This Privacy Policy explains how Hiya Studio (“Hiya,” “we,” “us,” or “our”) collects, uses, and protects information when you use our service at hiyastudio.com. By using our service, you agree to the practices described here.
We handle data about two groups of people: you (the business customer using Hiya) and your visitors (the people who interact with the chat widget on your site).
1. Information we collect
From you (the customer)
- Account information — your email address, website URL, and business name when you sign up
- Knowledge base content — URLs, text, and documents you provide to train your bot
- Billing information — payment details handled securely by Stripe; we do not store your full card number
- Usage data — how you interact with our dashboard and features
- Communications — emails or messages you send us
From your site visitors (via the widget)
- Chat messages — the conversation between your visitor and the bot
- Page context — the URL of the page where the widget is loaded
- Session identifiers — anonymous IDs used to maintain conversation continuity
We do not collect visitor names, email addresses, or other personally identifiable information unless they voluntarily provide it in the chat. We do not track visitors across different websites.
2. How we use your information
- To provide, operate, and improve the Hiya service
- To generate AI responses in the chat widget using your knowledge base
- To process payments and manage your subscription
- To send transactional emails (account confirmation, trial notices, billing receipts)
- To respond to your support requests
- To detect and prevent fraud, abuse, or violations of our Terms
- To comply with legal obligations
We do not sell your data or your visitors' data to anyone, ever. We do not use your private content or visitor conversations to train shared AI models.
3. How we share your information
We share data only with trusted service providers who need it to operate the service:
- Anthropic — AI model provider that processes chat messages to generate responses. Subject to their privacy and data use policies.
- Supabase — Database and storage provider where customer and conversation data is stored.
- Vercel — Hosting infrastructure provider.
- Stripe — Payment processor. Handles all billing data under their own PCI-compliant systems.
- Loops — Transactional email provider used to send account-related emails.
We may also disclose information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of Hiya Studio or others.
We do not share your data with advertisers or data brokers.
4. Data retention
- Account data — retained while your account is active, plus 30 days after deletion to allow for export
- Chat transcripts — retained for up to 12 months
- Knowledge base content — deleted immediately when you remove a source or close your account
- Billing records — retained for 7 years as required by law
5. Data security
We take reasonable measures to protect your data, including:
- TLS encryption for all data in transit
- Encrypted storage at rest via Supabase
- API keys and secrets stored as environment variables, never in code
- Access to production data limited to what is necessary to operate the service
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, and we are not liable for unauthorized access beyond our reasonable control.
6. Cookies
We use strictly necessary cookies for authentication (to keep you logged into your dashboard). We do not use advertising cookies or third-party tracking cookies. The widget script itself does not set cookies on your visitors' browsers by default.
7. Your rights
Depending on where you are located, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Correction — request that we fix inaccurate data
- Deletion — request that we delete your data (“right to be forgotten”)
- Portability — request your data in a machine-readable format
- Objection — object to certain types of processing
- Withdrawal of consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email hello@hiyastudio.com. We will respond within 30 days. We may need to verify your identity before processing your request.
As a customer, you are also responsible for honoring your own visitors' data rights regarding conversations they have with your bot.
8. California residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and share, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at hello@hiyastudio.com.
9. European residents (GDPR)
If you are in the European Economic Area or the UK, our legal bases for processing your data are: (a) performance of a contract — to provide the service you signed up for; (b) legitimate interests — to improve our service and prevent abuse; and (c) legal obligation — to comply with applicable law. You have the right to lodge a complaint with your local data protection authority.
10. Children
Our service is not directed to anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
11. Third-party links
Our service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their policies.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the date at the top of this page. Continued use of the service after changes take effect constitutes acceptance.
Contact
Questions or concerns about this policy? Email us at hello@hiyastudio.com. We'll respond within 30 days.