Privacy Policy
- Effective Date:
At HeyCX, Inc. (“HeyCX,” “we,” “our,” or “us”), we take privacy seriously. We understand that as a call center platform integrated with CRMs, VoIP, workflows, and customer interaction data, we are entrusted with sensitive information.
This Privacy Policy explains in detail how HeyCX collects, uses, stores, transfers, and protects your information. It also outlines your rights, our obligations, and how you can contact us regarding any privacy concerns.
By accessing or using HeyCX Services (our website, SaaS platform, mobile applications, or integrations), you agree to this Privacy Policy. If you do not agree, you must stop using our Services immediately.
1. Scope of This Policy
This Privacy Policy applies to:
- The HeyCX platform, including web, mobile, and desktop applications.
- Our corporate website, demo scheduling tools, and client portals.
- Support, sales, and marketing communications managed by HeyCX.
- Third-party integrations that are connected to HeyCX (e.g., Salesforce, HubSpot, Zoho, Zendesk, Shopify, Five9, Aircall).
This policy does not apply to:
- Websites or platforms operated by third parties not under HeyCX’s control.
- Data that clients independently collect outside of HeyCX.
2. Information We Collect
We collect information in several ways, including directly from users, automatically through technology, and via client integrations.
a) Personal Information You Provide
- Account & Identity Data: first and last name, job title, company name, phone number, work email address, and login credentials.
- Payment & Billing Data: billing address, company tax ID, and payment method (credit card, ACH, or invoice data).
- Support & Communications: when you contact HeyCX, we collect information from emails, live chats, tickets, and demo requests.
- Marketing Subscriptions: preferences for newsletters, webinars, and event registrations.
b) Automatically Collected Information
- Device & Log Data: IP address, browser type, operating system, device type, access times, pages viewed, and referral source.
- Platform Usage Data: call metrics, call recordings, handle times, first-call resolution rates, agent activity logs, and QA scores.
- Cookies & Tracking: session cookies, analytics tags, pixels, and third-party tracking tools.
c) Customer & Client Data
HeyCX acts as a data processor for client organizations. Clients may upload, transmit, or store:
- Customer communication records (call notes, chat transcripts, emails).
- Audio/VoIP data (recorded calls, transcriptions).
- CRM-synced information (leads, contact details, pipeline stage, account history).
- Sensitive industry-specific data, such as financial details (PCI), health information (HIPAA), or regulatory compliance records.
This data remains the property of our clients. HeyCX only processes it under client instructions.
3. How We Use Information
We use collected data for the following purposes:
- Service Delivery & Operations
  - Providing access to the HeyCX platform.
  - Routing, processing, and recording calls.
  - Enabling workflow automation, call scripting, QA monitoring, and reporting.
  - Managing CRM, VoIP, and third-party integrations.
- Platform Improvement
  - Analyzing usage trends to enhance features.
  - Optimizing call handling and reducing inefficiencies.
  - Using AI to refine scripts, workflows, and agent guidance.
- Customer Support
  - Responding to inquiries, technical issues, and requests.
  - Training and onboarding assistance.
- Marketing & Communication
  - Sending updates, service notices, event invitations, and newsletters (if opted in).
  - Tailoring product recommendations based on usage.
- Legal & Compliance
  - Enforcing platform terms and preventing fraud.
  - Ensuring compliance with GDPR, CCPA, HIPAA, PCI-DSS, AML, KYC and other applicable frameworks.
  - Responding to lawful requests from regulators and law enforcement.
- Analytics & Benchmarking
  - Aggregating anonymized data for internal research.
  - Identifying performance benchmarks (e.g., call handle times across industries).
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA), HeyCX processes personal data on the following legal bases:
- Contractual Necessity: to deliver Services as agreed in client contracts.
- Consent: when users opt in to marketing or optional features.
- Legitimate Interests: improving platform security, performance, and fraud prevention.
- Legal Obligations: complying with financial, health, and privacy regulations.
