HeyCheero!

Legal

Privacy Policy

Last updated: 2026-05-12

This policy explains what data HeyCheero collects about you, why we collect it, who we share it with, and the rights you have over it. It applies to heycheero.com and the signed-in product.

HeyCheero is operated from the United Kingdom by Pawel Bacza, a sole trader. For UK GDPR purposes Pawel Bacza is the data controller for personal data we collect and decide how to use through HeyCheero. You can contact us at [email protected].

1. What we collect

We collect only what we need to run the service:

  • Account data. Email address, hashed password, display name, timezone, and (if you sign in with a provider) basic profile info returned by that provider.
  • Conversation content.The messages you send, the AI's replies, working-memory entries derived from your conversations, and any summaries or performance-review drafts generated for you.
  • Embeddings. Numerical representations of your conversations stored in our database so the AI can recall relevant context across sessions.
  • Billing data. Subscription status, plan, renewal date, and a customer identifier from Paddle. We do not store your card details — Paddle handles payment data directly.
  • Usage and technical data. Basic server logs (IP address, user agent, request paths, timestamps) used to keep the service running and to investigate abuse.
  • Cookies and local storage. A session cookie issued by our auth system to keep you signed in, and local storage entries for UI preferences (theme, sidebar state). No third-party advertising or cross-site tracking cookies.

2. Why we use it (and the legal basis)

  • To provide the service — show you your conversations, run the AI, send summaries. Legal basis: performance of the contract with you.
  • To bill you — process subscriptions, issue invoices via Paddle. Legal basis: performance of the contract.
  • To communicate with you — transactional emails (sign-in, billing, account notices). Legal basis: performance of the contract.
  • To keep the service secure — fraud detection, rate limiting, abuse investigation. Legal basis: legitimate interests.
  • To improve the service — aggregate, non-identifying usage patterns. Legal basis: legitimate interests.
  • To comply with law — tax, accounting, responding to lawful requests. Legal basis: legal obligation.

3. AI processing and model training

We do not use your conversations to train or fine-tune HeyCheero-owned models. We don't sell your content. We don't use it to build advertising profiles.

When we send your messages to our LLM provider to generate a reply, they process the content to return an answer. We use reasonable efforts to configure routing to providers that say they do not train on prompts or outputs, but provider policies, routing, and retention controls may change. If our own use of your content changes in a material way, we will update this policy before that change applies.

4. Who we share data with

We share personal data only where needed to run HeyCheero, comply with law, or protect the service:

  • Paddle.com Market Limited— payments, tax, and Merchant of Record services. Paddle may act as an independent controller for checkout, payment, tax, fraud, and compliance data. Paddle receives your name, email, billing address, and payment details. See Paddle's privacy notice at paddle.com.
  • OpenRouter — LLM inference and embeddings. Your messages and relevant prior context are sent for processing by OpenRouter and the model providers it routes requests to.
  • Resend — sending transactional email. Receives your email address and the contents of the message sent to you.
  • Hosting provider (OVH). Our servers and database run on their infrastructure; they have access to data only as needed to host it.

We may also disclose data if legally required (court order, valid request from a regulator) or to protect the safety of our users.

5. International transfers

Some of our providers (including OpenRouter and Resend) are based in the United States or may process data there. Where we make a restricted transfer of personal data outside the UK or EEA, we rely on applicable safeguards such as adequacy decisions, the EU Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, the EU-US Data Privacy Framework and UK Extension where available, or another lawful transfer mechanism.

6. How long we keep data

  • Account data and conversations: for as long as your account is active.
  • After account deletion: we delete your conversations, embeddings, and working memory within a reasonable period unless we need to keep limited data for legal, security, or dispute reasons. Backups are overwritten or purged on a rolling basis.
  • Billing and tax records: retained by us and Paddle for up to 7 years to meet HMRC requirements, even after account deletion.
  • Server logs: up to 30 days unless needed for an ongoing security investigation.

7. How we protect it

We use reasonable technical and organisational measures such as HTTPS/TLS, password hashing, managed infrastructure security controls, and limited production access. No system is perfectly secure. If we become aware of a personal data breach that requires notification, we will notify affected users, the ICO, or other regulators where required by law.

8. Your rights

Under UK GDPR, and similar EEA laws where they apply, you have the right to:

  • access the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your data ("right to erasure");
  • ask us to restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent where processing is based on consent.

You can exercise these rights by emailing [email protected]. We'll respond within one month unless a longer period is permitted by law.

If you are in the United States, privacy rights may vary by state. Where applicable, you may have rights to access, correct, delete, or receive a copy of personal information, or to opt out of certain uses. We do not sell personal information or share it for cross-context behavioural advertising.

If you think we've handled your data badly, you can complain to the UK's Information Commissioner's Office at ico.org.uk.

9. Children

HeyCheero is not for people under 18. We don't knowingly collect data from children. If you believe a child has given us data, contact us and we'll delete it.

10. Cookies

We use a small number of first-party cookies and local storage entries to keep you signed in and remember your UI preferences. We do not use third-party advertising cookies or cross-site tracking. You can clear cookies from your browser at any time — doing so will sign you out.

11. Changes to this policy

We'll update this policy when our practices change. For material changes we'll notify you by email before they take effect.

12. Contact

Questions, requests, or complaints: [email protected]. See also our Terms of Service.