Privacy Policy

Effective: April 16, 2026 · Last updated by HeyMall, Inc. (also known as Tycoon).

1. Who This Applies To

This Privacy Policy describes how HeyMall, Inc. (also known as Tycoon) (“Tycoon,” “we,” “us,” or “our”) handles information we collect when you use the Tycoon platform, website, and related services (the “Service”). It applies to all users — founders, operators, team members, and visitors.

By using the Service, you agree to the collection and use of your information as described here. If you don’t agree, please don’t use the Service.

2. What We Collect

Information you give us directly:

  • Account details: name, email address, and profile picture (via WorkOS AuthKit)
  • Business information: your company name, description, goals, and growth stage
  • Conversations with the AI CEO and your AI team — every message, instruction, and reply
  • Tasks you create or approve, and any feedback you give on AI outputs
  • Files or documents you upload to the platform
  • Payment information (processed by Stripe — we never see or store raw card numbers)
  • Credentials and API keys you provide so that AI agents can act on your behalf (for example, OAuth tokens for Gmail, Slack, Google Workspace, HubSpot, Stripe, Shopify, and similar services). These may include what CCPA classifies as “sensitive personal information,” and we store them encrypted and use them only to operate the Service on your instructions.

Information we collect from third-party services you connect:

  • Content and metadata from integrations you authorize — for example, emails and contacts from Gmail; messages and members from Slack; documents from Google Drive; customers, products, and orders from Stripe or Shopify; leads and deals from CRMs; ads, campaigns, and spend from advertising platforms; and analytics from your marketing tools.
  • We pull this data so that the AI CEO and the other AI agents can understand the state of your business and take actions you’ve asked them to take. We do not pull data from services you haven’t explicitly connected.

Agent-generated and action data:

  • Records of autonomous actions taken by AI agents under your account — including the action type, inputs, outputs, target service, timestamp, and outcome. We keep these logs so you can audit what the agents did on your behalf and so we can investigate incidents and billing disputes.
  • Usage and cost metrics: token consumption, API calls, third-party spend attributed to agent actions, and similar data used for billing, usage-based fees, and pass-through cost calculations.

Information we collect automatically:

  • Usage patterns: which features you use, how often, and for how long
  • Log data: IP address, browser type, operating system, referring URL, pages visited
  • Device identifiers and session tokens used for authentication and security
  • Error reports and performance data to help us debug and improve the platform

3. How We Use Your Information

We use your information to:

  • Run and improve the Tycoon platform and the AI CEO’s capabilities
  • Personalize the AI CEO’s responses to your business context and goals
  • Route work to the right AI agents and maintain continuity across sessions
  • Execute autonomous actions on your behalf (sending communications, calling third-party APIs, making purchases, publishing content, and similar) when you have authorized those integrations — as described in Section 6 of the Terms of Service
  • Process payments, apply usage-based and pass-through charges, and manage your subscription
  • Send transactional emails (receipts, product updates, security alerts)
  • Detect abuse, fraud, and security threats, and maintain audit logs of agent activity
  • Comply with legal obligations and enforce our Terms of Service
  • Improve the quality and capabilities of our AI models and platform features (see Section 4)
  • Produce aggregated, de-identified, or anonymized data and benchmarks for research, product development, and commercial offerings — without exposing your identifiable information

Legal basis (EEA / UK / Switzerland): For users subject to the GDPR or UK GDPR, we process personal data on the following legal bases: (a) performance of our contract with you (to provide the Service and execute authorized agent actions); (b) our legitimate interests in operating, securing, and improving the Service and our business, including AI model development; (c) your consent, where required (for example, for certain cookies or optional marketing); and (d) compliance with legal obligations.

4. Service Improvement and Derived Data

We continually work to improve the quality, reliability, and capabilities of the Service. As part of this effort, we may use information derived from your use of the platform — including interaction patterns, usage data, task outcomes, and feedback — to operate, maintain, develop, improve, and enhance the Service, our AI models and algorithms, and our broader technology and product offerings.

We may create de-identified, aggregated, statistical, or otherwise anonymized data from Your Content or your use of the Service (“Derived Data”). Once data has been de-identified, it is no longer personal information. We may use, retain, disclose, and commercialize Derived Data for any lawful purpose without restriction or obligation to you, including to develop products, generate industry insights and benchmarks, improve our models, and support our business operations. This right is perpetual and survives termination of your account.

We will not disclose your identifiable business information to other individual users of the platform. If you have questions about how your data is used, you may contact us at support@tycoon.us.

