Legal

Privacy Policy

This page explains what information Heym may collect, why we use it, how long we keep it, and what rights you have. If you self-host Heym entirely on your own infrastructure, you remain responsible for the data processed inside your own deployment.

Last updated: March 29, 2026Need the rules for using Heym? Read our Terms of Service.

1. Scope

This Privacy Policy applies to the Heym homepage, our newsletter, support channels, community interactions, and any hosted or managed Heym services that we directly operate. It does not replace the privacy obligations of users who deploy Heym on their own infrastructure.

Heym is a source-available, self-hosted AI workflow automation platform that enables users to build intelligent automations through a visual drag-and-drop canvas with 33 node types across triggers, AI, logic, data, integrations, and automation categories. Because Heym is designed for self-hosting, the vast majority of data processing occurs entirely within your own infrastructure when you run your own deployment.

If you self-host Heym and do not use a service operated by us, you control the data collected in that environment and act as the primary controller for that deployment. This Privacy Policy does not govern data processed within self-hosted instances — you are responsible for your own data handling practices, including compliance with GDPR, CCPA, or any other applicable data protection regulations in your jurisdiction.

2. Information We Collect

We collect different types of information depending on how you interact with Heym. The categories below describe what we may collect when you use the heym.run website, subscribe to our newsletter, contact us for support, or use a hosted service that we directly operate.

2.1 Contact and account details

We may collect the following when you interact with us directly:

  • Email address and contact details you submit through forms, newsletters, or support channels.
  • Name, company, and role when you request enterprise information, demos, or custom development services.
  • Account credentials and profile details for services we directly host, including usernames and encrypted passwords.
  • Communication history from support tickets, Discord conversations, or email exchanges you initiate with our team.

2.2 Product and workflow data

When you use a Heym service operated by us, we may process the following data that is necessary to execute your workflows and provide the service:

  • Workflow definitions including node configurations, edge connections, prompts, and expression DSL formulas.
  • Execution logs, LLM traces, input and output payloads, and timing data generated during workflow runs.
  • Uploaded files including documents for RAG vector stores, skill attachments, and files generated by workflow nodes.
  • Credential metadata needed to connect to third-party services, with all secret values encrypted at rest using AES-256 Fernet encryption.
  • DataTable contents, global variables, template configurations, and team membership information.
  • Support attachments or samples you voluntarily share while requesting help with troubleshooting.

2.3 Technical and usage data

We may collect technical information to keep the service secure, reliable, and performant. This data helps us detect abuse, diagnose issues, and improve the platform:

  • IP address, browser type and version, operating system, device information, and approximate geographic region.
  • Referral pages, landing pages, navigation paths, crash data, and request timing information.
  • Cookie and consent preferences required to remember your privacy choices and session state.
  • API request metadata including endpoints accessed, response codes, and rate limit counters for abuse prevention.

2.4 Analytics data

We only enable website analytics when analytics is configured and you grant consent. In that case, Heym may record page views, session duration, scroll depth, and related measurement data in a privacy-aware configuration that respects Do Not Track signals. We do not use analytics data for advertising, profiling, or selling to third parties.

3. How We Use Information

We use personal information strictly for the purposes described below. We do not use your data for advertising, sell it to data brokers, or share it with third parties for their own marketing purposes.

  • Operate, secure, maintain, and improve the Heym website, documentation, and any hosted services we provide.
  • Respond to support requests, sales inquiries, enterprise consultations, and partnership conversations.
  • Deliver newsletters, product updates, release notes, and community highlights when you explicitly opt in to receive them.
  • Execute your workflows, process LLM requests, manage vector store operations, and deliver execution results on hosted instances.
  • Monitor system health, detect anomalies, prevent fraud, abuse, spam, and unauthorized access to our infrastructure.
  • Comply with legal obligations, enforce our Terms of Service, and protect the rights and safety of our users and team.
  • Analyze aggregated, anonymized usage patterns to understand which features are most valuable and prioritize development accordingly.

4. Legal Bases for Processing

Where GDPR or similar data protection laws apply, we process personal data under one or more of the following legal bases. The specific basis depends on the context of your interaction with Heym:

  • Your consent, which you can withdraw at any time, for activities such as website analytics, newsletter subscriptions, and optional telemetry.
  • The performance of a contract, when processing is necessary to provide support, hosted services, or enterprise engagements you have requested.
  • Our legitimate interests in operating, securing, improving, and promoting Heym, balanced against your fundamental rights and freedoms.
  • Compliance with legal obligations, such as tax record-keeping requirements, responding to lawful government requests, or preserving evidence in legal proceedings.

Where we rely on legitimate interests, we have conducted balancing tests to ensure that our processing does not override your rights. You may request details of these assessments by contacting us at the address provided below.

