Privacy Policy

Heythea Pte. Ltd. (“Heythea”, “we”, “us”) is a Singapore-registered company. We operate Thea, a business software platform that helps yoga and pilates studio owners manage leads, students, and marketing — primarily through WhatsApp and connected advertising platforms.

This policy applies to heythea.app and all Thea services. It covers two groups of people: studio owners and their staff (our direct customers) and leads and students whose data studio owners manage through Thea.

Questions? Write to us at privacy@heythea.app.

2. What Data We Collect

From studio owners and staff

When you sign up and use Thea, we collect:

Account information — name, email address, business name, WhatsApp number
Business data — studio name, location, class schedules, pricing plans
Connected account credentials — Meta (Facebook/Instagram) access tokens when you authorise the ads integration
Usage data — how you use the platform, features accessed, actions taken
Payment information — billing details processed via our payment provider (we do not store full card numbers)

From your leads and students (data you bring into Thea)

When you use Thea to manage your studio, you upload or generate records that may include:

Lead records — name, phone number, WhatsApp conversation history, where the lead came from, follow-up status
Student records — name, phone number, enrollment details, class attendance, package or membership information
Payment records — amounts paid, payment dates, outstanding balances
WhatsApp message history — conversations between your studio and leads or students, stored to give Thea context for follow-up suggestions

You are the data controller for your leads' and students' personal data. Thea acts as a data intermediary processing that data on your behalf. You are responsible for having a lawful basis to share that data with us and for informing your leads and students that their information is managed in Thea.

3. How We Use It

We use the data we collect to:

Run the platform — process leads, track attendance, send you daily morning briefs and action suggestions via WhatsApp
Generate AI-powered insights — analyse your ad performance, lead patterns, and student activity to surface useful suggestions (see Section 9 on AI processing)
Connect to your Meta Ads account — read campaign performance data and surface it in your Thea dashboard
Send you WhatsApp messages — daily briefs, action alerts, and follow-up suggestions delivered to your WhatsApp number
Process payments — handle subscription billing
Improve the platform — aggregate, anonymised analysis of how studios use Thea
Comply with the law — meet our obligations under Singapore law and applicable regulations

We do not use your data or your students' data for advertising purposes. We do not sell data to third parties.

4. Who We Share Data With

We share data only with the following service providers, strictly for the purposes listed:

Provider	Purpose	Data shared
Meta (Facebook/Instagram)	Ads integration — reading your ad campaign data via their API	Your Meta access token; API calls retrieve ad performance data only
WhatsApp (Meta)	Delivering messages to your WhatsApp number	Message content, your phone number
Anthropic	AI model processing — generating insights and natural language suggestions	Portions of lead/student context and conversation history needed to generate a response
Railway	Cloud hosting and infrastructure	All platform data is stored on Railway-managed servers
Xendit	Payment processing (planned)	Billing name, amount, payment method details

All providers are bound by data processing agreements or their own terms of service. We do not authorise any provider to use your data for their own purposes beyond providing the service to us.

We may also disclose data if required by Singapore law, a court order, or a regulator.

5. Where Data Is Stored

Thea is hosted on Railway, with infrastructure located in the United States and European Union.

If you are based in Singapore or Southeast Asia, your data will be transferred to and stored on servers in the US or EU. We take reasonable steps to ensure that providers maintain appropriate security standards. By using Thea, you consent to this transfer.

6. How Long We Keep It

Data type	Retention period
Account and business data	Duration of your subscription, plus 1 year after closure
Lead and student records	Duration of your subscription, plus 1 year after closure
WhatsApp message history	2 years from the date of the message
Ad performance data	2 years
Payment records	7 years (required by Singapore tax law)
Usage logs	12 months

When you close your account, we will delete or anonymise your data within 30 days, except where retention is required by law.

7. Your Rights Under Singapore PDPA

Under the Personal Data Protection Act 2012 (Singapore), you have the right to:

Access — request a copy of the personal data we hold about you
Correction — ask us to correct inaccurate or incomplete data
Withdrawal of consent — withdraw consent for us to use your data (this may mean we can no longer provide the service)
Data portability — request your data in a portable format where technically feasible

To exercise any of these rights, email privacy@heythea.app. We will respond within 30 days.

If you are an EU resident, you may also have rights under GDPR including erasure and restriction of processing. Contact us and we will honour applicable rights.

For leads and students of a studio: If you want to access or correct data that a studio holds about you in Thea, please contact that studio directly. They are the data controller for your records.

8. WhatsApp, Instagram, and Meta Data

Thea connects to Meta's platforms in three ways:

WhatsApp messaging

Studio owners connect their WhatsApp number to Thea. Thea sends messages (morning briefs, action suggestions) to that number on the owner's behalf. Thea may also store incoming and outgoing WhatsApp conversations between a studio and its leads or students to provide follow-up context. This messaging is facilitated through WhatsApp's Business API.

Meta Ads integration

Studio owners can authorise Thea to read their Facebook and Instagram ad account data via the Meta Ads API. This allows Thea to display paid campaign performance data and generate insights. We read ad performance data only — we do not modify campaigns, set budgets autonomously without owner approval, or access personal data of the studio's ad audiences.

Instagram organic content

Studio owners can connect their Instagram Business account to Thea. This connection allows Thea to:

Read organic post performance data — impressions, reach, likes, comments, saves, and shares — to surface content insights in the studio's dashboard
Draft, schedule, and publish Instagram and Facebook posts on the studio's behalf, using captions the studio owner writes or reviews before publishing
Generate caption suggestions using AI (see Section 9) — these are always presented for the owner's review and are never published without explicit approval

We access organic post metrics only in aggregate — we do not access the personal data of individual followers who liked or commented on posts. We store post performance data for up to 2 years to enable trend analysis. Draft captions and post content are stored until the post is published or deleted.

All Meta data: We use Meta and Instagram data solely to provide Thea's features to the studio that authorised the connection. We do not combine one studio's Meta data with another's, and we do not use it for advertising or sell it to third parties.

9. AI Processing

Thea uses AI models provided by Anthropic (makers of Claude) to generate natural language insights, morning briefs, lead follow-up suggestions, and action recommendations.

To do this, we send relevant context to Anthropic's API. This may include:

Lead names, statuses, and conversation snippets
Student attendance and enrollment summaries
Ad and organic post performance figures
Instagram post briefs or topic prompts when generating caption suggestions
Studio owner preferences and historical actions

This data is sent to Anthropic solely to generate a response for you. Anthropic processes it under their API terms and data processing agreement. We do not send sensitive personal health data or payment card details to the AI model.

You can opt out of AI-generated suggestions by contacting us, though this will significantly limit Thea's functionality.

10. Security

We use industry-standard security measures including encrypted connections (HTTPS/TLS), access controls, and multi-tenant data isolation (each studio's data is strictly separated from others). No system is perfectly secure — if we become aware of a data breach that affects you, we will notify you as required by the PDPA.

11. Contact Us

Data protection enquiries:

Email: privacy@heythea.app
Support: support@heythea.app
Website: heythea.app

Heythea Pte. Ltd. (UEN: 202615884M)
Singapore
heythea.app

We will acknowledge your request within 3 business days and respond fully within 30 days. If you are not satisfied with our response, you may contact the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

This policy may be updated from time to time. Material changes will be communicated via email or a notice on heythea.app. Continued use of Thea after an update constitutes acceptance of the revised policy.