5. Information Sharing
We only share data under specific conditions:
- With Service Providers: trusted vendors (hosting providers, payment processors, CRM integrators, AI analytics tools).
- Within HeyCX Corporate Structure: subsidiaries or affiliates to streamline operations.
- Legal Compliance: disclosure required by law, subpoena, or regulatory investigation.
- Business Transactions: mergers, acquisitions, or asset transfers.
- Client Instructions: at the explicit request of clients to integrate with third-party tools.
We do not sell, rent, or trade personal information to advertisers or unrelated third parties.
6. Data Security
HeyCX employs a defense-in-depth security model, including:
- Encryption: TLS 1.2+ in transit, AES-256 at rest.
- Access Controls: multi-factor authentication (MFA), least-privilege access, role-based permissions.
- Infrastructure Security: hosted on leading cloud providers (e.g., AWS) with redundancy, firewalls, and DDoS protection.
- Monitoring: continuous monitoring for anomalies and security incidents.
- Compliance Standards: operations aligned with SOC 2 Type II, ISO 27001, GDPR, HIPAA, and PCI-DSS frameworks.
- Employee Training: all staff undergo mandatory data security and privacy training.
7. Data Retention
We retain data only as long as necessary for the purposes described:
- User Accounts: retained for the lifetime of the account plus 30–90 days after cancellation.
- Call Data & QA Transcripts: configurable retention (default 12 months, extendable by client request).
- Billing Records: retained for 7 years to meet tax and compliance requirements.
- Deleted Accounts: permanently erased or anonymized unless retention is legally mandated.
8. International Transfers
If you are located outside the United States, your information may be transferred to and processed in the U.S. or other jurisdictions.
We use safeguards such as:
- Standard Contractual Clauses (SCCs) for EU/UK users.
- Data Processing Agreements (DPAs) with all sub-processors.
- Regional Data Centers (where available) for clients requiring data residency.
9. Your Rights
Depending on your jurisdiction, you may have rights including:
- Access: obtain a copy of your personal data.
- Rectification: correct inaccurate or incomplete information.
- Erasure: request deletion of personal data (“right to be forgotten”).
- Restriction: limit how we process your information.
- Portability: receive your data in a machine-readable format.
- Opt-Out: decline marketing communications or certain analytics.
- Do Not Sell My Information (CCPA): California residents can opt out of data sharing categorized as “sales.”
Requests can be made by contacting us at [email protected]. We respond within the timelines required by applicable law (e.g., 30 days under GDPR, 45 days under CCPA).
10. Cookies & Tracking
HeyCX uses cookies and tracking tools for:
- Essential Cookies: login, session management, authentication.
- Analytics Cookies: Google Analytics, internal dashboards, and QA reporting.
- Preference Cookies: remembering language, time zone, and workflow settings.
- Advertising Cookies (Optional): remarketing or campaign tracking.
You can disable cookies via browser settings, but essential functionality may be limited.
11. Industry-Specific Compliance
Because HeyCX supports multiple regulated industries, we adhere to:
- Healthcare (HIPAA): BAAs available for covered entities and business associates.
- Finance (PCI-DSS, AML, KYC): secure handling of payments and financial data.
- Debt Collection (FDCPA, CFPB): built-in compliance workflows for call centers.
- Telecommunications Regulations: TCPA and other regional requirements for call centers.
12. Children’s Privacy
HeyCX is intended for business use and is not directed at children under 16. We do not knowingly collect data from children. If we discover that such data has been collected, we will delete it promptly.
13. Third-Party Links & Integrations
Our Services may include integrations with third-party providers (Salesforce, HubSpot, Zoho, Zendesk, Shopify, Jira, etc.). Each integration is governed by its own privacy policy. We encourage reviewing third-party policies before enabling integrations.
14. Policy Updates
We may revise this Privacy Policy from time to time. Changes will be posted here with a new “Last Updated” date. Significant changes may also be communicated via email or platform notifications.
15. Contact Us
For questions, concerns, or requests related to privacy: [email protected]