Privacy Policy

Last updated: 28 March 2026

TikTok API registration: Our app URL is https://www.heysocialfish.com and this Privacy Policy is accessible at https://www.heysocialfish.com/legal/privacy as required for TikTok API registration.

1. Who We Are

HeySocialFish Ltd ("we", "us", "our") is the data controller for personal data collected through the HeySocialFish platform. We are registered in England and Wales.

Website: https://www.heysocialfish.com

App: https://app.heysocialfish.com

Contact: support@heysocialfish.com

We're a small, independent team. This policy is written to be understood, not to bury the important bits in legalese. If anything is unclear, just ask us directly.

2. What Data We Collect

Account data: Name, email address, password (hashed), subscription tier, billing information (processed via payment gateway — we do not store card details).

Content data: Content you create, upload, or generate using the platform, including posts, video analysis results, strategy plans, and campaign data.

Platform connection data: OAuth tokens for connected social platforms (YouTube, LinkedIn, X, TikTok, Instagram, Facebook). These are stored encrypted in Azure Key Vault.

TikTok integration: HeySocialFish connects to the TikTok API to enable content scheduling and analytics. We access only the scopes required for these features. TikTok data is processed in accordance with TikTok's Privacy Policy. Our app URL for TikTok API registration purposes is https://www.heysocialfish.com and the privacy policy URL is https://www.heysocialfish.com/legal/privacy.

Usage data: AI credit usage, feature usage, log data, session information, and error reports.

Technical data: IP address, browser type, device identifiers, and cookies (see Cookie Policy).

3. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To personalise AI Copilot guidance and content suggestions
  • To process subscription payments and manage your account
  • To send service-critical notifications (account, billing, security alerts)
  • To send product updates and hints (you can opt out any time)
  • To investigate abuse, fraud, or policy violations
  • To comply with legal obligations

We do not sell your data to third parties. We do not use your content to train AI models shared with other customers.

4. Legal Basis (UK GDPR)

  • Contract: Processing necessary to provide the Service under our Terms of Service
  • Legitimate interest: Security monitoring, fraud prevention, service improvement
  • Consent: Marketing communications (opt-in)
  • Legal obligation: Compliance with applicable law

5. Data Storage, Security & Workspace Protection

All data is stored on Microsoft Azure infrastructure with UK data residency (UK South / UK West regions). We apply encryption at rest and in transit, role-based access controls, and regular security reviews.

Workspace isolation: Each user account operates within a private, isolated workspace. Your workspace data — plans, content, analytics, AI interactions — is stored separately and is not accessible to any other user of the platform. No cross-user data queries are possible through normal or API-level use of the Service.

Connected platform credentials: OAuth tokens for connected social platforms (TikTok, LinkedIn, Instagram, X, YouTube, Facebook) are stored encrypted in Azure Key Vault. They are never exposed in plaintext, cannot be retrieved via the application interface, and are not shared with any third party beyond the intended platform integration.

Staff access: HeySocialFish staff do not access workspace content in the normal course of operations. Access may occur only where strictly necessary for technical support you have requested, or to comply with a legal obligation — and only with appropriate authorisation and logging.

Your responsibility: While we protect your data on our end, you are responsible for the security of the devices and credentials used to access your account. If you choose to share your login with others, you accept responsibility for their actions within your workspace. We cannot protect your account from risks you introduce yourself.

6. Third-Party Processors

We use the following third-party processors under Data Processing Agreements:

  • Microsoft Azure — cloud infrastructure, storage, AI services
  • OpenAI — AI language model processing (data not used for training)
  • GoCardless — Direct Debit payment processing (bank details not stored by us). GoCardless processes payments under their own privacy policy at https://gocardless.com/legal/privacy-notice/. GoCardless is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (FRN 597190).
  • SendGrid / SMTP provider — transactional email delivery

7. Data Retention

We retain your data for as long as your account is active. On account closure, we delete personal data within 90 days, except where we are required to retain it for legal or financial compliance purposes (typically 7 years for financial records under UK law).

7b. Your Contacts' Data — CRM Features (Improver & Pro)

HeySocialFish Improver and Pro tiers include CRM-style contact management features (the "Contacts" section of the Sales Hub). These features allow you to store names, email addresses, and engagement notes about your own contacts — people you are communicating with in your business.

You are the data controller for your contacts' data. HeySocialFish acts only as a data processor on your behalf for this data. Your contacts have rights under UK GDPR that you are responsible for honouring:

  • Right to be forgotten: If one of your contacts requests erasure of their data, you must delete them from the Contacts section. Use the Delete action on their record, or export and purge their data.
  • Unsubscribe requests: If a contact no longer wishes to receive email from you, you must respect that. Use the Unsubscribed tag on their contact record and do not include them in future mail sends. HeySocialFish does not add automated unsubscribe footers to mail sent from the Sales Hub — this is your responsibility.
  • Consent: You should only store contacts for whom you have a legitimate reason to hold data (e.g. they are a business contact, a customer, or have opted in to hear from you). Do not use the Contacts feature to store data obtained without a lawful basis.
  • Data portability: Use the Export CSV button to provide a contact with a copy of their data if requested.

HeySocialFish stores your contact data on the same secure Azure infrastructure as your other workspace data. Contact data is workspace-isolated and never shared with other users. We do not use your contacts' data for any purpose beyond providing the CRM feature to you.

If a contact of yours contacts us directly requesting erasure or unsubscription, we will forward that request to you as the controller. We cannot act on it without your instruction unless legally required to do so.

8. Your Rights (UK GDPR)

You have the following rights regarding the personal data we hold about you as a HeySocialFish user:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate data
  • Erasure ("right to be forgotten") — request deletion of your account and all associated personal data
  • Restriction — limit how we use your data
  • Portability — receive your data in a machine-readable format (JSON/CSV)
  • Object — object to processing based on legitimate interest
  • Withdraw consent — at any time, for processing based on consent
  • Unsubscribe from marketing — use the unsubscribe link in any marketing email, or use the button below

Exercise your rights

To request erasure, a data export, or unsubscription — email us with your registered email address and the action requested. We will respond within 30 days.

✉ Submit a GDPR request

Or write to: HeySocialFish Ltd — support@heysocialfish.com — subject line: GDPR Request

You may also lodge a complaint with the ICO (Information Commissioner's Office) at ico.org.uk.

9. Cookies

We use cookies and similar tracking technologies. See our Cookie Policy for full details.

10. Changes to This Policy

Material changes will be notified via email or in-app notification. The latest version is always available at: https://www.heysocialfish.com/legal/privacy.

10b. Your Responsibilities as a User

When you use the Sales Hub CRM and mail features, you take on responsibilities as a data controller for your contacts' personal data. These include:

  • Ensuring you have a lawful basis for holding and contacting each person in your CRM
  • Honouring unsubscribe and erasure requests promptly
  • Not using the platform to send unsolicited bulk email (spam)
  • Keeping contact data accurate and up to date

HeySocialFish provides the tooling; the legal responsibility for how you use it rests with you. Our Terms of Service reflect this responsibility.

11. A Note to Early Adopters

If you're one of our early users — thank you. Your data protection matters to us, and so does your trust. We will never do anything unexpected with your data, and we welcome questions or concerns at support@heysocialfish.com. Early adopters have a direct line to the team and a real say in how the platform develops. Use it.