5. How We Share Information

We do not sell personal information. We do not rent, trade, or otherwise commercially distribute your data to third parties. We may share information only when necessary and only with the following categories of recipients:

  • Infrastructure, hosting, and email service providers acting on our instructions under data processing agreements that require them to protect your data.
  • Payment processors if you purchase enterprise services, support packages, or custom development engagements.
  • Analytics providers when analytics is enabled and you have granted explicit consent for measurement data collection.
  • Authorities, regulators, or counterparties when required by law, court order, or to protect the legal rights, safety, or property of Heym or our users.
  • Successors in the context of a merger, acquisition, reorganization, or asset transfer, with advance notice to affected users whenever practical.

When your workflows connect to third-party services through HTTP nodes, Slack integrations, email nodes, or other connectors, data flows directly between your Heym instance and those services according to their respective privacy policies. We recommend reviewing the privacy practices of any third-party service you integrate with through your workflows.

6. Cookies and Tracking Technologies

The heym.run website uses a limited number of cookies that are strictly necessary for the website to function. These include session cookies for authentication, consent preference cookies, and theme preference cookies. We do not use tracking cookies for advertising or cross-site profiling.

When you grant consent for analytics, additional measurement cookies may be set to collect anonymized usage data. You can withdraw your analytics consent at any time through the cookie settings on our website, and the measurement cookies will be removed.

7. Retention

We keep personal data only for as long as needed for the purposes described in this policy, including security, legal, and operational requirements. When data is no longer needed, we securely delete or anonymize it.

  • Newsletter records are kept until you unsubscribe or request deletion. Unsubscribe links are included in every email we send.
  • Support records may be retained for up to three years for continuity, compliance, audit trails, and dispute handling purposes.
  • Hosted workflow data, including execution logs, vector store contents, and DataTable rows, is generally retained while the related account or service remains active, plus a limited backup period of up to 90 days after account closure.
  • Website analytics data is retained in aggregated form and automatically purged after 26 months.
  • Security logs, including authentication events and API access records, are retained for up to 12 months for abuse prevention and incident investigation.

8. Security

We apply reasonable technical and organizational safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit using TLS, encryption of sensitive credentials at rest using AES-256 Fernet, access controls based on role and team membership, and regular security reviews of our infrastructure and codebase.

No service can guarantee absolute security. You should also protect your own environments by using strong, unique passwords, keeping your self-hosted deployments updated with the latest security patches, and following the security best practices documented in the Heym repository. If you discover a security vulnerability, please report it responsibly to our team.

9. International Transfers

Your information may be processed in countries other than your own, including countries within the European Economic Area and other jurisdictions where our infrastructure providers operate. When personal data is transferred outside your jurisdiction, we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other contractual measures required by applicable law to ensure your data receives an equivalent level of protection.

10. Your Rights

Depending on your location and applicable data protection laws, you may have the following rights regarding your personal data:

  • The right to access a copy of the personal data we hold about you.
  • The right to rectify inaccurate or incomplete personal data.
  • The right to erasure, also known as the right to be forgotten, allowing you to request deletion of your personal data.
  • The right to restrict processing in certain circumstances, such as when you contest the accuracy of your data.
  • The right to data portability, allowing you to receive your data in a structured, commonly used, and machine-readable format.
  • The right to object to processing based on legitimate interests, including any automated decision-making or profiling.
  • The right to withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. If we need additional time due to the complexity of the request, we will notify you of the extension and the reasons for the delay. You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.

11. Children's Privacy

Heym is not directed to children under 16, and we do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as quickly as possible. If you believe a child under 16 has provided personal information to us, please contact us at the address below.

12. Third-Party Services and AI Providers

When you use Heym to connect to third-party AI model providers such as OpenAI, Anthropic, Cohere, or Ollama, the prompts, inputs, and outputs exchanged with those services are governed by their respective privacy policies and data processing agreements. We do not control how third-party providers handle the data you send to them through LLM nodes, Agent nodes, or other AI-powered workflow components.

Similarly, when you use integration nodes to connect with services like Slack, Redis, RabbitMQ, Grist, or external HTTP APIs, the data exchanged with those services is subject to their own privacy practices. We recommend reviewing the privacy policies of all third-party services you integrate with through your Heym workflows to understand how they collect, use, and protect your data.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features available in the Heym platform. When we do, we will revise the "Last updated" date on this page. For material changes that significantly affect how we handle personal data, we will provide notice through the website, email, or the Heym dashboard at least thirty days before the changes take effect. Continued use of our services after an update takes effect means the revised policy applies going forward.

14. Contact and Related Pages

Questions, concerns, or requests about this Privacy Policy can be sent to [email protected]. We aim to respond to all privacy-related inquiries within five business days. For data subject rights requests, we will acknowledge receipt within 48 hours and provide a substantive response within 30 days.

For the rules that govern use of Heym, please review our Terms of Service. For legal disclosure and operator information required under § 5 TMG, see our Impressum. You can also return to the homepage to learn more about Heym's features, including the visual workflow editor, multi-agent orchestration, RAG pipelines, MCP support, and the full library of 33 node types.