PRIVACY POLICY
Last Updated: November 22, 2025
Effective Date: November 22, 2025
heyBTW AI, Inc. ("heyBTW," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our collaborative marketing intelligence platform and services (collectively, the "Services").
Important Note: This Privacy Policy applies to information we collect about our business customers and website visitors. If you are an event attendee whose information is processed through our platform, your data is controlled by the companies hosting the event, not by heyBTW. Please see the "Data Processing for Business Customers" section below for more information about our role.
1. Information We Collect
1.1 Information You Provide to Us
We collect information that you voluntarily provide when you:
- Create an account: Email address, name, password, company name, and job title
- Use our Services: Workspace names, collaboration preferences, integration configurations, and platform settings
- Contact us: Contact information, inquiry details, and communication preferences
- Participate in surveys or provide feedback: Responses, opinions, and suggestions
1.2 Information Collected Automatically
When you access our Services, we automatically collect certain information, including:
- Usage Information: Features used, pages viewed, actions taken, time and frequency of access
- Device Information: Browser type, operating system, device type, IP address, and unique device identifiers
- Log Data: Access times, pages viewed, the page you visited before navigating to our Services, and other system activity
- Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities
1.3 Information from Third-Party Services
When you connect third-party services to heyBTW, we may collect:
- Authentication Information: OAuth tokens and credentials (encrypted) necessary to access your connected services
- Profile Information: Basic profile data from single sign-on providers (if you use SSO to access heyBTW)
- Integration Data: Data you authorize us to access from your connected business systems (see Section 3 below for details on Customer Data processing)
Cookie Management: Most web browsers allow some control over cookies through browser settings. You can set your browser to refuse cookies or alert you when cookies are being sent. However, some features of our Services may not function properly without cookies.
2. How We Use Your Information
We use the information we collect to:
2.1 Provide and Improve Our Services
- Deliver, operate, and maintain the heyBTW platform
- Process your transactions and manage your account
- Provide customer support and respond to your inquiries
- Improve, personalize, and expand our Services
- Develop new features, products, and services
- Understand and analyze how you use our Services
- Monitor and analyze usage trends and activities
2.2 Communicate With You
- Send you service-related communications, including account verification, technical notices, updates, security alerts, and administrative messages
- Respond to your comments, questions, and customer service requests
- Send you marketing communications about our Services, new features, promotions, and events (you can opt out at any time)
- Request feedback or participation in surveys
2.3 Ensure Security and Prevent Fraud
- Protect against, identify, and prevent fraud and other illegal activities
- Monitor and analyze security threats
- Enforce our Terms of Service and other policies
- Verify accounts and activity, and ensure security
2.4 Comply with Legal Obligations
- Comply with applicable laws, regulations, and legal processes
- Respond to lawful requests from public authorities
- Protect our rights, privacy, safety, or property, and that of you or others
3. Data Processing for Business Customers
Critical Distinction: This section explains how we process data on behalf of our business customers who use heyBTW to manage collaborative marketing events and measure partnership ROI. In this relationship, our customers are the data controllers, and heyBTW acts as a data processor.
3.1 Your Role as Data Controller
When you use heyBTW to manage collaborative marketing events, you remain the data controller for:
- Contact information about your customers, prospects, and event attendees
- Your CRM data, including opportunity and pipeline information
- Event registration and attendance records
- Your company's business data and analytics
heyBTW acts as your data processor, processing this data ("Customer Data") solely to provide our Services and according to your instructions.
