Last Updated: October 22, 2025
Hey Operator ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered voice agent service for meetings. This policy applies to all users and complies with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and similar US state privacy laws.
2.1 We Are the Controller For: Account information (name, phone number, email, authentication credentials), payment and billing data, usage analytics, system logs, and aggregate service metrics. For this data, we determine the purposes and means of processing.
2.2 You Are the Controller For: Call content (recordings, transcripts, speaker identities, summaries). You determine which calls to record, who participates, and when to delete content. We process this data solely on your instructions as your data processor.
2.3 Joint Responsibility: For certain features (e.g., speaker diarization, voice analysis), we may act as joint controllers with you. In such cases, both parties share responsibility for compliance with data protection obligations.
We collect biometric identifiers (voiceprints) as detailed in Section 6. We do not collect other categories of sensitive personal information (health data, precise geolocation, social security numbers, etc.) unless you voluntarily include such information in call content.
We process your personal data for the following purposes, based on the legal grounds indicated:
5.1 AI Processing: We use artificial intelligence and machine learning technologies to provide our services, including real-time transcription, speaker identification, and summary generation. Your call content is processed by AI systems to deliver these features.
5.2 Third-Party AI Services: We use third-party AI services (transcription providers, natural language processing APIs) to process your call content. These providers process data on our behalf under strict confidentiality obligations. See Section 7 for subprocessor details.
5.3 Service Improvement: We may analyze usage patterns and system performance to improve our platform. Any use of data for service improvement will be conducted in accordance with applicable law and this Privacy Policy.
5.4 Aggregate Non-Personal Data: We may use aggregate, non-identifiable usage statistics (e.g., average call duration, feature usage rates) to improve our platform. This data cannot be traced back to individual users or calls.
6.1 Collection and Purpose: We may collect and process biometric identifiers, specifically voiceprints derived from your voice recordings. Voiceprints are mathematical representations of unique voice characteristics. We use voiceprints for: (a) speaker identification and diarization; (b) future automatic authentication (opt-in); (c) fraud prevention; (d) service quality improvement.
6.2 Legal Basis: For GDPR: legitimate interest (service functionality) or explicit consent (future authentication). For US state laws: informed written consent as evidenced by your acceptance of these terms.
6.3 Retention: Voiceprints are retained according to the schedule in Section 8. You may request deletion at any time.
6.4 No Sale or Profit: We will not sell, lease, trade, or otherwise profit from your biometric data. We will not disclose voiceprints except as necessary to provide services, with your consent, or as required by law.
6.5 State-Specific Compliance: For Illinois (BIPA) and other states with biometric privacy laws, this section serves as written notice of our collection, use, and retention schedule. By using our service, you consent to such processing. You may refuse consent, but this will prevent service use.
7.1 Service Providers (Subprocessors): We share data with third-party service providers who process data on our behalf under strict confidentiality and data protection obligations. Categories include:
A complete list of current subprocessors is available at heyoperator.com/subprocessors. We will update this list and notify you of material changes.
7.2 Legal Requirements: We may disclose information when required by law, court order, subpoena, or legal process, or to protect rights, safety, and property.
7.3 Business Transfers: In connection with mergers, acquisitions, restructuring, or asset sales, your information may be transferred to successor entities. We will notify you and ensure continued protection.
7.4 We Do Not Sell or Share Your Personal Information: We do not sell personal information as defined by CCPA, CPRA, or similar laws. We do not share personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals as opt-outs of sale/sharing.
7.5 Sensitive Personal Information: We limit use and disclosure of sensitive personal information (biometric data, precise geolocation if collected) to purposes necessary to provide services and as permitted by law.
We retain personal data only as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods:
| Data Type | Retention Period | Basis |
|---|---|---|
| Call recordings and audio | 30 days | Automatic deletion unless requested sooner |
| Transcripts and speaker diarization | 30 days | Automatic deletion unless requested sooner |
| Call summaries and metadata | 12 months | Service functionality and user history |
| Voiceprints (biometric data) | 30 days after last call | Speaker identification functionality |
| Account information | Until account deletion | Active user accounts |
| Billing and payment records | 7 years | Tax and financial compliance |
| Usage logs and analytics | 12 months | Security and system monitoring |
Early Deletion: You may request deletion of call content, voiceprints, or your entire account at any time. We will process deletion requests within 30 days, except where retention is required by law or to resolve disputes.
