Hey
Legal Bases for AI
The policy explicitly mentions 'automated program' for anti-bot assessments and 'automated processes' in the context of a user's right to object to automated decision-making, which implies the use of AI/ML. However, it does not use explicit terms like 'AI' or 'machine learning' in its general disclosure.
the CAPTCHA service evaluates various information (e.g., IP address, how long the visitor has been on the app, mouse movements) to try to detect if the activity is from an automated program instead of a human.
Right to not Be Subject to Automated Decision-Making. You have the right to object to and prevent any decision that could have a legal or similarly significant effect on you from being made solely based on automated processes.
Detecting if activity is from an automated program (bot) for spam protection and brute force login mitigation using a CAPTCHA service.
the CAPTCHA service evaluates various information (e.g., IP address, how long the visitor has been on the app, mouse movements) to try to detect if the activity is from an automated program instead of a human.
Decisions that could have a legal or similarly significant effect on the user, made solely based on automated processes.
Right to not Be Subject to Automated Decision-Making. You have the right to object to and prevent any decision that could have a legal or similarly significant effect on you from being made solely based on automated processes.
The policy explicitly grants users the 'Right to not Be Subject to Automated Decision-Making' for decisions that could have a 'legal or similarly significant effect' on them, indicating a potential for high impact automated decisions.
The policy explicitly states 'We never sell your data' and, under CCPA, clarifies that data is processed 'only for the purpose you signed up for' and not for 'any other commercial purposes unless we have your explicit permission.' There is no mention of using personal data for training AI or machine learning models.
We never sell your data.
We do not retain, use, disclose, or sell any of that information for any other commercial purposes unless we have your explicit permission.
The policy does not mention using user interactions for training AI or machine learning models. The general stance on data usage and not selling data suggests this is not done.
We never sell your data.
We do not retain, use, disclose, or sell any of that information for any other commercial purposes unless we have your explicit permission.
The policy does not mention using public content for training AI or machine learning models.
The policy explicitly states that user data is never sold and is not used or disclosed for other commercial purposes without explicit permission, which would include sharing for AI training.
We never sell your data.
We do not retain, use, disclose, or sell any of that information for any other commercial purposes unless we have your explicit permission.
Hey demonstrates excellent privacy practices, explicitly stating they never sell user data and supporting major regulations like GDPR and CCPA. While they share some data with third parties for operational purposes and use hashed emails to *prevent* showing ads, their overall approach minimizes privacy risks.
Recommended Actions
Familiarize yourself with their comprehensive privacy policy to understand data handling practices.
Utilize the privacy@37signals.com email for any data access, correction, or deletion requests.
Regularly review your account settings for any privacy-related controls or preferences.