Terms of Service
Last updated: July 9, 2026
These Terms of Service (the "Terms") are a contract between HeyBuddy LLC ("HeyBuddy", "we", "us") and the organization you represent ("Customer", "you"). They govern access to and use of the HeyBuddy platform, including the dashboard at app.joinheybuddy.ai, our APIs, the HeyBuddy widget, and related services (together, the "Service").
You accept these Terms by creating an account, signing or accepting an order form that references them, confirming acceptance in writing (including by email), or using the Service. If you accept on behalf of an organization, you represent that you have authority to bind it. These Terms, together with any order form and the policies they reference, form the "Agreement".
1. The Service
In short
HeyBuddy connects to the customer data you already collect, watches your accounts, and helps your team act: health scores, signals, briefings, and AI-drafted next moves.
The Service is an AI customer success platform. It ingests data from sources Customer connects or submits (Section 5), analyzes that data to produce account health scores, signals, briefings, reports, and recommendations, and provides AI-assisted features that draft content for Customer's review. We may enhance or modify the Service over time. During a paid subscription term we will not materially reduce the core functionality of the Service.
2. Accounts and authorized users
Customer may allow its personnel to use the Service under Customer's account ("Users"). Customer is responsible for its Users' compliance with the Agreement, for maintaining accurate account information, and for safeguarding credentials and API keys. Customer will notify us promptly at andrew@joinheybuddy.ai of any suspected unauthorized access. The Service is for business use by users who are at least 18 years old.
3. Customer Data
In short
Your data stays yours. We only use it to run the Service for you. We never sell it and never use it to train AI models.
"Customer Data" means data submitted to the Service by or for Customer, including data ingested from connected sources (such as product analytics, CRM, support, and messaging tools), the events API, file uploads, and the HeyBuddy widget. Customer Data includes personal data about Customer's own customers and their end users, such as names, email addresses, identifiers, product usage events, and messages.
As between the parties, Customer owns all Customer Data. Customer grants HeyBuddy a worldwide, non-exclusive license to host, copy, process, transmit, and display Customer Data solely to provide and support the Service, to prevent or address technical or security issues, and as required by law. Personal data within Customer Data is processed under the Data Processing Terms in Section 14.
HeyBuddy may generate and use data about the operation and use of the Service that is aggregated or de-identified so that it does not identify Customer or any individual ("Usage Data") to operate, secure, and improve the Service. We do not use Customer Data to train machine learning or large language models, and we contractually restrict our AI providers from doing so.
4. Customer responsibilities
In short
You need the right to share the data you connect, your privacy policy has to cover it, and some data types (card numbers, health records, government IDs) must stay out of HeyBuddy.
Customer is responsible for:
- having all rights, permissions, notices, and lawful bases needed to collect Customer Data and to provide it to HeyBuddy for processing as described in the Agreement, including end-user data from analytics, CRM, and support tools;
- complying with privacy and other laws that apply to Customer's collection and use of Customer Data;
- the accuracy and legality of Customer Data and of the instructions Customer gives through its configuration of the Service.
Customer will not submit to the Service: payment card numbers or other data subject to PCI DSS; protected health information subject to HIPAA; government identification numbers; or special categories of personal data under GDPR Article 9, unless we agree in writing first.
Customer will not, and will not permit anyone to:
- use the Service unlawfully or to infringe anyone's rights;
- reverse engineer, copy, or create derivative works of the Service, or access it to build a competing product;
- resell or provide the Service to third parties except as agreed;
- interfere with the Service's operation, probe its security other than through coordinated disclosure, or circumvent usage limits.
5. Connected sources and third-party services
The Service interoperates with third-party products Customer chooses to connect, such as Mixpanel, HubSpot, Slack, and Help Scout ("Connected Sources"). By connecting a source, Customer authorizes HeyBuddy to access and exchange data with it on Customer's behalf. Connected Sources are governed by their own terms, and HeyBuddy is not responsible for them. Disconnecting a source stops future syncs; data already ingested remains in the Service until deleted.