We implement industry-standard technical, administrative, and physical safeguards to protect your information, including: (a) encryption in transit (TLS 1.3) and at rest (AES-256); (b) secure authentication with hashed PINs; (c) role-based access controls; (d) regular security assessments and penetration testing; (e) secure software development practices; (f) incident response procedures. However, no system is 100% secure. We cannot guarantee absolute security and are not liable for unauthorized access resulting from circumstances beyond our reasonable control.
Depending on your location, you may have the following rights under GDPR, CCPA, CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and similar laws:
You may designate an authorized agent to submit privacy requests on your behalf. We require proof of authorization (signed permission or power of attorney) and may verify your identity directly.
Submit requests via email to privacy@heyoperator.com or through your account settings. We will respond within 30-45 days (depending on jurisdiction). We do not discriminate against users who exercise privacy rights.
Appeals: If you are dissatisfied with our response to a privacy request, you may appeal by emailing privacy@heyoperator.com with "APPEAL" in the subject line. We will respond within 45 days. You also have the right to lodge a complaint with your local data protection authority.
11.1 What We Use: We use cookies, local storage, and similar technologies to: (a) maintain user sessions and authentication; (b) remember preferences; (c) analyze usage patterns; (d) improve performance and user experience.
11.2 Types of Cookies:
11.3 Third-Party SDKs: We may use third-party analytics services (e.g., usage analytics providers) that collect data via SDKs or scripts. These services operate under their own privacy policies. We do not use advertising cookies or cross-site tracking.
11.4 Your Choices: You can manage cookies via browser settings or our cookie consent banner. Disabling essential cookies may prevent service use. We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals for non-essential tracking.
12.1 Location of Processing: Your data may be processed in the United States and other countries where we or our service providers operate. These countries may have different data protection laws than your jurisdiction.
12.2 Safeguards for EEA/UK Transfers: For transfers from the EEA or UK to countries without adequate data protection, we rely on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) EU-US Data Privacy Framework (DPF) for certified service providers; (c) UK Extension to the EU-US DPF where applicable; (d) supplementary technical and organizational measures to ensure data security.
12.3 Your Rights: You may request copies of transfer mechanisms (SCCs) by contacting privacy@heyoperator.com.
All calls are automatically recorded. An automated message is played at call start to notify initial participants. If you add participants after that message, YOU ARE SOLELY RESPONSIBLE for notifying them. Some US states (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington) require all-party consent for call recording. By using this service, you represent that you have obtained all necessary consents and comply with applicable laws.
We do not make automated decisions that produce legal effects or similarly significantly affect you without human involvement. Our AI features (transcription, speaker identification, summarization) are assistive tools that do not determine eligibility, rights, or access to services. You are not subject to profiling for marketing or other purposes. If this changes, we will provide notice and obtain consent as required by law.
In the event of a data breach that risks your rights and freedoms, we will notify affected users and relevant supervisory authorities within legally required timeframes (typically 72 hours for GDPR). Notifications will describe the breach, potential consequences, and remedial actions taken. We maintain an incident response plan and conduct regular security assessments to minimize breach risks.
Our service is not intended for users under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@heyoperator.com, and we will delete it promptly.
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated via email (if provided) or prominent notice on our website at least 30 days before taking effect. The "Last Updated" date will be revised. Continued use after changes indicates acceptance. If you object to changes, you may close your account before the effective date.
For questions about this Privacy Policy, to exercise your rights, or to raise concerns, contact us at:
Email: privacy@heyoperator.com
Mailing Address (Legal Notices Only):
Hey Operator Legal Department
c/o Bytware, LLC
131 Continental Drive Suite 305
Newark, DE 19713
United States
EU Representative: [To be appointed if required under GDPR Art. 27]
UK Representative: [To be appointed if required under UK GDPR Art. 27]
Data Protection Officer (DPO): [Contact if appointed]
Supervisory Authorities: EEA users may contact their local data protection authority. UK users may contact the Information Commissioner's Office (ICO). US users may contact state attorneys general or consumer protection agencies.