Skip to content

Privacy Policy

Last updated: April 21, 2026

1. Introduction

Hey Motek ("Hey Motek," "we," "us," or "our") operates the websites heymotek.com, app.heymotek.com, and api.heymotek.com, as well as related advertising attribution and WhatsApp lead tracking services (collectively, the "Service").

Hey Motek is an Israeli company. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our Service. By using the Service, you agree to the practices described in this policy.

This policy applies to three groups of data subjects:

  • Customers — business owners, agencies, and marketers who subscribe to our Service to track their advertising performance.
  • Visitors — individuals who visit our Customers' websites where our tracking snippet is installed.
  • Correspondents — individuals who send WhatsApp messages to Customer tracking numbers provided by us.

Controller vs. Processor: For Visitor and Correspondent data collected through the Service, our Customers are the data controllers — they determine the purposes and means of processing on their own websites and for their own advertising accounts. Hey Motek acts as a data processor, processing this data on behalf of the Customer to provide the Service. A Data Processing Agreement (DPA) is available upon request for Customers who require one.

For Customer account data (information provided when subscribing and using our platform), Hey Motek acts as the data controller.

Consent: If you do not consent to our data collection and processing practices as described in this policy, you will not be able to create an account or use the Service. Use of the Service requires acceptance of these terms.

2. Data We Collect

2.1 Customer Account Information

When a Customer creates an account, we collect:

  • Name and email address
  • Phone number (for WhatsApp lead notifications)
  • Company name and website
  • Billing information (processed by our payment provider — we do not store credit card numbers)
  • OAuth tokens for Google Ads and Facebook Ads accounts (encrypted at rest)

2.2 Visitor Tracking Data

Our JavaScript tracking snippet, when installed on a Customer's website, collects the following from Visitors:

  • Visitor identifier (first-party cookie, _wat_id, valid 1 year)
  • Click identifiers: Google Click ID (gclid), Facebook Click ID (fbclid)
  • UTM parameters: source, medium, campaign, term, content
  • Referring URL, landing page, and current page URL
  • Browser user agent, approximate device type, and IP address (hashed before storage)
  • Timestamps of page views and WhatsApp button clicks

We do not use browser fingerprinting, behavioral tracking, or cross-site tracking. Visitor data is collected solely to attribute advertising performance for the Customer whose website the snippet is on.

2.3 WhatsApp Message Data

When a Correspondent sends a WhatsApp message to a Customer's tracking number, we collect and process:

  • Correspondent's WhatsApp phone number
  • WhatsApp display name (ProfileName, as provided by WhatsApp)
  • Message text content
  • Message timestamp and unique message ID
  • Approximate geographic location (country, city) where available from WhatsApp
  • For Facebook Click-to-WhatsApp ads: ad ID, ad headline, ad copy, and click tracking ID (provided by Meta)
  • Media attachments (images, documents) if the Correspondent sends them

2.4 Chatbot Data

When you interact with our website chatbot, we collect:

  • Chat conversation history
  • Name and email (when provided)
  • Country (detected automatically)
  • Page you were visiting

2.5 Usage Data

We automatically collect data about how you use our websites and platform:

  • Pages visited and interactions on heymotek.com and app.heymotek.com
  • Browser type, device information, and IP address
  • Referral source

2.6 Cookies

We use two categories of cookies: (1) analytics cookies on our own marketing website, and (2) first-party tracking cookies placed on Customers' websites by our JavaScript snippet. See Section 10 for details.

3. How We Use Your Data

We use data for the following purposes, along with the legal basis for each:

  • Provide the Service — match advertising clicks to WhatsApp messages, create leads, deliver notifications. Legal basis: contractual necessity
  • Fire offline conversions to advertising platforms — upload attribution data (including hashed phone numbers) to Google Ads and Facebook (Meta) so their algorithms can optimize campaigns. Legal basis: contractual necessity (on behalf of the Customer as controller)
  • Process WhatsApp messages — receive and respond to WhatsApp messages via Twilio and Meta. Legal basis: contractual necessity
  • Notify business owners — instant WhatsApp, SMS, or email notifications when new leads arrive. Legal basis: contractual necessity
  • Generate dashboards and reports — display lead lists, campaign analytics, and conversion data in the Customer's dashboard. Legal basis: contractual necessity
  • Send marketing communications — product updates, tips, and offers (you can opt out at any time). Legal basis: consent
  • Improve the Service — analyze usage patterns to make the product better. Legal basis: legitimate interest
  • Provide support — respond to questions and resolve issues. Legal basis: contractual necessity
  • Process payments — manage subscriptions and billing. Legal basis: contractual necessity
  • Comply with legal obligations — meet regulatory requirements. Legal basis: legal obligation

4. Third Parties We Share Data With

We share data with the following service providers (sub-processors), solely to operate the Service:

Provider Purpose Data Shared
Twilio WhatsApp messaging infrastructure Phone numbers, message content
Meta (WhatsApp Business API) WhatsApp message delivery Phone numbers, message content
Google Ads API Offline conversion uploads Hashed phone numbers, gclid, conversion timestamps
Facebook Conversions API (Meta) Offline conversion uploads Hashed phone numbers, fbclid, conversion timestamps
Google Analytics (GA4) Conversion reporting to Customers' GA4 properties Conversion events, hashed identifiers
Supabase Database hosting All Service data
Google Cloud Platform Application hosting (API server) All Service data
Cloudflare Dashboard hosting, DNS, DDoS protection Web traffic metadata
Firebase Authentication Account credentials
Stripe / Paddle Payment processing Billing information
Resend Email delivery Email addresses, notification content
Google Analytics Analytics on heymotek.com (our marketing site) Usage data, cookies

We do not sell personal data to third parties. We do not share data for advertising purposes, except for offline conversion uploads to Google Ads and Meta performed on behalf of our Customers as part of the Service.

