heyghe

Last updated: May 16, 2026

Privacy Policy

heyghe is currently in private invite-only beta. This policy explains what we collect from beta users, how we store it, and the rights you retain over your data. If you have questions, email hello@heyghe.com.

1. Who runs heyghe

heyghe is operated by Pranav Bhatkar, an independent creator-developer based in Nashik, India. heyghe is not incorporated as a company; it is a self-hosted tool currently being validated with a small group of Indian creators. All contact is via hello@heyghe.com.

2. What we collect

When you accept a beta invite and use heyghe, we collect the following:

  • Email address. Required for magic-link sign-in via Better Auth. Stored in our Cloudflare D1 database alongside your user record.
  • Instagram OAuth access token. Obtained when you connect your Instagram Business or Creator account. Encrypted with AES-GCM-256 before being stored in Cloudflare KV. Never logged. Never transmitted in plaintext. Never stored in our application database.
  • Instagram metadata. Your Instagram username, profile picture URL, Instagram user ID, and the list of webhook fields you subscribed to. Stored in D1.
  • Comment events. When a viewer comments on your subscribed reels or posts, we receive a webhook from Meta containing the comment text, the commenter's Instagram user ID and username, the media ID, and a timestamp. We store this in our D1 database so the keyword-matching engine can decide whether to send a DM and so you can review the history in your dashboard.
  • DM event records. When heyghe sends a DM on your behalf, we record the recipient's Instagram user ID, the message payload we sent (as a snapshot at send-time), the delivery status, and any error returned by Meta.
  • Audit log entries. Security-sensitive actions (connecting / disconnecting an Instagram account, accepting invitations, signing in from a new device) are logged with IP address and user-agent for 90 days.
  • Analytics events. Aggregated, non-personally-identifying usage events (e.g., "a user created an automation") via PostHog. We do NOT collect user-level behavioral analytics during the beta.

3. What we do NOT collect

  • We do not access your Instagram DMs (other than ones heyghe explicitly sends on your behalf).
  • We do not scrape Instagram posts, followers, or any content outside the webhook feed you authorize.
  • We do not collect payment information during the beta (heyghe is free).
  • We do not use cookies for advertising or third-party tracking.
  • We do not sell, rent, or share your data with third parties for marketing.

4. Where your data lives

heyghe is self-hosted on Cloudflare. All data resides in:

  • Cloudflare D1 (Sydney/Asia-Pacific region) — relational data: users, invites, Instagram account metadata, comment events, DM events, audit logs.
  • Cloudflare KV — short-lived caches (webhook dedup, rate limits, OAuth state) and the encrypted Instagram access tokens.
  • Cloudflare R2 — image attachments for DM responses (uploaded by you in the automation editor).

We use Cloudflare Workers and Pages to serve heyghe.com, app.heyghe.com, and api.heyghe.com. Cloudflare's data processing terms apply to all infrastructure-level handling of your data.

5. Third parties we send data to

  • Meta (Instagram Graph API). We send your DMs and your comment replies via Meta's official APIs using your access token. Subject to Meta's own privacy policy and Platform Terms.
  • Resend. Transactional email delivery for magic-link sign-in. Your email address is passed to Resend at send-time only.
  • Google. If you sign in via Google OAuth, Google receives the sign-in request and we receive your email + Google account ID.
  • PostHog. Anonymous product analytics. No user-level personally identifying information sent.

6. Security

  • Instagram access tokens are encrypted at rest with AES-GCM-256 and a versioned key envelope.
  • Magic-link tokens are hashed before storage and expire after 15 minutes.
  • Owner accounts can enable TOTP-based 2FA at any time.
  • All webhook events from Meta are signature-verified (HMAC-SHA256) before processing.
  • Constant-time string comparison for all token/secret validation paths.
  • Session cookies use the __Host- prefix with Secure, HttpOnly, and SameSite=Lax.

7. Your rights and controls

  • Disconnect at any time. Revoke heyghe's access in your Instagram Settings → Apps and Websites. Our server-side cleanup deletes your access token immediately and stops processing webhooks for your account.
  • Account deletion. Email hello@heyghe.com and we will delete your user record, IG metadata, comment events, DM events, and contacts within 7 days. Audit log entries are retained for 90 days for security purposes (then deleted).
  • Data export. Email us and we'll send you a JSON dump of every record tied to your account within 7 days.
  • Data deletion callback. Meta can request data deletion on behalf of an Instagram user via https://api.heyghe.com/api/ig/oauth/data-deletion. We honor every such request automatically.

8. Retention

  • Account + IG metadata: retained while your account is active.
  • Comment events + DM events: retained while your account is active. Re-trigger relies on this history.
  • Audit logs: 90 days.
  • Webhook dedup cache: 24 hours.
  • Magic-link tokens: 15 minutes (auto-expire).
  • OAuth state nonces: 10 minutes (auto-expire).

9. Changes to this policy

We will update the "Last updated" date at the top of this page whenever the policy changes. During the beta we will also email any material changes to every active beta user.

10. Contact

Questions, concerns, or data requests: hello@heyghe.com