Privacy Policy
Last updated: 3 July 2026
This policy explains what data HeyBob collects, why, and how we protect it. HeyBob is operated by Tiny Cloud Ventures (“we,” “us”). If anything here is unclear, email [email protected].
What we collect
- Account & workspace data: your name, work email, workspace name, and billing details.
- Messages you direct to Bob: the requests you @mention or send Bob, and the results, files, and receipts of each run.
- Connected-tool data: the specific data Bob reads or writes in the tools you connect (e.g. a CRM record, an accounting entry) in order to complete a task you asked for.
- Workspace memory: preferences, definitions, and decisions your team asks Bob to remember. This is scoped to your workspace and editable by you.
- Usage & audit metadata: run timestamps, tool calls, approvals, and credit accounting — the data behind your receipts and audit log.
What we do not do
- We do not use your data, prompts, or connected-tool content to train external AI models.
- We do not sell your data.
- Bob only reads the messages directed to him (an @mention or a direct message) — not your team’s wider conversations.
How connected credentials are handled
Credentials for tools you connect are held in a dedicated OAuth vault, encrypted at rest, and are never stored in our application database. Agent runs execute in isolated sandboxes with no direct access to those credentials — tokens are used server-side to make the specific tool calls a task requires.
Subprocessors
To run the product we rely on a small set of vendors, including a cloud hosting provider, our AI model provider (Anthropic), and a payments processor (Stripe). Under the BYOK model, your model tokens are billed directly by Anthropic to you under your own agreement. We maintain a current list of subprocessors and will provide it on request.
Data retention & deletion
We retain workspace data, run history, and audit logs for as long as your workspace is active, so your receipts and audit trail remain complete. You can request export or deletion of your workspace data at any time by emailing us; we will action deletion requests promptly, subject to any legal retention obligations.
Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted and logged. A SOC 2 examination is in progress; we will update this page as that work completes.
Your rights
Depending on where you are, you may have rights to access, correct, export, or delete your personal data. To exercise any of these, email [email protected] and we’ll respond.
Changes to this policy
If we make material changes, we’ll update the date above and, where appropriate, notify workspace admins.