6. AI features
In short
Buddy drafts, you decide. AI output can be wrong, so review it before you rely on it or send it to a customer.
The Service uses large language models operated by third-party AI providers (currently Anthropic and OpenAI, listed at joinheybuddy.ai/subprocessors) to analyze Customer Data and generate content such as summaries, diagnoses, and draft messages ("Outputs"). Customer instructs HeyBuddy to send relevant Customer Data to these providers for this purpose. Our AI provider configurations use zero data retention API terms, and providers may not use Customer Data to train their models.
Outputs are generated by machine and may be inaccurate, incomplete, or unsuitable for a given situation. Customer is responsible for reviewing Outputs before relying on them or acting on them. As between the parties, Outputs based on Customer Data are Customer Data.
7. Fees and payment
Fees are set out in the applicable order form or, absent one, the pricing communicated to Customer in writing. Usage-based components (such as action credits) are measured by the Service's usage ledger, which is the record for billing purposes. Payments are processed by Stripe. Except as expressly stated in the Agreement or required by law, fees are non-refundable. Fees exclude taxes, which Customer is responsible for, excluding taxes on our income. If Customer disputes an invoice in good faith, it must notify us within 30 days of the invoice date and pay undisputed amounts on time.
We may offer the Service, or parts of it, free of charge, including pilot and design-partner arrangements. Free access is provided "as is", may be subject to usage limits, and may be suspended or ended at any time.
8. Term, suspension, and termination
In short
Subscriptions renew unless either side gives 30 days' notice. When the relationship ends, you get 30 days to export your data, then we delete it.
The subscription term is stated in the order form and renews for successive periods of the same length unless either party gives notice of non-renewal at least 30 days before the renewal date. Either party may terminate the Agreement if the other materially breaches it and fails to cure within 30 days of written notice. We may suspend access immediately if reasonably necessary to address a security risk, unlawful use, or overdue payment, and will restore access once the issue is resolved.
Upon termination or expiry, Customer's access ends. For 30 days after termination, we will make Customer Data available for export on request. After that window we delete Customer Data as described in Section 14.9. Sections that by their nature should survive (including 3, 9, 10, 11, 12, 13, 14.9, and 15) survive termination.
9. Confidentiality
Each party may receive non-public information of the other that is marked confidential or that reasonably should be understood as confidential ("Confidential Information"). Customer Data is Customer's Confidential Information. Each party will protect the other's Confidential Information with at least reasonable care, use it only to perform under the Agreement, and not disclose it except to personnel and contractors who need it and are bound by comparable obligations. These obligations do not apply to information that is or becomes public through no fault of the recipient, was known without restriction before disclosure, is independently developed, or is rightfully received from a third party. A party may disclose Confidential Information where required by law, giving prior notice where legally permitted. These obligations continue for 3 years after termination, and for Customer Data and trade secrets for as long as they remain confidential.
10. Intellectual property
HeyBuddy and its licensors own the Service, including all software, models, designs, and documentation, and all related intellectual property rights. No rights are granted except as expressly stated in the Agreement. If Customer provides feedback or suggestions, HeyBuddy may use them without restriction or obligation.
11. Beta features
We may make early-access or beta features available, identified as such. Beta features are provided "as is", may change or be discontinued at any time, and are excluded from any performance commitments.
12. Warranties and disclaimers
HeyBuddy will provide the Service with reasonable skill and care. EXCEPT AS EXPRESSLY STATED IN THE AGREEMENT, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE", AND EACH PARTY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. HEYBUDDY DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT OUTPUTS WILL BE ACCURATE OR COMPLETE. BUSINESS DECISIONS MADE IN RELIANCE ON THE SERVICE ARE CUSTOMER'S RESPONSIBILITY.
13. Limitation of liability
In short
Neither side is liable for indirect damages, and total liability is capped at what you paid us in the last 12 months (or $1,000 if you haven't paid us anything yet).
