GDPR

Data protection rights under GDPR

If you are in the EU/EEA or otherwise covered by GDPR, this page describes your rights, how we protect your data, and how to exercise those rights.

Last updated: February 22, 2026

How We Protect Your Data Under GDPR

HeyAvo is built on Google Cloud infrastructure. All data is encrypted in transit via TLS and encrypted at rest using Google Cloud platform-managed encryption. We do not sell personal data and do not use it for ad targeting.

Specific technical measures include:

  • Authenticated sessions using HttpOnly, Secure, SameSite cookies scoped to .heyavo.ai, with server-side verification and revocation checking on every request.
  • CSRF protection using SHA-256 derived tokens with timing-safe comparison on all state-changing operations.
  • Firestore security rules that enforce per-user data isolation. Users can only read and write their own data; admin operations require verified JWT custom claims.
  • Content Security Policy, HSTS, X-Frame-Options (DENY), and Permissions-Policy headers that block cross-site scripting, clickjacking, and unauthorized browser features.
  • Rate limiting on AI endpoints and sensitive operations with fail-closed behavior on protected routes.
  • Automated CI/CD checks that validate auth gate correctness, admin route access patterns, and dependency vulnerabilities before code reaches production.

Infrastructure partners (Google Cloud, Firebase, Vercel) operate under contractual data protection obligations. AI processing providers receive only content you explicitly send through HeyAvo's AI features, scoped to that specific request.

Your Rights

Under GDPR, you can make the following requests about how your personal data is processed.

Right to Access

Request a full copy of all personal data we hold about you, including workspace content, account metadata, and AI interaction history.

Right to Rectification

Request correction of any inaccurate or incomplete personal data. Profile information can also be updated directly in app settings.

Right to Erasure

Request deletion of your personal data and account. This removes your content from Firestore and associated media from Firebase Storage.

Right to Restriction

Request that we limit how your personal data is processed while a dispute or request is being resolved.

Right to Data Portability

Request your data in a structured, machine-readable format that you can transfer to another service.

Right to Object

Object to certain types of processing. HeyAvo does not use your data for advertising or automated decision-making that affects you legally.

How to Submit a Request

Email us from the address associated with your HeyAvo account so we can verify your identity and protect your data.

  • Include your request type (access, deletion, export, correction, restriction, or objection) and specify which workspace(s) or app(s) are affected.
  • Provide any context that helps locate relevant data: date ranges, app names, project names, or Circle context.
  • We will acknowledge your request within 72 hours and respond within the GDPR-mandated 30-day timeline. Extensions will be communicated in advance if needed.

For GDPR requests, contact privacy@heyavo.ai.

© 2026 HeyAvo. All rights reserved.