Last updated: May 18, 2026

Privacy Policy

heyghe is an Instagram DM automation tool for creators. We're currently in private invite-only beta. This page explains every category of data we touch, why we touch it, how long we keep it, and the rights you retain. Questions or requests: hello@heyghe.com.

1. Who we are

heyghe is operated by Pranav Bhatkar, an independent creator-developer based in Amravati, Maharashtra, India. heyghe is not (yet) incorporated as a company; it is a tool being tested with a small group of Indian creators. There is no team, no investors, and no external operators. All contact is via hello@heyghe.com.

2. What we collect, and why

The table below lists every category of data heyghe stores, where it comes from, why we need it, and how long we keep it. If a category isn't here, we don't collect it.

DataSourceWhyRetention
Account info: email, name, role, localeBetter Auth sign-in + invite acceptanceIdentify the creator behind the dashboardUntil account deletion
Instagram access tokenMeta OAuth on Connect IGCall Meta APIs on your behalf to send DMs, reply to comments, fetch media metadataEncrypted in Cloudflare KV (AES-GCM-256); deleted immediately on disconnect
IG account metadata: handle, IG user ID, business account ID, profile picture URL, subscribed webhook fieldsMeta Graph API on connectDisplay your connected account in the dashboard; route webhooks to the right automationRefreshed each connect; deleted on disconnect or account deletion
Comment events: comment text, comment ID, media ID, commenter IG user ID + handle, timestampMeta webhooks for posts/reels you subscribed toMatch your keywords and decide whether to trigger an automation; show you the matched-comments history90 days, then deleted
DM events: recipient IGSID, message payload snapshot, delivery status, response index, error codeheyghe's send pipelineTrack DM delivery, retry safely, surface failures in your dashboard90 days, then deleted
Contacts: IGSID, display name + profile picture URL (if Meta returns them), counters, first/last triggered timestampsMeta Graph API, lazily enriched on activityPopulate the Contacts page so you know who heyghe DM'd on your behalf365 days from last activity, or until you delete
Lead submissions: the form fields a viewer fills in response to a Lead Form DMSubmitted by your audience inside Instagram DMHand the leads back to you (CSV export, dashboard view)Until you delete the parent automation, or your account is deleted
Waitlist applications: name, email, IG handle, follower bucket, optional message, user-agent, hashed IPheyghe.com "Apply for early access" formEvaluate applicants for the private beta + spam-rate-limit the form12 months from submission, or sooner on written request
Audit log entries: sensitive action, IP, user-agentServer-side, generated by heygheInvestigate security incidents (login from new device, IG connect/disconnect, invite use)90 days
Marketing analytics: page views, named events, hashed IP, country, device classGoogle Analytics 4 + PostHog on heyghe.comUnderstand which pages bring real creators (no advertising retargeting)GA4: 14 months (default). PostHog: 7 years (provider default; we'll delete on request)

Note: IP addresses for the waitlist form are stored as a one-way SHA-256 hash, never the raw IP. Marketing analytics use anonymized IP collection (GA4 anonymize_ip: true) and no PostHog session replay.

3. What we do NOT collect

  • We do not read or store your Instagram DMs other than the ones heyghe explicitly sends on your behalf.
  • We do not scrape Instagram posts, followers, hashtags, or any content outside the webhook fields you authorize at OAuth time.
  • We do not collect payment information; heyghe is free during the beta.
  • We do not run session-replay tooling. The marketing site uses GA4 + PostHog with autocapture and session recording both disabled.
  • We do not sell, rent, or share your data with third parties for marketing or advertising. Ever.
  • We do not use your data to train AI or ML models.

4. Where your data lives

heyghe runs entirely on Cloudflare. Your data resides in:

  • Cloudflare D1 (Asia-Pacific region): relational data such as users, invites, IG account metadata, comment events, DM events, contacts, lead submissions, audit logs, and waitlist applications.
  • Cloudflare KV: encrypted Instagram access tokens, short-lived caches (webhook dedup, OAuth state nonces), and rate-limit counters.
  • Cloudflare R2: image attachments you upload inside the automation editor (used as DM media).

The marketing site (heyghe.com), dashboard (app.heyghe.com), and API (api.heyghe.com) are all served from Cloudflare's edge. Cloudflare's data processing terms apply to the underlying infrastructure.

5. Who we share data with

We do not sell your data. We never share it for advertising or marketing purposes. The only third parties that ever see any of your data are infrastructure processors strictly necessary to run heyghe:

  • Meta Platforms, Inc.: to call the Instagram Graph API on your behalf (sending DMs, replying to comments, fetching profile metadata). Subject to Meta's Privacy Policy.
  • Cloudflare, Inc.: hosting, edge routing, D1, KV, R2, and Workers. Cloudflare Privacy Policy.
  • Resend: transactional email delivery (magic-link sign-in, account notifications). Your email address is passed to Resend only at send-time. Resend Privacy Policy.
  • Google LLC: only if you choose Google OAuth as a sign-in method. Google receives the sign-in request; we receive your email + Google account ID. Google Privacy Policy.
  • Google Analytics 4: page-level marketing analytics on heyghe.com only. IP is anonymized at collection. Google Privacy Policy.
  • PostHog: product and marketing analytics (no autocapture, no session replay, no surveys). On the marketing site, persistence is set to in-memory so no PostHog cookies are written. On the dashboard, a first-party PostHog cookie is used to stitch sessions. PostHog Privacy Policy.
  • Sentry: server-side error monitoring. Logs are scrubbed for sensitive keys before send; no IG tokens, no DM contents. Sentry Privacy Policy.