TO THE MAXIMUM EXTENT PERMITTED BY LAW: (A) NEITHER PARTY IS LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, OR GOODWILL, EVEN IF ADVISED OF THE POSSIBILITY; AND (B) EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THE AGREEMENT IS LIMITED TO THE GREATER OF (i) THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO HEYBUDDY IN THE 12 MONTHS BEFORE THE EVENT GIVING RISE TO LIABILITY AND (ii) USD 1,000. THESE LIMITS DO NOT APPLY TO CUSTOMER'S PAYMENT OBLIGATIONS, EITHER PARTY'S BREACH OF SECTION 9 (CONFIDENTIALITY), OR LIABILITY THAT CANNOT BE LIMITED UNDER APPLICABLE LAW. THE LIMITS APPLY ACROSS ALL CLAIMS AND THEORIES OF LIABILITY, INCLUDING UNDER SECTION 14.
14. Data Processing Terms
In short
This section is our data processing agreement. It applies automatically to every customer: you control your data, we process it only on your instructions, with the safeguards GDPR Article 28 requires. A signature-ready standalone copy is available for procurement teams that need a countersigned document.
14.1 Roles and definitions
"Data Protection Laws" means the laws that apply to the processing of personal data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended ("CCPA"). "Personal data", "controller", "processor", "data subject", and "processing" have the meanings given in those laws. "Customer Personal Data" means personal data contained in Customer Data.
For Customer Personal Data, Customer is the controller (or a processor acting for its own controllers) and HeyBuddy is Customer's processor. Under the CCPA, HeyBuddy acts as Customer's service provider: we do not sell or share Customer Personal Data, do not retain, use, or disclose it except to provide the Service and as permitted for service providers, and do not combine it with personal data from other sources except as permitted for service providers. We will notify Customer if we determine we can no longer meet these obligations.
14.2 Details of processing
- Subject matter and duration: the provision of the Service for the term of the Agreement, plus the deletion period in Section 14.9.
- Nature and purpose: hosting, storage, identity resolution, analysis, scoring, signal detection, AI-assisted summarization and drafting, notification delivery, and support, in each case to provide the Service.
- Categories of data subjects: end users of Customer's products; personnel of Customer's customers; Customer's own personnel whose data appears in Connected Sources.
- Categories of personal data: identifiers (name, email address, user and account IDs); product usage events and page or interaction context; messages submitted through the HeyBuddy widget; CRM attributes (such as plan, spend, renewal date, account owner); support conversation content and metadata.
- Special categories: none intended; submission is prohibited by Section 4.
14.3 Instructions
HeyBuddy will process Customer Personal Data only on Customer's documented instructions, which are: the Agreement, Customer's configuration and use of the Service, and other written instructions the parties agree, unless required otherwise by law (in which case we will inform Customer before processing, unless the law prohibits it). We will inform Customer if, in our opinion, an instruction infringes Data Protection Laws.
14.4 Confidentiality of processing
We ensure that persons authorized to process Customer Personal Data are bound by contractual or statutory obligations of confidentiality.
14.5 Security
We implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art, the nature of the data, and the risks of processing. Our current measures are described at joinheybuddy.ai/security, which is incorporated into these terms. They include per-tenant database isolation enforced at the database layer, encryption in transit and at rest, application-layer encryption of integration credentials, and least-privilege access controls. We may update these measures provided the overall level of protection is not materially reduced.
14.6 Subprocessors
Customer provides general written authorization for HeyBuddy to engage subprocessors to process Customer Personal Data. The current list is published at joinheybuddy.ai/subprocessors, which is incorporated into these terms. We will notify Customer by email at least 30 days before adding or replacing a subprocessor. Customer may object within that period on reasonable, documented data protection grounds; if we cannot resolve the objection, Customer may terminate the affected services and receive a prorated refund of prepaid, unused fees. We impose data protection obligations on each subprocessor that are materially equivalent to those in this Section 14, and we remain liable for their performance.
14.7 Data subject requests
Taking into account the nature of the processing, we will assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to data subject requests (access, rectification, erasure, restriction, portability, and objection), including through the Service's deletion and export capabilities. If a data subject contacts us directly about Customer Personal Data, we will direct them to Customer where lawful, and will not respond on Customer's behalf except on Customer's instruction or as required by law.
