Privacy Policy

This Privacy Policy governs the collection, use, storage, and disclosure of personal information by HeyCollect, a service operated by Rotita Investments (Private) Limited ("Rotita Investments," "we," "us," or "our").

This Policy applies to:

• Account Holders: Individuals or entities who register for and use HeyCollect to create, manage, and deploy forms ("Form Creators" or "you")
• Form Respondents: Individuals who interact with HeyCollect forms via WhatsApp by submitting responses through our WhatsApp Assistants ("Respondents" or "End Users")
• Website Visitors: Anyone who accesses our website at heycollect.app

By using HeyCollect services, accessing our website, or submitting responses through our WhatsApp Assistants, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, you must discontinue use of our services immediately.

"Personal Information" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, WhatsApp numbers, location data, IP addresses, and any other data that can be used to identify an individual directly or indirectly.

"WhatsApp Assistants" means the automated WhatsApp-based conversational agents provided by HeyCollect that facilitate form interactions, collect responses, and communicate with Respondents on behalf of Form Creators.

"Form Data" means all information collected through forms created on HeyCollect, including questions, responses, submission metadata, and associated files.

"Services" means all products, services, features, and functionality provided by HeyCollect, including form creation, WhatsApp integration, data collection, analytics, and export capabilities.

3.1 Information from Form Creators

When you register for and use HeyCollect as a Form Creator, we collect:

• Account Information: Full name, email address, phone number, password (encrypted), company name (if applicable), billing address, and payment information
• Profile Information: Profile pictures, user preferences, notification settings, and account customization data
• Form Content: All forms you create, including titles, descriptions, questions, question types, settings, welcome messages, final remarks, banner images, and any other content you input
• Usage Data: Information about how you use our Services, including features accessed, forms created, forms published, AI queries made, republish actions, login times, session duration, and interaction patterns
• Device Information: Device type, operating system, browser type and version, IP address, device identifiers, and general location data derived from IP address
• Communication Data: Records of your communications with us, including support tickets, emails, feedback, and any other correspondence
• Payment Information: Credit card details (processed through secure third-party payment processors), billing history, transaction records, and purchase receipts

3.2 Information from Form Respondents

When Respondents interact with forms through our WhatsApp Assistants, we collect:

• Contact Information: WhatsApp phone numbers (with country codes) used to interact with our WhatsApp Assistants
• Response Data: All answers, inputs, and data submitted through form questions, including but not limited to text responses, email addresses, selections, ratings, dates, times, numbers, and any other information requested by Form Creators
• Location Data: GPS coordinates and location information if requested by specific form questions and consented to by the Respondent
• File Uploads: Documents, images, videos, or other files uploaded in response to file upload questions (subject to size and type restrictions)
• Metadata: Submission timestamps, completion times, WhatsApp interaction logs, message delivery status, read receipts (where available), and device information from WhatsApp
• Communication Records: Complete conversation history with WhatsApp Assistants, including all messages sent and received during form interactions

3.3 Automatically Collected Information

• Cookies and Tracking Technologies: We use cookies, web beacons, pixels, local storage, and similar technologies to collect information about your browsing behavior, preferences, and interactions with our website
• Log Data: Server logs containing IP addresses, browser types, referring/exit pages, operating systems, date/time stamps, and clickstream data
• Analytics Data: Aggregated and anonymized data about usage patterns, feature adoption, performance metrics, and user behavior

3.4 Information from Third Parties

• WhatsApp Platform: Information provided by WhatsApp Business API, including message delivery status, account status, and technical metadata
• Payment Processors: Transaction confirmation data, payment status, and fraud prevention information from payment gateway providers
• Authentication Providers: If you use social login or OAuth, we receive basic profile information from those providers

4.1 Service Provision and Performance

• Create, maintain, and manage user accounts
• Enable form creation, editing, publication, and management
• Operate WhatsApp Assistants to facilitate form interactions and collect responses
• Process and store form submissions and response data
• Provide data export functionality (CSV and PDF)
• Generate AI-powered form content and edits using your prompts
• Enforce form settings including access restrictions, response limits, and compliance rules
• Deliver notifications about form activity, submissions, and account status

4.2 Payment Processing and Billing

• Process bundle purchases and subscription payments
• Generate invoices and receipts
• Manage billing cycles and payment methods
• Detect and prevent fraudulent transactions
• Handle refund requests and payment disputes

