passcodes when you sign in.
- Social sign-in data. If you sign in with Apple or Google, we receive your name, email, and avatar from the provider. Apple and Google act as independent controllers of the data they share with us.
- Social media links. You can add a social media URL to your profile. Separately, you can opt in to import some public information from your account, such as your handle or bio, to help fill in your Heylo profile.
- Profile information. Profile photos, bio, and other optional fields.
- Demographic information. Leaders can choose to collect date of birth, gender, and similar fields for their group or events.
- Contacts. If you enable contacts, we use them to help you invite people you know and to recommend groups and events you might like.
- Content you create. Messages, posts, polls, photos, and event descriptions.
- AI feature inputs. Text or other content you submit to AI-powered features, such as suggested replies or content assistance.
- Event and group information. Event registrations, attendance, waiver acceptances, and member questionnaires.
- Location you provide. Addresses and locations you set for events and groups.
- Payment information. Credit card numbers, bank account details, and similar payment information are collected and processed directly by our payment processor. Heylo does not have access to or store credit card numbers. KYC (know-your-customer) and tax information required for leader payouts are collected and verified by our payment processor.
- Communications with us. Support emails, feedback, and messages you send us.
- Reports and safety information. When you report a user, message, or content, we receive the report, the reported content, and any context you provide.
Information collected automatically
- Device and diagnostic data. Device type, operating system, app version, session data, crash logs.
- Usage data. Analytics and feature interactions, including which features you use and how.
- Device fingerprinting data. Browser and device attributes used for fraud prevention and moderation.
- Push notification tokens. To deliver notifications you've opted into.
- Location. Coarse location derived from IP for event-related features. Precise location only if you grant permission.
- Cookies and similar technologies. On the web. See Cookies below.
Information from third parties
- Sign-in providers. Apple and Google share the data described above when you sign in with them.
- Social media imports. If you opt in to import information from a social media URL on your profile, we receive the public profile information available from that platform.
- Payment processor. Our payment processor shares limited metadata with Heylo, such as the last four digits of a card, payout status, and transaction identifiers. Heylo never receives full card numbers or bank account numbers.
How we use your data
We use your data to operate Heylo, communicate with you, process payments, keep the platform safe, improve the Service, and meet legal obligations. The specific purposes are below.
- Operating the Service. Delivering Heylo's features, like your account, content, messaging, events, and notifications.
- Processing payments and payouts. Handling payments, refunds, and leader payouts.
- Customer support. Answering your questions, troubleshooting issues, and accessing your account when needed to help.
- AI features. When you use an AI feature, your input goes to a third-party model provider to generate a response.
- Personalization and recommendations. Recommending groups, events, and content based on your location, interests, and activity.
- Transactional communications. Receipts, security alerts, and account notices.
- Marketing communications. Product updates, tips, and promotional content from Heylo. You can opt out anytime, and we honor unsubscribes immediately.
- Fraud prevention and platform security. Protecting against abuse, fraud, and security threats.
- Automated content moderation. Detecting spam and flagging unwanted or illegal imagery.
- Improving Heylo. Understanding how Heylo is used and using that data to improve our services and build new features.
- Research and aggregated insights. Producing anonymized insights for research, benchmarking, and measuring brand-partner campaign performance.
- Legal compliance. Meeting obligations under tax, accounting, and other laws.
- Enforcing our Terms. Investigating and acting on violations of our Terms of Service.
Data sharing
We share data with:
- Service providers. Companies that help us operate Heylo, including our payment processor, AI model providers, and analytics tools. The full named list is at heylo.com/subprocessors.
- Group leaders. Leaders of groups you join can see your profile, activity in the group, and information they request. Leaders cannot see your payment details. Leaders are responsible for the data they collect and must comply with applicable privacy laws.
- Brand partners. We may share aggregated metrics with brand partners for campaign measurement and attribution. We do not sell personal information, and we do not share personal information with brand partners for their own marketing.
- Legal and safety. When required by law, legal process, or to protect the safety of people or the platform. Details at heylo.com/safety.
- Business transfers. In connection with a merger, acquisition, or sale of assets.