3.2 Customer Data We Process on Your Behalf
Depending on which integrations and features you enable, we may process the following types of Customer Data:
Contact and Company Data
- Names, email addresses, job titles, and company information
- Contact interaction history and engagement data
- CRM fields and custom properties you choose to synchronize
- Account and company firmographic data
Event Data
- Event registration information and attendance records
- RSVP status and check-in data
- Event engagement metrics and attendee feedback
- Event performance analytics and conversion data
Business Intelligence Data
- Opportunity and pipeline information from your CRM
- Account mapping and relationship data
- Attribution data connecting events to business outcomes
- AI-generated insights derived from your data patterns
- Partnership performance metrics and ROI analytics
System Integration Data
- Authentication credentials and API tokens (encrypted)
- Integration configuration and field mappings
- Synchronization logs and error reports
- Webhook configurations and event triggers
3.3 How We Access Your Business Systems
You maintain full control over which systems to connect and what data to share with heyBTW:
Customer Relationship Management (CRM) Platforms: When you connect your CRM (such as HubSpot, Salesforce, or similar platforms), you authorize us to access specific data through secure OAuth connections. You configure which objects, fields, and records to synchronize through our integration settings. We access only the CRM data necessary to provide event attribution, partnership intelligence, and collaborative workspace features.
Event Management Platforms: When you integrate event management tools (such as Luma, Splash, or similar platforms), we access attendee data, registration information, and event performance metrics through approved API connections. This data enables us to provide real-time event analytics and attribution tracking.
Marketing Analytics Systems: When you connect analytics platforms, we access aggregate performance data, conversion metrics, and attribution information to provide comprehensive partnership ROI insights.
Authentication and Identity Systems: For enterprise customers using single sign-on (SSO), we integrate with your identity provider to authenticate users and enforce access controls according to your security policies.
We access only the data necessary to provide our Services, and only when you actively use features requiring that access. You can modify integration permissions, pause synchronization, or disconnect integrations at any time through your heyBTW account settings.
3.4 Your Responsibilities as Data Controller
When using heyBTW, you are responsible for:
- ✓ Providing appropriate privacy notices to your event attendees, contacts, and customers
- ✓ Obtaining necessary consents for data collection, processing, and sharing
- ✓ Ensuring you have legal authority to process and share the data you provide to heyBTW
- ✓ Complying with applicable privacy laws (GDPR, CCPA, etc.) for your use of Customer Data
- ✓ Responding to data subject access requests from your customers and event attendees
- ✓ Configuring integration permissions appropriately for your privacy and security requirements
- ✓ Ensuring data sharing with partner organizations complies with your legal obligations
3.5 Our Commitments as Data Processor
heyBTW commits to:
- ✓ Process Customer Data only as instructed by you and as necessary to provide our Services
- ✓ Implement appropriate technical and organizational security measures to protect Customer Data
- ✓ Not use your Customer Data for our own marketing purposes or to benefit other customers
- ✓ Not share your Customer Data with third parties except as necessary to provide Services (e.g., cloud hosting infrastructure)
- ✓ Assist you with data subject access requests where technically feasible and legally required
- ✓ Notify you promptly of any data breach affecting your Customer Data
- ✓ Delete or return your Customer Data upon termination of Services, as you direct
- ✓ Allow for reasonable audits and inspections as required by enterprise agreements
- ✓ Maintain confidentiality and ensure our personnel are bound by confidentiality obligations
3.6 AI and Machine Learning Processing
heyBTW uses artificial intelligence and machine learning to provide intelligent insights and automation, including:
- Enriching event attendee data with account intelligence
- Identifying patterns in collaborative event success
- Recommending optimal partnership strategies
- Predicting event ROI and partnership effectiveness
- Automating event coordination and follow-up workflows
What We Do: Our AI models analyze your Customer Data to generate personalized insights and recommendations for your organization. These insights help you understand which partnerships drive revenue and how to optimize your collaborative marketing investments.
What We Don't Do:
- ✗ We do NOT use your specific CRM data, contact lists, or opportunity information to train AI models that benefit other customers
- ✗ We do NOT share insights derived from your data with your competitors
- ✗ We do NOT sell or license AI models trained on your Customer Data
Our AI infrastructure maintains logical separation between customers. While we may learn from aggregated, anonymized patterns across the platform to improve our algorithms, your specific business data and competitive intelligence remain completely isolated and confidential.