4.3 Communication

• Send transactional emails (account creation, password resets, payment confirmations)
• Provide customer support and respond to inquiries
• Send service announcements and important updates
• Deliver marketing communications (with your consent and opt-out option)
• Conduct surveys and request feedback

4.4 Service Improvement and Development

• Analyze usage patterns to improve features and user experience
• Train and improve AI models for form generation and editing
• Develop new features and functionality
• Conduct research and testing
• Monitor and optimize system performance
• Fix bugs and technical issues

4.5 Security and Fraud Prevention

• Detect, prevent, and investigate security threats and fraudulent activity
• Protect against unauthorized access and abuse
• Verify user identities and prevent account takeovers
• Enforce our Terms of Service and other policies
• Comply with legal obligations and respond to legal requests

4.6 Compliance and Legal Requirements

• Verify compliance with WhatsApp Business API terms and policies
• Check forms for compliance with data protection regulations
• Respond to legal requests, court orders, and regulatory requirements
• Establish, exercise, or defend legal claims
• Maintain records for audit and compliance purposes

We process personal information based on the following legal grounds:

• Contract Performance: Processing necessary to provide Services you have requested and fulfill our contractual obligations
• Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications, location data collection)
• Legitimate Interests: Processing necessary for our legitimate business interests, including service improvement, fraud prevention, and security, provided these interests do not override your fundamental rights
• Legal Obligations: Processing required to comply with applicable laws, regulations, court orders, and regulatory requirements
• Vital Interests: Processing necessary to protect life or physical safety in emergency situations

You have the right to withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing based on consent before its withdrawal.

6.1 Form Creators and Response Data

IMPORTANT: When Respondents submit information through forms, that data is made available to the Form Creator who deployed the form. Form Creators have full access to all responses, including WhatsApp numbers, answers, metadata, and uploaded files. We act as a data processor on behalf of Form Creators for this response data.

Form Creators are independent data controllers responsible for their own compliance with data protection laws regarding how they collect, use, and store response data. We strongly encourage Form Creators to:

• Provide clear privacy notices to Respondents
• Collect only necessary information
• Obtain appropriate consents
• Comply with applicable data protection regulations
• Implement appropriate security measures

6.2 Third-Party Service Providers

We share information with carefully vetted third-party service providers who assist in operating our Services:

• WhatsApp (Meta Platforms, Inc.): We use WhatsApp Business API to operate WhatsApp Assistants. WhatsApp receives message content, phone numbers, and metadata necessary for message delivery
• Cloud Hosting Providers: We use secure cloud infrastructure providers to host our application and store data
• Payment Processors: Payment information is processed by PCI-DSS compliant third-party payment processors
• Email Service Providers: For sending transactional and marketing emails
• Analytics Providers: To understand usage patterns and improve our Services
• AI/ML Providers: For AI-powered form generation and editing features
• Customer Support Tools: For managing support tickets and customer communications

All third-party service providers are contractually obligated to protect your information and use it only for the purposes we specify.

6.3 Legal and Regulatory Disclosures

We may disclose information when required by law or when we believe in good faith that disclosure is necessary to:

• Comply with legal obligations, court orders, subpoenas, or regulatory requirements
• Respond to lawful requests from public authorities, including law enforcement
• Enforce our Terms of Service and other agreements
• Protect the rights, property, or safety of the Company, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues
• Defend against legal claims or litigation

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, bankruptcy, or other business transaction, your information may be transferred to the successor entity. We will provide notice and obtain consent if required by applicable law before your information becomes subject to a different privacy policy.

6.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This may include statistical data about usage patterns, industry benchmarks, or research insights.

6.6 With Your Consent

We may share your information for other purposes with your explicit consent.

7.1 WhatsApp Assistants

Our WhatsApp Assistants are automated conversational agents that operate via WhatsApp Business API. When Respondents interact with forms through WhatsApp:

• All messages are transmitted through WhatsApp's infrastructure and subject to WhatsApp's Privacy Policy and Terms of Service
• WhatsApp (Meta Platforms, Inc.) processes message content, metadata, and phone numbers
• We receive and store complete conversation histories for form functionality and compliance
• Message delivery, read receipts, and status updates are tracked
• WhatsApp numbers are permanently associated with form submissions for identification and single-entry enforcement

7.2 WhatsApp Data Retention

Conversation data between Respondents and WhatsApp Assistants is retained for:

• Service provision and form submission processing
• Compliance verification and audit purposes
• Dispute resolution and customer support
• Legal and regulatory requirements

We retain WhatsApp conversation data for as long as the associated form exists plus 90 days, or longer if required by law or legitimate business purposes.

