Privacy Policy
Last updated: November 2025
This Privacy Policy explains how HEA World collects, uses, and protects personal data in connection with our services, websites, and applications (together the “Service”).
1. Data Controller
The Service is operated by NPE Holding B.V. (trading as “HEA World”), based in the Netherlands. For processing activities related to your own visitors and customers (when HEAs are deployed on your website), you act as the data controller and HEA World acts as data processor, as described in this Privacy Policy and our Terms.
2. Categories of Data We Process
We may process the following categories of personal data:
- Account data: name, email address, organization, authentication identifiers.
- Billing data: billing contact details, company address, VAT number, Stripe customer IDs.
- Usage data: logs related to HEA usage, configuration, analytics, performance, and interactions.
- Content data: knowledge bases, documents, instructions, and material you upload or connect to your HEAs.
2a. AI Outputs and No Professional Advice
The Service may generate responses using artificial intelligence based on your configuration and the User Content you provide. HEA World does not guarantee the accuracy, completeness, legality, or appropriateness of any HEA Outputs. You remain solely responsible for reviewing HEA Outputs and determining their suitability.
HEA Outputs are not intended to constitute legal, financial, medical, or other professional advice. You agree not to rely on HEA Outputs as a substitute for professional judgment.
3. Purposes and Legal Bases
We process data for the following purposes:
- Providing, securing, and maintaining the Service (contract performance).
- Billing, invoicing, and subscription management (contract performance, legal obligation).
- Security, abuse prevention, and fraud detection (legitimate interest).
- Product analytics, debugging, and service improvement (legitimate interest, where allowed).
- Service communications (contract performance).
4. Processors and Sub-processors
We use trusted third-party providers for authentication, billing, hosting, and analytics, including identity platforms, Stripe for payments, and cloud infrastructure. These providers act as processors and are bound by written data-processing agreements.
5. Data Storage and Retention
Operational and usage logs are stored in Cloudflare R2 (EU — Frankfurt) and retained for up to 12 months for reliability, diagnostics, and abuse detection.
Billing and accounting records may be retained longer where required by law. Other personal data is retained only as long as necessary to operate the Service or comply with legal obligations.
6. International Transfers
Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms, as required by law.
7. Your Rights
You may have the right to:
- Access your personal data;
- Request correction of inaccurate information;
- Request deletion of data where permitted;
- Object to processing or request restriction;
- Request data portability.
To exercise these rights, contact us using the details below. We will respond within applicable GDPR timelines.
8. Cookies and Analytics
We use essential cookies and first-party storage for site functionality. Additional analytics cookies or tags are only activated where legally permitted. You can manage or block cookies via your browser settings, though some features may not work correctly without them.
9. Security
We apply technical and organizational measures to protect personal data against unauthorized access, loss, or misuse. No system is perfectly secure, but we implement appropriate safeguards based on the nature of the data and associated risks.
10. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in the Service or in applicable law. If changes are material, we will notify you via email or in-product notice.
11. Contact
If you have any questions about this Privacy Policy or how we process personal data, please contact us at:
privacy@hea-world.com
12. Language Versions
This Privacy Policy may be provided in English, French, and Dutch. If there is any conflict between translations, the English version prevails.