Last updated: 3 November 2025

Who we are: HeyTeam.ai is operated by Creative Cloud Limited, a company registered in England and Wales (No. 11579011), registered address: 167–169 Great Portland Street, London, England, W1W 5PF (“HeyTeam”, “we”, “us”, “our”).

We respect your privacy and are committed to protecting personal data. This Privacy Policy explains what we collect, why we collect it, how we use and share it, and the choices and rights you have.

This Policy covers:

Visitors to our websites (including heyteam.ai)

Account owners and admins of customer organisations

End users (e.g., employees/contractors added by a customer)

Prospects who interact with our marketing

If HeyTeam processes personal data on behalf of your employer or organisation, we act as a processor and your organisation is the controller. In those cases, please contact your account owner/admin to exercise your rights. Our processing as a processor is governed by our Data Processing Addendum (DPA) with the customer.

1) Key Definitions

Services: HeyTeam’s web and mobile apps, APIs, notifications (including SMS/WhatsApp/email/push), and related support.

Personal Data: Information relating to an identified or identifiable person.

Customer: An organisation that has a HeyTeam account.

User: Any person using the Services under a Customer account (e.g., admin, manager, employee, contractor).

Prospect: A visitor or lead engaging with our site, forms, ads, webinars, or emails.

2) What We Collect

A. Data you provide

Account & profile: name, email, phone number (including mobile), job title/role, team, profile photo (optional).

Organisation details: company name, billing contact, subscription tier, SMS bundle purchases and rollover selections.

Support & feedback: helpdesk messages, call notes/recordings (where lawful/with notice), survey responses, testimonials.

Content you upload: contacts, rosters, job details, shift/assignment notes, attachments, and templates.

B. Data collected automatically

Technical/usage: IP address, device identifiers, browser, OS, language, time zone, app version, feature usage, clicks, session logs, error reports, performance metrics, referral/exit pages.

Cookies/SDKs: analytics and preference cookies/SDKs. See our Cookie Policy for details and controls.

C. Location & communications features (optional/controlled by your organisation)

Precise location (GPS): if your organisation enables location features (e.g., location-verified clock-in/out, job site geofencing). You can control device permissions; some features may not function without them.

Rota/availability links: when contractors access rota via a secure link, we log access time and IP/device metadata for security and audit.

SMS/WhatsApp in/out: message metadata (sender, recipient, timestamps, delivery status) and message content where needed to deliver, log, and show conversation history to your organisation.

D. Payment & commercial

Payments: handled by our payment processor (e.g., Stripe). We may receive limited details (last 4 digits, card brand, expiry month/year) and transaction metadata.

Commercial activity: subscription tier, SMS credit usage, bundle purchases, credit rollover status, and invoice history.

E. Data from third parties

Integrations your organisation enables (e.g., HRIS, calendars, single sign-on)

Lead enrichment and ad/analytics partners (business contact data for B2B outreach, where lawful)

We do not intentionally collect “special category” data and we do not knowingly collect data from children under 16.

3) Why We Use Personal Data (Lawful Bases)

Purpose

Examples

Lawful Basis

Provide and secure the Services

account creation, authentication, roles/permissions, rota & job dispatch, 2FA, fraud/security monitoring

Contract; Legitimate interests

Enable communications

transactional messages (e.g., shift alerts, confirmations), in/out SMS, WhatsApp, email, push

Contract; Legitimate interests

SMS credits & rollover

tracking monthly allowances, applying one-month rollover where configured, notifying on low balance, processing top-ups

Contract; Legitimate interests

Customer support

tickets, troubleshooting, diagnostics, quality assurance, training

Contract; Legitimate interests

Improve and develop

analytics, product research, A/B tests, quality/performance insights

Legitimate interests

Billing & compliance

subscriptions, invoices, tax records, charge prevention

Legal obligation; Contract

Marketing to B2B contacts

emails about features, webinars, offers; showing interest-based ads (subject to consent where required)

Legitimate interests; Consent

Location features (optional)

verify clock-in/out location, show on-site status, job site geofencing

Contract/Legitimate interests (controller is usually your organisation); Consent where required

Legal & security

enforce T&Cs, prevent abuse, respond to lawful requests

Legal obligation; Legitimate interests

Where consent is the most appropriate basis (e.g., certain cookies/SDKs, specific recordings, some marketing), you can withdraw it at any time via settings or using the links provided.

