Privacy Policy
Last updated: July 2026
This Privacy Policy explains how HEA World collects, uses, and protects personal data in connection with our services, websites, and applications (together the “Service”). It covers processing where HEA World acts as data controller and where we act as data processor on behalf of our customers.
1. Roles and controller identity
The Service is operated by NPE Holding B.V. (trading as “HEA World”), based in the Netherlands. Contact: privacy@hea-world.com.
As controller: HEA World decides how and why personal data is processed for our own purposes — for example when you create an account, subscribe, visit hea-world.com, or contact us.
As processor: When you deploy HEAs on your website, your visitors and end-users interact with the Service through your configuration. For that processing, you act as the data controller (or processor on behalf of your own controller) and HEA World acts as data processor, as further described in our Terms and Data Processing Agreement.
2. Categories of data we process
2.1 As controller — your relationship with HEA World
When you use HEA World as a customer or visit our website, we may process:
- Account data: name, email address, organization, authentication identifiers.
- Billing data: billing contact details, company address, VAT number, Stripe customer IDs.
- Platform usage data: logs related to your account, HEA configuration, performance, and interactions with the HEA World application.
- Website analytics: pseudonymous session and visitor identifiers on hea-world.com (consent-gated where required).
- Communications: support and service messages you send to us.
2.2 As processor — on your behalf
When you deploy HEAs or enable integrations, we process the following categories on your instructions (see the DPA):
- Visitor and conversation data: chat messages, pseudonymous visitor and session identifiers, conversation metadata, and structured skill fields collected through your HEA widget.
- Aggregate audience measurement: non-identifying counts of widget impressions (the widget loading on a page), aggregated by day and country. This measurement uses no cookies or device storage, no visitor or session identifiers, and does not track visitors across pages or sites.
- CRM and connector data: contacts, leads, email sync content, and related metadata where you connect Gmail, Microsoft, IMAP, WhatsApp, Shopify, or similar integrations.
- Content data: knowledge bases, documents, instructions, and other material you upload or connect to your HEAs.
2a. AI Outputs and No Professional Advice
The Service may generate responses using artificial intelligence based on your configuration and the User Content you provide. HEA World does not guarantee the accuracy, completeness, legality, or appropriateness of any HEA Outputs. You remain solely responsible for reviewing HEA Outputs and determining their suitability.
HEA Outputs are not intended to constitute legal, financial, medical, or other professional advice. You agree not to rely on HEA Outputs as a substitute for professional judgment.
2b. AI and model providers
HEA World uses third-party AI model providers (including OpenAI and others listed in our Sub-processors page) to generate responses. Conversation content and resource context needed for inference are sent to those providers for the duration of the request. We do not intentionally opt customer content into provider model training through our API usage; provider retention and safety policies may still apply and are documented per provider. HEA World does not use your HEA Outputs to train models for other customers, except as strictly necessary to deliver the Service or comply with legal obligations.
3. Purposes and Legal Bases
We process data for the following purposes:
- Providing, securing, and maintaining the Service (contract performance).
- Billing, invoicing, and subscription management (contract performance, legal obligation).
- Security, abuse prevention, and fraud detection (legitimate interest).
- Aggregate, non-identifying audience measurement of widget impressions (legitimate interest).
- Identifier-based product analytics, debugging, and service improvement (legitimate interest, where allowed; consent-gated where required).
- Service communications (contract performance).
4. Processors and Sub-processors
We use trusted third-party providers for authentication, billing, hosting, and analytics, including identity platforms, Stripe for payments, and cloud infrastructure. These providers act as processors and are bound by written data-processing agreements. Our Data Processing Agreement describes how we process personal data on behalf of our customers. A current list of sub-processors is maintained at Sub-processors.
5. Data Storage and Retention
Core customer content and operational logs are stored in Cloudflare R2 (EU — Western Europe). Session and application state may be stored in Upstash (EU — Frankfurt). Operational and usage logs are generally retained for up to 12 months for reliability, diagnostics, and abuse detection unless a longer period is required by law or your configuration.
Conversation, CRM, and connector data processed on your behalf as processor are retained according to your HEA configuration, the DPA, and applicable law. Billing and accounting records may be retained longer where required by law.
6. International Transfers
Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms, as required by law.
7. Your Rights
7.1 If you are a HEA World customer
You may have the right to:
- Access your personal data;
- Request correction of inaccurate information;
- Request deletion of data where permitted;
- Object to processing or request restriction;
- Request data portability.
To exercise these rights regarding your account or billing data, contact privacy@hea-world.com. We will respond within applicable GDPR timelines. You may also use our data deletion request form.
7.2 If you interacted with an HEA on someone else’s website
The website owner or organization that deployed the HEA is usually the data controller for visitor data. Please contact them first to access, correct, or delete your data. HEA World will assist the controller as described in our DPA. You may also contact privacy@hea-world.com and we will forward your request to the relevant customer where possible.
8. Cookies and Analytics
We use essential cookies and first-party storage for site functionality. Analytics tags (such as Google Tag Manager) are loaded only where legally permitted, managed through our Cookiebot consent banner. You can manage preferences via the banner or our Cookie Policy. Blocking non-essential cookies may limit some features.
9. Security
We apply technical and organizational measures to protect personal data against unauthorized access, loss, or misuse. No system is perfectly secure, but we implement appropriate safeguards based on the nature of the data and associated risks.
10. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in the Service or in applicable law. If changes are material, we will notify you via email or in-product notice.
11. Contact
If you have any questions about this Privacy Policy or how we process personal data, please
contact us at:
privacy@hea-world.com
12. Language Versions
This Privacy Policy may be provided in English, French, and Dutch. If there is any conflict between translations, the English version prevails.
Related documents:
→ Data Processing Agreement
→ Sub-processors
Other languages:
→ Version Française
→ Nederlandse Versie
HEA World