14.8 Personal data breach
We will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notice will describe, to the extent known, the nature of the breach, the categories and approximate volume of data and data subjects affected, the likely consequences, and the measures taken or proposed. We will cooperate with Customer and take reasonable steps to mitigate the breach.
14.9 Deletion and return
During the term, Customer can delete Customer Personal Data through the Service or by request, including per-individual erasure. Upon termination, and after the 30-day export window in Section 8, we will delete Customer Personal Data within 60 days, except where retention is required by law. Residual copies in encrypted backups are overwritten in the ordinary backup rotation cycle, no later than 90 days after deletion, and remain protected by this Section 14 until overwritten.
14.10 Assistance
Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance with Customer's obligations under Articles 32 to 36 of the GDPR (and equivalents), including security, breach notification, data protection impact assessments, and consultations with supervisory authorities.
14.11 Audits
We will make available to Customer information reasonably necessary to demonstrate compliance with this Section 14, including our security documentation and responses to reasonable written security questionnaires. Customer (or an independent auditor bound by confidentiality) may audit our compliance no more than once per 12-month period, on at least 30 days' written notice, during business hours, at Customer's expense, and in a manner that does not compromise the security or confidentiality of other customers' data. Where we hold current third-party audit reports or certifications, we may satisfy an audit request by providing them.
14.12 International transfers
HeyBuddy processes Customer Personal Data in the United States. Where Customer Personal Data protected by the GDPR, UK GDPR, or Swiss FADP is transferred to HeyBuddy in a country without an adequacy decision, the parties enter into the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (controller to processor) or Module Three (processor to processor) as applicable, which are incorporated into these terms by reference, with Customer as data exporter and HeyBuddy as data importer, and with the annexes completed by the information in this Section 14, the subprocessor list, and the security page. For UK transfers, the clauses are supplemented by the UK International Data Transfer Addendum, and for Swiss transfers they are adapted as required by the FADP. The fully completed clauses are included in the standalone copy of these terms (Section 14.13).
14.13 Standalone copy and precedence
This Section 14 is the parties' data processing agreement and applies automatically to every Customer. A signature-ready standalone copy, including the completed Standard Contractual Clauses, is available by emailing andrew@joinheybuddy.ai. If the parties execute a standalone data processing agreement, it supersedes this Section 14. If there is a conflict between this Section 14 and the rest of the Terms regarding the processing of personal data, this Section 14 controls.
15. General
- Governing law and venue. The Agreement is governed by the laws of the State of [STATE], excluding its conflict of laws rules. The state and federal courts located in [COUNTY, STATE] have exclusive jurisdiction, and each party consents to their jurisdiction.
- Notices. Notices to HeyBuddy go to andrew@joinheybuddy.ai. Notices to Customer go to the account owner's email address. Email notice is effective when sent.
- Changes to these Terms. We may update these Terms. For material changes we will give at least 30 days' notice by email or through the Service. Changes take effect at the start of Customer's next renewal, or 30 days after notice for customers without a fixed term. Continued use after the effective date constitutes acceptance.
- Publicity. Neither party will use the other's name or logo publicly without prior consent (email suffices).
- Assignment. Neither party may assign the Agreement without the other's consent, except to an affiliate or in connection with a merger, acquisition, or sale of substantially all assets, with notice.
- Force majeure. Neither party is liable for delay or failure caused by events beyond its reasonable control.
- Entire agreement; order of precedence. The Agreement is the entire agreement between the parties about the Service and supersedes prior discussions. If there is a conflict, the order of precedence is: a signed order form, a signed standalone data processing agreement (for data processing matters), then these Terms.
- Severability; waiver. If a provision is unenforceable, the rest remains in effect. Failure to enforce a provision is not a waiver.
16. Contact
HeyBuddy LLC
[REGISTERED ADDRESS]
andrew@joinheybuddy.ai