Privacy

Privacy policy

Effective date: September 22, 2025

This Privacy Policy explains how Synthos Labs LLC ("we," "us," or "our") collects, uses, and protects information when you visit heyally.ai and any pages we host (the "Site"), and—where noted—when you use our mobile apps (the "App"). We keep data collection lean on purpose and do not sell or share your personal information for cross‑context behavioral advertising.

Who we are

  • Company: Synthos Labs LLC

  • Mailing location: 5555 Hyde Park Rd, Ravenel, South Carolina 29470, USA

  • Privacy contact: Brian Gladu, contact@heyally.ai

Scope

This policy covers the Site and, where marked, the App. It does not cover third‑party websites or services that we don’t control.

What we collect

We only collect what we need to operate and improve the Site/App.

You provide:

  • Email address if you choose to submit it via Site forms or when you contact us.

  • Support content you send us (e.g., emails, tickets, chat messages) and crash reports you opt to share.

Collected automatically (Site/App):

  • Basic analytics data (pages viewed, session duration, device/OS/browser, approximate location by IP, referral/UTM parameters).

We do not intentionally collect: sensitive categories (health, biometric templates, precise GPS), government identifiers, or account passwords on the Site.

How we collect it

  • Directly from you (forms, support emails/chats).

  • Through analytics scripts/SDKs configured to minimize personal data.

Why we use it (legal bases/purposes)

  • Operate the Site/App and provide support.

  • Analytics and product improvement.

  • Marketing measurement (non‑intrusive; no sale/share for cross‑context ads).

  • Security and fraud prevention.

  • Legal compliance (e.g., responding to lawful requests).

If you are in the EEA/UK, our legal bases are legitimate interests to operate and secure our services and consent where your jurisdiction requires it for non‑essential cookies/SDKs.

No sale or share of personal information

  • We do not sell personal information.

  • We do not share personal information for cross‑context behavioral advertising (as defined by the California Consumer Privacy Act / CPRA).

  • If this ever changes, we will update this Policy and provide a clear “Do Not Sell/Share” mechanism.

Cookies and tracking

What we use

  • Strictly necessary cookies for basic Site functionality.

  • Analytics cookies/SDKs (see Vendors) for aggregated usage metrics.

  • Social embeds: If you interact with embedded content (e.g., a post or video), that platform may set its own cookies/collect data under its policy.

Not used: fingerprinting or device graphing to identify individuals.

Consent model

  • We do not display an EU/UK cookie banner because we do not actively target those regions. If we expand targeting to the EEA/UK, we will implement explicit opt‑in consent for non‑essential cookies/SDKs.

Global Privacy Control / Do Not Track

  • We do not currently respond to GPC or DNT signals because we don’t sell/share data for advertising. If we introduce advertising technology, we will honor GPC for sale/share opt‑outs.

Retention of cookies/SDK data

  • Analytics data generally persists up to 14 months (see Retention), subject to vendor defaults and your browser settings.

Data retention (defaults)

We keep personal data only as long as needed for the purposes above, then delete or de‑identify it.

  • Email addresses submitted via forms: up to 24 months after last interaction.

  • Support tickets/chats: up to 24 months after resolution.

  • Crash reports: up to 12 months.

  • Server logs/security logs: up to 90 days.

  • Analytics events: up to 14 months.

  • Backups: typically ≤ 30 days rolling.

Security

We use reasonable administrative, technical, and physical safeguards, including:

  • Encryption in transit (TLS) and at rest where supported by our providers.

  • Access control/least privilege (the smallest practical team; access on a need‑to‑know basis).

  • Vendor due diligence and configuration to minimize personal data.
    No security method is perfect. If we learn of a breach that affects you, we will notify you and regulators as required by law.

International data transfers

Our primary infrastructure and vendors are based in the United States. If you access the Site/App from outside the U.S., your data may be transferred to and processed in the U.S. Where required (e.g., for the EEA/UK), transfers rely on vendor Standard Contractual Clauses or equivalent safeguards.

Your privacy rights

Your rights depend on your location. In all cases, you can contact us to accesscorrect, or delete your personal data, or to ask questions.

California (CPRA): Right to know, delete, correct, and to opt out of sale/share (not applicable because we don’t sell/share). Right to limit use of sensitive data (we don’t collect it).

EEA/UK (GDPR): Rights to access, rectify, erase, restrict/ object to processing, and data portability; right to withdraw consent where processing is based on consent; right to lodge a complaint with a supervisory authority.

How to exercise: Email contact@heyally.ai. We may ask you to verify your email address or identity before acting on your request. We aim to respond within applicable legal timeframes.

Children

The Site/App is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child provided us with personal data, contact us and we will delete it.

App‑specific information (if you use our App)

  • Purchases: Transactions are processed by the Apple App Store. We do not receive your full payment card details. We may receive purchase status (e.g., subscription active) via our in‑app purchase infrastructure.

  • RevenueCat: We use RevenueCat to manage in‑app subscriptions/entitlements. We receive non‑sensitive purchase metadata (e.g., anonymized app user ID, product, renewal status) to operate your subscription.

  • Voice & on‑device processing: Enhancements are performed locally on your device. We do not send your voice recordings to third‑party LLM providers for processing or model training.

  • AI training: We do not retain your data for model training.

Vendors (processors/controllers)

We use trusted vendors to operate the Site/App. Each processes data under its own policy and our instructions where applicable.

  • Analytics: Google Analytics 4 (configured for minimal data), PostHog (product analytics).

  • Tag management: Google Tag Manager.

  • Hosting/CDN/Build: Framer, Vercel.

  • Subscriptions/entitlements (App): RevenueCat.

  • Payments (App): Apple App Store/Apple Pay (handled by Apple; we don’t collect payment card data on the Site).

  • Security/Fraud: May include standard platform‑level protections provided by our hosts/CDNs.

  • Support: Direct email (and any ticketing/chat tool we may deploy from time to time, updated here if added).

We do not use data enrichment or third‑party advertising pixels on the Site. If that changes, we will update this Policy and provide appropriate choices.

Changes to this Policy

When we make material changes, we will update the Effective date above. Continued use of the Site/App after changes means you accept the updated Policy.

Contact

Questions, requests, or concerns: contact@heyally.ai

If you’re in the EEA/UK and believe we process your data in scope of GDPR, you can lodge a complaint with your local authority. Our services are primarily intended for users in the United States and we do not currently appoint an EU/UK representative.

© 2025 Synthos Labs LLC. All right reserved

© 2025 Synthos Labs LLC. All right reserved