5. Who We Share Data With

We do not sell your personal information. We share data only in the following circumstances:

  • Infrastructure and hosting: Our servers run on Google Cloud Platform and AWS. Your data is stored and processed in the United States.
  • AI model APIs: We send your conversation content to large language model APIs (Anthropic Claude via AWS Bedrock) to generate AI responses. These providers process your content under their own data processing agreements with us and may not use it to train their public models.
  • Authentication: We use WorkOS to manage sign-in and identity. User account data flows through WorkOS under a data processing agreement.
  • Payments: Stripe processes all payment transactions. We share only the data necessary for billing.
  • Third-party services you connect: When you authorize an integration (Gmail, Slack, Google Workspace, HubSpot, Shopify, Stripe, Google Ads, Meta Ads, CRMs, email providers, and similar), AI agents acting on your behalf will send and receive data from that service using the credentials you provide. We share only the data necessary for the specific action you or your agent requested. Those third parties process your data under their own privacy policies and data processing agreements with you.
  • Legal obligations: We may disclose your information if required by law, subpoena, court order, or to protect the rights, property, or safety of Tycoon, our users, or the public.
  • Business transfers: If Tycoon is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

6. Data Retention

We keep your account data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 90 days, subject to legal retention requirements.

De-identified or aggregated data derived from your account may be retained indefinitely after account deletion for service improvement purposes (see Section 4). Log data is retained for up to 12 months.

Agent action logs — records of autonomous actions taken by AI agents under your account — are retained for at least the duration of your account plus 24 months, so that we can support audits, billing disputes, incident investigations, and legal or regulatory inquiries.

We may also retain data longer than the periods described above where we are required or permitted to do so by law, to comply with legal or tax obligations, to respond to governmental or law-enforcement requests, or to establish, exercise, or defend legal claims (a “legal hold”).

7. Security

We use industry-standard security practices including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, regular security reviews, and least-privilege access policies for employees. Credentials and API keys you provide for third-party integrations are stored encrypted and are never logged in plaintext.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at support@tycoon.us.

Data breach notification. In the event of a security breach that results in unauthorized access to, or disclosure of, your personal data, we will: (a) notify affected users without undue delay and, where required by GDPR, within 72 hours of becoming aware of the breach; (b) notify the relevant supervisory authority as required by applicable law; and (c) provide details of the nature of the breach, the data affected, the likely consequences, and the measures we have taken or propose to take. We maintain an incident response plan and conduct regular security assessments to minimize the likelihood and impact of breaches.

8. Cookies and Tracking

We use session cookies for authentication (to keep you logged in) and preference cookies to remember your settings. We do not use third-party advertising trackers or sell cookie data to advertisers.

We may use analytics tools (such as simple page-view counters) to understand how users navigate the platform. You can disable cookies in your browser settings; doing so will prevent you from staying logged in.

9. Your Rights and Choices

Depending on where you live, you may have the right to:

  • Access / know: Request a copy of the personal data we hold about you and how we use it
  • Correction: Ask us to fix inaccurate data
  • Deletion: Request deletion of your account and associated personal data
  • Portability: Receive your data in a machine-readable format
  • Opt out of service improvement use: As described in Section 4
  • Complaint: Lodge a complaint with your local data protection authority

California residents (CCPA/CPRA). If you are a California resident, you also have the right to:

  • Opt out of sale or sharing of personal information. We do not sell personal information in the traditional sense, but certain data sharing with third parties (including analytics and AI model providers) may qualify as “sharing” under CPRA. You may opt out by emailing support@tycoon.us with the subject line “Do Not Sell or Share.”
  • Limit use of sensitive personal information (such as connected-service credentials and API keys). Because these are strictly required to operate the Service on your instructions, our use is already limited to that purpose.
  • Non-discrimination: We will not deny, degrade, or charge different prices for the Service because you exercised a privacy right under California law.
  • Authorized agent: You may designate an authorized agent to submit requests on your behalf. We will require reasonable proof of authorization and, in most cases, verification of your identity.

To exercise any of these rights, email us at support@tycoon.us. We will respond within 30 days (or 45 days for CCPA requests, extendable once under law). Before fulfilling a request that could reveal or affect personal information, we will take reasonable steps to verify your identity — typically by confirming control of the email address on file or asking you to confirm information we already hold.

10. Children

Tycoon is not directed at or intended for anyone under 18. We do not knowingly collect personal information from minors. If we learn we have collected data from someone under 18, we will delete it promptly.

11. International Users

Our servers are located in the United States. If you access Tycoon from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.

For users in the European Economic Area, the UK, or Switzerland, this transfer is conducted under Standard Contractual Clauses as approved by the European Commission. You may request a copy of the applicable transfer mechanism by emailing us.

12. Changes to This Policy

We will notify you of material changes to this Privacy Policy by email or via in-product notice at least 14 days before they take effect. Minor changes (such as grammar corrections or clarifications that don’t change how we use your data) may be posted without advance notice. The “effective date” at the top of this page reflects the most recent update.

13. Contact

For privacy questions, data requests, or to report a concern, contact us at support@tycoon.us.

HeyMall, Inc. (also known as Tycoon) · Wilmington, Delaware, United States