1. Who We Are
HeySocialFish Ltd ("we", "us", "our") is the data controller for personal data collected through the HeySocialFish platform. We are registered in England and Wales.
Website: https://www.heysocialfish.com
App: https://app.heysocialfish.com
Contact: support@heysocialfish.com
We're a small, independent team. This policy is written to be understood, not to bury the important bits in legalese. If anything is unclear, just ask us directly.
2. What Data We Collect
Account data: Name, email address, password (hashed), subscription tier, billing information (processed via payment gateway – we do not store card details).
Content data: Content you create, upload, or generate using the platform, including posts, video analysis results, strategy plans, and campaign data.
Platform connection data: OAuth tokens for connected social platforms (YouTube, LinkedIn, X, TikTok, Instagram, Facebook). These are stored encrypted in Azure Key Vault.
TikTok integration: HeySocialFish connects to the TikTok API to enable content scheduling and analytics. We access only the scopes required for these features. TikTok data is processed in accordance with TikTok's Privacy Policy. Our app URL for TikTok API registration purposes is https://www.heysocialfish.com and the privacy policy URL is https://www.heysocialfish.com/legal/privacy.
Usage data: AI credit usage, feature usage, log data, session information, and error reports.
Technical data: IP address, browser type, device identifiers, and cookies (see Cookie Policy).
3. How We Use Your Data
- To provide, maintain, and improve the Service
- To personalise AI Copilot guidance and content suggestions
- To process subscription payments and manage your account
- To send service-critical notifications (account, billing, security alerts)
- To send product updates and hints (you can opt out any time)
- To investigate abuse, fraud, or policy violations
- To comply with legal obligations
We do not sell your data to third parties. We do not use your content to train AI models shared with other customers.
4. Legal Basis (UK GDPR)
- Contract: Processing necessary to provide the Service under our Terms of Service
- Legitimate interest: Security monitoring, fraud prevention, service improvement
- Consent: Marketing communications (opt-in)
- Legal obligation: Compliance with applicable law
5. Data Storage, Security & Workspace Protection
All data is stored on Microsoft Azure infrastructure with UK data residency (UK South / UK West regions). We apply encryption at rest and in transit, role-based access controls, and regular security reviews.
Workspace isolation: Each user account operates within a private, isolated workspace. Your workspace data – plans, content, analytics, AI interactions – is stored separately and is not accessible to any other user of the platform. No cross-user data queries are possible through normal or API-level use of the Service.
Connected platform credentials: OAuth tokens for connected social platforms (TikTok, LinkedIn, Instagram, X, YouTube, Facebook) are stored encrypted in Azure Key Vault. They are never exposed in plaintext, cannot be retrieved via the application interface, and are not shared with any third party beyond the intended platform integration.
Staff access: HeySocialFish staff do not access workspace content in the normal course of operations. Access may occur only where strictly necessary for technical support you have requested, or to comply with a legal obligation – and only with appropriate authorisation and logging.
Your responsibility: While we protect your data on our end, you are responsible for the security of the devices and credentials used to access your account. If you choose to share your login with others, you accept responsibility for their actions within your workspace. We cannot protect your account from risks you introduce yourself.
6. Third-Party Processors
We use the following third-party processors under Data Processing Agreements:
- Microsoft Azure – cloud infrastructure, storage, AI services
- OpenAI – AI language model processing (data not used for training)
- Mollie – payment processing (card data not stored by us). Mollie processes payments under their own privacy policy at https://www.mollie.com/en/privacy. Our website domain registered with Mollie is https://www.heysocialfish.com.
- SendGrid / SMTP provider – transactional email delivery
7. Data Retention
We retain your data for as long as your account is active. On account closure, we delete personal data within 90 days, except where we are required to retain it for legal or financial compliance purposes (typically 7 years for financial records under UK law).
8. Your Rights (UK GDPR)
You have the right to:
- Access – request a copy of the data we hold about you
- Rectification – correct inaccurate data
- Erasure – request deletion of your data ("right to be forgotten")
- Restriction – limit how we use your data
- Portability – receive your data in a machine-readable format
- Object – object to processing based on legitimate interest
- Withdraw consent – at any time, for processing based on consent
Exercise your rights at: support@heysocialfish.com. We will respond within 30 days.
You may also lodge a complaint with the ICO (Information Commissioner's Office) at ico.org.uk.
9. Cookies
We use cookies and similar tracking technologies. See our Cookie Policy for full details.
10. Changes to This Policy
Material changes will be notified via email or in-app notification. The latest version is always available at this URL: https://www.heysocialfish.com/legal/privacy.
11. A Note to Early Adopters
If you're one of our early users – thank you. Your data protection matters to us, and so does your trust. We will never do anything unexpected with your data, and we welcome questions or concerns at support@heysocialfish.com. Early adopters have a direct line to the team and a real say in how the platform develops. Use it.