Subprocessor List
The third-party services Heyou relies on. We don't use subprocessors to create cross-customer datasets.
Heyou uses a limited set of third-party subprocessors required to provide, operate, secure, support, and bill for the service.
Current Subprocessors
| Subprocessor | Purpose | Typical Data Categories | Status |
|---|---|---|---|
| Google Cloud Platform / Vertex AI | Cloud hosting, infrastructure, storage, logging, monitoring, and approved AI processing through Vertex AI / Gemini | Customer Data, service metadata, logs, prompts and outputs where AI processing is used | Required for core service |
| Descope | Identity, authentication, SSO, user management, and access-control workflows | User account identifiers, authentication metadata, access-control metadata | Required for authentication |
| Customer.io | Customer communications, product notifications, lifecycle emails, and service-related messaging | Business contact information, product-notification metadata | Used for communications |
| Stripe | Billing, subscription management, invoicing, and payment-related workflows | Billing contact information, subscription and invoice metadata, payment-related records | Used for billing |
| Attio | CRM and customer relationship management | Business contact information, account records, sales notes, commercial relationship data | Business operations |
| Fathom | Meeting recording, transcription, call summaries, and meeting intelligence for customer or prospect interactions, where used | Meeting participant information, recordings, transcripts, summaries | Used where meetings are recorded or summarized |
Website Subprocessors
The following subprocessors operate only on heyou.io (the public marketing site) and are independent of the Heyou product subprocessors above. They process website-visitor data, never Customer Data. Where consent is required under EU/UK ePrivacy and GDPR rules, the relevant subprocessor is gated on the visitor's explicit opt-in via the site's cookie banner.
| Subprocessor | Purpose | Typical Data Categories | Consent Required |
|---|---|---|---|
| Vercel Inc. (US, hosted in EU regions where available) | Hosting of heyou.io, serverless execution, edge logs, ephemeral storage for evaluation briefs (/tmp) | HTTP request metadata, IP address (edge logs), evaluation-brief content and the email if the visitor submits one | Necessary (legitimate interests) |
| Google LLC — Gemini API (EU/US, Vertex AI region pinning where configured) | Backs the on-site chat agent and the optional brand-color lookup for the evaluation page | Visitor chat messages, the persona/concern context, the domain extracted from a submitted work email for brand-color resolution | Necessary (legitimate interests; visitor-initiated) |
| Google LLC — Favicon CDN (s2.gstatic.com) | Serves the company logo displayed on co-branded evaluation pages | The domain portion of the visitor's email (e.g. monday.com) — never the full email | Necessary (legitimate interests; visitor-initiated) |
| Google LLC — Google Analytics 4 (EU/US regional processing) | First-party visitor analytics for marketing-site usage | Pageviews, anonymous client identifiers (_ga / _ga_<ID> cookies), referrer, browser, OS, screen size, coarse geolocation (country/region) derived from IP at Google | Analytics opt-in only |
| PostHog Inc. (EU Cloud — eu.i.posthog.com) | Product analytics for the marketing site | Pageviews, anonymous distinct_id (UUID, first-party cookie + localStorage), autocapture click/submit/change events on tagged selectors (no input values), browser/OS/screen/referrer/UTM, client IP server-side at PostHog Cloud (used for coarse geolocation and not stored in events) | Analytics opt-in only |
PostHog session recording is disabled site-wide; PostHog never receives form field values, email addresses, brief content, or any personal data submitted into Heyou flows. Google Analytics 4 is configured without ad-personalization signals. Both analytics subprocessors load only after the visitor opts in via the cookie banner and are immediately opted out on revocation.
Heyou does not sell Customer Data, does not use subprocessors to create cross-customer datasets, and does not use one customer’s data to benefit another customer. Data shared with each subprocessor is limited to what is necessary for the applicable service purpose.
Subprocessors that process Customer Data or personal data on Heyou’s behalf are governed by contractual data protection obligations, including confidentiality, security, and breach-notification commitments. Heyou provides customers with advance notice of material subprocessor changes in accordance with the DPA.
Some subprocessors may process only limited business contact information or operational metadata, depending on how the customer uses Heyou and how Heyou supports the account.
User-authorized third-party platforms that a user chooses to connect are not subprocessors of Heyou. Those platforms operate the user’s account independently and are governed by the user’s direct relationship with the platform.