7.3 Third-Party Access via WhatsApp

By using our WhatsApp Assistants to submit form responses, Respondents acknowledge that:

• WhatsApp (Meta Platforms, Inc.) will process their messages and personal information according to WhatsApp's policies
• Their responses will be visible to the Form Creator who deployed the form
• Their WhatsApp number will be collected and associated with their submission
• Conversation history may be reviewed for quality assurance and compliance

We implement comprehensive technical, physical, and administrative security measures to protect personal information against unauthorized access, alteration, disclosure, or destruction:

8.1 Technical Safeguards

• Encryption of data in transit using TLS/SSL protocols
• Encryption of sensitive data at rest
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Automated security monitoring and alerting
• Secure authentication mechanisms including password hashing
• Regular security updates and patches
• Firewall protection and network segmentation

8.2 Administrative Safeguards

• Role-based access controls limiting employee access to personal information
• Comprehensive employee training on data protection and security
• Confidentiality agreements with all employees and contractors
• Incident response procedures and breach notification protocols
• Regular security audits and compliance reviews
• Vendor management and third-party security assessments

8.3 Physical Safeguards

• Secure data center facilities with restricted access
• Environmental controls and redundancy systems
• Video surveillance and security personnel
• Secure disposal procedures for hardware and storage media

8.4 Limitations

While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials and should notify us immediately of any unauthorized access to your account.

8.5 Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected users within 72 hours of discovery (or as required by applicable law) via email and/or prominent notice on our website. We will provide information about the breach, its impact, and steps being taken to address it.

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

9.1 Retention Periods

• Account Information: Retained for the duration of your account plus 90 days after account closure, unless longer retention is required for legal or regulatory purposes
• Form Data: Retained indefinitely until you delete forms or close your account
• Response Data: Retained indefinitely until the Form Creator deletes responses or closes their account
• WhatsApp Conversation Logs: Retained for the duration of form existence plus 90 days, or longer if required by law
• Payment Records: Retained for 7 years from the date of transaction for tax and accounting purposes
• Support Communications: Retained for 3 years from last interaction
• Marketing Communications: Retained until you unsubscribe or object to processing
• Security Logs: Retained for 12 months for security monitoring and investigation

9.2 Deletion and Anonymization

After retention periods expire, we will either:

• Securely delete personal information using industry-standard deletion methods
• Anonymize data so it can no longer identify individuals
• Aggregate data for statistical purposes where individual identification is impossible

9.3 Legal Holds

We may retain information beyond standard retention periods when required by legal obligations, litigation holds, regulatory investigations, or to establish, exercise, or defend legal claims.

Depending on your location and applicable laws, you may have the following rights regarding your personal information:

10.1 Access and Portability

• Request access to personal information we hold about you
• Obtain a copy of your data in a structured, commonly used format
• Request data portability to transfer your information to another service

10.2 Correction and Updating

• Update or correct inaccurate personal information through your account settings
• Request correction of inaccurate data we cannot update yourself
• Complete incomplete personal information

10.3 Deletion and Erasure

• Delete forms, responses, and associated data through your account
• Request deletion of your account and associated personal information
• Exercise "right to be forgotten" where applicable under GDPR or similar laws

Note: We may retain certain information where we have legal obligations or legitimate interests, such as fraud prevention, financial record-keeping, or resolving disputes.

10.4 Restriction and Objection

• Object to processing based on legitimate interests
• Object to direct marketing and profiling
• Request restriction of processing in certain circumstances
• Withdraw consent where processing is based on consent

10.5 Marketing Communications

• Opt out of marketing emails using unsubscribe links in emails
• Update communication preferences in your account settings
• Note: You cannot opt out of transactional or service-related communications

10.6 Cookies and Tracking

• Manage cookie preferences through browser settings
• Use browser tools to block or delete cookies
• Opt out of analytics tracking where available

10.7 Exercising Your Rights

To exercise any of these rights, contact us at support@heycollect.app with:

• Your full name and email address associated with your account
• Specific right you wish to exercise
• Details of your request
• Proof of identity (we may require verification to protect your information)

We will respond to verified requests within 30 days (or as required by applicable law). If we need additional time, we will notify you of the extension and reason.

