Privacy Policy — Heal by MYIA
Last updated: 30/06/2026
MYIA ("MYIA", "we", "us") operates Heal (heal.dev), a quality-assurance platform and desktop application that automatically tests software. This Policy explains how we handle personal data when you visit our website, use the Heal application, or interact with us. It is provided under Articles 13 and 14 of the GDPR and the French loi Informatique et Libertés.
1. Who is responsible
MYIA, société par actions simplifiée, SIREN 953 111 689, registered with the RCS of Paris, registered office at 59 rue de Ponthieu, Bureau 326, 75008 Paris, France, intra-EU VAT FR22953111689.
Contact for privacy matters: privacy@heal.dev.
Our DPO can be reached at privacy@heal.dev.
2. Controller and processor roles
For most data described here — your account, billing, usage analytics, crash reports, support, and the development of our models from anonymised data — MYIA is the controller.
When we process personal data on behalf of a Customer to run tests on their applications, MYIA acts as that Customer's processor, under the Data Processing Agreement. The Customer is the controller of that data and is responsible for informing the individuals concerned. The Heal Service is designed to operate on test data that does not contain personal data; Customers undertake not to submit production personal data.
3. What we collect, why, and on what legal basis
| Data | Purpose | Lawful basis (Art. 6 GDPR) |
|---|---|---|
| Account & identity (name, work email, account ID, User role) | Create and manage accounts, authenticate Users, provide the Service | Performance of contract (b); our legitimate interest in delivering the Service to our Customer's Users (f) |
| Billing & transaction data (company, billing contact, payment status) | Invoicing, payment, accounting | Contract (b); legal obligation to keep accounting records (c) |
| Usage & telemetry (features used, sessions, performance metrics) | Operate, secure, and improve the Service | Legitimate interest (f); consent for any non-essential storage on your device (see §7) |
| Basic crash reports (type of error and where it occurred in the code; no account information or test data) | Detect, diagnose and fix faults; keep the Service stable | Legitimate interest in maintaining and improving the Service (f) |
| Detailed crash diagnostics — optional, off by default (variable values in memory at the time of a crash, console logs, crash screenshots where enabled, and a link to your account; because it captures program state, it can include the content your app was processing, such as your test data) | Reproduce and fix crashes faster | Consent (a), given via the in-app setting; you can withdraw it at any time (see §7) |
| Screenshots & test artefacts (captures, logs, page structure) | Run tests and detect bugs (as processor); then, once anonymised, improve and train our own models (as controller) | Customer's basis (as processor); training uses only anonymised data, which is not personal data |
| Support & communications (messages, tickets) | Respond to requests, provide support | Contract (b) / legitimate interest (f) |
| Prospect & marketing data (business contact details) | B2B outreach, newsletters | Legitimate interest (f) / consent where required (a) |
| Business-relationship contacts (your staff's names/emails in the contract context) | Manage the commercial relationship | Legitimate interest (f) |
| Website cookies & similar | See our Cookie Policy | Consent, except strictly necessary cookies |
We do not seek to process special categories of data (Article 9). Please do not submit them.
4. AI and model improvement
Heal uses AI systems, including large language models operated by third-party providers (e.g. Anthropic, OpenAI), to generate and maintain tests and detect issues. We use these providers under their commercial API terms, which do not use your inputs or outputs to train their own models. Under Anthropic's commercial terms, inputs and outputs are retained only for a limited period (by default up to 30 days) for operational and safety purposes, and are not used for model training.
Separately, we improve and train our own models. We do this only on anonymised or aggregated data ("Aggregated Data") — test artefacts, page-structure data, and screenshots from which personal data has been irreversibly removed, or which have been aggregated, so they can no longer be linked to you, your Customer or any individual. We do not use personal data to train our models, and we apply filtering to exclude personal data before any training. Because Aggregated Data is not personal data, data-protection law does not apply to it and its use is governed by our Terms of Service (§8.5). Customers also warrant that the data they submit contains no personal data. We never use your data to train third-party providers' models, and under our AI providers' commercial terms your inputs and outputs are not used to train their models and are retained only for a limited period.
5. Who we share data with
We share personal data only with: (i) our sub-processors (hosting, AI inference, crash diagnostics, payment), listed in our Sub-processors list; (ii) professional advisers; (iii) authorities where legally required; and (iv) parties to a corporate transaction (merger, acquisition), under confidentiality. We do not sell personal data.
6. International transfers
Some sub-processors are located outside the European Economic Area (e.g. in the United States). Where that is the case, we rely on a valid transfer mechanism under Chapter V GDPR — the European Commission's Standard Contractual Clauses or, where applicable, the EU–U.S. Data Privacy Framework. You can request a copy of the relevant safeguards at privacy@heal.dev.
7. The Heal application and your device
The Heal desktop (macOS) application runs automated tests by driving a web browser, which captures screenshots of the application or website under test, not your screen, your desktop, or your other applications. These captures are processed only to run tests and detect issues, as described in this Policy. Separately, any non-essential analytics stored on or read from your device require your consent, which you can give or withdraw in the application settings (Article 82 loi Informatique et Libertés).
Detailed crash diagnostics (optional). Heal always sends basic crash reports (the type of error and where it occurred in the code) so we can keep the app stable; these contain no account information or test data. With your consent, given by enabling the setting in the application (which is off by default), Heal additionally collects, when a crash occurs, the values of variables in memory at that time, console logs, crash screenshots where you have enabled them, and a link to your account. Because this captures program state, it can include the content your app was processing, such as your test data. These detailed reports are sent to our error-monitoring provider, Sentry, and stored in the EU. You can withdraw this consent at any time by turning the setting off; this stops future detailed reports. To also delete detailed reports we have already received, contact privacy@heal.dev.
8. How long we keep data
| Data | Retention |
|---|---|
| Account data | Duration of the relationship + 12 months |
| Invoices / accounting records | 10 years (French commercial law) |
| Usage & basic crash reports | 12 months |
| Detailed crash diagnostics (opt-in) | 90 days at Sentry, or until you withdraw consent and request deletion |
| Prospect data | 3 years from last contact |
| Support communications | Duration of the relationship + 2 years |
Anonymised/Aggregated Data is retained without time limit, as it no longer identifies anyone.
9. Your rights
Under the GDPR you have the right to: access your data; rectify it; request erasure; restrict or object to processing (including profiling and direct marketing); portability; and to withdraw consent at any time. You may also define directives for the handling of your data after death (French law).
To exercise these rights, contact privacy@heal.dev. We will respond within one month. You may be asked to verify your identity.
If you believe your rights are not respected, you may lodge a complaint with the CNIL (3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr).
10. Security
We implement appropriate technical and organisational measures, including encryption in transit and at rest, access controls, and pseudonymisation/filtering of training data. See our security measures in the DPA, Annex 2.
11. Children
Heal is a professional tool not directed at, or intended for use by, anyone under 16.
12. Changes
We may update this Policy. Material changes will be notified through the Service or by email, and the new version will state its effective date.