Privacy Policy for the “HeyClient” App and Website
Last updated: October 2025
1. Scope and Quick Overview
These privacy notices explain how personal data are processed when you use the mobile app “HeyClient” (the App) and our Website (the Website).
App (short): The App reads your contacts locally on your device, detects birthdays/holidays, shows local notifications, and creates personalised message drafts. Messages are sent only after your confirmation via WhatsApp/SMS/email (deep links: wa.me, sms:, mailto:).
The App has no server connection: no transmission to us, no tracking, no external storage.
Website (short): On the Website we use — based on consent — cookies/tracking and the following services: Google Analytics 4 (optional: Signals/User-ID), Google Tag Manager, YouTube (two-click solution), Meta/Facebook Pixel, LinkedIn Insight Tag, Twitter/X Pixel, and (where offered) newsletter and contact forms.
2. Controller and Contact
Efficient Operations GmbH
represented by Managing Director Daniel Fischer
Schürenbruch 13, 32479 Hille, Germany
Phone: +49 151 74269061
Email: support@heyclient.app
Supervisory authority:
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), P.O. Box 20 04 44, 40102 Düsseldorf, poststelle@ldi.nrw.de, https://www.ldi.nrw.de/
3. Legal Bases (Overview) and Access to End-User Devices
Art. 6(1)(b) GDPR (Contract performance): provision of App functionalities.
Art. 6(1)(a) GDPR (Consent): optional App/Website features (e.g., notifications, analytics/marketing cookies). You can withdraw consent at any time.
Art. 6(1)(f) GDPR (Legitimate interests): e.g., IT security, Website stability.
Section 25(2) No. 2 TDDDG (Germany): access/storage on your device that is strictly necessary to provide a service you expressly requested (App functionality, strictly necessary cookies).
(The App itself does not use cookies or comparable technologies.)
4. Private Use (“Household Exemption”)
If you use HeyClient exclusively for private or family purposes (e.g., congratulating friends/family), your use is generally outside the scope of the GDPR (Art. 2(2)(c) GDPR).
If you use the App in a business/professional context (e.g., messages to customers), you are a controller under the GDPR and must ensure a legal basis (e.g., consent or legitimate interests) and fulfil information duties. Regardless, we process data for the Website and any other offerings as set out in this policy.
5. App: How It Works & Data Processing
5.1 Data Categories (stored only locally on your device)
Contact data: name, nickname (if any), birthday (if stored), email address(es), phone number(s).
Local App usage data: templates (with placeholders), settings (e.g., notifications), times of local reminders.
Message drafts: locally created, personalised texts.
5.2 Purposes
Detect birthdays/holidays and trigger local reminders.
Create and prefill individual greetings that you send yourself.
5.3 Permissions
Contacts: to read names/birthdays/email addresses/phone numbers locally.
Notifications: to display local birthday/holiday reminders.
You may revoke permissions in your device settings; without contact access the core function is unavailable.
5.4 Sending Channels / Responsibility of Third-Party Providers
When you open WhatsApp/SMS/email you leave the App; the privacy policies of those providers apply (e.g., Meta/WhatsApp, Apple/Google Messages, your email provider). The App only provides deep links/drafts; sending occurs only after your confirmation.
5.5 Retention & Deletion (App)
Data remain exclusively on your device until you delete them, revoke permissions, or uninstall the App. No server/cloud storage by us.
5.6 No Automated Decision-Making/Profiling
There is no profiling and no automated decision-making within the meaning of Art. 22 GDPR; detection is rule-based and local.
6. Website: Use and Services
6.1 Visiting the Website (Server Log Files)
For purely informational use we process log data (truncated IP address, date/time, URL accessed, referrer URL, HTTP status, data volume, browser/version/language, operating system, GMT time-zone offset).
Purpose/Legal basis: stability, security, error analysis (Art. 6(1)(f) GDPR); Section 25(2) No. 2 TDDDG for strictly necessary access.
Retention: according to technical/security needs, then deletion/anonymisation.
6.2 Contact (Email/Contact Form)
Data: your email address, name and any information you provide.
Purpose/Legal basis: handling enquiries (Art. 6(1)(b) or (f) GDPR).
Retention: until the request is completed; statutory retention may apply (then processing is restricted).
6.3 Newsletter (optional)
Data: email address (double opt-in), technical metadata (truncated IP, timestamps), interaction data (opens/clicks via web beacons/tracking pixels; pseudonymised).
Purpose/Legal basis: sending based on your consent (Art. 6(1)(a) GDPR). You can unsubscribe at any time.
Retention: until withdrawal/unsubscription.
6.4 Cookies & Consent Management
We use cookies and similar technologies. Categories:
Strictly necessary (e.g., storing consent choices, security) – Section 25(2) No. 2 TDDDG.
Analytics/Performance, Marketing/Retargeting, Convenience/Sharing – only with consent (Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR).
You can change your choices at any time in the cookie banner/consent tool (with future effect). Specific cookie names/durations are shown there.
6.5 Analytics and Marketing Tools (loaded only with consent)
6.5.1 Google Analytics 4 (GA4) – optional: Google Signals & User-ID
Provider: Google Ireland Limited (EU/EEA); parent company Google LLC, USA.
Function: audience/usage analytics. GA4 sets cookies; IPs are truncated; we receive aggregated reports/statistics.
Optional:
Google Signals (cross-device reporting for signed-in Google users with personalised ads enabled).
User-ID (cross-device session linking if you hold an account with us and are signed in).
