§00 — PRIVACY POLICY
Privacy Notice.
This notice describes how we collect, use, and disclose personal data, and is provided to comply with Singapore's Personal Data Protection Act 2012 (the PDPA). By using our website, application, or services, you consent to the practices described here.
EFFECTIVE 2026-07-07 · LAST UPDATED 2026-07-07 · GOVERNING LAW — SINGAPORE
Contents
§01
Who we are
heyjane.io (Singapore) is the organisation responsible for the personal data described in this notice.
§02
What we may collect
Our service lets a business (a “Venue”) connect its own WhatsApp number to an AI agent that replies to the Venue's customers, takes orders, and escalates conversations to the Venue as needed. Depending on how you interact with us, we may collect:
- account and workspace data — name, email address, business information, and role, for the person and organisation signing up;
- authentication data needed to sign you in and manage sessions, handled through our authentication provider;
- WhatsApp message content exchanged between a Venue's connected number and its customers, so our agent can read and respond to conversations;
- a Venue's customers' WhatsApp phone numbers and profile display names, to the extent needed to route messages and fulfil orders;
- order details placed through a WhatsApp conversation — items, quantities, and prices;
- billing and subscription information, processed through our payment provider; we do not see or store full payment card or bank account details;
- IP address, device, and usage information, and any information you choose to provide when you contact us.
§03
Why we collect it
We may collect, use, or disclose personal data for purposes including:
- providing, operating, and maintaining the service;
- operating the WhatsApp-based agent, including reading, routing, and replying to messages, taking orders, and escalating conversations to a Venue when needed;
- verifying identity, managing accounts, and enforcing permissions;
- processing payments and administering subscriptions;
- responding to enquiries, requests, complaints, or support tickets;
- monitoring, analysing, and improving the service;
- complying with applicable laws, regulations, court orders, or requests from competent authorities;
- transmitting personal data to third-party service providers, agents, and authorities, in Singapore or abroad, for any of the above purposes;
- any other purpose to which you have consented.
The above purposes may continue to apply for a reasonable period after your relationship with us ends, including any period needed to enforce our rights.
§04
Legal basis
We rely on your consent (given when you sign up or otherwise provide personal data), on the performance of any contract between you and us, and on our legitimate interests where the PDPA permits.
In particular, we rely on the PDPA's legitimate interests exception (Schedule 1, Part 3) for activities including fraud detection and prevention, prevention of misuse of the service, security analysis, debugging, and protection of our rights, property, or the safety of others.
You may withdraw consent for non-essential processing by writing to our Data Protection Officer at the email in the Contact section below. Withdrawal may mean we can no longer provide some or all of the service to you, and does not affect the lawfulness of processing carried out before withdrawal or processing permitted without consent under applicable law.
§05
Who we share it with
We may share personal data with third-party service providers and agents that help us operate the service, in categories including:
- cloud database and hosting providers, who store the service's data;
- an authentication provider, who manages sign-in and sessions;
- a payment provider, who processes subscription billing;
- an email delivery provider, who sends transactional email on our behalf;
- AI / large-language-model inference providers, who process message content so our agent can generate replies;
- product analytics providers, in aggregate or pseudonymised form.
We may also disclose personal data where required or permitted by law, in response to lawful requests from authorities, to enforce our terms, or to protect our rights, property, or the safety of any person.
We do not sell personal data, and we do not share it with advertisers.
§06
Business customers and their customers' data
If you are a Venue using the service to communicate with your own customers over WhatsApp, a separate relationship applies to your customers' personal data (their WhatsApp message content, phone numbers, profile names, and order details). In that relationship, the Venue is the party that decides why and how that data is processed, and we act only as a data intermediary, processing it solely on the Venue's instructions and only to provide the service — reading, routing, and replying to messages, taking orders, and escalating conversations to the Venue.
We do not use a Venue's customers' personal data for our own independent purposes, and we apply the same security measures described in this notice, plus tenant-level data isolation between Venues. A Venue is responsible for its own compliance with the PDPA (or other applicable law) toward its customers, including any consents needed to message them over WhatsApp through the service. The contractual terms governing this relationship, including our obligations as a data intermediary, are set out in the “Data processing for your customers” section of our Terms of Service.
§07
International transfers
Some of the service providers we use may store or process personal data outside Singapore. Where this happens, we take reasonable steps consistent with the PDPA's Transfer Limitation Obligation to ensure the recipient is bound by terms providing a standard of protection comparable to the PDPA.
Our database is hosted by our cloud database provider (Supabase) in the ap-southeast-1 (Singapore) region, which is within Singapore — so our primary datastore does not involve a cross-border transfer. To the extent any other service provider we use (for example, authentication, payments, hosting, or AI/LLM infrastructure) processes personal data outside Singapore, we apply the safeguards described above.
§08
Retention
We retain personal data for as long as it is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable laws (including tax, accounting, and other record-keeping obligations). This includes WhatsApp message content and conversation history, which we retain for as long as needed to provide the service to you and your customers, unless you request earlier deletion. When personal data is no longer required, we will take reasonable steps to delete it or remove the means by which it can be associated with you.
§09
Security
We have implemented appropriate administrative, technical, and organisational measures to safeguard personal data in our possession or under our control. No system can be guaranteed completely secure, and we make no warranty regarding security.
§10
Access, correction, and deletion
We rely on the personal data you provide. To help us comply with our Accuracy Obligation under the PDPA, please keep your account information current and notify us in writing if any personal data we hold about you needs to be updated or corrected.
Subject to the PDPA, you may request access to, correction of, or deletion of the personal data we hold about you by writing to our Data Protection Officer at the email below (see also our Data Deletion page). We may charge a reasonable fee for an access request and will tell you the fee before processing it. We will respond as soon as reasonably possible. If we cannot respond within 30 days of receiving your request, we will inform you in writing of the time by which we will respond. Where the PDPA permits, we may decline a request and will inform you of the reason.
§11
Eligibility
The service is intended for use by individuals aged 18 years or older. By using the service you represent that you are at least 18 years old. We do not knowingly collect personal data from anyone under 18 without verified parental or guardian consent.
§12
Changes to this notice
We may revise this notice at any time without prior notice. Revised versions take effect on the date posted, indicated by the “Last updated” date at the top of this page. Your continued use of the service constitutes your acknowledgement and acceptance of the revised notice.
§13
Contact
Enquiries about this notice or requests under the PDPA should be made in writing to our Data Protection Officer at privacy@heyjane.io.
Data Protection Officer heyjane.io