3.7 Data Sharing in Collaborative Workspaces
Important: When you create a collaborative workspace or event with partner companies on heyBTW, certain data is shared to enable collaboration.
Data Shared with Partner Organizations:
- Event details, descriptions, dates, and logistics
- Shared attendee lists and registration information (for co-hosted events)
- Event performance metrics and aggregate analytics
- Mutual account insights and relationship mapping (where both companies have existing relationships)
- Workspace activity logs and collaboration history
Data That Remains Private:
- Individual company CRM data and pipeline information (unless explicitly shared)
- Proprietary contact lists and prospect databases
- Company-specific revenue data and deal details
- Internal notes, strategies, and confidential business information
You control which teammates within your organization and which partner companies can access each workspace. Before inviting partner companies to collaborate, ensure you have:
- Appropriate data sharing agreements with partner organizations
- Legal authority to share event attendee and customer data with partners
- Obtained necessary consents from individuals whose data will be shared
- Verified that sharing this data complies with your privacy obligations and policies
3.8 Subprocessors and Third-Party Service Providers
We engage carefully selected subprocessors to help us deliver our Services. All subprocessors are contractually required to maintain appropriate data protection and security standards.
Categories of Subprocessors:
- Cloud Infrastructure and Hosting: Providers that host our platform and databases (U.S.-based)
- Authentication Services: Services that enable secure system connections and OAuth integrations
- Application Performance Monitoring: Tools that help us monitor system performance and identify errors
- Security and Compliance: Services that provide security monitoring, threat detection, and compliance tools
- Customer Communication: Email and communication platforms used to deliver service-related messages
We maintain a complete list of subprocessors that is available to enterprise customers upon request. We will notify enterprise customers of any new subprocessors in accordance with our Data Processing Agreement terms, providing an opportunity to object.
3.9 Data Location and Residency
Your Customer Data is primarily stored and processed in the United States. Our cloud infrastructure is hosted in secure, SOC 2 compliant data centers located in the U.S.
For enterprise customers with specific data residency requirements or restrictions on international data transfers, please contact us at privacy@heybtw.com to discuss available options.
3.10 Enterprise Data Processing Agreements
For enterprise customers, we provide a comprehensive Data Processing Agreement (DPA) that includes:
- Detailed processing instructions, scope, and limitations
- Technical and organizational security measure specifications
- Data breach notification procedures and timelines
- Subprocessor management, approval, and notification processes
- Audit and inspection rights
- Standard Contractual Clauses (SCCs) for international data transfers
- Data subject rights assistance procedures
- Data return and deletion procedures upon termination
- Indemnification and liability terms
Our DPA incorporates standard contractual clauses approved by the European Commission for transfers of personal data to countries outside the European Economic Area.
To request our enterprise Data Processing Agreement, contact your account manager or email legal@heybtw.com.
4. How We Share Information
We do not sell your personal information. We may share information about you in the following circumstances:
4.1 With Your Consent
We share information about you when you direct us to do so, such as when you:
- Invite colleagues or partners to join your workspace
- Create collaborative events with partner organizations
- Configure integrations to share data with third-party services
- Explicitly authorize data sharing through our platform features
4.2 Service Providers and Vendors
We share information with third-party vendors and service providers who perform services on our behalf, such as:
- Cloud hosting and infrastructure providers
- Payment processors
- Email communication services
- Customer support platforms
- Analytics and monitoring services
- Security and fraud prevention services
These service providers are contractually obligated to use your information only for the purpose of providing services to us and are prohibited from using your information for their own purposes.
4.3 Business Transfers
If heyBTW is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
4.4 Legal Requirements and Protection of Rights
We may disclose information about you if we believe disclosure is:
- Required by applicable law, regulation, legal process, or governmental request
- Necessary to enforce our Terms of Service or other agreements
- Necessary to detect, prevent, or address fraud, security, or technical issues
- Necessary to protect the rights, property, or safety of heyBTW, our users, or the public
4.5 Aggregated and De-Identified Information
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This may include:
- Industry benchmarks and trends
- Usage statistics and platform analytics
- Research and product development insights
5. Data Security
We take the security of your information seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.