Legal basis: consent (Art. 6(1)(a) GDPR; Section 25(1) TDDDG). Withdraw any time in the consent tool.
Retention in GA4: user/event data typically 2–14 months (project setting).
International transfers: USA possible; safeguarded via the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
6.5.2 Google Tag Manager (GTM)
Function: manages/loads tags; GTM itself does not set cookies but can trigger other tools (IP may be technically processed).
Legal basis: consent (Art. 6(1)(a) GDPR) where not strictly necessary.
Transfers: as above (DPF/SCCs).
6.5.3 YouTube (two-click solution)
Provider: Google Ireland Limited/Google LLC.
Function: video embedding. Activation only after your click/consent; only then is a connection to YouTube/Google established, and cookies/tracking may occur.
Legal basis: consent (Art. 6(1)(a) GDPR; Section 25(1) TDDDG).
Transfers: as above (DPF/SCCs).
6.5.4 Meta/Facebook Pixel (Meta Platforms)
Function: conversion tracking and audience building/retargeting for Meta ads.
Legal basis: consent (Art. 6(1)(a) GDPR; Section 25(1) TDDDG).
Notes: data may be linked to Meta profiles; ad preferences e.g. at https://www.facebook.com/adpreferences/ad_settings.
Transfers: USA possible (DPF/SCCs).
6.5.5 LinkedIn Insight Tag / LinkedIn Pixel
Function: reach measurement, conversion tracking, audience building.
Legal basis: consent (Art. 6(1)(a) GDPR; Section 25(1) TDDDG).
Transfers: USA possible (DPF/SCCs).
6.5.6 Twitter/X Pixel
Function: conversion tracking and targeted ads on/through X.
Legal basis: consent (Art. 6(1)(a) GDPR; Section 25(1) TDDDG).
Transfers: USA possible (DPF/SCCs).
7. Links to Third-Party Websites
Our online offering contains links to third-party websites. We have no influence on their content or data processing and assume no responsibility. Please refer to the privacy notices of those providers. No data are transmitted to a third party until you click a link and leave our Website.
8. Recipients, Processors, International Transfers
Recipients/Processors: IT and hosting providers, newsletter services and consent management platforms — each based on Art. 28 GDPR (data processing agreement).
Authorities/public bodies: only where legally required (Art. 6(1)(c) GDPR).
Third countries: transfers (e.g., to US providers) may occur; safeguarded via the DPF, SCCs, or other appropriate safeguards pursuant to Art. 44 et seq. GDPR.
9. Retention Periods (Website)
Server logs: for technical/security needs, then deletion/anonymisation.
Contact/support: until your request is resolved; statutory retention may apply (then processing is restricted).
Newsletter: until withdrawal/unsubscription.
Cookies/pixels: per category/duration; details in the consent tool.
10. Data Security
We implement technical and organisational measures pursuant to Art. 32 GDPR.
App: runs offline, relying on iOS/Android security mechanisms.
Website: TLS encryption (HTTPS), system hardening, access and authorisation controls.
11. Your Rights (GDPR)
You have the rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and withdrawal of consent (Art. 7(3)).
You may lodge a complaint with the competent supervisory authority (see Section 2).
App note: As the App does not transmit data to us, we will normally refer you to device-level measures (permissions/settings/deletion/uninstall).
12. No Obligation to Provide Data
There is no legal obligation to provide data. Without contact permission, the App cannot perform its core function. Without consent to optional cookies/tracking, the Website remains usable, possibly with limited functionality.
13. App Stores, OS Services & Diagnostics
Downloading via App Stores (Apple App Store/Google Play) is subject to those providers’ privacy terms (e.g., payment, usage, diagnostics).
Depending on your device settings, system crash/diagnostic data may be sent to the platform provider; we do not receive these data.
14. Purpose Change
(1) We process personal data only for the purposes described in this policy.
(2) Any further processing for other purposes will occur only where a legal basis permits it (Art. 6 GDPR) and — where required — after prior information and/or with your consent (Art. 6(1)(a) GDPR).
(3) Where further processing relies on Art. 6(1)(f) GDPR (legitimate interests), we assess purpose compatibility beforehand (Art. 6(4) GDPR).
(4) We will inform you about purpose changes (e.g., in the App/on the Website) and amend this policy accordingly.
15. Definitions (Short Version per Art. 4 GDPR)
Personal data: any information relating to an identified or identifiable natural person (e.g., name, email, phone, user IDs).
Processing: any operation on personal data (e.g., collecting, storing, reading, transmitting, deleting).
Controller: the entity that determines the purposes and means of processing (here: Efficient Operations GmbH for the Website/support, etc.).
Processor: a service provider processing data on behalf of the controller (e.g., hosting, newsletter) — with an Art. 28 GDPR agreement.
Recipient/Third party: persons or entities to whom personal data are disclosed (excluding the data subject, controller, processor).
Consent: a freely given, informed and unambiguous indication of wishes for a specific purpose.
Third-country transfer: transfer of personal data to countries outside the EEA; safeguarded, e.g., via EU-US DPF and/or SCCs.
End-user device / Cookies & similar tech: read/write access on your device; strictly necessary access is permitted under Section 25(2) No. 2 TDDDG; all other access requires consent (Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR).
16. Changes to This Policy
Legal, technical or functional changes may require updates to this policy. The current version will be provided in the App and/or on the Website.
Contact for privacy matters: support@heyclient.app (or by post to the address in Section 2).