Privacy Policy
Last updated: March 21, 2026
1. Introduction
HelloMaily ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our platform and services ("the Service"). This policy applies to all users of the Service, including account holders, team members, and end-customers whose data is processed through the Service.
2. Data Controller and Data Processor
Under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679):
- HelloMaily as Data Controller: We are the Data Controller for the personal data of our account holders and team members (e.g., registration data, billing information, usage analytics).
- HelloMaily as Data Processor: When you use HelloMaily to communicate with your customers, we act as a Data Processor on your behalf. You, as the business using HelloMaily, are the Data Controller for your customers' data. You are responsible for obtaining all necessary consents and providing appropriate privacy notices to your end-customers.
Upon request, we will enter into a Data Processing Agreement (DPA) in compliance with GDPR Article 28. Contact us at privacy@hellomaily.io to request a DPA.
3. Information We Collect
3.1 Information You Provide
- Account data: Name, email address, password (hashed), organization name, phone number, profile picture
- Billing data: Payment method details (processed and stored by Stripe; we do not store full card numbers), billing address, VAT number, invoicing details
- Communication data: Messages, media files, and attachments sent and received through connected channels
- CRM data: Contact information, deal details, notes, tags, custom fields, and lead scoring data you enter into the platform
- Content data: Social media posts, campaigns, email templates, landing pages, forms, knowledge base articles, and design assets you create
- Support data: Information you provide when contacting our support team
3.2 Information Collected Automatically
- Usage data: Features used, pages visited, actions performed, timestamps, session duration
- Device data: Browser type, operating system, device type, screen resolution, IP address
- Log data: Server logs, error reports, API call logs
- Analytics data: Aggregated performance metrics, conversation statistics, response times
3.3 Information from Third Parties
- Social platform data: Profile information, messages, and engagement data from connected platforms (Meta, Telegram, Twitter/X, LinkedIn, TikTok) via their official APIs
- Payment processor data: Transaction status and billing events from Stripe
- Authentication providers: Basic profile data if you sign in with a third-party provider
4. How We Use Your Information
We process your data based on the following legal bases under GDPR:
- Contract performance (Art. 6(1)(b)): To provide, operate, and maintain the Service; to process payments; to manage your account; to deliver messages across channels
- Legitimate interests (Art. 6(1)(f)): To improve the Service and user experience; to detect and prevent fraud, abuse, and security incidents; to provide customer support; to send service-related communications
- Consent (Art. 6(1)(a)): To send marketing communications (you can withdraw consent at any time); to use analytics cookies beyond essential ones
- Legal obligation (Art. 6(1)(c)): To comply with tax, accounting, and regulatory requirements
5. AI Features and Data Processing
Our AI features (chatbots, auto-replies, suggestions, lead scoring, content generation) may process your data and your customers' data using third-party AI providers, including OpenAI and Google. When using these providers:
- Data is transmitted securely via encrypted connections
- We use API agreements that prohibit these providers from using your data to train their general-purpose models
- AI-processed data is not stored by third-party providers beyond the time necessary to generate a response
- You can disable AI features at any time from your account settings
- We do not use Your Content to train HelloMaily's own AI models without your explicit opt-in consent
6. Data Sharing and Third-Party Services
We do not sell your personal data. We share data only in the following circumstances:
- Service providers: We use trusted third-party providers to operate the Service, including cloud hosting (Vercel, AWS), payment processing (Stripe), email delivery, and AI providers. All providers are bound by data processing agreements.
- Connected platforms: When you connect social channels, data is exchanged with those platforms (Meta, Telegram, etc.) via their official APIs, subject to their privacy policies.
- Legal requirements: We may disclose data if required by law, regulation, court order, or governmental request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.
- With your consent: We may share data with third parties when you have given explicit consent.
7. International Data Transfers
Your data may be processed in countries outside the European Economic Area (EEA). When transferring data outside the EEA, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission where applicable
- The EU-US Data Privacy Framework for US-based providers that have been certified
You can request information about the specific safeguards applied to your data by contacting us at privacy@hellomaily.io.
8. Data Storage and Security
We implement industry-standard technical and organizational security measures to protect your data, including:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access controls and the principle of least privilege
- Regular security audits and vulnerability assessments
- Secure password storage using industry-standard hashing algorithms
- Audit logging of administrative actions
- Automated backups with encryption
- Incident response procedures with notification within 72 hours as required by GDPR
9. Data Retention
- Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
- After account deletion: When you delete your account, we remove your personal data within 30 days. Some data may be retained longer where required by law (e.g., billing records for tax purposes, up to 10 years under Italian tax law).
- Message data: Customer messages processed through the Service are retained as long as your account is active. You can delete specific conversations or contacts at any time.
- Backups: Deleted data may persist in encrypted backups for up to 90 days before being permanently purged.
- Anonymized data: We may retain anonymized, aggregated data indefinitely for statistical and product improvement purposes. This data cannot be linked back to any individual.
10. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Functional cookies: Remember your preferences and settings (e.g., language, theme).
- Analytics cookies: Help us understand how you use the Service. These are only placed with your consent.
We do not use advertising or tracking cookies. You can manage your cookie preferences at any time through your browser settings or our cookie consent banner.
11. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18): Request that we limit how we use your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format or request transfer to another provider.
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Right to lodge a complaint: File a complaint with your local data protection authority (in Italy: Garante per la Protezione dei Dati Personali).
To exercise any of these rights, contact us at privacy@hellomaily.io. We will respond within 30 days as required by GDPR.
12. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that data promptly. If you believe we may have collected data from a child, please contact us at privacy@hellomaily.io.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated at least 30 days in advance via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after the effective date of changes constitutes your acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us:
- Email: privacy@hellomaily.io
- General inquiries: legal@hellomaily.io