5.1 Security Measures
Our security measures include:
Technical Controls:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 encryption
- Secure password hashing using industry-standard algorithms
- API authentication using OAuth 2.0 and secure token management
- Network security controls including firewalls and intrusion detection
- Regular security vulnerability scanning and penetration testing
- Automated security monitoring and threat detection
Access Controls:
- Role-based access controls (RBAC) limiting data access to authorized personnel
- Multi-factor authentication for administrative access
- Single Sign-On (SSO) support for enterprise customers
- Workspace-level permissions and data isolation
- Audit logging of access and modifications to sensitive data
Organizational Controls:
- Security awareness training for all employees
- Background checks for personnel with access to customer data
- Confidentiality agreements with all employees and contractors
- Incident response procedures and security breach protocols
- Regular security policy reviews and updates
5.2 Compliance and Certifications
We are committed to meeting industry-standard security and compliance requirements:
- SOC 2 Type II: We are pursuing SOC 2 Type II certification to validate our security controls and practices
- GDPR Compliance: Our practices align with General Data Protection Regulation requirements
- CCPA Compliance: We comply with California Consumer Privacy Act requirements
5.3 Data Breach Notification
In the event of a security breach that affects your personal information or Customer Data, we will:
- Notify you without undue delay, and in accordance with applicable law
- Provide information about the nature of the breach and affected data
- Describe the measures we are taking to address the breach
- Provide recommendations for steps you can take to protect yourself
- Cooperate with you in any required notifications to affected individuals or authorities
5.4 Limitations
While we implement strong security measures, no system is completely secure. You acknowledge that:
- Internet transmissions are never completely private or secure
- Any information you transmit may be intercepted by others
- We cannot guarantee that unauthorized access, hacking, data loss, or breaches will never occur
You are responsible for maintaining the security of your account credentials and should notify us immediately of any unauthorized access to your account.
6. Data Retention
6.1 Account and Profile Information
We retain your account information and profile data for as long as your account is active and you continue to use our Services. You can request deletion of your account at any time by contacting privacy@heybtw.com.
6.2 Customer Data Retention
Active Accounts: We retain Customer Data that you upload or sync to heyBTW for as long as your account is active and you use our Services.
After Account Termination: Upon termination of your subscription or at your request, we will:
- Delete your Customer Data from our active systems within 90 days, unless you request a different retention period, or
- Return your Customer Data in a portable format if requested, then delete it from our systems
- Retain only what is required for legitimate business purposes (e.g., billing records, audit logs) or legal compliance
Backup and Disaster Recovery: Customer Data may persist in backup systems for up to 90 days after deletion from active systems. Backup data is securely stored and not accessible for operational use.
6.3 Usage and Analytics Data
We may retain aggregated, anonymized analytics and usage data indefinitely for purposes including:
- Product improvement and development
- Industry research and benchmarking
- Training machine learning models (using only anonymized, non-identifiable data)
This anonymized data cannot be used to identify you, your company, or your customers.
6.4 Legal and Compliance Retention
We may retain certain information for longer periods when required by law or necessary for legal purposes, including:
- Financial records and transaction data (as required by tax and accounting regulations)
- Information relevant to legal proceedings or investigations
- Records necessary to enforce our agreements or protect our legal rights
- Audit logs and security incident records
6.5 Inactive Accounts
Accounts that have been inactive for 24 consecutive months may be flagged for deletion. We will notify you before deleting an inactive account and provide an opportunity to reactivate it.
7. Your Privacy Rights
7.1 Rights for All Users
Regardless of your location, you have the following rights regarding your personal information:
Access: You can request access to the personal information we hold about you.
Correction: You can request that we correct inaccurate or incomplete personal information.
