1. Data Controller
The controller of your personal data is:
EUREKA INNOVATIONS LLC — EIN: 38-4325432
254 Chapman Rd, Ste 208 #18613, Newark, Delaware 19702, USA.
Contact email: legal@heysally.io
Sally has not appointed a Data Protection Officer (DPO) as it falls below the mandatory threshold. For any privacy-related inquiries, you can contact us directly at legal@heysally.io.
2. Data We Collect
Data you provide directly
When you create an account or use the platform, we collect the data you provide to us: full name and company name, email and phone number, tax address and tax identification number, access credentials (passwords are always stored in hashed format, never in plain text), and billing data such as cardholder name and billing address. Credit card data is processed exclusively by Stripe, and Sally never stores or has access to it.
Data we collect automatically
When you use the platform, we automatically collect certain technical and usage data: IP address, browser type and operating system, pages visited and features used, response times and activity logs, and session identifiers. This data is used to ensure proper service operation, detect errors, and improve the user experience.
Third-party contact data (prospecting functionality)
When you use Sally for B2B prospecting activities, the platform may provide you with access to business contact data (name, company, job title, professional email, phone) obtained through specialized data providers.
It is important that you understand that in relation to this data:
- Sally acts exclusively as a technological intermediary. You, as the Client, are the controller of this data for your own prospecting activities.
- Data providers operate under their own privacy policies and regulatory compliance frameworks, which Sally reviews with reasonable diligence.
- You, as the Client, are solely responsible for verifying that you have an adequate legal basis to contact the individuals you access through the platform, in compliance with Article 6 of the GDPR or the equivalent regulations in your jurisdiction.
- If you are an individual whose data appears on the platform and wish to exercise any rights, write to us at legal@heysally.io. We will forward your request to the relevant data provider.
3. How We Use Your Data
We process your personal data for the following purposes, always with a legal basis that justifies it:
- Provision of the contracted service (legal basis: contract performance, Art. 6.1.b GDPR). To give you access to the platform, manage your account, process payments, and provide support.
- Contractual management (legal basis: contract performance). To manage the Order Form, renewals, cancellations, and communications related to your subscription.
- Compliance with legal obligations (legal basis: legal obligation, Art. 6.1.c GDPR). To comply with tax, accounting, or regulatory requirements from competent authorities.
- Product improvement (legal basis: legitimate interest, Art. 6.1.f GDPR). To analyze platform usage with aggregated or pseudonymized data and improve features.
- Security and fraud prevention (legal basis: legitimate interest). To detect unauthorized use, prevent fraud, and ensure platform integrity.
- Commercial communications (legal basis: consent, Art. 6.1.a GDPR). To inform you about new features, product updates, or Sally offers. You may withdraw this consent at any time by writing to us at legal@heysally.io.
4. How Long We Retain Your Data
We retain your data only for as long as strictly necessary for each purpose:
- Active account data: for the duration of the contractual relationship.
- Cancelled account data: 60 days from cancellation to facilitate reactivation, followed by deletion or anonymization.
- Billing and contract data: 5 years from the date of issuance, for tax and commercial obligations.
- Activity logs: 12 months from generation.
- Support communications: 2 years from the last interaction.
- Marketing consent data: until consent is withdrawn plus 3 additional years to demonstrate compliance.
5. Who We Share Your Data With
Sally may share your data with the following third parties, always under appropriate safeguards and only to the extent necessary for each purpose:
- Stripe Inc. (USA) — Payment processing. Stripe is compliant with PCI-DSS Level 1 and has Standard Contractual Clauses for international transfers. You can view their policy at stripe.com/legal.
- B2B data providers — Access to business contacts for the prospecting functionality. Each provider operates under its own privacy policies.
- Cloud infrastructure providers — Hosting, storage, and data processing, contracted under GDPR-compliant data processing agreements.
- Analytics providers — Platform performance analysis with pseudonymized or aggregated data.
- Legal advisors and auditors — Only when strictly necessary and under confidentiality agreements.
- Competent authorities — When there is a legal obligation or valid judicial request.
