Heavano Legal v1.0

Privacy Policy

We believe enterprise customers deserve to know exactly how their data — and their customers' data — is handled. This policy is written to be read, not just displayed.

Last updated
May 19, 2026
Effective date
May 19, 2026
Heavano is SOC 2 Type II certified, HIPAA-ready, GDPR-compliant, and ISO 27001 aligned. We never sell personal data. Enterprise customers can request a Data Processing Agreement (DPA) or Business Associate Agreement (BAA) at privacy@heavano.com.

1. Overview

This Privacy Policy describes how Heavano, Inc. ("Heavano," "we," "us," or "our") collects, uses, stores, shares, and protects information in connection with the Heavano voice AI platform, including our APIs, dashboard, website, and all related products and services (collectively, the "Services").

Heavano operates as both a Data Controller (for information we collect about platform users and website visitors) and a Data Processor (for call data and personal information processed on behalf of our enterprise customers). Our customers act as Data Controllers for the personal data of their end users and callers.

If you are a caller or end user of a business that uses Heavano, please contact that business directly with privacy requests related to your call data, as we process that data on their behalf and under their instructions.

2. Data We Collect

We collect different types of information depending on whether you are a platform user (a business building with Heavano) or an end user of a Heavano-powered agent.

Account & Platform User Data

Identity
Name, work email address, job title, company name collected at registration or account update.
Authentication
Hashed passwords, SSO tokens, OAuth identifiers. We do not store plaintext passwords.
Billing
Payment card details (processed by our PCI-compliant payment processor; we store only the last four digits and card type), billing address, invoice history.
Usage telemetry
API call volumes, latency metrics, error rates, feature usage, dashboard interactions — for billing, analytics, and platform improvement.
Communications
Emails, support tickets, and chat messages you send to Heavano.
Device & browser
IP address, browser type, OS, screen resolution, and session timestamps for security and analytics.

Call & Voice Data (Processed on Your Behalf)

Call audio
Real-time audio streams from inbound and outbound calls routed through Heavano infrastructure.
Transcripts
Automatic speech-to-text transcriptions of calls, including speaker diarization where enabled.
Voice embeddings
Numerical representations of voice characteristics used for speaker identification and voice cloning (only when you have enabled these features and obtained caller consent).
Call metadata
Caller/callee phone numbers, call start/end times, duration, telephony provider identifiers, routing decisions, and agent configuration used.
Intent & entities
Structured output from NLP processing — detected intents, extracted entities, and conversation summaries generated by Heavano or integrated LLMs.

Website & Marketing Data

When you visit heavano.com, we collect standard web analytics data (page views, referrer, session duration) via first-party analytics and, where applicable, third-party tools. See Section 11 (Cookies) for details.

Data categories referenced above: name, email, IP address, call audio, transcripts, call metadata, billing data, usage logs, browser fingerprint.

3. How We Use Data

We use the information we collect for the following purposes:

Service Delivery

Processing call audio through STT, generating AI voice responses via TTS, routing calls, applying your configured agent logic, and transmitting outputs to your telephony endpoints. This is our primary purpose and the core of the Heavano service.

Billing & Account Management

Calculating usage-based fees, issuing invoices, processing payments, managing subscriptions, and responding to billing disputes.

Platform Reliability & Security

Monitoring infrastructure health, detecting and responding to security incidents, rate limiting, fraud prevention, and maintaining audit logs required by our compliance certifications.

Product Improvement

Improving speech recognition accuracy, reducing latency, and optimizing voice quality using aggregated and de-identified telemetry. We do not use individual call content or transcripts to train general AI models without your explicit opt-in.

Customer Support

Responding to support tickets, diagnosing technical issues, and reproducing bugs. Support agents may access call metadata or partial transcripts only when you explicitly share them in a support request.

Legal & Compliance

Complying with applicable laws, regulations, and enforceable legal orders, and enforcing our Terms of Service.

4. Voice & Call Data

Voice and call data is the most sensitive category of information processed by the Heavano platform. This section provides additional detail on how it is handled.

Processing Locations

Call audio is processed in the region closest to the caller for minimum latency. By default, this may include data centers in the United States, European Union, Asia-Pacific, and other regions depending on your configuration and the availability of our speech processing nodes. Enterprise customers may request region-locked processing for regulatory compliance.

Real-Time Processing Only (Default)

By default, Heavano processes audio in real time for transcription and response generation but does not persistently store raw audio after the call ends. Transcripts and call metadata are retained for the period specified in your data retention settings (default: 90 days).

Call Recording (Opt-In)

Persistent call recording — where audio is stored after the call — is an optional feature that must be explicitly enabled in your dashboard. If you enable call recording, you are responsible for complying with all applicable call recording consent laws in the jurisdictions where your agents operate, and for informing callers that the call is being recorded.

PCI Redaction

Heavano provides built-in PCI redaction that detects and masks payment card numbers, CVVs, and expiry dates in transcripts before they are stored. This feature is enabled by default on all accounts. Do not disable PCI redaction unless you have a separate compliance arrangement with Heavano.
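As an added illustration of the transcript-side redaction described above (example code written for this page, not Heavano's implementation, whose detection rules are not published here), the following Python redactor finds card numbers, expiry dates and CVVs in a transcript and masks them before the transcript is stored. It validates candidate card numbers with the Luhn check so that phone and order numbers of similar length are left alone, and it normalises spoken digits ("four one one one ...") that speech-to-text engines commonly emit, mapping matches back to offsets in the original text so the stored transcript is edited in place. The sample transcripts are constructed, and the spoken-word mapping, regexes and mask format are assumptions. Note also that this masks text only: audio retained under opt-in call recording (Section 4) is not touched by a transcript redactor.

```python
import re
from dataclasses import dataclass

# Words an STT engine typically emits for spoken digits and the slash in an
# expiry date. Constructed mapping for this example; extend per your engine.
_SPOKEN = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "slash": "/",
}

# Candidate PAN: 13-19 digits, optionally separated by single spaces/hyphens.
_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY or MM/YYYY, tolerating the spaces spoken-digit normalisation leaves behind.
# Known false positive: a calendar date such as "12/25" in unrelated speech.
_EXPIRY = re.compile(r"(?<!\d)(?:0 ?[1-9]|1 ?[0-2]) ?/ ?\d ?\d(?: ?\d ?\d)?(?!\d)")
# 3-4 digits within 20 characters after a CVV/CVC keyword.
_CVV = re.compile(
    r"\b(?:cvv2?|cvc2?|security code|verification code)\b\D{0,20}?"
    r"(\d(?: ?\d){2,3})(?!\d)",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "pan", "expiry" or "cvv"
    start: int   # offsets into the ORIGINAL transcript
    end: int
    digits: str  # normalised digits (PAN only), used to keep the last four


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most phone/order numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize(text: str):
    """Rewrite spoken digits as numerals, keeping a map from each normalised
    character back to its original span so redaction edits the original text."""
    norm, back = [], []
    for m in re.finditer(r"[A-Za-z]+|.", text, re.S):
        tok = m.group()
        rep = _SPOKEN.get(tok.lower())
        if rep is not None:
            norm.append(rep)
            back.append((m.start(), m.end()))
        else:
            for j, ch in enumerate(tok):
                norm.append(ch)
                back.append((m.start() + j, m.start() + j + 1))
    return "".join(norm), back


def find_pci(text: str) -> list[Finding]:
    norm, back = normalize(text)

    def finding(kind, ns, ne, digits=""):
        return Finding(kind, back[ns][0], back[ne - 1][1], digits)

    found = []
    for m in _PAN.finditer(norm):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(finding("pan", m.start(), m.end(), digits))
    for m in _EXPIRY.finditer(norm):
        found.append(finding("expiry", m.start(), m.end()))
    for m in _CVV.finditer(norm):
        found.append(finding("cvv", m.start(1), m.end(1)))

    found.sort(key=lambda f: f.start)
    kept = []
    for f in found:  # drop anything overlapping an earlier finding
        if not kept or f.start >= kept[-1].end:
            kept.append(f)
    return kept


def redact(text: str) -> tuple[str, list[Finding]]:
    """Return the transcript with PCI data masked, plus the findings (for audit logs)."""
    findings = find_pci(text)
    out = text
    for f in reversed(findings):  # edit from the end so earlier offsets stay valid
        mask = f"[PAN ****{f.digits[-4:]}]" if f.kind == "pan" else f"[{f.kind.upper()} REDACTED]"
        out = out[:f.start] + mask + out[f.end:]
    return out, findings


# Constructed sample transcripts (not real calls): one with numerals, one in the
# spoken-digit form a speech-to-text engine may produce.
SAMPLES = [
    "Agent: go ahead with the card number. Caller: it's 4111 1111 1111 1111, "
    "expires 09/27, and the CVV is 123. My callback number is 555-0100 and "
    "the order number is 1234567890123.",
    "Caller: the number is four one one one one one one one one one one one "
    "one one one one, expiry oh nine slash two seven, security code four five six.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        redacted, findings = redact(s)
        print(redacted)
        print("  findings:", [(f.kind, f.start, f.end) for f in findings])
```

Run the redactor on the transcript before it is written anywhere, including log lines and support-ticket attachments, and keep only the findings' kinds and offsets (never the digits) as audit evidence. The 13-digit order number in the first sample is deliberately left untouched: it fails the Luhn check, which is what keeps a digit-only regex from masking legitimate reference numbers.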

If your voice agents handle calls in regulated industries — healthcare (HIPAA), financial services, children's services (COPPA/GDPR-K) — contact compliance@heavano.com before deploying to ensure you have the appropriate agreements and configurations in place.

Custom Voice Cloning

When you upload audio samples to create a custom voice, those samples are used solely to generate a voice model for your account. We do not share cloned voices between customers. You must ensure you have obtained explicit, informed consent from the person whose voice is being cloned, and that the use complies with all applicable laws including applicable AI voice cloning regulations.

5. Data Sharing

We do not sell your data. We share information only in the following circumstances:

Service Providers (Sub-Processors)

We engage trusted third-party vendors to help deliver the Services, including cloud infrastructure providers, telephony gateway operators, payment processors, monitoring services, and security vendors. All sub-processors are bound by data processing agreements and are permitted to use your data only to provide services to Heavano.

Key sub-processor categories
Cloud infrastructure: AWS, GCP — compute, storage, networking
Telephony gateways: SIP trunking and PSTN interconnect providers
Payment processing: Stripe — PCI-compliant card processing
Observability: Error tracking, uptime monitoring, log management
Email delivery: Transactional email for account notifications
Security: DDoS mitigation, WAF, and fraud detection

Legal Requirements

We may disclose information when required by law, subpoena, court order, or government investigation. Where legally permitted, we will notify you before disclosure and cooperate with you in seeking a protective order.

Business Transfers

If Heavano is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred to the successor entity. We will provide notice before your data is transferred and subject to a materially different Privacy Policy.

With Your Consent

We share information with third parties when you explicitly direct us to do so, such as when you configure an integration with a CRM, calendar, or analytics platform from your dashboard.

6. Data Retention

Account & billing data
Retained for the duration of your account and for 7 years after closure to meet legal and tax record-keeping requirements.
Call transcripts & metadata
Retained for 90 days by default. Configurable per workspace (7 days to 2 years). Deleted within 30 days of your retention period expiry or account closure.
Call recordings (opt-in)
As configured in your dashboard, up to a maximum of 2 years. You can delete recordings at any time.
API usage logs
Retained for 12 months for billing verification and security audit purposes.
Support communications
Retained for 3 years to maintain continuity of service history.
Marketing & analytics
Website analytics retained for 13 months. Marketing contact records retained until you opt out or 3 years of inactivity, whichever comes first.
Deleted account data
After account closure, all Customer Data is purged from production systems within 90 days and from backups within 180 days, unless retention is required by law.

You can configure per-workspace data retention settings in your Heavano dashboard. To request early deletion of your data, contact privacy@heavano.com.

7. Security

Heavano implements a comprehensive security program designed to protect the confidentiality, integrity, and availability of your data. Our security measures include:

  • Encryption in transit: All data is encrypted using TLS 1.2 or higher for API calls, dashboard access, and webhook delivery.
  • Encryption at rest: Call data, transcripts, and account information are encrypted at rest using AES-256.
  • Access controls: Role-based access control (RBAC) for internal systems with strict least-privilege principles and mandatory MFA for all Heavano employees.
  • Network isolation: Production environments are logically isolated from development and staging environments. Customer data is segregated by tenant.
  • Vulnerability management: Continuous security scanning, regular penetration tests by independent third parties, and a responsible disclosure program.
  • Incident response: A documented incident response plan with defined escalation paths, investigation procedures, and notification timelines.
  • Certifications: SOC 2 Type II (annual), ISO 27001 alignment, and HIPAA-ready infrastructure controls.
To report a security vulnerability, please email security@heavano.com. We will acknowledge receipt within 24 hours and work to remediate confirmed vulnerabilities within our published SLAs. We do not pursue legal action against researchers who act in good faith under our responsible disclosure policy.

Despite our best efforts, no security system is impenetrable. If you believe your account has been compromised, contact us immediately. We will notify affected customers of data breaches within the timeframes required by applicable law. Under GDPR, the 72-hour deadline in Article 33 applies to the controller's report to its supervisory authority; where we act as your processor, we will notify you without undue delay after becoming aware of a breach so that you can meet that deadline.

8. GDPR (EEA & UK)

If you are located in the European Economic Area (EEA) or United Kingdom, or if you process personal data of EEA/UK data subjects through the Heavano platform, GDPR and/or UK GDPR apply.

Legal Bases for Processing

Contract performance
Providing the Services, managing your account, processing payments.
Legitimate interests
Fraud prevention, security monitoring, product improvement via de-identified analytics, direct marketing to existing customers (with opt-out).
Legal obligation
Compliance with EU/UK law, responding to lawful data requests, tax record retention.
Consent
Cookie analytics beyond strictly necessary, marketing to non-customers, optional product research participation.

Data Processing Agreement

Enterprise customers processing EEA/UK personal data through Heavano agents must execute a Data Processing Agreement (DPA). Our standard DPA, incorporating Standard Contractual Clauses (SCCs) for international transfers, is available upon request at privacy@heavano.com.

Your GDPR Rights

EEA/UK individuals have the right to access, correct, delete, restrict, and port their personal data, as well as the right to object to certain processing. See Section 14 for how to exercise these rights.

9. CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you additional rights. This section supplements the rest of this Privacy Policy.

  • Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you in the past 12 months, and the purposes for which we use it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions required by law or necessary for our legitimate business purposes.
  • Right to Correct: You may request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information as defined by CCPA. We do not use personal information for cross-context behavioral advertising.
  • Right to Limit Sensitive PI: Where we process sensitive personal information (such as biometric voice data), we limit use to the purposes necessary to provide the Services.
  • Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

To submit a CCPA request, contact privacy@heavano.com with the subject line "CCPA Request". We will respond within 45 days, with a one-time 45-day extension if necessary.

10. HIPAA

If you operate in the healthcare sector and your use of Heavano involves protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), Heavano can act as a Business Associate.

A Business Associate Agreement (BAA) is required before you process any PHI through the Heavano platform. Our HIPAA-ready configuration includes:

  • Encryption of PHI at rest and in transit.
  • Role-based access controls with audit logging for all PHI access.
  • Configurable data retention and deletion workflows to meet the HIPAA Minimum Necessary standard.
  • Breach notification procedures aligned with HIPAA's 60-day notification requirement.
  • Workforce training and policies covering PHI handling by Heavano personnel.
Do not route calls containing PHI through Heavano until you have executed a BAA. Contact compliance@heavano.com to initiate the BAA process.

11. Cookies & Tracking

Our website and dashboard use cookies and similar technologies to deliver the Services, maintain your session, and understand how the platform is used.

Strictly necessary
Authentication session tokens, CSRF protection, rate-limit state. Cannot be disabled without impairing functionality.
Functional
User preferences (theme, language), remember-me tokens, recent voice selections. Persistent but privacy-preserving.
Analytics
Aggregate page view counts, feature usage heatmaps, error rates using privacy-first first-party analytics. No cross-site tracking. IP addresses are anonymized.
Marketing (opt-in only)
Third-party ad pixels used only on marketing pages and only with your consent via our cookie banner.

You can manage cookie preferences through the cookie banner shown on your first visit to heavano.com, or by updating preferences in your account settings. Declining non-essential cookies does not affect your ability to use the Heavano platform.

12. Children's Privacy

The Heavano platform is designed for enterprise business use and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal information without parental consent, please contact privacy@heavano.com and we will delete such information promptly.

If you use Heavano to operate voice agents that may interact with minors (e.g., in education or children's healthcare), you are responsible for complying with applicable laws including COPPA (US), GDPR-K (EU), and other child privacy statutes.

13. International Data Transfers

Heavano is headquartered in the United States. If you use the Services from outside the US, or if your agents route calls involving non-US data subjects, personal data may be transferred to and processed in the United States and other countries where our infrastructure operates.

For transfers from the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA) as transfer mechanisms. Our DPA includes the applicable SCCs and can be provided upon request.

For transfers from other jurisdictions, we implement appropriate safeguards as required by local law, which may include adequacy decisions, approved codes of conduct, or binding corporate rules.

14. Your Privacy Rights

Depending on your location, you may have various rights regarding your personal information. Heavano respects and honors these rights globally where feasible, not just in jurisdictions that legally require us to.

Access
Request a copy of the personal data we hold about you.
Correction
Request correction of inaccurate or incomplete data.
Deletion
Request erasure of your personal data, subject to legal retention requirements.
Portability
Receive your data in a structured, machine-readable format for transfer to another controller.
Restriction
Request that we temporarily stop processing your data while a dispute is resolved.
Objection
Object to processing based on legitimate interests, including direct marketing.
Withdraw consent
Withdraw consent you previously gave for optional data processing at any time.

To exercise any of these rights, email privacy@heavano.com with the subject line "Privacy Rights Request." We will verify your identity before processing requests. We aim to respond within 30 days; complex requests may take up to 90 days with notice.

If you are an end user of a business that uses Heavano (e.g., you spoke with an AI agent powered by Heavano), please contact that business directly — they are the Data Controller for your call data and are responsible for handling your requests.

If you are in the EEA/UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

15. Changes to This Policy

Heavano may update this Privacy Policy from time to time to reflect changes in our practices, products, or legal obligations. When we make material changes, we will notify you via email and/or a prominent notice in the dashboard at least 30 days before the changes take effect.

The "Last updated" date at the top of this page indicates when this policy was most recently revised. We encourage you to review this page periodically. Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes.

We maintain an archive of prior versions of this Privacy Policy. If you would like access to a previous version, please contact us.

16. Contact & Data Protection Officer

If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

Privacy team: privacy@heavano.com
Data Protection Officer: dpo@heavano.com
HIPAA / compliance: compliance@heavano.com
Security & incidents: security@heavano.com

Postal address:
Heavano, Inc. — Attn: Privacy
c/o Legal Department
[Address], Wilmington, Delaware, United States

EU Representative (Art. 27 GDPR): If you are in the EEA and wish to exercise your GDPR rights or contact our EU representative, please email eu-privacy@heavano.com.