4) How We Share Personal Data

We share personal data only as needed and under appropriate safeguards:

With your organisation (Customer) – Data in your account is generally visible to your account owner/admins and, depending on settings, to other users in your organisation (e.g., managers viewing shift responses, availability, message threads, clock-ins, and—if enabled—location logs).

Service providers (processors/sub-processors) – For hosting, storage, analytics, support, email/SMS delivery (e.g., Twilio for SMS), payments (e.g., Stripe), CRM, and security. They are bound by contracts and process data only on our instructions.

Integrations you enable – If your organisation connects third-party tools, we exchange relevant data as instructed by the account admin.

Business transfers – In a merger, acquisition, or asset sale, data may transfer under equivalent protections.

Legal and safety – Where required by law, court order, or to protect rights, safety, and security (including fraud/abuse prevention).

Aggregated/anonymous data – We may publish or share insights that do not identify individuals.

We do not sell personal data.

5) International Transfers

We operate with trusted providers that may process data outside the UK/EEA. Where transfers occur, we implement appropriate safeguards (e.g., UK International Data Transfer Agreement/Addendum, EU Standard Contractual Clauses, and supplementary measures). You can contact us for details of current transfer mechanisms relevant to your data.

6) Retention

We retain personal data only as long as necessary for the purposes above, including to comply with legal, tax, and accounting requirements and to defend legal claims.

Account data: for the life of the account, then archived or deleted per our retention policy.

SMS logs/content: retained to operate the Service, provide conversation history/audit for your organisation, and for a limited period thereafter where legally necessary.

Location logs (if enabled): retained per your organisation’s settings/policies or as required for audit/compliance.

Prospect/marketing data: retained while active and for a reasonable period after last interaction or until you opt out.

Where we process data as a processor, we retain it according to the Customer’s instructions and our DPA.

7) Your Rights

Subject to UK/EU data protection laws, you may have the right to:

Access your personal data and obtain a copy

Rectify inaccurate or incomplete data

Erase data (right to be forgotten)

Restrict or object to processing (including direct marketing)

Data portability

Withdraw consent (where processing relies on consent)

How to exercise:

If your data is within an organisation’s HeyTeam account, please contact your account owner/admin (the controller).

For data we control directly (e.g., website enquiries, B2B marketing lists), contact us at [email protected].

We may need to verify your identity before acting on a request. We will respond in accordance with applicable law.

8) Marketing Preferences

Email: use the unsubscribe link in our emails or contact [email protected].

Cookies/SDKs: manage via our Cookie Policy and your browser/device settings.

SMS: reply STOP to opt out of non-essential marketing texts. You’ll continue to receive service-critical messages where your organisation requires them (e.g., shift confirmations), as they are integral to the Service.

9) Security

We implement appropriate technical and organisational measures including encryption in transit, access controls, least-privilege, monitoring, backups, and staff confidentiality obligations. No system is 100% secure; you can help by using strong passwords, enabling MFA, and keeping access links private.

10) Cookies & Similar Technologies

We use cookies/SDKs for core functionality, preferences, analytics, and (where consented) advertising measurement. Full details, types, and controls are in our Cookie Policy. You can change your choices at any time.

11) Role of Controller vs Processor

Controller (we control): website visitors/prospects data, our billing and customer admin records, some product telemetry, and direct B2B marketing (as allowed by law).

Processor (we process for your organisation): end-user account/profile data, shifts/rotas, availability responses (Y/N), job communications (including SMS content/metadata), optional GPS logs, contacts uploaded by your organisation, and other workspace content. This processing is governed by our DPA with the Customer.

12) SMS Credits, Bundles & Rollover – Privacy Aspects

To operate your plan we process: plan type, monthly SMS allowance, bundles purchased, credit usage, and one-month rollover status where configured. We log delivery status and message metadata (and where applicable, content for conversation history) to show accurate balances, audit delivery, prevent abuse/fraud, and support billing and customer service.