Sally does not sell or transfer your personal data to third parties for their own marketing or advertising activities.
6. International Data Transfers
Sally is incorporated in Delaware, USA, so data processing may involve transfers outside the European Economic Area (EEA). When this occurs, we ensure that transfers are made with appropriate safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission, adherence by processors to the EU-U.S. Data Privacy Framework when applicable, and data processing agreements with specific security and confidentiality clauses.
You may request information about the specific safeguards applicable to your case by writing to legal@heysally.io.
7. Your Rights
In accordance with the GDPR, you have the following rights in relation to the processing of your personal data:
- Access (Art. 15 GDPR): obtain confirmation of whether we process your data and access it.
- Rectification (Art. 16 GDPR): request correction of inaccurate or incomplete data.
- Erasure (Art. 17 GDPR): request deletion of your data when it is no longer necessary for the purpose for which it was collected.
- Restriction (Art. 18 GDPR): request that we suspend processing in certain circumstances while a complaint is resolved.
- Data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format, or request that we transmit it to another controller.
- Objection (Art. 21 GDPR): object to processing based on legitimate interest or processing for direct marketing purposes.
- Withdrawal of consent: withdraw at any time any consent you have given, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, send your request to legal@heysally.io clearly indicating the right you wish to exercise and enclosing a copy of your ID. We will respond within a maximum of 30 days, extendable to 60 days in cases of particular complexity. Exercising rights is free of charge, except for manifestly unfounded or excessive requests.
If you reside in the European Union and believe that the processing of your data does not comply with regulations, you may also lodge a complaint with your local data protection supervisory authority.
8. Data Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, destruction, or accidental disclosure. Among other measures, all communications are encrypted in transit via TLS/HTTPS, passwords are stored in hashed format with secure algorithms (never in plain text), payment data is processed exclusively by Stripe under PCI-DSS Level 1 standards, internal access to production data is restricted by role and strict operational necessity, and we continuously monitor the platform to detect security incidents.
In the event of a security breach that may affect your rights and freedoms, we will notify the relevant supervisory authorities within 72 hours of becoming aware of the incident, and those affected without undue delay when the risk is high, in accordance with Articles 33 and 34 of the GDPR.
9. Minors
Sally is a B2B platform intended exclusively for professionals and businesses. It is not intended for individuals under 18 years of age, and we do not knowingly collect data from minors. If you become aware that a minor has provided their data on the platform, contact us at legal@heysally.io and we will proceed with immediate deletion.
10. Cookies and Similar Technologies
Sally uses cookies and similar technologies for platform operation and to improve the user experience. We use strictly necessary cookies for session, authentication, and security (no consent required), functional cookies to remember your preferences, analytical cookies for aggregated analysis of platform usage, and Stripe cookies necessary for payment processing.
You can manage your cookie preferences from the platform settings panel or from your browser settings. Note that disabling strictly necessary cookies may affect service functionality. For more details, see our full Cookie Policy.
11. Data Processing Agreement (DPA)
If you are a client established in the European Union or process personal data of individuals located in the EU through Sally, it may be necessary to enter into a Data Processing Agreement (DPA) between your company and Sally, in accordance with Article 28 of the GDPR. You may request a DPA by writing to legal@heysally.io. Until a specific DPA is signed, this Section 11 and Section 14 of the Terms and Conditions govern the basic data processing conditions between the parties.
12. Modifications to this Policy
We may update this Privacy Policy to reflect changes in our practices, applicable legislation, or platform features. We will notify you of any material changes at least 30 days in advance by email and through a notice on the platform. Continued use of Sally after the changes take effect will constitute acceptance. The current version will always be available at heysally.io/privacy with the date of last update.
13. Contact
For any inquiries regarding the processing of your personal data or the exercise of your rights, you may contact Sally at:
- Email: legal@heysally.io
- Postal address: EUREKA INNOVATIONS LLC, 254 Chapman Rd, Ste 208 #18613, Newark, Delaware 19702, USA.
- Website: heysally.io