Deletion: You can request deletion of your personal information, subject to certain legal exceptions.
Data Portability: You can request a copy of your personal information in a structured, commonly used, machine-readable format.
Opt-Out of Marketing: You can opt out of receiving marketing communications from us by following the unsubscribe link in emails or by contacting us.
7.2 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: You can request disclosure of:
- Categories of personal information we collect about you
- Categories of sources from which we collect personal information
- Our business or commercial purpose for collecting or selling personal information
- Categories of third parties with whom we share personal information
- Specific pieces of personal information we have collected about you
Right to Delete: You can request deletion of personal information we have collected from you, subject to certain exceptions.
Right to Opt-Out of Sale: We do not sell personal information. If our practices change, we will update this Privacy Policy and provide a clear opt-out mechanism.
Right to Limit Use of Sensitive Personal Information: If we collect sensitive personal information, you have the right to limit its use to purposes specified by law.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
7.3 European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
Right of Access: You have the right to request access to your personal data.
Right to Rectification: You have the right to request correction of inaccurate personal data.
Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal data under certain conditions.
Right to Restrict Processing: You have the right to request restriction of processing your personal data under certain conditions.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object: You have the right to object to processing of your personal data for direct marketing purposes or based on legitimate interests.
Right to Withdraw Consent: If processing is based on consent, you have the right to withdraw consent at any time.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country.
7.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: privacy@heybtw.com
- Subject Line: "Privacy Rights Request"
We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request. For security purposes, we may require additional information to verify your identity.
7.5 Enterprise Customer Rights
Enterprise customers have additional rights as specified in their Master Service Agreement and Data Processing Agreement, including:
- Enhanced audit and inspection rights
- Custom data retention and deletion policies
- Dedicated security and privacy reviews
- Priority response to data subject access requests
- Assistance with impact assessments and compliance documentation
Enterprise customers should contact their designated account manager or email legal@heybtw.com for assistance with enterprise privacy matters.
8. International Data Transfers
heyBTW AI, Inc. is based in the United States, and our servers and service providers are primarily located in the United States. If you access our Services from outside the United States, your information will be transferred to, processed, and stored in the United States.
8.1 Legal Basis for Transfers
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses for transfers to countries outside the EEA
- Your Consent: By using our Services and agreeing to this Privacy Policy, you consent to the transfer of your information to the United States
- Necessity for Contract Performance: The transfer is necessary to provide the Services you have requested
8.2 Data Protection Standards
When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
- Contractual commitments from recipients to protect the data
- Compliance with applicable data protection laws in both the originating and receiving countries
- Implementation of appropriate technical and organizational security measures
8.3 Enterprise Data Residency
For enterprise customers with specific data residency requirements or concerns about international transfers, please contact us at privacy@heybtw.com to discuss available options and additional safeguards.
9. Children's Privacy
Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18 without parental consent, we will delete that information as quickly as possible.
If you believe we have collected information from a child under 18, please contact us immediately at privacy@heybtw.com.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Last Updated" date at the top of this Privacy Policy
- Post the revised Privacy Policy on our website
- For material changes, notify you by email (to the email address associated with your account) or through a prominent notice on our platform
Material changes will take effect 30 days after notification. Your continued use of our Services after the effective date constitutes acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
heyBTW AI, Inc.
Email: privacy@heybtw.com
Privacy Inquiries: privacy@heybtw.com
Legal/Enterprise Matters: legal@heybtw.com
For Enterprise Customers:
If you are an enterprise customer with questions about data processing, your Data Processing Agreement, or compliance matters, please contact your designated account manager or email legal@heybtw.com.
For California Residents:
California residents can contact us using the information above to exercise their CCPA/CPRA rights.
For European Residents:
If you are located in the EEA, UK, or Switzerland and wish to exercise your GDPR rights or have concerns about how we handle your personal data, please contact us at legal@heybtw.com.
We will respond to your inquiry within a reasonable timeframe, and no later than required by applicable law.