We do not transfer data to any processor outside this list. We do not engage data brokers, ad networks, or affiliate partners.

6. How we secure your data

  • Instagram access tokens are encrypted at rest with AES-GCM-256 using a versioned key envelope, stored only in Cloudflare KV, and never logged or written to D1.
  • Magic-link tokens are hashed before storage and expire after 15 minutes.
  • Owner accounts are required to enable TOTP-based 2FA on first sign-in.
  • All Meta webhooks are HMAC-SHA256 signature-verified over the raw request bytes before any processing.
  • Constant-time string comparison is used for all token, invite, and signature validations.
  • Session cookies use the __Host- prefix with Secure, HttpOnly, and SameSite=Lax.
  • Logger middleware scrubs sensitive keys (tokens, signatures, authorization headers) at every depth before serialization to Sentry.
  • heyghe is single-tenant per Cloudflare account, so there is no shared multi-tenant database surface across operators.

heyghe is not (yet) SOC 2, ISO 27001, or HIPAA certified. We do not make compliance claims we can't back up. The full security model is documented internally and reviewed on every change.

7. Your rights and how to use them

Under India's Digital Personal Data Protection Act, 2023 and (for EU/UK users) the GDPR / UK GDPR, you have the right to access, correct, export, and delete your personal data. heyghe honors these rights regardless of your jurisdiction.

  • Disconnect Instagram at any time. Revoke heyghe's access in Instagram Settings → Apps and Websites. Our server-side cleanup deletes your access token immediately and stops processing webhooks for that account.
  • Delete your account. Visit app.heyghe.com → Settings → Danger Zone, or email hello@heyghe.com. We delete your user record, IG metadata, contacts, lead submissions, and queued DM events within 7 days. Audit log entries are retained for 90 days for security purposes, then deleted.
  • Withdraw from the waitlist. Email hello@heyghe.com with the email you applied with; we'll delete your application within 7 days.
  • Export your data. Email us and we'll send a JSON dump of every record tied to your account within 7 days.
  • Correct your data. Most fields are editable in the dashboard. For anything else, email us.
  • Meta-initiated data deletion. Meta calls https://api.heyghe.com/api/ig/oauth/data-deletion when an Instagram user requests deletion. We honor every such request automatically and respond with a confirmation URL per Meta's spec.

If you believe heyghe has mishandled your data, you can lodge a complaint with India's Data Protection Board (once constituted under DPDP-2023) or, for EU users, your local supervisory authority. We'd appreciate you emailing us first so we can fix it.

8. Cookies and analytics

The marketing site (heyghe.com) uses two analytics tools and a minimal set of first-party cookies:

  • Google Analytics 4: writes _ga and _ga_* cookies (first-party) for visit measurement. IP anonymization is enabled. We do not enable Google Signals, ad personalization, or remarketing audiences.
  • PostHog (marketing): runs with persistence: "memory", so it writes no cookies on the marketing site. Autocapture is off, session recording is off, surveys are off.
  • PostHog (dashboard): on app.heyghe.com, a first-party PostHog cookie is used to stitch authenticated sessions. No session recording.

Both GA4 and PostHog respect the browser Do Not Track header. If your browser sets navigator.doNotTrack === "1", neither tool fires.

We do not use third-party advertising cookies. We do not load Facebook Pixel, LinkedIn Insight, or any other ad-network tracker.

9. Children

heyghe is not intended for users under the age of 18, in line with Meta Platform Terms for the Instagram Graph API. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, email hello@heyghe.com and we will delete the account.

10. International data transfers

heyghe is operated from India. Your data is processed on Cloudflare's global edge network and stored primarily in their Asia-Pacific D1 region. Cloudflare may route requests through other regions for performance and reliability, covered by their data processing addendum.

For EU/UK users: where processors (Cloudflare, Resend, Google, PostHog, Sentry) are based outside the EEA, they operate under either Standard Contractual Clauses or their own GDPR-compliant transfer mechanisms.

11. Changes to this policy

We will update the "Last updated" date at the top of this page whenever the policy changes. For material changes (new categories of data, new processors, changes to retention) we will email every active beta user at least 14 days before the change takes effect.

12. Contact

Questions, concerns, or data requests: hello@heyghe.com. We aim to respond within 7 days; for urgent security or deletion requests, please write "urgent" in the subject line.