SMS are delivered via trusted providers (e.g., Twilio) acting as our processors; they handle message transmission and delivery reporting under strict contractual safeguards.

13) Third-Party Links

Our website may link to third-party sites. Their privacy practices are their own, so please review their policies.

14) Children

Our Services are not intended for children under 16. If you believe a child has provided personal data, contact us and we will take appropriate action.

15) Changes to This Policy

We may update this Policy from time to time. Material changes will be notified via the website, in-app notice, or email to account contacts. The “Last updated” date shows the effective date.

16) Contact Us

Creative Cloud Limited (HeyTeam)

167–169 Great Portland Street, London, England, W1W 5PF

Email: [email protected]

Subject line: “Privacy – Request” for rights requests

If you are in the UK/EU and believe your rights have not been respected, you can lodge a complaint with your local data protection authority. In the UK, that’s the ICO (ico.org.uk).

Optional Appendices (add if useful)

Data Processing Addendum (DPA) – governs processor activities for Customers

Cookie Policy – detailed cookie list and control centre

Sub-processor List – current vendors (e.g., hosting, Twilio, Stripe, analytics)

Quick Summary (Plain English)

We collect only what’s needed to run HeyTeam (accounts, messages, rota/availability, optional GPS) and to keep the lights on (billing, support, security, analytics).

Your organisation usually controls your in-app data; we process it for them.

SMS credits/rollover require us to track usage and delivery (via Twilio).

You can opt out of marketing, manage cookies, and exercise UK/EU GDPR rights.

We secure your data and use approved safeguards for any international transfers.

Cookie Policy

Last updated: 3 November 2025

This Cookie Policy explains how HeyTeam.ai (operated by Creative Cloud Limited, 167–169 Great Portland Street, London, W1W 5PF) uses cookies and similar technologies on our website and apps (“Services”). It should be read together with our Privacy Policy.

1) What are cookies?

Cookies are small text files placed on your device to store settings and usage information. We also use similar technologies like pixels, local storage, and SDKs (together, “cookies”).

2) How we use cookies

We use cookies to:

Run core site functions (security, log-in, load balancing)

Remember preferences (e.g., language)

Measure site/app performance and improve features

Support optional marketing analytics and reach (with your consent)

3) Types of cookies we use

Strictly Necessary (always on): Required for the Services to work (e.g., session, authentication, security). These do not require consent.

Performance/Analytics: Help us understand usage (e.g., page views, errors) to improve speed, UX, and reliability.

Functionality: Remember choices (e.g., language, saved filters) to personalise your experience.

Advertising/Measurement (optional): Help measure campaign effectiveness and, where enabled, deliver/limit ads. We do not sell personal data.

4) Legal basis

Strictly Necessary: legitimate interests (providing a secure, functioning Service).

All others: consent via our cookie banner/preferences centre. You can change or withdraw consent at any time.

5) Managing your choices

Cookie banner / preferences: Use “Cookie Settings” (footer link) to accept, reject, or fine-tune categories at any time.

Browser settings: You can block/delete cookies through your browser. Blocking some cookies may impact functionality.

Global Privacy Control (GPC): Where supported, we honour GPC signals for applicable jurisdictions by treating them as an opt-out for marketing/advertising cookies.

6) Retention

Session cookies expire when you close your browser/app.

Persistent cookies stay on your device for a set period (typically 1–24 months) unless deleted earlier or unless we rotate/refresh them for security.

7) Third parties

We may use trusted analytics and service providers that set cookies on our behalf. These providers process data under our instructions and contractual safeguards. If you connect third-party integrations, their cookies/policies will apply as controllers for those services.

8) Updates

We may update this Cookie Policy to reflect changes to our cookies or legal requirements. The “Last updated” date shows when the latest changes took effect. Significant changes will be highlighted via the banner or in-product notice.

9) Contact

Questions about cookies?

Email: [email protected]

Subject line: “Cookie Policy”