5. Privacy Commitments

When processing advertising attribution and WhatsApp message data, we adhere to the following principles:

  • Matching — we match incoming WhatsApp messages to advertising attribution data using signals collected during the Visitor's session. Matching is automated and subject to limitations described in our Terms of Service.
  • No fingerprinting — we do not use canvas, WebGL, audio, or other fingerprinting techniques to identify Visitors.
  • No cross-site tracking — our cookies are first-party on the Customer's own domain. We do not track Visitors across unrelated websites.
  • Offline conversion hashing — when firing conversions to Google Ads and Meta, phone numbers are hashed with SHA-256 before transmission, following each platform's Enhanced Conversions / Conversions API specifications.
  • No model training on your data — we do not use Customer, Visitor, or Correspondent data to train machine learning models.

6. Data Security

We implement technical and organizational measures to protect your data, including:

  • Encryption in transit (HTTPS/TLS)
  • Encryption of sensitive credentials at rest (OAuth tokens, API keys)
  • Secure cloud infrastructure (Google Cloud Platform, Cloudflare)
  • Access controls and authentication (Firebase)
  • Row-level security (RLS) enforced at the database level for multi-tenant isolation
  • Regular security reviews

While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Data Breach Notification: In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities within 72 hours of becoming aware of the breach, as required by applicable law.

7. Data Retention

We retain data for as long as the Customer account is active and for a reasonable period thereafter to fulfill legal obligations, resolve disputes, and enforce agreements.

  • Customer account data — retained while the account is active and for 12 months after account closure
  • Click events and visitor tracking data — retained for 90 days for analytics and debugging; attribution snapshots retained with associated lead
  • WhatsApp messages and lead records — retained for the duration of the subscription plus 12 months after account closure
  • Conversion upload logs — retained for 25 months (standard advertising attribution window)
  • Chatbot conversations — retained for 12 months
  • Usage and analytics data — retained for 26 months (Google Analytics default)
  • Billing records — retained for 7 years as required by law

Customers may request deletion of their data, Visitor data, or Correspondent data at any time by emailing us at [email protected]. We will process deletion requests within 30 days, subject to legal retention requirements.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of your personal data
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data
  • Restriction — request that we limit how we use your data
  • Data portability — request your data in a structured, machine-readable format
  • Opt-out of sale / sharing — California residents may opt out via our Do Not Sell or Share My Personal Information page
  • Opt-out of marketing — unsubscribe from marketing communications at any time
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time

For Visitor and Correspondent data, rights requests should first be directed to the Customer whose website or tracking number the data relates to (they are the data controller). If you are unable to reach the Customer, email us at [email protected] and we will assist.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

9. International Data Transfers

Hey Motek is based in Israel. Your data may be transferred to and processed in countries outside of Israel, including the United States, where several of our service providers (Meta, Google, Twilio, Cloudflare) operate.

Israel is recognized by the European Commission as providing an adequate level of data protection. For transfers to other countries, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) and data processing agreements with our sub-processors.

10. Cookies

We use two categories of cookies:

10.1 Cookies on heymotek.com (our marketing website)

Cookie Provider Purpose Duration
_ga, _ga_* Google Analytics Distinguish unique visitors, track page views 2 years

10.2 Cookies on Customer websites (our tracking snippet)

Cookie Provider Purpose Duration
_wat_id Hey Motek (first-party, on Customer's domain) Unique visitor identifier for matching WhatsApp messages to website visits 1 year
_wat_attr Hey Motek (first-party, on Customer's domain) Attribution data (UTMs, gclid, fbclid) captured at first visit 30 days

Our tracking cookies are first-party only (set on the Customer's own domain). They are used exclusively for attribution. We do not use advertising cookies, social media tracking cookies, or cross-site tracking cookies.

Visitors can disable or delete cookies through their browser settings. Customers are responsible for disclosing our tracking cookies in their own privacy policy and, where required by law (e.g., GDPR, ePrivacy), obtaining appropriate consent from their Visitors before our snippet activates.

11. Additional Features

Some advanced features may collect additional data beyond what is described above (for example, voice recordings, call transcripts, or expanded analytics). These features are optional and only activated if you explicitly subscribe to them. We will update this Privacy Policy and notify you before enabling any new category of data collection.

12. Children

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes, we will notify registered Customers by email.

Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

14. Data Protection Officer

Our Data Protection Officer (DPO) is Barak Toledano, reachable at [email protected].

15. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights:

Hey Motek — Privacy
DPO: [email protected]
General inquiries: [email protected]
Website: heymotek.com

A Data Processing Agreement (DPA) is available upon request for Customers who require one for compliance purposes.