Data retention
We keep personal data for as long as your account is active and afterward as required for legal compliance, fraud prevention, dispute resolution, and enforcement of our agreements.
Some records, including tax and financial records, are kept for at least 7 years to meet legal obligations.
Your rights
You have the right to:
- Access, correct, or delete your personal data.
- Request a copy of your data.
Email support@heylo.com for any privacy request. We'll verify your identity before processing.
California residents. You have additional rights under CPRA, including the right to limit use of sensitive personal information and to opt out of sale or sharing. Heylo does not sell or share your personal information as defined under California law. We won't discriminate against you for exercising your rights, and you may designate an authorized agent to submit a request on your behalf.
EU and UK residents. The data controller is Piccup, Inc. GDPR requires us to rely on a specific legal basis for each processing purpose. Depending on the purpose, we rely on performance of our contract with you, legitimate interests (such as keeping the platform safe and improving it), your consent (where required, for example for certain marketing), or compliance with a legal obligation. You have additional rights under GDPR and UK GDPR, including the right to object to or restrict processing, data portability, withdrawal of consent where processing is based on consent, and the right to lodge a complaint with your local supervisory authority.
Account deletion
You can delete your account from within the Heylo platform or by emailing support@heylo.com. When you delete your account:
- Your account is deactivated and your name is removed. For example, your name becomes "Deleted" in group messages.
- You're removed from groups and email lists.
- Active subscriptions are cancelled.
- Underlying data is retained for at least 7 years for tax and legal compliance, fraud prevention, and backup integrity. We do not perform a hard purge of all associated data.
- Accepted waivers are retained for record keeping.
Data portability
Leaders can export group data as CSV from within the platform. Members can request a copy of their data by emailing support@heylo.com.
Platform messaging privacy
Group messages are visible to the members and leaders of that group. Private (direct) messages are not visible to other users.
Heylo staff may review messages if legally required, or to respond to a report submitted through our Trust & Safety process.
Messages are stored on our servers to provide the Service.
AI and automated processing
Heylo uses AI-powered features. Inputs may be processed by third-party model providers. We may also use data to improve our services and features.
We use automated tools for content moderation, including spam detection and classification of unwanted or illegal imagery. Image scanning is used only for moderation, never for advertising or personalization.
If an automated decision significantly affects you, you can request human review by emailing support@heylo.com. The same address handles appeals.
Security
We protect your data with industry-standard safeguards:
- Encryption in transit (TLS) and at rest.
- Role-based access controls.
- Logging and monitoring.
- An incident response program.
Our infrastructure runs on cloud providers that maintain SOC 2 and ISO 27001 certifications. Payment card details are handled by our PCI-compliant payment processor and are never stored on Heylo servers.
If a security incident affects your personal data, we will notify you as required by applicable law.
Keep your password confidential. If you think someone has accessed your account, email support@heylo.com right away.
For detailed contractual security commitments to leaders and enterprise customers, see the Data Processing Addendum at heylo.com/dpa.
International transfers
Heylo is based in the United States. Your data may be transferred to and processed in the US and in other countries where our service providers operate.
For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses. For transfers from the UK specifically, we rely on the UK International Data Transfer Addendum to the Standard Contractual Clauses.
Cookies
Heylo uses cookies for authentication, site functionality, and analytics. Heylo does not use advertising cookies.
Children's privacy
Heylo is not for users under 13. If we learn a user is under 13, we will delete their account and associated data.
If you're a parent or guardian and believe your child has created an account, email support@heylo.com.
Changes to this policy
This policy may change over time.
For material changes, we'll give you at least 30 days' advance notice by email and a platform notice before the change takes effect.
Non-material changes, like fixing typos, clarifying existing terms, or adding a new feature description that doesn't affect your rights, may take effect immediately.
If you keep using Heylo after a change takes effect, you accept the updated policy.
Contact
For privacy questions or to exercise your rights, email support@heylo.com.
The data controller is:
Piccup, Inc.
Email: support@heylo.com
Mailing address: 315 Montgomery Street, Suite 900, San Francisco, CA 94104
EU and UK users: Piccup, Inc. is the controller for your personal data processed by Heylo. You can contact us using the details above.