Privacy Policy
Last updated: May 1, 2026
itshello.io ("we", "us", the "Service") is operated by Hello.io Technologies. This page explains what data we collect, why we collect it, how we use it, and your choices around it. If anything here is unclear, email us at privacy@itshello.io.
1. Who we are and what we do
itshello.io is an iMessage-native AI character platform. Creators and businesses build AI characters that text with their fans / customers over iMessage. Some characters can take real actions on a user's behalf — for example, sending email, generating documents, or saving files to Google Drive — when the user explicitly grants that permission.
2. Data we collect
Account & conversation data
- Phone number — required for iMessage delivery.
- Display name — what we call you in conversations, if you tell us.
- Conversation content — the messages you send to AI characters and their replies, for the purpose of providing the service. Messages are stored encrypted at rest.
- Optional metadata — anything you voluntarily share (preferences, location mentioned in chat, etc.) is stored alongside your conversation so the AI can remember context.
- Approximate location — derived from your phone's area code only, never GPS. Used for time-of-day context.
Google Account data we access
When you tap a "Connect Google" link sent to you in iMessage, we ask Google for a narrow set of scopes:
- openid, userinfo.email — your email address and a stable Google user ID, used solely to display which account is connected and to identify your connection across sessions. We do not use this for advertising or share it with third parties.
- https://www.googleapis.com/auth/drive.file — permission to create and manage only the files our Service creates in your Drive. We cannot see, edit, or delete any other file in your Drive. Used when you ask the AI to save something to your Drive.
- https://www.googleapis.com/auth/gmail.send — permission to only send email on your behalf. We cannot read, modify, or delete email in your inbox. Used when you explicitly ask the AI to send an email from your Gmail account.
We never store the contents of your Drive or your Gmail. We store the OAuth access token and refresh token (encrypted at rest with AES-256) so we can perform the actions you ask for without re-prompting on every request. You can revoke access at any time at myaccount.google.com/permissions — once revoked, our copy of the tokens stops working immediately.
Payment data
Payments are processed by Stripe. We never see, store, or have access to your full credit card number. We store the last 4 digits and a Stripe customer ID for receipt and refund purposes.
Telemetry
We log standard server telemetry (request paths, status codes, timing) to debug issues and detect abuse. Logs are retained for 30 days.
3. How we use Google user data, specifically
Google requires us to call this out plainly. itshello.io's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data only to provide the features the user explicitly invokes (Drive uploads, Gmail sends, displaying which account is connected).
- We do not transfer Google user data to third parties except as needed to provide the Service, comply with law, or protect against misuse.
- We do not use Google user data for serving advertisements, including retargeting or interest-based ads.
- We do not allow humans to read Google user data unless we have your specific consent, it's required for security purposes, to comply with law, or it's aggregated and anonymized for internal operations.
4. How we share data
We share data only in these specific cases:
- AI model providers — Anthropic, OpenAI, and ElevenLabs receive conversation content as needed to generate replies, voice, and images. They are bound by data-processing agreements that prohibit them from training on or storing your content beyond the immediate request.
- iMessage delivery — Sendblue (and through them, Apple iMessage) handle the actual message delivery to your phone.
- Storage — Supabase hosts our encrypted database and file storage.
- Stripe — handles payments.
- Resend — sends transactional email from the platform's own address.
- Law enforcement — we will respond to lawful court orders and subpoenas, with notice to affected users where legally permissible.
5. Data retention
- Conversation history: kept for as long as your account is active, or until you ask us to delete it.
- Google OAuth tokens: kept until you revoke them at myaccount.google.com/permissions or until you ask us to delete your account, whichever is sooner.
- Server logs: 30 days.
- Backup snapshots: 90 days; data deleted from the live database is purged from backups within that window.
6. Your rights
You can:
- Disconnect your Google account any time at myaccount.google.com/permissions or from inside our Service.
- Request a copy of all data we hold about you by emailing privacy@itshello.io. We'll respond within 30 days.
- Request deletion of your account and all associated data by emailing the same address. Honored within 30 days.
- Opt out of further messages by replying STOP to any iMessage from a Hello character.
7. Security
We use AES-256 encryption at rest for sensitive fields (including OAuth tokens), TLS 1.2+ in transit, row-level security on every database table, and signature verification on inbound webhooks. We disclose any data breach affecting your information within 72 hours of discovery.
8. International users
Our infrastructure is located in the United States. By using the Service, you consent to your data being transferred to and stored in the U.S. We comply with applicable data-protection laws including GDPR (for EU users) and CCPA (for California users).
9. Children
The Service is not directed to children under 16. We do not knowingly collect data from children under 16; if you believe we have, contact us and we'll delete it.
10. Changes to this policy
If we make material changes — adding new scopes, new data categories, new sharing partners — we'll notify users via iMessage at least 14 days before the change takes effect. The "Last updated" date at the top reflects the latest revision.
11. Contact
Hello.io Technologies
Email: privacy@itshello.io
For Google data-handling questions specifically: privacy@itshello.io