10.8 Right to Lodge a Complaint

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with:

• The relevant data protection authority in your jurisdiction
• Your local supervisory authority under GDPR (for EU residents)
• Other applicable regulatory bodies based on your location

11.1 Cross-Border Transfers

These countries may have data protection laws different from those in your country of residence. When we transfer personal information internationally, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Data Processing Agreements with third-party processors
• Adequacy decisions where applicable
• Other legally approved transfer mechanisms

11.2 WhatsApp Data Transfers

When you interact with our WhatsApp Assistants, your data is processed by WhatsApp (Meta Platforms, Inc.) and may be transferred to and stored in the United States and other countries where Meta operates. These transfers are subject to WhatsApp's Privacy Policy and applicable data transfer mechanisms.

11.3 Your Consent

By using our Services, you acknowledge and consent to the international transfer and processing of your personal information as described in this Policy.

Our Services are not intended for, nor directed to, children under the age of 18 years (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately at support@heycollect.app. We will take prompt steps to delete such information from our systems.

Form Creators are responsible for ensuring their forms comply with applicable laws regarding collection of information from minors. If you create forms that may be accessed by children, you must:

• Obtain appropriate parental or guardian consent before collecting personal information from minors
• Comply with the Children's Online Privacy Protection Act (COPPA) if applicable
• Implement age verification mechanisms where required
• Provide appropriate privacy notices to parents/guardians

13.1 Types of Cookies We Use

Essential Cookies: Required for the website to function properly, including authentication, security, and basic functionality. These cannot be disabled.

Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and settings.

Analytics Cookies: Help us understand how visitors use our website, which pages are popular, and how users navigate through the site.

Marketing Cookies: Used to deliver relevant advertisements and track marketing campaign effectiveness.

13.2 Third-Party Cookies

We use third-party services that may set cookies on your device:

• Google Analytics for website analytics
• Payment processor cookies for secure transactions
• Social media plugins (if applicable)

13.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may impact website functionality. Most browsers allow you to:

• View and delete cookies
• Block third-party cookies
• Block cookies from specific sites
• Block all cookies (not recommended)
• Delete all cookies when closing the browser

Our Services may contain links to third-party websites, applications, or services not operated by us. This Privacy Policy does not apply to third-party services.

We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.

Specifically, when using WhatsApp Assistants, you are also subject to:

• WhatsApp Privacy Policy (https://www.whatsapp.com/legal/privacy-policy)
• WhatsApp Terms of Service (https://www.whatsapp.com/legal/terms-of-service)
• Meta's overall data policies

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

15.1 Right to Know

You have the right to request disclosure of:

• Categories of personal information collected
• Sources of personal information
• Business or commercial purposes for collection
• Categories of third parties with whom we share information
• Specific pieces of personal information collected about you

15.2 Right to Delete

You have the right to request deletion of personal information, subject to certain exceptions.

15.3 Right to Opt-Out

You have the right to opt out of the "sale" of personal information. We do not sell personal information as traditionally defined.

15.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

15.5 Authorized Agents

You may designate an authorized agent to make CCPA requests on your behalf. We may require verification of the agent's authority.

To exercise CCPA rights, contact us at support@heycollect.app or call our toll-free number (if applicable).

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent
• Right to lodge a complaint with supervisory authorities

For EU/EEA residents, our legal basis for processing is outlined in Section 5 of this Policy.

Some browsers have "Do Not Track" (DNT) features that signal websites you visit that you do not want your online activities tracked. Currently, there is no uniform standard for recognizing and implementing DNT signals.

At this time, we do not respond to DNT signals. We will continue to monitor developments in DNT technology and may implement DNT recognition in the future.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

• Update the "Last updated" date at the top of this Policy
• Post the revised Policy on our website
• Notify you via email if changes are material (at our discretion)
• Display a prominent notice on our website for significant changes
• Obtain your consent if required by applicable law

Material changes will take effect 30 days after notice is provided or as otherwise required by law. Your continued use of our Services after the effective date constitutes acceptance of the revised Policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to all inquiries within 30 days or as required by applicable law.

By using HeyCollect Services, creating an account, or submitting responses through our WhatsApp Assistants, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

You specifically acknowledge and consent to:

• Collection, use, and processing of your personal information as described
• Sharing of information with third-party service providers
• Processing by WhatsApp (Meta Platforms, Inc.) when using WhatsApp Assistants
• Storage and retention of data as outlined in this Policy
• Use of cookies and tracking technologies

If you do not agree with any aspect of this Privacy Policy, you must not use our Services.