Legal

Privacy Policy

How we collect, use, protect, and share personal data across the HeyRelio platform.

Get started

Last updated: June 3, 2026

1. Who We Are

HeyRelio ("HeyRelio," "we," "us") provides a managed, API-first Instagram outreach platform. This Privacy Policy explains how we handle personal data in connection with our website and Service. For data we process on behalf of our customers as part of running their campaigns, our customer is the data controller and we act as a processor; those activities are also governed by our Data Processing Addendum.

2. Data We Collect

  • Account & contact information — name, email, organization, and billing details for the people who administer a customer account.
  • Instagram credentials — login details, session cookies, or QR/session data for the sender accounts you connect. These are encrypted at rest using AES-256-GCM and are never stored in plaintext.
  • Campaign target lists — the Instagram usernames and recipient information you upload, processed on your instructions to run your campaigns.
  • Usage & log data — IP address, device and browser information, API request metadata, and product activity used to operate, secure, and improve the Service.
  • Webhook delivery records — metadata about the events we send to your endpoints, including timestamps, status, and delivery/retry outcomes.

3. How We Use Data

We use personal data to:

  • provide, operate, and maintain the Service and run campaigns on your instructions;
  • authenticate users, manage API keys, and secure accounts;
  • process billing and send service-related communications;
  • monitor performance, prevent abuse, enforce limits, and improve the Service; and
  • comply with legal obligations and respond to lawful requests.

4. Legal Bases

Where the GDPR or similar laws apply, we rely on the following legal bases: performance of a contract (to provide the Service you request); legitimate interests (to secure, operate, and improve the Service, balanced against your rights); consent (where required, e.g. certain communications); and compliance with legal obligations. For data processed on behalf of customers, the customer is responsible for establishing the lawful basis to contact recipients.

5. Data Sharing & Sub-Processors

We do not sell personal data. We share data with vetted sub-processors strictly to deliver the Service:

  • DuoPlus — cloud Android phone provisioning that runs the sender automation.
  • IPFoxy — mobile/residential proxy infrastructure for sender accounts.
  • Resend — transactional email delivery.
  • Hosting / VPS provider — compute, storage, and database hosting for the platform.

We may also disclose data to comply with law, enforce our agreements, or in connection with a merger or acquisition, subject to appropriate safeguards.

6. Data Retention

We retain personal data for as long as needed to provide the Service and for the legitimate and legal purposes described here. Account and billing records are retained for the life of the account and as required by law. Campaign and target data are retained while your account is active and deleted or returned on termination as described in our DPA. Encrypted credentials are deleted when you disconnect a sender account.

7. Security Measures

We apply technical and organizational measures appropriate to the risk, including encryption of credentials at rest with AES-256-GCM, encryption in transit (TLS), strict per-tenant data isolation so one customer's data is never accessible to another, role-based access controls, suppression and opt-out handling, rate limiting, and audit logging. No system is perfectly secure, but we work continuously to protect your data.

8. Your Rights

Depending on your location, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing or withdraw consent. To exercise these rights, contact us at support@heyrelio.com. Where we process data on a customer's behalf, we will route requests to that customer as the controller.

9. International Transfers

We and our sub-processors may process data in countries other than your own. Where data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms to protect your data.

10. Cookies

The HeyRelio dashboard uses strictly necessary session cookies to keep you authenticated and secure your session. We do not use these cookies for advertising. You can control cookies through your browser, though disabling session cookies will prevent you from logging in.

11. Children's Data

The Service is intended for business use and is not directed to individuals under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a revised "Last updated" date and, for material changes, provide additional notice where appropriate.

13. Contact

Questions or requests about your privacy? Contact us at support@heyrelio.com.